Daily News Update: Friday, March 21, 2025 (Australia/Melbourne)


Taiwan Critical Infrastructure Targeted by Hackers

Hackers with apparent ties to China-based groups like Volt Typhoon are targeting critical infrastructure in Taiwan. Cisco Talos discovered a malicious campaign, active since at least 2023, attempting to establish long-term access and steal information.
The group behind the campaign, tagged as UAT-5918, has tactics, techniques, procedures, and victims that overlap with Chinese state-backed groups, including Volt Typhoon and Flax Typhoon.
UAT-5918 typically gains entry by exploiting vulnerabilities in unpatched web and application servers. They use open-source tools to move through a victim’s network, stealing credentials and creating administrative accounts. Several tools used for credential and data theft are also used by Volt Typhoon and Flax Typhoon. Cisco Talos also found potential ties to other China-based threat actors, including Famous Sparrow and Earth Estries.
“We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors,”
The Record | "Taiwan critical infrastructure targeted by hackers with possible ties to Volt Typhoon"
RansomHub Ransomware Uses Betruger Backdoor

A newly identified custom backdoor, named Betruger, has been linked to RansomHub ransomware attacks. Symantec researchers describe it as a "rare example of a multi-function backdoor" engineered for ransomware attacks. Betruger's capabilities include keylogging, network scanning, privilege escalation, credential dumping, screenshotting, and uploading files to a command and control (C2) server. The backdoor has so far been observed being dropped with filenames such as 'mailer.exe' and 'turbomailer.exe'.
“The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared”
The RansomHub ransomware-as-a-service (RaaS) operation emerged in February 2024 and has claimed high profile victims including Halliburton, Christie's, and Frontier Communications. RansomHub has also leaked Change Healthcare's stolen data and claimed the breach of BayMark Health Services.
The FBI says RansomHub affiliates had breached over 200 victims across multiple US critical infrastructure sectors as of August 2024.
Bleeping Computer | "RansomHub ransomware uses new custom Betruger backdoor in attacks"
HellCat Hackers Target Jira Servers Worldwide

The HellCat hacking group is actively targeting Jira servers globally, using compromised credentials to breach organisations. Swiss global solutions provider Ascom confirmed a cyberattack on its IT infrastructure, with HellCat claiming to have stolen 44GB of data. The hackers compromised Ascom's technical ticketing system, but the company claims no impact on business operations.
“At the heart of this latest incident lies a technique that has become HELLCAT’s signature: exploiting Jira credentials harvested from compromised employees that were infected by Infostealers”
HellCat has previously targeted Schneider Electric, Telefónica, and Orange Group through Jira servers. They also claimed responsibility for an attack on Jaguar Land Rover (JLR), leaking 700 internal documents. Alon Gal from Hudson Rock notes that HellCat exploits Jira credentials harvested from compromised employees infected by infostealers.
Recently, HellCat compromised the Jira system of Affinitiv, stealing a database with over 470,000 unique emails and 780,000 records. Affinitiv has begun an investigation.
Bleeping Computer | "HellCat hackers go on a worldwide Jira hacking spree"
Nation-State Groups Exploit Windows Zero-Day

Cybercriminals working on behalf of at least six nation-states are actively exploiting a zero-day vulnerability in Microsoft Windows to conduct espionage and steal data and cryptocurrency. Trend Micro tracks the vulnerability as ZDI-CAN-25373; it allows attackers to hide malicious commands stored in .lnk shortcut files by padding the command-line arguments with whitespace.
State-sponsored groups have been exploiting the zero-day since 2017, targeting governments, think tanks, and organizations in the finance, cryptocurrency, telecom, military, and energy sectors. Trend Micro discovered and reported the defect to Microsoft in September. Dustin Childs from Trend Micro's Zero Day Initiative stated that at least 300 different organizations have been affected, with thousands of devices infected.
Nearly half of the attacks are linked to North Korean state-sponsored attackers, APT43 and APT37. Groups from Iran, Russia, and China are each linked to roughly 1 in 5 attacks. Trend Micro has also attributed attacks to groups working on behalf of India, Pakistan, and financially motivated cybercriminals.
Any EDR worth its salt should pick up suspicious commands executed through this persistence mechanism, whether or not the arguments are padded with whitespace.
Microsoft acknowledges the research but disputes the need for a prompt response, stating that shortcut files trigger a warning when downloaded from the internet. Andrew Grotto from Stanford University's Center for International Security and Cooperation notes that Microsoft has a history of actively exploited zero-day vulnerabilities. Trend Micro has provided defenders with information to protect their systems and hopes to put pressure on Microsoft to provide a fix.
CyberScoop | "Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day"
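The ZDI-CAN-25373 item above describes the technique only in outline: the .lnk file's command-line arguments are padded with whitespace so the real command sits past what a casual look reveals. The following is an added example (it is not code from the article, from Trend Micro or from CyberScoop) that shows what a defender can do about it: it walks the Shell Link binary layout far enough to read the COMMAND_LINE_ARGUMENTS string, then flags abnormally long whitespace runs and collapses them so the full command is visible. The `build_minimal_lnk` helper constructs a fixture with only the arguments field set, the 64-character threshold is an assumption chosen for this demo, and the sample arguments are constructed and benign.

```python
import re
import struct

# LinkFlags bits of the Shell Link (.lnk) binary format.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Whitespace run length above which arguments are flagged (assumption for this demo).
PADDING_RUN_THRESHOLD = 64
WS_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")


def build_minimal_lnk(arguments: str) -> bytes:
    """Construct a minimal .lnk that carries only COMMAND_LINE_ARGUMENTS (test fixture)."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, SHELL_LINK_CLSID, flags,
        0,            # FileAttributes
        0, 0, 0,      # CreationTime, AccessTime, WriteTime (FILETIME)
        0, 0,         # FileSize, IconIndex
        1,            # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )
    # StringData entry: u16 character count followed by the UTF-16LE string, no terminator.
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def parse_lnk_string_data(data: bytes) -> dict:
    """Read the header, skip the optional IDList/LinkInfo blocks, and return the StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags sits after HeaderSize + CLSID
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:               # u16 IDListSize, then the item IDs
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                         # u32 LinkInfoSize includes itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        raw = data[offset:offset + count * width]
        offset += count * width
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return strings


def analyze_arguments(arguments: str) -> dict:
    """Measure the longest whitespace run and return the arguments with padding collapsed."""
    longest = max((len(run) for run in WS_RUN.findall(arguments)), default=0)
    return {
        "length": len(arguments),
        "longest_whitespace_run": longest,
        "suspicious": longest >= PADDING_RUN_THRESHOLD,
        "normalized": WS_RUN.sub(" ", arguments).strip(),
    }


def triage_lnk(data: bytes) -> dict:
    """Parse a .lnk and give the padding verdict for its arguments (empty string when absent)."""
    return analyze_arguments(parse_lnk_string_data(data).get("arguments", ""))


# Constructed sample: a visible benign part, 900 spaces, then a second command past the padding.
SAMPLE_ARGUMENTS = '/c start "" notepad.exe' + " " * 900 + "& echo hidden-part"

if __name__ == "__main__":
    verdict = triage_lnk(build_minimal_lnk(SAMPLE_ARGUMENTS))
    print(verdict["suspicious"], verdict["longest_whitespace_run"], verdict["normalized"])
```

The parser deliberately stops after StringData; the trailing ExtraData blocks are not needed for this check. Running `triage_lnk` over a directory of shortcuts and alerting on `suspicious` gives a cheap triage signal independent of whatever the shortcut's properties dialog chooses to display.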
VSCode Extensions Download Early-Stage Ransomware

Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft's review process. The extensions, named "ahban.shiba" and "ahban.cychelloworld," were downloaded seven and eight times, respectively, before they were eventually removed from the store.
ReversingLabs discovered that the two extensions contain a PowerShell command that downloads a second PowerShell script from a remote server and executes it; that script acts as the ransomware. It encrypts files in the C:\users\%username%\Desktop\testShiba folder and displays a Windows alert stating, "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them."
ExtensionTotal security researcher Itay Kruk told BleepingComputer that their automated scanner had caught the extensions earlier and informed Microsoft some time ago, but they received no response. That the extensions downloaded and executed remote PowerShell scripts and stayed undetected for almost four months demonstrates a concerning gap in Microsoft's review process.
Bleeping Computer | "VSCode extensions found downloading early-stage ransomware"
RCE Vulnerability in WP Ghost WordPress Plugin

The WP Ghost WordPress security plugin, used in over 200,000 WordPress sites, is vulnerable to a critical remote code execution (RCE) flaw (CVE-2025-26909). The vulnerability stems from insufficient input validation in the 'showFile()' function, allowing attackers to include arbitrary files via manipulated URL paths.
The flaw is triggered if WP Ghost's "Change Paths" feature is set to Lite or Ghost mode. Exploiting the flaw could lead to a complete website takeover. Patchstack discovered the flaw and notified the vendor on March 3. The developers of WP Ghost incorporated a fix in version 5.4.02, adding validation on the supplied URL or path. Users are recommended to upgrade to version 5.4.02 or 5.4.03 to mitigate the vulnerability.
“The vulnerability occurred due to insufficient user input value via the URL path that will be included as a file,”
Bleeping Computer | "WordPress security plugin WP Ghost vulnerable to remote code execution bug"
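The WP Ghost item above says the flaw came from an unvalidated URL path being used as a file to include, and that the fix added validation of the supplied path. The block below is an added, generic illustration of that class of bug and its fix; it is not WP Ghost's code (which is PHP) and the function names are this example's own. `unsafe_show_file` joins the requested path onto the served directory without any check, while `safe_show_file` resolves the result and refuses anything that ends up outside the served directory, which covers `..` segments, absolute paths and symlinks alike. The demo builds a constructed directory layout in a temporary folder.

```python
import tempfile
from pathlib import Path


def unsafe_show_file(base_dir: str, requested: str) -> str:
    """Illustrative 'before' pattern: the path from the URL is joined and read with no validation.
    A '..' segment or an absolute path escapes base_dir."""
    return Path(base_dir, requested).read_text()


def safe_show_file(base_dir: str, requested: str) -> str:
    """Hardened form: resolve symlinks and '..', then require the result to stay under base_dir."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()   # an absolute `requested` replaces base here, so check after resolving
    if target != base and base not in target.parents:
        raise PermissionError(f"refusing to serve a path outside {base}: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_text()


def demo() -> dict:
    """Constructed layout: a served 'public' folder and a secret one level above it."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "page.html").write_text("<h1>ok</h1>")
    (root / "secret.txt").write_text("db-password")   # outside the served directory
    results = {
        "legit": safe_show_file(str(public), "page.html"),
        "unsafe_leaks": unsafe_show_file(str(public), "../secret.txt"),
    }
    for attempt in ("../secret.txt", str(root / "secret.txt")):
        try:
            safe_show_file(str(public), attempt)
            results[attempt] = "served"
        except PermissionError:
            results[attempt] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares resolved paths rather than inspecting the string for `..`, so encodings and symlink tricks that produce the same escape are handled by the same rule: the final file must live under the directory the site intends to serve.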
218 Repositories Victim to GitHub Action Supply Chain Attack

The compromise of GitHub Action tj-actions/changed-files has impacted a small percentage of the 23,000 projects using it, with an estimated 218 repositories exposing secrets due to the supply chain attack. The attack involved adding a malicious commit on March 14, 2025, to dump CI/CD secrets from the Runner Worker process to the repository.
The attack was likely made possible via another supply chain attack targeting the "reviewdog/action-setup@v1" GitHub Action, potentially compromising a GitHub personal access token (PAT). Endor Labs monitored the exposure of secrets and found that 5,416 repositories referenced the targeted GitHub Action, with 614 running the workflow during the exposure timeframe.
Of those 614, 218 printed secrets to the console log. Exposed secrets included GitHub install access tokens, DockerHub, npm, and AWS credentials.
Bleeping Computer | "GitHub Action supply chain attack exposed secrets in 218 repos"
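Both actions named above were consumed through mutable references (a tag such as `@v1`), which is what let a malicious commit reach the 23,000 dependent projects without any of them changing a line. The following is an added example, not code from the article, Endor Labs or either project, of the audit a defender can run over their own workflow files: it lists every `uses:` reference and reports whether it is pinned to a full 40-character commit SHA or to a mutable tag or branch. It is a deliberate regex line scanner rather than a YAML parser, so it works without extra dependencies; the sample workflow and its SHA are constructed values.

```python
import re

# Matches `uses:` lines in a workflow; tolerant of list dashes and optional quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
# A full commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(yaml_text: str) -> list:
    """Return one finding per remote action reference, with whether it is SHA-pinned."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        uses = match.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue   # local composite actions and container images are out of scope here
        action, _, ref = uses.partition("@")
        findings.append({
            "action": action,
            "ref": ref or None,
            "pinned": bool(SHA_RE.match(ref)),
        })
    return findings


def mutable_refs(yaml_text: str) -> list:
    """Just the references an upstream compromise could silently repoint."""
    return [f for f in audit_workflow(yaml_text) if not f["pinned"]]


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - name: Lint
        uses: "some-org/lint-action@main"
"""

if __name__ == "__main__":
    for finding in mutable_refs(SAMPLE_WORKFLOW):
        print(f"unpinned: {finding['action']}@{finding['ref']}")
```

Pinning to a SHA does not remove the need to review what that commit contains, but it does mean a later force-push or retagging upstream cannot change what the workflow runs.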
Cisco Vulnerabilities Reportedly Exploited in the Wild

Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account (CVE-2024-20439). Cisco patched this flaw in September, describing it as "an undocumented static user credential for an administrative account" that can let unauthenticated attackers log into unpatched systems remotely with admin privileges.
The company also addressed a second critical CSLU information disclosure vulnerability (CVE-2024-20440) that unauthenticated attackers can use to access log files containing sensitive data. These vulnerabilities only affect systems running vulnerable Cisco Smart Licensing Utility releases and are only exploitable while the user has the CSLU app running.
Johannes Ullrich from the SANS Technology Institute reported that threat actors are now chaining the two flaws in exploitation attempts against CSLU instances exposed on the Internet. Despite this, Cisco's security advisory still says that its PSIRT has found no evidence of the two flaws being exploited in attacks.
Bleeping Computer | "Critical Cisco Smart Licensing Utility flaws now exploited in attacks"
DollyWay Malware Campaign Compromises WordPress Sites

The 'DollyWay' malware campaign has been active since 2016, compromising over 20,000 WordPress sites globally. Initially distributing ransomware and banking trojans, the latest version (v3) functions as a large-scale scam redirection system. GoDaddy Security researchers have linked multiple campaigns to this single, sophisticated threat actor, naming the operation 'DollyWay World Domination'.
DollyWay v3 exploits n-day flaws in WordPress plugins and themes, generating 10 million fraudulent impressions per month by redirecting visitors to fake dating, gambling, crypto, and sweepstakes sites. Monetization occurs through VexTrio and LosPollos affiliate networks, using a Traffic Direction System (TDS) to filter visitors.
The malware uses script injection with 'wp_enqueue_script' to load a second script, collecting visitor referrer data and loading the TDS script. Direct website visitors without a referrer, who are not bots, and are not logged-in WordPress users are not redirected. The final redirection occurs only when the visitor interacts with a page element, evading passive scanning tools.
DollyWay is persistent, automatically reinfecting sites with every page load. It spreads PHP code across all active plugins and adds a hidden copy of the WPCode plugin containing obfuscated malware snippets. It also creates hidden admin users with random 32-character hex strings, visible only through direct database inspection. GoDaddy has shared indicators of compromise (IoCs) to help defend against this threat.
Bleeping Computer | "Malware campaign 'DollyWay' breached 20,000 WordPress sites"
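The DollyWay item above notes that the campaign's hidden administrator accounts use random 32-character hex strings as usernames and are visible only by inspecting the database directly. Below is an added example of exactly that inspection; it is not GoDaddy's code or part of the published IoCs. It joins `wp_users` to `wp_usermeta` to list accounts with the administrator capability and then flags any whose login is a bare 32-hex string. The sample database is a constructed SQLite stand-in for the MySQL tables WordPress actually uses, so the query text (which assumes the default `wp_` table prefix) is what you would run against the real site, minus the dialect differences.

```python
import re
import sqlite3

# A login that is nothing but 32 hex characters matches the pattern described for the hidden admins.
HEX32_LOGIN = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def open_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database with the default wp_ prefix."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "alice", "alice@example.com", "2019-04-02 10:00:00"),
        (2, "bob", "bob@example.com", "2021-08-15 09:30:00"),
        # Constructed suspicious account: random-looking 32-hex login, administrator role.
        (3, "c0ffee1234abcd5678ef90deadbeef01", "x@example.com", "2025-03-18 03:12:41"),
    ]
    # WordPress stores roles as a PHP-serialized array in the <prefix>capabilities meta key.
    caps = [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", users)
    con.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", caps)
    return con


def list_admins(con: sqlite3.Connection, prefix: str = "wp_") -> list:
    """Every account holding the administrator capability, straight from the tables."""
    # `prefix` is an operator-supplied constant (the site's table prefix), not user input.
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u
        JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '{prefix}capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """
    return con.execute(sql).fetchall()


def suspicious_admins(con: sqlite3.Connection, prefix: str = "wp_") -> list:
    """Administrators whose login is a bare 32-character hex string."""
    return [row for row in list_admins(con, prefix) if HEX32_LOGIN.match(row[1])]


if __name__ == "__main__":
    db = open_sample_db()
    for user_id, login, email, registered in suspicious_admins(db):
        print(f"suspicious admin #{user_id}: {login} <{email}> registered {registered}")
```

Run the equivalent query directly against the site's database rather than through the WordPress admin screens, since the campaign is described as hiding these accounts from the UI; the registration timestamp and email of any hit are useful pivots for the rest of the incident review.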
Veeam Criticized Over RCE Vulnerability

Veeam is facing criticism from researchers for its handling of uncontrolled deserialization vulnerabilities in Backup and Replication (B&R). The vendor patched the critical remote code execution (RCE) bug CVE-2025-23120 (CVSS 9.9) on March 19; it can be exploited by any authenticated domain user if the Veeam server is domain-joined, and affects Backup and Replication 12.3.0.310 and all earlier versions.
Piotr Bazydlo from watchTowr noted that the authentication requirement is fairly weak, as any domain user can exploit the bugs. Veeam tries to pass blame onto users by saying the B&R server should never be domain-joined, but many are unaware of this.
Rapid7 added that more than 20 percent of incident response cases in 2024 involved Veeam being exploited.
Bazydlo criticized Veeam's use of a blocklist to mitigate deserialization vulnerabilities, noting that an allowlist (whitelist) is the preferred approach. He built on Sina Kheirkhah's work from September on CVE-2024-40711, a similar RCE bug that could be exploited through gadgets missed by Veeam's blocklist. Bazydlo also took Veeam to task for assigning only one CVE identifier to the bug despite the discovery of two separate gadgets that could be used to achieve RCE.
“It is hard for us to be positive about this, given the criticality of the solution, combined with the well-known and trodden ground of this solution being targeted by ransomware gangs,”
The Register | "Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist"
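Bazydlo's point about blocklists versus allowlists for deserialization is general, so here is an added example of the asymmetry in a language that makes it short. It is not Veeam's code (B&R is .NET) and does not reproduce any of the gadgets from the write-ups; the types and names are this example's own. Python's `pickle.Unpickler.find_class` is the hook through which every class or function referenced by a serialized stream is resolved, which is the analogue of a .NET `SerializationBinder`. `BlocklistUnpickler` rejects a fixed set of names and lets everything else through, so a type nobody listed (stand-in: `UnexpectedType`) is resolved without complaint; `AllowlistUnpickler` resolves only the one type the application expects and rejects the rest by default.

```python
import io
import pickle
from dataclasses import dataclass


@dataclass
class BackupJob:
    """The one type the application legitimately expects to deserialize."""
    name: str
    retention_days: int


@dataclass
class UnexpectedType:
    """Stands in for any type the blocklist author never thought of."""
    payload: str


class BlocklistUnpickler(pickle.Unpickler):
    """Deny known-bad names, allow everything else: the approach criticized above."""
    BLOCKED = {("os", "system"), ("subprocess", "Popen")}   # constructed, illustrative list

    def find_class(self, module, name):
        if (module, name) in self.BLOCKED:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)   # anything unlisted is resolved


class AllowlistUnpickler(pickle.Unpickler):
    """Allow exactly the expected types, deny everything else by default."""
    ALLOWED = {(BackupJob.__module__, BackupJob.__qualname__)}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"not allowlisted: {module}.{name}")


def load_with(unpickler_cls, blob: bytes):
    """Return (accepted, value_or_reason) for one unpickler policy applied to one stream."""
    try:
        return True, unpickler_cls(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def demo() -> dict:
    """Constructed streams: one expected object, one object of a type no list mentions."""
    job_blob = pickle.dumps(BackupJob("nightly", 30), protocol=4)
    odd_blob = pickle.dumps(UnexpectedType("not on anyone's list"), protocol=4)
    return {
        "allowlist_accepts_expected": load_with(AllowlistUnpickler, job_blob)[0],
        "allowlist_rejects_unexpected": not load_with(AllowlistUnpickler, odd_blob)[0],
        "blocklist_accepts_unexpected": load_with(BlocklistUnpickler, odd_blob)[0],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The third line of the result is the whole argument: a blocklist is only as complete as the last gadget its maintainers heard of, whereas an allowlist needs no knowledge of attacker tooling at all, only of what the application itself is supposed to receive. Protocol 4 is used explicitly so that plain objects serialize via the NEWOBJ opcode and the allowlist does not have to admit `copyreg` helpers.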
Major Web Services Go Dark in Russia

Russian internet users faced widespread outages this week, attributed by regulators to issues with “foreign server infrastructure.” Local experts suggested the disruptions stemmed from Russia’s blocking of Cloudflare. The outages affected platforms such as TikTok, Steam, Twitch, Epic Games, Duolingo, and major Russian mobile operators.
The disruption also impacted banking and government services, with users reporting difficulties accessing apps for Sberbank, Gazprombank, and Alfa-Bank, as well as the Russian government’s portal. Messaging apps, including Telegram and WhatsApp, also faced interruptions. Russian internet regulator Roskomnadzor said the disruptions affected services that rely on foreign server infrastructure and recommended that local organizations switch to Russian hosting providers.
Roskomsvoboda's technical director, Stanislav Shakirov, suggested that Roskomnadzor will eventually block Cloudflare entirely. Cloudflare has previously refused to meet Roskomnadzor’s demands. Shakirov suggests that if Roskomnadzor determines the block is effective, it may pursue a permanent ban, similar to measures taken in Iran. Russia’s crackdown on foreign tech services aligns with the Kremlin’s policy of digital isolation.
“This blocking is a kind of ‘trial shot’ — both to see how much disruption it causes and to push Russian-based resources away from Cloudflare, signaling that it won’t work reliably and will only create problems for them,”
The Record | "Major web services go dark in Russia amid reported Cloudflare block"
UK Sets Timeline for Quantum-Resistant Encryption

The UK's National Cyber Security Centre (NCSC) has issued guidance urging organizations to begin planning for the transition to post-quantum cryptographic (PQC) algorithms. The guidance breaks down the migration into three phases, spanning from 2028 to 2035.
By 2028, organizations must assess systems and services using current cryptography and create a migration plan. By 2031, they should complete priority migrations and refine the plan as PQC technology evolves. By 2035, the migration to PQC should be complete. The NCSC recommends adopting NIST-approved PQC algorithms.
The NCSC will launch a pilot scheme to connect cryptography specialists with UK organizations migrating to PQC. The United States has established a similar timeline through National Security Memorandum 10 (NSM-10), also setting 2035 as the target year for completing the transition across federal systems.
“We know that PQC migration can feel like a daunting challenge for many organizations,”
The Record | "UK sets timeline for country’s transition to quantum-resistant encryption"
Bleeping Computer | "UK urges critical orgs to adopt quantum cryptography by 2035"