Daily News Update: Wednesday, April 2, 2025 (Australia/Melbourne)

Increased scans of Palo Alto GlobalProtect devices may indicate an imminent attack. Nakasone names China the biggest cyber threat to the US. DPRK expands its prolific IT worker campaigns to Europe. Talos finds identity a key culprit in 69% of ransomware incidents.

Palo Alto GlobalProtect Scans a Potential Precursor to Exploitation

A significant spike in scanning activity targeting Palo Alto Networks GlobalProtect login portals was observed between 17 and 26 March, involving over 24,000 unique source IP addresses.

GreyNoise reports that 23,800 of these IPs are classified as "suspicious," while 154 were validated as "malicious." Most of the scanning attempts originate from IPs located in the United States and Canada, with the majority of targets in the United States.

GreyNoise suggests this activity could be preparatory reconnaissance, potentially followed by the disclosure of flaws.

"Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies [...] These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later." - Bob Rudis, VP of Data Science at GreyNoise

Researchers also linked this activity to a separate spike in PAN-OS crawler activity observed around the same time.

While the exact motive remains unclear, GreyNoise advises Palo Alto administrators to increase vigilance, review logs since mid-March for signs of targeting or compromise, harden login portals, and consider blocking the known malicious IPs listed in their report.
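The log review GreyNoise recommends boils down to one question: did the number of distinct sources hitting the portal login page jump far above its baseline? The Python below is an added example (not GreyNoise or Palo Alto Networks code) that answers it over constructed sample lines; the line format, paths and addresses are assumptions for the example, not real PAN-OS syslog.

```python
"""Added example (not from GreyNoise or Palo Alto Networks): flag days on which the
number of distinct source IPs reaching a GlobalProtect portal login page jumps well
above the recent baseline, the kind of surge described above for 17-26 March.
The log line format is constructed for this example and is not PAN-OS syslog."""
import re
from collections import defaultdict
from statistics import median

# Constructed format: "<date> <source-ip> <url-path> <http-status>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\d{3})$")
PORTAL_PREFIX = "/global-protect/"   # GlobalProtect portal login path prefix

# Constructed sample: three quiet days, a surge day, then a quiet day.
_QUIET = """\
2025-03-14 198.51.100.7 /global-protect/login.esp 200
2025-03-14 198.51.100.9 /global-protect/login.esp 200
2025-03-15 198.51.100.7 /global-protect/login.esp 200
2025-03-15 203.0.113.4 /global-protect/login.esp 200
2025-03-16 198.51.100.7 /global-protect/login.esp 200
2025-03-16 203.0.113.4 /global-protect/login.esp 200
2025-03-16 192.0.2.55 /healthz 200
2025-03-18 198.51.100.7 /global-protect/login.esp 200
2025-03-18 198.51.100.9 /global-protect/login.esp 200
"""
# Forty distinct sources in one day (TEST-NET-3 addresses, constructed).
_SURGE = "".join(f"2025-03-17 203.0.113.{i} /global-protect/login.esp 200\n"
                 for i in range(1, 41))
SAMPLE_LOG = _QUIET + _SURGE

def unique_sources_per_day(lines):
    """Map each day to the number of distinct source IPs that hit the portal."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # skip lines not in the expected format
        day, src, path, _status = m.groups()
        if path.startswith(PORTAL_PREFIX):
            per_day[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}

def flag_surges(counts, baseline_days=3, factor=5.0, min_sources=20):
    """Return days whose distinct-source count is at least `factor` times the
    median of the preceding `baseline_days` and at least `min_sources`; the
    absolute floor stops a jump from 1 to 5 sources being reported."""
    days = list(counts)
    flagged = []
    for i in range(baseline_days, len(days)):
        base = median(counts[d] for d in days[i - baseline_days:i])
        today = counts[days[i]]
        if today >= min_sources and today >= factor * max(base, 1):
            flagged.append(days[i])
    return flagged

if __name__ == "__main__":
    counts = unique_sources_per_day(SAMPLE_LOG.splitlines())
    print(counts, "->", flag_surges(counts))   # 2025-03-17 is flagged
```

A flagged day is a prompt to pull the portal's authentication and event logs for that window, not proof of compromise on its own.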

Bleeping Computer | "Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans"

GreyNoise | "Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats"


China Identified as Primary Cyber Threat by Gen. Paul Nakasone

In a recent interview, Gen. Paul Nakasone, former head of the NSA and U.S. Cyber Command, identified China as the foremost cyber threat to the United States.

He highlighted the discovery of Chinese malicious code in U.S. critical infrastructure, including telecommunications companies and local power districts. Nakasone emphasised the unprecedented scope and scale of Chinese cyber activities, surpassing previous adversaries. He noted that Chinese hackers are exploiting vulnerabilities within five days of Patch Tuesday, while businesses take months to detect and remove intrusions.

"I think the priority should be to understand the scope and scale of what the Chinese are undertaking here. This is like nothing we have seen before."

Nakasone expressed concern over the potential for China to wreak havoc or spark a crisis during periods of tension, particularly concerning Taiwan. He also pointed out that Salt Typhoon is using large language models to target specific individuals, including political figures and members of the Department of Justice and FBI.

Nakasone advocated for a broader approach to cyber defence, radical partnerships between government, private sector, and academia, and addressing vulnerabilities in software. He also touched on the potential kinetic capabilities of cyber warfare, citing examples from the Russia-Ukraine conflict.

The Record | "Exclusive: Gen. Paul Nakasone says China is now our biggest cyber threat"


North Korean IT Worker Army Expands Operations in Europe

North Korea's state-sponsored IT workers, often referred to as "IT warriors," are expanding their fraudulent employment operations into Europe, according to Google's Threat Intelligence Group (GTIG).

These individuals use deceptive tactics, including fake identities, fabricated references, and VPNs/laptop farms, to pose as legitimate freelance IT professionals from various countries (including Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam). Their goal is to secure remote work contracts with companies worldwide, generating significant revenue for the DPRK regime, which reportedly takes up to 90% of their earnings to fund its weapons programs.

Following increased scrutiny, sanctions, and indictments in the United States, these operations are now increasingly targeting companies in Germany, Portugal, and the United Kingdom. GTIG found evidence of DPRK personas seeking work via platforms like Upwork, Telegram, and Freelancer, targeting roles in AI, blockchain, web development, and CMS development. Payments were often facilitated through cryptocurrency or services like TransferWise and Payoneer to obscure fund origins.

One notable case involved a DPRK worker targeting European defence industrial base and government sector organisations in late 2024 using fabricated personas. This expansion aligns with previous warnings from the FBI, South Korean, and Japanese authorities about this widespread scheme. There are also instances where these workers, upon discovery, have extorted their former employers by threatening to leak stolen data.

Mandiant Principal Analyst Michael Barnhart noted the trend of these workers infiltrating larger organisations to steal data and extort them, adding it's "unsurprising to see them expanding their operations into Europe to replicate their success."

Bleeping Computer | "North Korean IT worker army expands operations in Europe"


Breaches Rife with Identity Flaws in 2024

Weaknesses in identity controls were the primary vector for cyberattacks observed by Cisco Talos incident responders throughout 2024. According to their annual report, 60% of incidents involved an identity attack component, with attackers favouring the use of legitimate credentials, session cookies, and API keys for initial access, lateral movement, and privilege escalation.

Using valid accounts remained the top initial access method for the second year running. This approach is often easier and stealthier for attackers than exploiting vulnerabilities or deploying malware, as the traffic appears legitimate.

The impact was particularly severe in ransomware incidents. Half of all identity-based attacks observed by Talos were linked to ransomware or pre-ransomware activities. Furthermore, valid accounts were used for initial access in 69% of the ransomware attacks they responded to.

Other common motives for identity attacks included credential theft for sale to initial access brokers (nearly a third of incidents), data theft for espionage (10%), and financial fraud (8%).

Talos identified common enterprise weaknesses enabling these attacks:

  • Poor Active Directory Security: Targeted in 44% of identity attacks, often due to misconfigurations or insufficient policies.
  • Excessive Privileges: Granting users more access than necessary.
  • Weak Passwords: Including default credentials.
  • MFA Deficiencies: This was the leading issue. In compromised organisations, 24% lacked MFA enrollment, 22% didn't have it fully enabled across all necessary services, and 19% specifically lacked MFA on VPNs.

The report underscores the critical need for organisations to prioritise identity and access management (IAM) security, focusing on robust MFA implementation, least privilege principles, and diligent Active Directory hygiene.

CyberScoop | "Identity lapses ensnared organizations at scale in 2024"

Oracle Scrubs Evidence, Continues to Deny Breach

Two Oracle data security breaches have been reported, with allegations that the company is downplaying the incidents and potentially removing evidence.

To recap - an actor has claimed to have accessed customer login systems, potentially exposing six million records, including encrypted SSO and LDAP passwords, and security certificates. Oracle denied any breach of Oracle Cloud, but evidence, including a 10,000-line sample of stolen data, was provided to Alon Gal of Hudson Rock, who verified its legitimacy with Oracle customers.

CloudSEK also confirmed the breach, attributing it to the exploitation of CVE-2021-35587, a years-old vulnerability in Oracle Access Manager. It's claimed Oracle failed to patch this known flaw on its production SSO servers. Separately, Oracle Health customers were notified of a potential data breach involving stolen credentials.

Security researchers have criticised Oracle's response, accusing the company of using semantics to avoid responsibility and of scrubbing evidence via the Internet Archive's Wayback Machine exclusion process.

The Register | "Oracle Cloud security SNAFU: IT giant accused of pedantry as evidence vanishes"


Analysis of DCRat Malware Delivery Chain

Researchers at the Acronis Threat Research Unit (TRU) have detailed a sophisticated, multi-stage malware delivery chain used to deploy payloads like the DCRat remote access trojan or the Rhadamanthys infostealer.

The attack typically starts with a phishing email, often using social engineering lures like a fake "Summons for account garnishment" (in Spanish) containing a RAR archive. Extracting the archive reveals a heavily obfuscated Visual Basic Script (VBS).

The infection chain proceeds as follows:

  1. The obfuscated VBS script executes, generating a Windows batch (BAT) file.
  2. The BAT file constructs a Base64 encoded string from environment variables, representing a PowerShell script.
  3. The BAT file executes the encoded PowerShell script using the `-command` argument.
  4. The PowerShell script reads the last line of the BAT file, removes marker bytes, and decodes the payload.
  5. The decoded payload is a Windows .NET executable, packed with a custom packer and heavily obfuscated.
  6. This executable is loaded into memory using a RunPE technique (process hollowing).
  7. The final payload (e.g., DCRat) resides within two encrypted data blobs in the executable's resources, decrypted using a simple byte-by-byte XOR operation with the key 0x78.

This multi-stage approach, which chains several scripting languages and layers of obfuscation, aims to bypass traditional security solutions. However, as Acronis notes, the added complexity also introduces more potential points of failure.
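Two of the steps above are plain decoding that an analyst reproduces during triage: stripping the marker bytes from the BAT file's last line and Base64-decoding it (step 4), and XOR-ing the resource blobs with 0x78 (step 7). The Python below is an added example, not Acronis TRU's tooling; the marker string and every payload byte are constructed placeholders, since the write-up does not give the real marker bytes.

```python
"""Added example (not Acronis TRU code): reproduce the two decoding steps of the
chain described above on constructed stand-ins. Step 4: last line of the BAT file,
marker bytes removed, Base64-decoded. Step 7: resource blob XOR-ed with key 0x78.
The marker and all payload bytes are placeholders, not samples from the campaign."""
import base64

XOR_KEY = 0x78      # single-byte key reported for the resource blobs
MARKER = b"::"      # assumed placeholder; the real marker bytes are not in the write-up

def extract_last_line_payload(bat_bytes: bytes, marker: bytes = MARKER) -> bytes:
    """Take the last non-empty line of a BAT file, drop the marker bytes that
    bracket it, and Base64-decode what remains (step 4 of the chain)."""
    lines = [ln for ln in bat_bytes.splitlines() if ln.strip()]
    last = lines[-1].strip()
    if last.startswith(marker) and last.endswith(marker):
        last = last[len(marker):-len(marker)]
    return base64.b64decode(last, validate=True)

def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Byte-by-byte XOR (step 7); XOR is its own inverse, so this also packs."""
    return bytes(b ^ key for b in blob)

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that decoding yielded a Windows executable image."""
    return data[:2] == b"MZ"

# Constructed stand-ins: harmless bytes with an MZ prefix, not real executables.
FAKE_EXE = b"MZ" + b"constructed stand-in, not a real PE image"
FAKE_RESOURCE_PLAINTEXT = b"MZ" + b"constructed inner payload stand-in"
SAMPLE_BAT = (b"@echo off\r\n"
              b"rem constructed BAT stand-in; real dropper lines omitted\r\n"
              + MARKER + base64.b64encode(FAKE_EXE) + MARKER + b"\r\n")
SAMPLE_RESOURCE_BLOB = xor_decode(FAKE_RESOURCE_PLAINTEXT)  # as stored in resources

def triage(bat_bytes: bytes, resource_blob: bytes) -> dict:
    """Run both decoding steps and report whether each produced a PE image."""
    stage5 = extract_last_line_payload(bat_bytes)
    stage7 = xor_decode(resource_blob)
    return {"stage5_is_pe": looks_like_pe(stage5),
            "stage7_is_pe": looks_like_pe(stage7),
            "stage5_len": len(stage5)}

if __name__ == "__main__":
    print(triage(SAMPLE_BAT, SAMPLE_RESOURCE_BLOB))
```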

Bleeping Computer | "We Smell a (DC)Rat: Revealing a Sophisticated Malware Delivery Chain"


CISA Warns of Resurge Malware Targeting Ivanti Flaw

CISA is warning Ivanti users about a new malware strain, dubbed Resurge, actively exploiting a previously patched vulnerability. This malware targets Ivanti Connect Secure, Policy Secure, and ZTA Gateway products by leveraging CVE-2025-0282.

This critical stack-based buffer overflow, which allows unauthenticated remote code execution, was notably exploited as a zero-day by the Spawn malware family earlier this year before patches were released. Resurge appears to incorporate elements from Spawn (specifically the Spawn Chimera variant).

Once it infects a device, Resurge can:

  • Create web shells for remote control.
  • Bypass system integrity checks.
  • Modify files.
  • Harvest credentials.
  • Create accounts and reset passwords.
  • Grant elevated permissions to attackers.

Due to its ability to embed itself deeply and bypass checks, CISA advises that the only way to ensure complete removal is to perform a factory reset using a known clean image, after backing up the configuration. Following the reset, CISA recommends resetting passwords for *all* privileged, non-privileged, domain, and local accounts, paying special attention to the krbtgt account (resetting it twice).

Ivanti reiterated that patching instructions released in January, which include performing a factory reset, effectively remediate the vulnerability and urged customers to ensure they are on the latest version (22.7R2.6).

The Register | "CISA spots spawn of Spawn malware targeting Ivanti flaw"

Critical Auth Bypass Bug in CrushFTP Exploited in Attacks

Heads up, CrushFTP admins! A critical authentication bypass vulnerability, tracked as CVE-2025-2825, is now being actively exploited in the wild.

The flaw affects unpatched versions of CrushFTP v10 and v11, allowing remote attackers to gain unauthenticated access to vulnerable servers. Patches were released by CrushFTP on March 21st, with an urgent warning to update immediately.

Exploitation attempts surged after ProjectDiscovery published technical details and a proof-of-concept (PoC) exploit last week. Threat monitoring service Shadowserver reported detecting dozens of exploitation attempts hitting its honeypots, originating from multiple IP addresses. As of March 30th, they observed over 1,500 unpatched instances still exposed online and vulnerable.

💡
File transfer solutions like CrushFTP are prime targets for attackers, particularly ransomware groups like Clop, who have previously exploited zero-days in similar products (MOVEit, GoAnywhere, Accellion FTA) for large-scale data theft.

If you haven't patched CVE-2025-2825 yet (to versions 10.8.4+ or 11.3.1+), do it ASAP. As a temporary mitigation, enabling the DMZ perimeter network option can offer some protection.

Bleeping Computer | "Critical auth bypass bug in CrushFTP now exploited in attacks"


Apple Backports Zero-Day Patches to Older iPhones and Macs

Apple has released security updates that backport fixes for actively exploited zero-day vulnerabilities to older versions of its operating systems. This includes:

  • CVE-2025-24200 (USB Restricted Mode bypass): Patched in iOS/iPadOS 16.7.11 & 15.8.4.
  • CVE-2025-24201 (WebKit sandbox escape): Patched in iOS/iPadOS 16.7.11 & 15.8.4.
  • CVE-2025-24085 (Core Media privilege escalation): Patched in iPadOS 17.7.6, macOS Sonoma 14.7.5 & Ventura 13.7.5.

Apple also released security updates for the latest stable branches of its operating systems and software like Safari and Xcode. Specifically, the latest update for iOS 18.4 and iPadOS 18.4 fixes 77 vulnerabilities, and macOS Sequoia 15.4 addresses 123 vulnerabilities.

Bleeping Computer | "Apple backports zero-day patches to older iPhones and Macs"

CyberScoop | "Apple issues fixes for vulnerabilities in both old and new OS versions"


UK Threatens £100K-a-Day Fines Under New Critical Infrastructure Cyber Bill

The UK government has laid out the details of its upcoming Cyber Security and Resilience (CSR) Bill, designed to significantly update and strengthen the existing Network and Information Systems (NIS) regulations from 2018.

Key confirmed pillars of the bill include:

  • Expanded Scope: Bringing critical digital service providers, notably Managed Service Providers (MSPs), explicitly under the regulations.
  • Enhanced Enforcement: Granting regulators more power, including improved information-gathering capabilities for the ICO.
  • Mandatory Incident Reporting: Requiring regulated entities to report significant incidents (impacting confidentiality, integrity, or availability – not just service continuity) to their regulator and the NCSC within 24 hours of awareness, followed by a full report within 72 hours. This is stricter than EU NIS2 or US CIRCIA reporting timelines.
  • Adaptability: Allowing the government to update the regulations more flexibly (e.g., bringing new sectors into scope) without needing a full Act of Parliament.
  • Supply Chain Duties: Enabling stronger supply chain security requirements for essential service operators and digital service providers via secondary legislation.

Additional measures under consideration include:

  • Bringing datacenters formally into scope (following their designation as CNI).
  • Establishing a unified set of strategic objectives for all regulators.
  • Giving the government power to issue ad-hoc directives to specific organisations to address urgent threats, potentially backed by daily fines of up to £100,000 or 10% of turnover for non-compliance.

Technology Secretary Peter Kyle stated the bill aims to address vulnerabilities and improve resilience, citing recent attacks like Synnovis and the MoD contractor breach as evidence of the need for stronger defences. NCSC CEO Richard Horne welcomed the bill as a "landmark moment."

The Register | "UK threatens £100K-a-day fines under new cyber bill"

The Record | "UK sets out new cyber reporting requirements for critical infrastructure"


Russia Tightens Cybersecurity Measures Amid Rising Cyber Fraud

Russian President Vladimir Putin has enacted legislation to bolster cyber security in response to escalating financial cybercrime. The new law restricts the use of foreign messaging apps by state institutions, banks, and major digital platforms with over 500,000 daily users. Organisations must also label incoming calls with official names to combat identity scams. A state-run information system will track cyber offenders.

This move comes after a record 27.5 billion rubles ($300 million) were stolen from Russian bank accounts in 2024, a 74.4% increase from the previous year. Data leaks, including 286 million phone numbers and 96 million email addresses, have exacerbated the problem.

Putin previously banned cyber security services from "unfriendly" countries and is pushing for digital isolation, favouring state-controlled infrastructure. Recent internet outages, attributed to issues with "foreign server infrastructure," may be linked to the blocking of Cloudflare.

The Record | "Russia tightens cybersecurity measures as financial fraud hits record high"


European Commission's Push for Lawful Access to Encrypted Data and Enhanced Europol Role

The European Commission has unveiled a new internal security strategy, dubbed ProtectEU, signalling its intent to tackle evolving threats and join the contentious debate around end-to-end encryption (E2EE).

While short on specific policy details, the strategy outlines its key goals:

  • Strengthening Europol: Transforming it into a more operational agency, akin to the U.S. FBI, to handle complex cross-border cases.
  • Lawful Access & Encryption: Creating roadmaps to explore "lawful and effective access to data for law enforcement," including assessing technological solutions for accessing encrypted data while safeguarding rights and cybersecurity – a historically controversial goal.
  • Intelligence Sharing: Enhancing cooperation via the EU's Single Intelligence Analysis Capacity (SIAC), though acknowledging the political challenges as security remains a national competence for member states.
  • New Cybersecurity Act: Proposing new legislation, despite acknowledging that existing laws (like NIS2) haven't been fully implemented domestically by all member states.

💡
While the ambition to make the EU "more secure by reinforcing [sic] capabilities, leveraging technology, enhancing cybersecurity, and combatting security threats decisively," is bold, its success hinges on member states' political will to surrender some autonomy and collaborate more effectively - a non-trivial ask in today's climate of rising nationalism in Europe and around the world.

The Record | "European Commission takes aim at end-to-end encryption and proposes Europol become an EU FBI"

