
Chinese cyberespionage spreads - CitrixBleed 2? - Switzerland targeted

Author:
Threat Research Team
Published on
June 26, 2025
Weekly Report

Salt Typhoon compromises Canadian Telcos with a Cisco vulnerability

In mid-February, the Chinese state-sponsored group Salt Typhoon exploited a critical Cisco vulnerability (CVE-2023-20198) in an attempt to breach several Canadian organizations, including telecommunications providers. This is the same vulnerability previously used in Salt Typhoon’s late 2024 campaign targeting nine major U.S. telecom companies. According to Canada's national cybersecurity agency, the attackers retrieved configuration files from three devices, and on at least one device, they modified the configuration to establish a GRE tunnel, enabling traffic interception from the network. Meanwhile, Viasat confirmed that it had also been impacted by the 2024 campaign but reported no evidence of customer data being affected.

[mitigate] Apply Cisco detection rules "Network Flow - CURRENT_EVENTS Related IP Observed" and "Suspicious Connection - CURRENT_EVENTS Related IP Observed"; track with Tenable plugins 114231, 184452, 501759, 183312 and 183167 [/mitigate]
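The intrusion above ended with a modified device configuration that added a GRE tunnel. Comparing a retrieved running-config against a baseline of approved tunnel peers catches that change; the script below is an added example, not Cisco's or the agency's tooling, and it assumes a constructed IOS-style config and a hypothetical approved-peer set.

```python
# Constructed sample running-config: Tunnel0 is the known site-to-site link,
# Tunnel100 is an unexpected tunnel to a peer that is not in the baseline.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel100
 ip address 10.99.99.1 255.255.255.0
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Assumed baseline of tunnel peers approved by the network team (hypothetical)
APPROVED_TUNNEL_PEERS = {"198.51.100.10"}

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def find_unapproved_tunnels(config: str, approved_peers: set) -> list:
    """Return (interface, destination) for GRE tunnels whose peer is not in the baseline.
    IOS tunnels default to 'tunnel mode gre ip' when no mode is configured."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        mode = next((l.split(None, 2)[2] for l in lines if l.startswith("tunnel mode ")), "gre ip")
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        if mode.startswith("gre") and dest not in approved_peers:
            findings.append((name, dest))
    return findings
```

Run it against a config pulled from each device on a schedule; any tunnel it reports that nobody provisioned is worth an incident ticket.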

A Chinese APT's SOHO router infrastructure targets IT, media, and real estate

Since September 2023, a Chinese cyberespionage campaign known as LapDogs has built an infrastructure of over 1,000 compromised SOHO (small office/home office) routers, infected with the ShortLeash backdoor. The operation primarily targets organizations in the US and East Asia, focusing on sectors such as IT, media, networking, and real estate. Most affected devices are wireless routers from Ruckus and Buffalo Technology, likely compromised through unpatched vulnerabilities (including CVE-2015-1548 and CVE-2017-17663). The campaign is attributed to UAT-5918, a Chinese group with operational overlaps with known Chinese APTs such as Flax Typhoon and Volt Typhoon.

A ransomware group compromises 19 high-profile Swiss companies

The ransomware group Worldleaks, formerly known as Hunters International, recently leaked 1.9 million files containing business information from 19 Swiss companies, including major players such as the bank UBS, the leading wealth management firm Pictet, the largest Swiss department store Manor, and the real estate and construction company Implenia. The breach stemmed from the compromise of ChainIQ, a Swiss procurement services provider, where the attackers maintained persistence for nearly nine hours. Worldleaks is a Russian cybercrime group that typically gains access through phishing attacks and RDP vulnerabilities, and is known for having targeted high-profile organizations such as AutoCanada, ICBC, and Tata.

A Microsoft vulnerability, unpatched and exploited since 2017, used against Russia

The cyberespionage group Silent Werewolf (aka XDSpy) has been conducting a multi-stage campaign against targets in Russia and Moldova, using a custom infostealer called XDigo. Initial access was achieved by exploiting a Windows RCE vulnerability triggered via malicious .LNK files, crafted to evade inspection by Windows while delivering the payload. The vulnerability, tracked as ZDI-CAN-25373 by Trend Micro but not yet assigned a CVE ID and not fixed by Microsoft, has been actively exploited by at least 11 state-sponsored groups since 2017.

[mitigate] Apply Splunk detections “Windows Explorer LNK Exploit Process Launch With Padding” and “Windows SSH Proxy Command” [/mitigate]

Various Exchange vulnerabilities leveraged against 70 organizations

An unidentified threat actor has launched a broad credential theft campaign by injecting keylogger code into the Microsoft Exchange login page, exploiting multiple Microsoft vulnerabilities to do so. Over 70 organizations across sectors such as banking, government, education, and IT have been impacted. The attacker leveraged a combination of flaws, including ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), ProxyShell (CVE-2021-31206, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523), a flaw in Windows SMBv3 (CVE-2020-0796), and a Windows IIS security bypass vulnerability (CVE-2014-4078).

Prometei botnet resurfaces

A new variant of the Prometei botnet, active since 2020, has been observed infecting numerous devices globally in recent months. Designed to target both Linux and Windows environments, Prometei is multi-purpose and used for cryptomining and credential harvesting. The botnet gains initial access through brute-force attacks, then moves laterally by exploiting the infamous Windows EternalBlue vulnerability (CVE-2017-0144) as well as other flaws in the Server Message Block (SMB) protocol.

[mitigate] Detect with Snort rule 1:41978; apply Trend Micro IPS rules 1008224, 1008228, 1008225, 1008227 [/mitigate]

A privilege escalation vulnerability in the Linux kernel exploited

A privilege escalation vulnerability in the Linux kernel (CVE-2023-0386), patched in 2023, is now being actively exploited in the wild. The flaw is relatively easy to exploit: it tricks the kernel into creating a SUID binary, which grants elevated permissions.

High concern over "CitrixBleed 2"

A recently identified vulnerability in Citrix NetScaler ADCs and Gateways (CVE-2025-5777) has raised significant security concerns. The flaw allows unauthenticated attackers to exfiltrate session tokens from Internet-facing NetScaler devices through maliciously crafted requests. It is considered very similar to CitrixBleed (CVE-2023-4966), an infamous vulnerability exploited against thousands of organizations in late 2023.

The US warns of Iranian cyber retaliation

The Department of Homeland Security warned of a rise in Iranian cyberattacks following the recent conflict in the Middle East. Meanwhile, a significant increase in DDoS attacks targeting Israeli entities has been observed, with Israel now accounting for 40% of global DDoS victims. The Iranian group Handala has also claimed responsibility for data breaches affecting an Israeli shipping company and the Weizmann Institute of Science. Additionally, pro-Israeli groups reported operations that disrupted Bank Sepah's ATM systems, Iranian state television broadcasts and Iran's largest cryptocurrency exchange, Nobitex.
