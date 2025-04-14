Attackers aren't waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden.

This week's events show a hard truth: it's not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world where AI tools can be used against you and ransomware hits faster than ever, real protection means planning for things to go wrong — and still staying in control.

Check out this week's update to find important threat news, helpful webinars, useful tools, and tips you can start using right away.

⚡ Threat of the Week

Windows 0-Day Exploited for Ransomware Attacks — A security flaw affecting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets, Microsoft revealed. The flaw, CVE-2025-29824, is a privilege escalation vulnerability that could allow an attacker to obtain SYSTEM privileges. An exploit for the vulnerability has been found to be delivered via a trojan called PipeMagic, with the unknown threat actors, tracked by Microsoft as Storm-2460, conducting credential harvesting and dropping a ransomware payload as part of post-compromise activity. The exact nature of the payload is unclear; however, the ransom note dropped after encryption included a TOR domain tied to the RansomEXX ransomware family. CVE-2025-29824 was addressed by Microsoft as part of its Patch Tuesday update for April 2025.

🔔 Top News

ESET Flaw Exploited to Deliver New TCESB Malware — The China-aligned advanced persistent threat (APT) group ToddyCat has exploited a vulnerability in ESET's antivirus software to silently execute a malicious payload called TCESB on infected devices. The dynamic link library (DLL) search order hijacking vulnerability (CVE-2024-11859) was patched in January after responsible disclosure. DLL search order hijacking is a class of vulnerability that occurs when an application searches for and loads a required DLL in an insecure order, such as starting with the current directory rather than a trusted system directory. In such cases, an attacker who can write a file to a directory that is searched first can trick the application into loading a malicious DLL in place of its legitimate counterpart, and the malicious code then runs with the application's privileges and, in the case of a security product, under its trusted name. Once executed, TCESB reads the running kernel version and disables notification routines, installs a vulnerable driver for defense evasion, and launches an unspecified payload.
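As an added example (not code from the original article, from ESET, or from the ToddyCat research), the following PowerShell hunt looks for the pattern the paragraph describes from the defender's side: a DLL that carries the name of a Windows system DLL but has been loaded into a running process from somewhere other than the system directories. It assumes a Windows host and an elevated session so that other processes' module lists can be read; the directory list and the use of Authenticode status for triage are the example's own choices.

```powershell
# Added example, not code from the original article or from ESET.
# Hunts for the DLL search-order hijacking pattern: a DLL with the same name as a
# System32 DLL loaded from a non-system path. Assumes Windows and an elevated session.

$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

# Build the set of DLL names that legitimately live in System32. Any module with
# one of these names loaded from elsewhere is a candidate for closer inspection.
$systemDllNames = Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll -File |
    ForEach-Object { $_.Name.ToLowerInvariant() } | Sort-Object -Unique
$systemSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$systemDllNames)

$findings = foreach ($p in Get-Process) {
    # Protected or higher-integrity processes refuse module enumeration; skip them.
    try { $mods = $p.Modules } catch { continue }
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path) { continue }
        $name = [IO.Path]::GetFileName($path).ToLowerInvariant()
        $inSysDir = $sysDirs | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($systemSet.Contains($name) -and -not $inSysDir) {
            # Signature status is the first triage signal: a system-named DLL that is
            # unsigned, or signed by someone other than the host application's vendor,
            # is the case worth pulling for analysis.
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Process   = $p.ProcessName
                PID       = $p.Id
                Dll       = $name
                Path      = $path
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

$findings | Sort-Object Signature, Process | Format-Table -AutoSize
```

Expect benign hits: many applications ship their own copies of redistributable DLLs that also exist in System32 (the Visual C++ runtimes are a common example). The Signature and Signer columns are there to separate those from the interesting cases, and the interesting case is the one this week's item describes: a DLL beside a signed, trusted executable that the vendor did not ship.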

Attackers Keep Read-Only Access to Patched FortiGate Devices via Symlink — Fortinet revealed that threat actors have found a way to maintain read-only access to FortiGate devices even after the initial access vector used to breach the devices was patched. "This was achieved via creating a symbolic link (aka symlink) connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN," the company said. Because the symlink lives in the user file system, it survives the patch that closed the original entry point; Fortinet has released updates that remove it.

AkiraBot Leans on OpenAI Models to Flood Sites with SEO Spam — An artificial intelligence (AI) powered platform called AkiraBot is being used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. The platform relies on the OpenAI API to generate a customized outreach message based on the contents of the target website. As many as 80,000 websites have been successfully spammed by the tool since September 2024. In response to the findings, OpenAI has disabled the API key used by the threat actors.

Trending CVEs

Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week's list includes — CVE-2025-3102 (OttoKit plugin), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-30406 (Gladinet CentreStack), CVE-2025-29824 (Windows Common Log File System), CVE-2024-48887 (Fortinet FortiSwitch), CVE-2024-53150, CVE-2024-53197 (Google Android), CVE-2025-2945 (pgAdmin), CVE-2025-2244 (Bitdefender GravityZone), CVE-2025-31334 (WinRAR), CVE-2025-30401 (WhatsApp for Windows), CVE-2025-23120 (Rockwell Automation Industrial Data Center), CVE-2025-25211, CVE-2025-26689 (Inaba Denki Sangyo CHOCO TEI WATCHER), CVE-2024-4872, CVE-2024-3980 (Hitachi Energy MicroSCADA Pro/X SYS600), CVE-2025-2636 (InstaWP Connect – 1-click WP Staging & Migration plugin), CVE-2025-3439 (Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin), and CVE-2025-31565 (WPSmartContracts plugin).

📰 Around the Cyber World

Bulletproof Hosting Service Provider Medialand Exposed — A bulletproof hosting provider named Medialand has been exposed, likely by the same actors behind the leak of Black Basta chat logs in February 2025. According to PRODAFT, Medialand has been linked to Yalishanda (LARVA-34), and the service played a key role in enabling a wide range of cybercriminal operations, including hosting ransomware infrastructure for Black Basta, malware C2 servers, code-signing systems, phishing kits, data exfiltration panels, and data leak sites. The leaked internal data reveals who bought servers and who paid (including via cryptocurrency), possibly along with personally identifiable information (PII), and it lets defenders correlate indicators of compromise (IoCs) and improve attribution. The Black Basta chat dataset shed light on the group's "internal workflows, decision-making processes, and team dynamics, offering an unfiltered perspective on how one of the most active ransomware groups operates behind the scenes," Trustwave said. The discussions also revealed the group assigning callers based on gender dynamics, pairing female callers with male victims and male operators with female targets. They further expose the group's pursuit of security flaws and its stockpiling of zero-day exploits, bought at premium prices from exploit brokers to gain a competitive edge.

🔧 Cybersecurity Tools

CAPE (Config and Payload Extraction) — CAPE is a powerful malware sandbox that runs suspicious files in a safe Windows environment and digs much deeper than traditional tools. It not only tracks file changes, network traffic, and memory dumps but also automatically unpacks hidden payloads, extracts malware settings, and defeats tricks used to avoid detection. With smart use of YARA rules and a built-in debugger, CAPE gives threat hunters and analysts a faster, clearer way to uncover what malware is really doing.

MCP-Scan — MCP-Scan is an open-source security tool that checks your MCP (Model Context Protocol) servers for hidden risks like prompt injections, tool poisoning, and cross-origin attacks. It scans popular setups like Claude, Cursor, and Windsurf, detects tampering in tool descriptions, and helps catch silent changes that could compromise your environment. With built-in protections like tool pinning and Invariant Guardrail checks, MCP-Scan gives developers and security teams a fast, reliable way to spot vulnerabilities before attackers can use them.

🔒 Tip of the Week

Monitoring for Unauthorized Account Activations — Attackers are using a clever trick to stay hidden inside networks: reactivating the built-in Windows Guest account. Normally, this account is disabled and ignored by system admins. But when attackers enable it and set a new password, it blends in as part of the system — making it easy for them to quietly log in, escalate privileges, and even access devices remotely through RDP. Since the Guest account looks normal at first glance, many security teams miss it during reviews.

To catch this tactic early, monitor your security logs closely. Set alerts for Event ID 4722 (a user account was enabled); it fires whenever a disabled account is re-enabled, Guest included. Pair it with Event ID 4724 (an attempt was made to reset an account's password) and Event ID 4732 (a member was added to a security-enabled local group), and match on the account's SID rather than its display name, since the built-in Guest account has the well-known relative ID 501 and can be renamed. Also track the use of native Windows tools like net.exe, wmic, and PowerShell for any commands that modify accounts. Pay special attention to any Guest account being added to privileged groups like Administrators or Remote Desktop Users. Cross-check with your endpoint protection or EDR tools to spot changes outside normal maintenance windows.

If you find an active Guest account, assume it's part of a larger breach. Check for signs of hidden accounts, unauthorized remote access tools, and changes to RDP settings. Regular threat hunting — even just checking that all default accounts are truly disabled — can break an attacker's persistence before they move deeper into your environment.
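One way to run this check from an elevated PowerShell session, as an added example rather than code from the original article: the script locates the Guest account by its well-known RID 501 (so a renamed account is still found), reports its state and its membership in the privileged groups mentioned above, and pulls the matching 4722, 4724 and 4732 events from the Security log. The seven-day lookback, the group list and the output fields are the example's own choices; it assumes Windows 10/Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module available (built into Windows PowerShell 5.1).

```powershell
# Added example, not code from the original article.
# Hunts for a re-enabled built-in Guest account and the Security events that reveal it.
# Assumptions: Windows 10/Server 2016+, elevated session, LocalAccounts module present.

param(
    [int]$LookbackDays = 7   # assumed window; tune to your log retention
)

# Locate Guest by its well-known relative ID (501) rather than by name, so a
# renamed Guest account is still found.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if (-not $guest) { Write-Warning 'No RID-501 account found on this host.'; return }

[pscustomobject]@{
    Name            = $guest.Name
    Enabled         = $guest.Enabled
    PasswordLastSet = $guest.PasswordLastSet
    LastLogon       = $guest.LastLogon
} | Format-List

if ($guest.Enabled) {
    Write-Warning "Account '$($guest.Name)' (RID 501) is ENABLED; treat it as a potential persistence foothold."
}

# Membership in the groups that grant local admin or RDP access (list is an assumption).
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SID.Value -eq $guest.SID.Value }) {
        Write-Warning "Account '$($guest.Name)' is a member of '$group'."
    }
}

# Security events: 4722 account enabled, 4724 password reset, 4732 member added to a
# local group. The target SID is read from each event's XML so the match does not
# depend on the account's display name.
$filter = @{ LogName = 'Security'; Id = 4722, 4724, 4732; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4722 and 4724 carry the account in TargetSid; 4732 carries the added member in MemberSid.
    $sid = if ($e.Id -eq 4732) { $data['MemberSid'] } else { $data['TargetSid'] }
    if ($sid -eq $guest.SID.Value) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Actor   = $data['SubjectUserName']
            Detail  = if ($e.Id -eq 4732) { "added to group $($data['TargetUserName'])" } else { $e.TaskDisplayName }
        }
    }
}
```

The Actor column is the account that made the change; a 4722 or 4732 for RID 501 raised by anything other than your provisioning tooling during a maintenance window is the signal the tip describes. Note that Get-WinEvent only sees what the host still retains, so for fleet-wide coverage forward these event IDs to your SIEM rather than relying on local logs alone.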

Conclusion

Every breach, every evasion technique, and every new tool attackers use is also a learning opportunity. If you're in cybersecurity today, your advantage isn't just your tech stack — it's how quickly you adapt.

Take one tactic you saw in this week's update — privilege escalation, AI misuse, stealth persistence — and use it as a reason to strengthen a weak spot you've been putting off. Defense is a race, but improvement is a choice.