A PHP-CGI vulnerability strikes again

Since early 2025, more than 1K malicious IP addresses have been observed leveraging a RCE vulnerability (CVE-2024-4577)in the PHP-CGI implementation of PHP on Windows hosts. The vulnerability was first exploited in June 2024 by TellYouThePass ransomware and against a Taiwanese university, and is now widely used against Japanese companies from various sectors. The campaign is apparently also expanding to include a few victims in the US, Singapore and other Asian countries. Discovered in mid-2024, the vulnerability was considered exploitable only against hosts with installed Chinese or Japanese locales - but since then the number of available exploits has grown and no less than 79 have been made public. Attackers were observed using the flaw to harvest NTLM hashes and other credentials - but it is apparently also leveraged for wider purposes such as persistence, privilege escalation to SYSTEM and access to adversarial frameworks.

‍

[mitigate]In Akamai Adaptive Security Engine, make sure Command Injection Attack group (including rules 969151 v1, 959977 v1, 3000155 v1, 3000171 v3) is in “deny” mode; Monitor with Wiz query “Critical RCE vulnerability in PHP CGI”. [/mitigate]

Silk Typhoon shifts to target IT Supply Chain

Around its breach of the US Treasury in December 2024, the Chinese state actor Silk Typhoon (aka Hafnium) has apparently shifted its strategy to target IT supply chain companies- identity management, privileged access management, and RMM solutions. Accordingly, rather than focusing on vulnerability exploitation in edge devices to gain initial access, it growingly abuses stolen API keys and compromised credentials to laterally move inside Cloud environments. However, alongside its new tactics, the group continues to exploit vulnerabilities and was recently observed leveraging a PE flaw in Ivanti Pulse Connect VPN (CVE-2025-0282). In 2024, it has been spotted exploiting vulnerabilities in Palo Alto PAN-OS (CVE-2024-3400) and Citrix NetScaler (CVE-2023-3519) – while in the past it had a preference for Microsoft Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).

‍

‍

Akira gains initial access through webcam vulnerabilities

Akira, a well-known cybercrime group, has used critical vulnerabilities in webcams to deploy its ransomware. The group identified vulnerable webcams running a lightweight Linux OS and lacking any EDR protection. Followingly, it spread its malware abusing the fact that Server Message Block (SMB) traffic from a webcam to an impacted server is usually unmonitored.

‍

‍

Various botnets use a flaw in Edimax IP Cameras

Since mid-2024, multiple botnet groups have exploited a RCE vulnerability in Edimax IP cameras (CVE-2025-1316) to ensnare devices. Although exploitation requires prior authentication, in many cases hackers successfully authenticated with default passwords. Edimax claimed in response that, since the targeted cameras are considered legacy products, no patch will be released.

‍

HellCat attacks high profile companies

A hacker nicknamed “Rey”, serving as a prominent member of the HellCat ransomware group, recently took credit for attacks against high profile companies, such as Zurich Insurance, the French telecom Orange and Jaguar Land Rover. Hellcat is a recently established group led by a Moroccan teenager and famous for having infiltrated the Jira environments of Telefonica and Schneider Electric. It is allegedly specialized in exploiting niche software vulnerabilities.

‍

A South American APT widely leverages a NTLM disclosure flaw

A South American APT named Blind Eagle (aka APT-C-36) has partly pivoted from phishing methods to vulnerability exploitation, as it utilized a NTLM disclosure flaw (CVE-2024-43451) and successfully compromised 1.6K Colombian government targets. The attacks started in November 2024, six days after Microsoft’s patch release and a few days after a Russian campaign targeted the same vulnerability against Ukrainian entities.

‍

[mitigate]Enable Extended Protection for Authentication (EPA) on Active Directory Certificate Services (AD CS), Lightweight Directory Access Protocol (LDAP), and Exchange Servers[/mitigate]

An Indian APT makes use of an Office flaw for years

A sophisticated Indian APT named SideWinder has exploited an old Microsoft Office memory corruption vulnerability (CVE-2017-11882) in a new campaign against maritime, logistics and nuclear organizations in African and Asian countries. The group has been using the same vulnerability for many years, successfully breaching high-profile government organizations and critical infrastructures. The vulnerability is triggered when the victim opens a malicious RTF file sent through a phishing email.

‍

Apply Palo Alto Threat Prevention Signature 36804; Update registry key [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}] with "Compatibility Flags"=dword:00000400

A coordinated campaign targeting SSRF vulnerabilities

On March 9 a surge in the exploitation of SSRF vulnerabilities was observed, as 400 malicious IP addresses suddenly started to exploit SSRF flaws simultaneously, apparently in a coordinated campaign. The attacks targeted victims in the US, Germany, Singapore, India, Japan and Israel. A list of 11 vulnerabilities is concerned, including DoNetNuke (CVE-2017-0929), an Ivanti Connect Secure flaw (CVE-2024-21893) and old VMware vulnerabilities (CVE-2021-22054, CVE-2021-21973)

‍

Apple fixed a WebKit vulnerability

Apple patched a WebKit vulnerability (CVE-2025-24201) allowing an attacker to escape the Web Content sandbox by crafting malicious web content. According to Apple, the vulnerability has been already exploited in “extremely sophisticated attackagainst specific targeted individuals”.

‍

Microsoft just patched a kernel zero-day exploited since 2023  

In its latest “Patch Tuesday”, Microsoft patched no less than seven zero-days, including a kernel flaw (CVE-2025-24983) allowing to elevate privileges to SYSTEM and exploited since 2023. Three vulnerabilities in Windows NTFS were also fixed: an information disclosure flaw (CVE-2025-24984), exploitable only by attackers with physical access; another vulnerability (CVE-2025-24991) used by attackers to trick users into mounting a malicious VHD file; and a similar flaw (CVE-2025-24993) allowing for RCE.

‍

Medusa Ransomware is growing

The number of Medusa’s attacks has grown by 42% from 2023 to 2024. Medusa is a well-known double extortion ransomware group that, since its emergence in early 2023, has compromised more than 400 victims in sectors such as healthcare, manufacturing or education. It primarily uses vulnerability exploitation to gain initial access, with a preference for Microsoft Exchange, Citrix and VMware ESXi flaws.

‍