
This Week in Cybersecurity: Looking Back at Week 12

March 21, 2025 Reading Time: 4 minutes

This Week's Headlines


Unpatched Windows Zero-Day Exploited by Multiple State-Sponsored Groups Since 2017

A critical, unpatched Windows zero-day, tracked by Trend Micro's Zero Day Initiative as ZDI-CAN-25373, has been actively exploited since 2017 by 11 state-sponsored threat groups from countries including China, Iran, North Korea and Russia.

This flaw allows attackers to execute hidden malicious commands on victim machines using crafted Windows Shortcut (.LNK) files.

The concealment relies on padding the shortcut's command-line arguments with long runs of whitespace characters, so the Windows file Properties dialog does not display the malicious portion and a casual inspection of the shortcut misses it. Malware families including Lumma Stealer, GuLoader and Remcos RAT have been delivered this way.

Despite the scale of exploitation, Microsoft has rated the issue low severity and currently does not plan to release a fix.
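The padding technique can be checked for directly in the file format. The following Python script is an added example, not code from this post or from Trend Micro's report: it builds a minimal constructed .LNK (ShellLinkHeader, an empty IDList and two StringData fields, so it is not a usable shortcut), parses the COMMAND_LINE_ARGUMENTS string according to the MS-SHLLINK layout, and flags arguments that contain a long whitespace run. The 64-character threshold, the sample arguments and the "Invoice" name are assumptions made for illustration.

```python
import struct

# ShellLinkHeader constants from the MS-SHLLINK specification
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections follow LinkInfo in this fixed order, each present only if its flag is set
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Whitespace characters that can pad COMMAND_LINE_ARGUMENTS out of the Properties dialog's view
PADDING_CHARS = " \t\n\r\x0b\x0c"


def build_lnk(arguments: str, name: str = "Invoice") -> bytes:
    """Constructed sample: header + empty IDList + NAME_STRING + COMMAND_LINE_ARGUMENTS.

    It exercises the parser below; it is not a usable shortcut (it has no link target)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0,           # FileAttributes
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize, then only the TerminalID
    string_data = b"".join(
        struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (name, arguments)
    )
    return header + id_list + string_data


def _read_string(data: bytes, offset: int, unicode: bool):
    """Read one StringData item: CountCharacters (u16) followed by that many characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    # Non-Unicode strings use the system code page; latin-1 stands in for it in this example
    text = raw.decode("utf-16-le") if unicode else raw.decode("latin-1")
    return text, offset + count * width


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file keyed by field name."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size  # LinkInfoSize counts itself
    fields = {}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            fields[key], offset = _read_string(data, offset, bool(flags & IS_UNICODE))
    return fields


def longest_whitespace_run(text: str) -> int:
    best = current = 0
    for ch in text:
        current = current + 1 if ch in PADDING_CHARS else 0
        best = max(best, current)
    return best


def assess_lnk(data: bytes, threshold: int = 64) -> dict:
    """Flag a shortcut whose arguments hide behind a long whitespace run.

    `threshold` is an assumed tuning value for this example, not a figure from the advisory."""
    args = parse_lnk(data).get("arguments", "")
    run = longest_whitespace_run(args)
    return {
        "visible_arguments": args.strip(),
        "argument_length": len(args),
        "longest_whitespace_run": run,
        "suspicious": run >= threshold,
    }


if __name__ == "__main__":
    benign = build_lnk("/c echo hello")
    # Constructed padded sample; a harmless command stands in for a real payload
    padded = build_lnk("\t" * 800 + "/c start notepad.exe")
    for label, sample in (("benign", benign), ("padded", padded)):
        print(label, assess_lnk(sample))
```

To run this over real files, replace the constructed samples with `open(path, "rb").read()`; the parser handles the optional LinkTargetIDList and LinkInfo structures, and the whitespace run, not the argument length alone, is what separates a padded shortcut from an ordinary one with a long command line.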


Active Exploitation of Cisco Smart Licensing Utility Vulnerabilities

Recent reports indicate that attackers are actively exploiting two critical vulnerabilities in Cisco's Smart Licensing Utility, CVE-2024-20439 and CVE-2024-20440. Disclosed and patched in September 2024, the first is a hardcoded static credential for an administrative account that lets an unauthenticated remote attacker log in to the utility's API, and the second lets an unauthenticated attacker retrieve sensitive data, including credentials, from an overly verbose debug log file. The utility only exposes this API while it is running, so the practical exposure is hosts where it was started and left active on a reachable network.

The SANS Technology Institute's Internet Storm Center has observed exploitation attempts against both flaws, with attackers presenting the hardcoded credential to reachable instances.


Over 300 Malicious ‘Vapor’ Apps on Google Play Amass 60 Million Downloads

Security researchers have uncovered a significant ad fraud campaign involving over 300 malicious Android applications, collectively known as ‘Vapor’ apps, on the Google Play Store. These apps, masquerading as utilities, health, fitness, and lifestyle tools, have been downloaded more than 60 million times.

Initially functional to pass Google’s review process, they were later updated to remove legitimate features, hide their icons, and bombard users with intrusive full-screen video ads, rendering devices nearly inoperative. Some apps also attempted to collect user credentials and credit card information through phishing tactics.

While Google has removed these apps from the Play Store, users who have installed them must manually uninstall them to ensure device security.


Critical Fortinet Vulnerability Actively Exploited in Ransomware Attacks

A critical authentication bypass vulnerability, identified as CVE-2025-24472, affects Fortinet's FortiOS (versions 7.0.0 to 7.0.16) and FortiProxy (versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12).

This flaw allows remote attackers to gain super-admin privileges by exploiting weaknesses in how these systems handle Client Server Framework (CSF) proxy requests.

Devices whose FortiGate management interface is reachable from untrusted networks are the ones at risk. Where upgrading is not immediately possible, Fortinet's published workaround is to disable HTTP/HTTPS administrative access or restrict it to trusted source addresses with a local-in policy.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, citing active ransomware campaigns leveraging this flaw.


Compromised GitHub Action Exposes CI/CD Secrets in Over 23,000 Repositories

A recent supply chain attack has compromised the popular GitHub Action 'tj-actions/changed-files', affecting more than 23,000 repositories.

Attackers modified the action's code and retroactively moved multiple version tags to point at a malicious commit, so existing workflows pinned to those tags picked up the change without any edit on the consumer's side. The injected payload ran a Python script that dumped the memory of the runner's worker process and printed the CI/CD secrets it found there, such as AWS access keys, GitHub personal access tokens, npm tokens and private RSA keys, into the GitHub Actions build log. In public repositories those logs are readable by anyone, so the secrets were effectively published.

The compromise occurred before March 14, 2025, and has been assigned CVE-2025-30066 with a CVSS score of 8.6. Users are advised to update to v46.0.1 of the action immediately, audit their workflows for unauthorised changes, and rotate any secrets that were available to workflows run during the affected window. More generally, pin third-party actions to a full commit SHA rather than a tag, since a tag can be moved after the fact, as happened here.
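Because the tags themselves were rewritten, a workflow that referenced `tj-actions/changed-files@v45` pulled the malicious commit without any change on the consumer's side. The following Python checker is an added example, not code from this post or from the tj-actions project: it scans workflow text for `uses:` references resolved by a mutable tag, branch or image tag rather than a full 40-character commit SHA or image digest. The workflow text and the SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # v46.0.1
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference by how it is pinned."""
    if ref.startswith("./"):
        return "local"            # action in the same repository, moves with the checkout
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "mutable"  # image digest vs floating tag
    if "@" not in ref:
        return "unpinned"         # default branch of the action repository
    version = ref.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(version) else "mutable"  # a tag or branch can be moved


def find_mutable_refs(workflow_text: str) -> list:
    """Return (line_number, reference, kind) for every step not pinned to an immutable ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_uses(ref)
        if kind in ("mutable", "unpinned"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({kind})")
```

The trailing `# v46.0.1` comment on the SHA-pinned line is the usual convention for recording which release a SHA corresponds to; the SHA is what GitHub resolves, so moving the tag later has no effect on that step.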


Hackers Exploit Critical PHP Flaw to Deploy Quasar RAT and XMRig Miners

Cybercriminals are actively exploiting a critical vulnerability in PHP, identified as CVE-2024-4577, to distribute malware such as the Quasar Remote Access Trojan (RAT) and XMRig cryptocurrency miners.

The flaw affects Windows hosts running PHP in CGI mode (including php-cgi exposed through Apache) in locales where Windows' Best-Fit character conversion maps a soft-hyphen byte (0xAD) to an ASCII hyphen after PHP's argument check, which lets a crafted query string smuggle php-cgi command-line options past the fix for CVE-2012-1823 and achieve remote code execution. Traditional Chinese, Simplified Chinese and Japanese locales are confirmed affected; others may be. Since late 2024 there has been a notable increase in exploitation attempts, concentrated in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%) and India (0.33%).

Attackers use the vulnerability to perform reconnaissance, deploy payloads and, in some cases, alter Windows firewall rules to block other attackers' access to the same host. Administrators are strongly advised to update PHP promptly, or to move from CGI to FastCGI/PHP-FPM, which is not affected, and to restrict the use of tools such as PowerShell on web servers to limit what a successful exploit can do.
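The following Python detector is an added example, not code from this post or from Cisco Talos: it scans constructed access-log lines for the soft-hyphen byte (0xAD) that the Best-Fit conversion turns into the `-` of a php-cgi option, and for the ini directives typically injected alongside `-d`. The log lines, client addresses and paths are constructed samples; the fourth line uses a literal `%2D` hyphen, which the 2012 fix already blocks, and serves as a negative control.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not real traffic); addresses and paths are placeholders
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:14:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2025:09:14:07 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 77
198.51.100.2 - - [10/Mar/2025:09:15:22 +0000] "GET /test.php?%ADs HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2025:09:16:00 +0000] "GET /info.php?%2Dd+display_errors%3d1 HTTP/1.1" 200 33
"""

SOFT_HYPHEN = 0xAD  # Best-Fit maps this byte to '-' in the affected code pages
# ini directives commonly injected with -d to turn the request body into executable PHP
INJECTED_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "auto_append_file", "disable_functions")


def extract_request_target(line: str):
    """Pull the request target out of the quoted "METHOD TARGET PROTOCOL" field."""
    start = line.find('"')
    end = line.find('"', start + 1)
    if start == -1 or end == -1:
        return None
    parts = line[start + 1:end].split(" ")
    return parts[1] if len(parts) >= 2 else None


def php_cgi_injection_indicators(target: str) -> list:
    """Return indicators of CVE-2024-4577-style option injection found in the query string."""
    query = target.partition("?")[2]
    if not query:
        return []
    raw = unquote_to_bytes(query)  # decode %XX so the 0xAD byte becomes visible
    indicators = []
    for i in range(len(raw) - 1):
        if raw[i] == SOFT_HYPHEN and raw[i + 1:i + 2].isalpha():
            hit = "soft-hyphen option -" + chr(raw[i + 1])
            if hit not in indicators:
                indicators.append(hit)
    lowered = raw.lower()
    for directive in INJECTED_DIRECTIVES:
        if directive.encode() in lowered:
            indicators.append("ini directive " + directive)
    return indicators


def scan_access_log(text: str) -> list:
    """Return one finding per log line carrying injection indicators."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        target = extract_request_target(line)
        if not target:
            continue
        indicators = php_cgi_injection_indicators(target)
        if indicators:
            hits.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "target": target,
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["indicators"])
```

Decoding the query to bytes before matching matters: the soft hyphen arrives percent-encoded, and a check on the undecoded string would miss variants that encode it differently. A hit on `-s` alone (php-cgi's source-dump switch) is a probe rather than code execution, but it comes from the same scanner traffic and is worth alerting on.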



Postal address: The BASE Enterprise Centre, Railway Road, Stranorlar, Co. Donegal, Ireland, F93 VAK6

Phone: IE: +353 74 970 7876 | UK: +44 20 4538 2818

To learn more about your data and privacy rights, visit our Privacy Statement.