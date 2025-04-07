Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day.

Hackers don't need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough.

This week, we trace how simple oversights turn into major breaches — and the silent threats most companies still underestimate.

Let's dive in.

⚡ Threat of the Week

UNC5221 Exploits New Ivanti Flaw to Drop Malware — The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite. Ivanti had already fixed the bug in Connect Secure 22.7R2.6 on February 11, 2025, which indicates that the threat actors studied the patch and worked out how to exploit the earlier, unpatched versions still running in the wild. UNC5221 is believed to share overlaps with clusters tracked by the broader cybersecurity community under the monikers APT27, Silk Typhoon, and UTA0178.

🔔 Top News

EncryptHub Unmasked as a Likely Lone Wolf Actor — An up-and-coming threat actor operating under the alias EncryptHub has been exposed due to a series of operational security blunders. What distinguishes EncryptHub from other typical cybercriminals is the dichotomy of their online activities: while conducting malicious campaigns, the individual simultaneously contributed to legitimate security research, even receiving acknowledgment from the Microsoft Security Response Center (MSRC) last month for discovering and reporting CVE-2025-24061 and CVE-2025-24071. Another interesting aspect of EncryptHub is their use of OpenAI's ChatGPT as a "partner in crime," leveraging it for malware development and translation tasks. In some particularly revealing conversations with the artificial intelligence (AI) chatbot, EncryptHub asked it to evaluate whether he was better suited to be a "black hat or white hat" hacker and whether he would be better off as "a cool hacker or a malicious researcher," even going to the extent of confessing to his criminal activities and the exploits he had developed. "When people think of cybercriminals, they tend to imagine high-tech, government-backed teams and elite hackers using cutting-edge technology," Outpost24 said. "However, many hackers are normal people who at some point decided to follow a dark path."

‎️‍🔥 Trending CVEs

Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week's list includes — CVE-2025-22457 (Ivanti Connect Secure, Policy Secure, and ZTA Gateway), CVE-2025-30065 (Apache Parquet), CVE-2024-10668 (Google Quick Share for Windows), CVE-2025-24362 (github/codeql-action), CVE-2025-1268 (Canon), CVE-2025-1449 (Rockwell Automation Verve Asset Manager), CVE-2025-2008 (WP Ultimate CSV Importer plugin), CVE-2024-3660 (TensorFlow Keras), CVE-2025-20139 (Cisco Enterprise Chat and Email), CVE-2025-20212 (Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series), CVE-2025-27520 (BentoML), CVE-2025-2798 (Woffice CRM theme), CVE-2025-2780 (Woffice Core plugin), CVE-2025-31553 (WPFactory Advanced WooCommerce Product Sales Reporting plugin), CVE-2025-31579 (EXEIdeas International WP AutoKeyword plugin), and CVE-2025-31552 (RSVPMarker plugin).

📰 Around the Cyber World

Oracle Privately Confirms Data Breach — Enterprise computing giant Oracle is reportedly informing its customers in private that hackers compromised a "legacy" Oracle environment, exposing usernames, passkeys, and encrypted passwords, contradicting its consistent public denial of the incident. "The company informed customers that the system hasn't been in use for eight years and that the stolen client credentials therefore pose little risk," Bloomberg reported. An investigation by the U.S. Federal Bureau of Investigation (FBI) and CrowdStrike is reportedly ongoing. This is the second breach the company has acknowledged to clients in recent weeks; the intrusion is assessed to be separate from the hack at Oracle Health (formerly Cerner) that affected some U.S. healthcare customers last month. News of the breach came to light after an unidentified threat actor named "rose87168" attempted to sell data on BreachForums that they claimed to have stolen from the company's cloud servers. Multiple cybersecurity companies, including Black Kite, CloudSEK, CybelAngel, Hudson Rock, Orca Security, SOCRadar, Sygnia, and Trustwave, have analyzed the data posted for sale and assessed it as genuinely extracted from Oracle. The attacker is believed to have exploited an unpatched vulnerability in Oracle Fusion Middleware (CVE-2021-35587, an Oracle Access Manager flaw) to compromise Oracle Cloud's login and authentication system and steal the data. "This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a web shell along with malware," CybelAngel said. "The malware specifically targeted the Oracle IDM database and was able to exfil data." Security researcher Kevin Beaumont said "Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility," adding "Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on 'Oracle Cloud' by using this scope — but it's still Oracle cloud services that Oracle manage. That's part of the wordplay." CloudSEK has developed an online tool that allows organizations to check whether they are impacted by the data breach. Oracle's private acknowledgment also comes just days after the company was hit with a class action lawsuit over its handling of the security event.

🎥 Expert Webinar

Shadow AI Is Already Inside Your Apps — Learn How to Lock It Down — AI tools are flooding your environment — and most security teams can't see half of them. Shadow AI is quietly connecting to critical systems like Salesforce, creating hidden risks that traditional defenses miss. Join Dvir Sasson, Director of Security Research at Reco, to uncover where AI threats are hiding inside your SaaS apps, real-world attack stories, and how leading teams are detecting and shutting down rogue AI before it causes real damage.

Secure Every Step of the Identity Lifecycle — Before Attackers Exploit It — Today's attackers are using AI-driven deepfakes and social engineering to bypass weak identity defenses. Securing the entire identity journey — from enrollment to daily access to recovery — is now essential. Join Beyond Identity and Nametag to learn how enterprises are blocking account takeovers, securing access with phishing-resistant MFA and device trust, and defending against AI threats with Deepfake Defense™.

🔧 Cybersecurity Tools

GoResolver — Golang malware is tough to reverse — obfuscators like Garble hide critical functions. GoResolver, Volexity's open-source tool, uses control-flow graph similarity to recover hidden function names and reveal package structures automatically. Integrated with IDA Pro and Ghidra, it turns opaque binaries into readable code faster. Available now on GitHub.

Matano — A serverless, cloud-native security data lake built for AWS that gives security teams full control over their logs without vendor lock-in. It normalizes unstructured security data in real time, integrates with 50+ sources out of the box, supports detections-as-code in Python, and transforms logs with VRL scripting. Data is stored in open Apache Iceberg tables normalized to the Elastic Common Schema (ECS), so you can query it with tools like Athena or Snowflake, write real-time detections, and cut SIEM costs while keeping ownership of your security analytics.

🔒 Tip of the Week

Detecting Threats Early by Tracking First-Time Connections — Most attackers leave their first real clue not with malware, but when they log in for the first time — from a new IP, device, or location. Catching "first-time" access events is one of the fastest ways to spot breaches early, before attackers blend into daily traffic. Focus on critical systems: VPNs, admin portals, cloud dashboards, and service accounts.

You can automate this with free tools like Wazuh (detects new devices and IPs), osquery (queries unknown endpoints), or Graylog (builds alerts for unfamiliar connections). More advanced setups like Microsoft Sentinel or CrowdStrike Falcon also offer "first seen" detection at scale. Simple rules, such as alerting when an admin account logs in from a new country or an unexpected device accesses sensitive data, can trigger early alarms without waiting for malware signatures. Two details matter: learn the baseline from successful logins only, so a failed guess from an attacker's IP never becomes "known," and scope the baseline per user, since an IP that is normal for one account is still new for another.

Pro Move: Baseline your "known" users, IPs, and devices over a learning window of successful logins, then flag anything new, and fold a new value into the baseline only after someone has confirmed it is legitimate; otherwise an attacker's first login is "known" by their second. Bonus points if you combine this with honeytokens (fake credentials) to catch intruders actively probing your network: any use of a honeytoken is an alert, whether or not the login succeeds. Remember: attackers can steal credentials, bypass MFA, or hide malware, but a first login from an unfamiliar source is hard to disguise unless they tunnel through a host or residential proxy you already trust, so treat first-seen events as a high-value signal rather than proof on their own.
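The baseline-then-flag logic described in this tip, as an added example that is not part of the original post and is not code from Wazuh, osquery, Graylog, Sentinel, or any other tool named here. The JSON event format and field names, the lists of critical systems and admin accounts, and the honeytoken account name are all assumptions made for the demonstration, and every log line is constructed. It learns a per-user baseline from successful logins, alerts on the first appearance of a new IP, country, or device, escalates for admin accounts and honeytoken use, and parks alerted values in a pending set so a repeat login neither re-alerts nor silently becomes "known" before an analyst confirms it:

```python
"""First-seen access detection over constructed authentication events.

Added example; not code from any tool named on the page. The event
fields, the critical-system and admin lists, and the honeytoken account
are assumptions for the demonstration; every log line is constructed.
"""
import json
from collections import defaultdict

CRITICAL_SYSTEMS = {"vpn", "admin-portal", "cloud-console"}   # assumed
ADMIN_USERS = {"alice.admin"}                                   # assumed
HONEYTOKEN_USERS = {"svc-backup-legacy"}   # fake credential nobody should ever use
TRACKED = ("src_ip", "country", "device_id")   # attributes baselined per user

# Learning window: constructed successful logins that define "known".
BASELINE_LOG = """\
{"ts":"2025-03-01T08:02:11Z","user":"alice.admin","system":"admin-portal","src_ip":"203.0.113.10","country":"DE","device_id":"LAPTOP-ALICE","result":"success"}
{"ts":"2025-03-02T08:05:40Z","user":"alice.admin","system":"vpn","src_ip":"203.0.113.10","country":"DE","device_id":"LAPTOP-ALICE","result":"success"}
{"ts":"2025-03-03T09:12:03Z","user":"bob","system":"wiki","src_ip":"198.51.100.7","country":"DE","device_id":"LAPTOP-BOB","result":"success"}
{"ts":"2025-03-04T09:15:21Z","user":"bob","system":"vpn","src_ip":"198.51.100.7","country":"DE","device_id":"LAPTOP-BOB","result":"success"}
"""

# Detection window: constructed events to evaluate against the baseline.
NEW_LOG = """\
{"ts":"2025-04-07T02:41:09Z","user":"alice.admin","system":"vpn","src_ip":"192.0.2.55","country":"BR","device_id":"WIN-7K2Q","result":"success"}
{"ts":"2025-04-07T02:43:30Z","user":"alice.admin","system":"vpn","src_ip":"192.0.2.55","country":"BR","device_id":"WIN-7K2Q","result":"success"}
{"ts":"2025-04-07T03:10:00Z","user":"bob","system":"wiki","src_ip":"198.51.100.99","country":"DE","device_id":"LAPTOP-BOB","result":"success"}
{"ts":"2025-04-07T03:12:45Z","user":"svc-backup-legacy","system":"vpn","src_ip":"192.0.2.55","country":"BR","device_id":"WIN-7K2Q","result":"failure"}
{"ts":"2025-04-07T08:00:12Z","user":"bob","system":"vpn","src_ip":"198.51.100.7","country":"DE","device_id":"LAPTOP-BOB","result":"success"}
"""


def parse(log):
    """Parse JSON-lines text into a list of event dicts."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


class FirstSeenDetector:
    def __init__(self):
        # user -> attribute -> values confirmed as legitimate
        self.known = defaultdict(lambda: defaultdict(set))
        # same shape; values that already fired an alert and await analyst review
        self.pending = defaultdict(lambda: defaultdict(set))

    def learn(self, events):
        """Build the baseline from successful logins only; failures never become 'known'."""
        for ev in events:
            if ev["result"] == "success":
                for attr in TRACKED:
                    self.known[ev["user"]][attr].add(ev[attr])

    def confirm(self, user):
        """Analyst verified the user's pending values: fold them into the baseline."""
        for attr, values in self.pending.pop(user, {}).items():
            self.known[user][attr] |= values

    def _novel(self, ev):
        """Attributes of ev never seen for this user, in the baseline or pending."""
        user = ev["user"]
        return [a for a in TRACKED
                if ev[a] not in self.known[user][a] and ev[a] not in self.pending[user][a]]

    def check(self, ev):
        """Return an alert dict for ev, or None when nothing is new."""
        user, system = ev["user"], ev["system"]
        if user in HONEYTOKEN_USERS:
            # A honeytoken has no legitimate use: any attempt, failed or not, is an alert.
            return {"user": user, "system": system, "severity": "critical",
                    "reason": "honeytoken credential used",
                    "new": {a: ev[a] for a in TRACKED}}
        if ev["result"] != "success":
            return None   # failed logins belong to brute-force rules, not first-seen logic
        novel = self._novel(ev)
        if not novel:
            return None
        # Park the new values so a repeat login does not re-alert, without trusting them yet.
        for a in novel:
            self.pending[user][a].add(ev[a])
        if user in ADMIN_USERS and "country" in novel:
            severity = "high"
        elif system in CRITICAL_SYSTEMS or user in ADMIN_USERS:
            severity = "medium"
        else:
            severity = "low"
        return {"user": user, "system": system, "severity": severity,
                "reason": "first-seen " + ",".join(novel),
                "new": {a: ev[a] for a in novel}}


def run(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    """Learn from the baseline window, then return the alerts raised by the new window."""
    det = FirstSeenDetector()
    det.learn(parse(baseline_log))
    return [alert for alert in map(det.check, parse(new_log)) if alert]


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Run as-is, the constructed window produces three alerts: a high-severity one for the admin account's first login from a new IP, country, and device; a low-severity one for a regular user's new IP on a non-critical system; and a critical one for the failed honeytoken attempt. The second admin login from the same new source produces nothing, because the values are already pending, and they only join the baseline once `confirm()` is called. In production the baseline would come from a SIEM query over the last 30 to 90 days of successful logins rather than an inline string, but the pending-then-confirm step is the part worth keeping: it is what stops an attacker's first login from becoming the new normal.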

Conclusion

In cybersecurity, the threats that worry us most often aren't the loudest — they're the ones we never see coming. A silent API flaw. A forgotten credential. A malware-laced package you installed last month without a second thought.

This week's stories are a reminder: real risk lives in the blind spots.

Stay curious. Stay skeptical. Your next breach won't knock first.