Daily News Update

Daily News Update: Tuesday, March 25, 2025 (Australia/Melbourne)

Opalsec

Opalsec

7 min read
Daily News Update: Tuesday, March 25, 2025 (Australia/Melbourne)

audio-thumbnail
Audio Summary: Tuesday, March 25, 2025 (Australia/Melbourne)
0:00
/390.312

Critical Flaw in Next.js Allows Authorization Bypass

Next.js Vulnerability

A critical severity vulnerability, tracked as CVE-2025-29927, has been discovered in the Next.js web development framework, potentially allowing attackers to bypass authorization checks. The flaw enables attackers to send requests that reach destination paths without going through critical security checks.

The vulnerability impacts all Next.js versions before 15.2.3, 14.2.25, 13.5.9, and 12.3.5. It affects self-hosted versions that use 'next start' with 'output: standalone' and environments where middleware is used for authorization or security checks without further validation.

The recommendation is to upgrade to newer revisions or block external user requests that include the 'x-middleware-subrequest header'.

Bleeping Computer | "Critical flaw in Next.js lets hackers bypass authorization"

Chinese Weaver Ant Hackers Spied on Telco Network for 4 Years

Weaver Ant Hackers

A China-linked advanced threat group named Weaver Ant spent more than four years in the network of an Asian telecommunications services provider, hiding traffic and infrastructure with the help of compromised Zyxel CPE routers.

Researchers found multiple variants of the China Chopper backdoor and a previously undocumented custom web-shell called ‘INMemory’ that executes payloads in the host’s memory.

Weaver Ant intrusions leveraged an operational relay box (ORB) network made primarily of Zyxel CPE routers to proxy traffic and conceal infrastructure. The threat actor established a foothold on the network by using an AES-encrypted variant of the China Chopper web shell.

The data exfiltration methods used in the attacks were also selected to raise as little alarm as possible, including passive network traffic capturing via port mirroring.

Bleeping Computer | "Chinese Weaver Ant hackers spied on telco network for 4 years"

The Record | "Chinese hackers spent four years inside Asian telco’s networks"

New VanHelsing Ransomware Targets Windows, ARM, ESXi Systems

VanHelsing Ransomware

A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems.

VanHelsing was first promoted on underground cybercrime platforms on March 7, offering experienced affiliates a free pass to join while mandating a deposit of $5,000 from less experienced threat actors.

The VanHelsing ransomware is written in C++, and evidence suggests that it was deployed in the wild for the first time on March 16. VanHelsing uses the ChaCha20 algorithm for file encryption.

Bleeping Computer | "New VanHelsing ransomware targets Windows, ARM, ESXi systems"

Oracle Denies Cloud Breach Claims

Oracle Cloud

Oracle has denied claims that its cloud infrastructure was breached and customer data stolen. A threat actor had advertised the sale of what they claimed were Oracle Cloud customer security keys and other sensitive data, allegedly obtained by exploiting a vulnerability in one of Oracle's single sign-on (SSO) login servers.

Oracle stated that the published credentials were not for Oracle Cloud and that no customers experienced a breach or data loss. However, the threat actor claimed to have created a text file on an Oracle Cloud login server as proof of compromise.

Infosec firm CloudSEK suggested the server may not have been patched against CVE-2021-35587, a critical vulnerability in Oracle Fusion Middleware's Oracle Access Manager. Exploiting this flaw could grant access to sensitive information.

The attacker had reportedly contacted Oracle demanding $200 million in cryptocurrency for details about the alleged theft, but was turned down.

The Register | "Oracle Cloud says it's not true someone broke into its login servers and stole data"

Cyberattack Takes Down Ukrainian State Railway’s Online Services

Ukrainian Railway Cyberattack

Ukrzaliznytsia, Ukraine’s national railway operator, has been hit by a massive cyberattack that disrupted online services for buying tickets both through mobile apps and the website, describing it as "systematic, complex, and multi-layered."

The incident forced people to booths to buy physical tickets, causing overcrowding, delays, long waiting times, and frustration.

Despite difficulties with the online ticket-selling platform, Ukrzaliznytsia noted that traveling operations weren’t impacted by the cyberattack. This is significant as the railway has been a crucial transportation lifeline for Ukrainians since the Russian invasion, given the closure of Ukrainian airports.

Bleeping Computer | "Cyberattack takes down Ukrainian state railway’s online services"

The Record | "Cyberattack hits Ukrainian state railway, disrupting online ticket sales"

DrayTek Routers Worldwide Experience Reboot Loops

DrayTek Routers

Many Internet service providers (ISPs) worldwide are alerting customers of an outage that started Saturday night and triggered DrayTek router connectivity problems.

Those affected by this incident reported seeing routers across multiple series models intermittently losing connectivity and entering boot loops.

Impacted ISPs linked the Internet connection issues to attacks targeting unspecified vulnerabilities or a buggy software update pushed by DrayTek.

Bleeping Computer | "DrayTek routers worldwide go into reboot loops over weekend"

Europol Warns of AI-Enhanced Cybercrime

AI and Cybercrime

Europol has warned that organised crime networks are increasingly reliant on digital technology, including AI, for their activities. According to Europol executive director Catherine De Bolle, criminal networks have evolved into global, technology-driven enterprises, exploiting digital platforms and geopolitical instability.

AI is being adopted to automate tasks, expand operations, and evade law enforcement. The internet has become the "primary theatre for organised crime," and data is now "the new currency of power."

Europol also highlights the cooperation between criminal networks and "hybrid threat actors," potentially state-aligned entities, for mutual benefit.

"Hybrid threat actors and criminal actors cooperate for mutual benefit, leveraging each other's resources, expertise, and protection to achieve their objectives,"

The report suggests that criminals may gain access to cutting-edge tools through this cooperation.

The Register | "Mobsters now overlap with cybercrime gangs and use AI for evil, Europol warns"

Starlink Seizure

Thai law enforcement confiscated 38 Starlink satellite internet transmitters allegedly intended to be used in scam compounds in Myanmar.

Organized criminal groups have set up huge compounds near the Thai border where trafficked workers are forced to carry out a variety of scams, like fraudulent cryptocurrency investment schemes.

In response to electricity and telecom cut-offs, the cybercriminal gangs appear to be relying more heavily on satellite internet connections.

The Record | "Thai officers intercept Starlink transmitters allegedly headed for Myanmar scam centers"

Law Enforcement Arrests 300 Suspects Linked to African Cybercrime Rings

Cybercrime Arrests

African law enforcement authorities have arrested 306 suspects as part of 'Operation Red Card,' an INTERPOL-led international crackdown targeting cross-border cybercriminal networks.

Between November 2024 and February 2025, authorities seized 1,842 devices allegedly used in mobile banking, investment, and messaging app scams linked to over 5,000 victims.

The operation involved authorities from Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia.

Bleeping Computer | "Police arrests 300 suspects linked to African cybercrime rings"

The Record | "Over 300 arrested in international crackdown on cyber scams"

As 23andMe Declares Bankruptcy, Privacy Advocates Sound Alarm About DNA Data

23andMe Bankruptcy

Genetic testing business 23andMe filed for bankruptcy Sunday, following years of financial uncertainty contributed to in no small part by a $30 million settlement following a significant cyberattack in 2023. The move raised concerns from privacy advocates that the DNA records and personal information of its 15 million customers could soon be up for sale to the highest bidder.

While 23andMe has publicly pledged it will search for a buyer with a commitment to data privacy, the court documents specify that the company will “consider all viable options” when selling individual assets and stressed that “any delay in the sale timeline would hinder” its efforts to maximize value in a sale.

California Attorney General Rob Bonta issued a March 21 consumer alert about 23andMe’s impending bankruptcy, advising users that under state law they have the right to delete their genetic data, destroy their test saliva samples and revoke permissions for their data to be used in generic research.

CyberScoop | "As 23andMe declares bankruptcy, privacy advocates sound alarm about DNA data"

Bleeping Computer | "23andMe files for bankruptcy, customers advised to delete DNA data"

The Register | "23andMe's genes not strong enough to avoid Chapter 11"

Hackers Steal Sensitive Data from Pennsylvania County During Ransomware Attack

Ransomware Attack

Personal information from Union County, Pennsylvania, residents was stolen during a ransomware attack on government systems 10 days ago.

The county warned its residents that the ransomware attack was discovered on March 13. The affected information appears to be mostly related to individuals involved with County law enforcement, court-related matters, and/or other County business.

The data may contain Social Security numbers and driver’s license numbers.

The Record | "Hackers steal sensitive data from Pennsylvania county during ransomware attack"

China Bans Compulsory Facial Recognition

China Facial Recognition

China's Cyberspace Administration and Ministry of Public Security have outlawed the use of facial recognition without consent. New rules require organisations to conduct a "personal information protection impact assessment" before using facial recognition, considering necessity, privacy impacts, and data leakage risks.

Organisations must encrypt biometric data and audit their information security practices. The rules also prohibit facial recognition in sensitive public places like hotel rooms and bathrooms.

However, the regulations do not apply to researchers or "algorithm training activities," potentially allowing the use of facial images for AI model training. It remains unclear whether government agencies are exempt from the new rules.

The Register | "China bans compulsory facial recognition and its use in private spaces like hotel rooms"

Read more