Thursday, Mar 13, 2025 // (IG): BB // GITHUB // SN R&D
Polish President Calls for U.S. Nuclear Weapons Deployment Amid Rising Tensions with Russia
Bottom Line Up Front (BLUF): Polish President Andrzej Duda has urged the United States to station nuclear weapons in Poland, arguing that NATO’s military infrastructure should move eastward to counter Russian aggression. Duda’s proposal revives a nuclear-sharing initiative previously rejected by the Biden administration in 2022. The request reflects growing security concerns in Poland and Eastern Europe, particularly as U.S.-brokered Ukraine-Russia peace talks progress under President Trump.
Analyst Comments: Given Russia’s 2023 deployment of tactical nuclear weapons in Belarus, Poland’s request is symbolic and strategic, aimed at ensuring a more assertive NATO deterrence posture. However, such a move would likely escalate tensions with Moscow, potentially triggering countermeasures from Russia, including increased military posturing along NATO’s borders. The U.S. response to this request will significantly influence Eastern Europe’s defense strategy and NATO’s future military positioning.
FROM THE MEDIA: Polish President Andrzej Duda called on the U.S. to relocate nuclear weapons to Poland, citing Russia’s nuclear deployments in Belarus as justification. Duda revealed that he had discussed the proposal with U.S. special envoy Keith Kellogg but had not received an official response. The Biden administration rejected the nuclear-sharing request, first proposed in 2022, but Poland hopes for reconsideration under Trump’s foreign policy shifts. Poland's position reflects broader NATO concerns over Russia emerging militarily stronger from Ukraine peace talks. Moscow is likely to view any U.S. nuclear deployment in Poland as a direct threat, escalating geopolitical tensions in the region.
READ THE STORY: FT
Chinese Hackers Deploy Custom Backdoors on Juniper Networks Routers
Bottom Line Up Front (BLUF): The China-linked cyber espionage group UNC3886 has breached Juniper Networks' end-of-life MX routers, deploying custom backdoors and rootkits to maintain long-term access. According to Mandiant, the attackers used six distinct TinyShell-based implants with capabilities including file transfer, remote shell access, packet sniffing, and logging evasion. UNC3886 has exploited zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices to infiltrate U.S. and Asian defense, technology, and telecom sectors.
Analyst Comments: UNC3886’s focus on network infrastructure devices—which often lack security monitoring—demonstrates an evolving cyber-espionage strategy aimed at persistent access rather than short-term disruption. The attackers' ability to bypass Junos OS protections and execute stealthy operations suggests a well-resourced and highly skilled threat actor. Given the risk of nation-state cyber warfare, organizations using outdated Juniper routers must upgrade immediately, implement network segmentation, and monitor for unauthorized SSH access to prevent covert intrusions.
FROM THE MEDIA: Researchers from Google-owned Mandiant have identified UNC3886 deploying six variants of the TinyShell backdoor on Juniper Networks MX routers. These implants, first observed in mid-2024, allow attackers to steal credentials, manipulate traffic, and disable logging mechanisms. The hackers gained privileged access through compromised terminal servers, injecting malicious payloads into the router’s memory while bypassing Juniper’s Verified Exec (veriexec) protections. UNC3886 also leveraged rootkits (Reptile, Medusa) and SSH hijacking tools (PITHOOK, GHOSTTOWN) for stealth and persistence. Mandiant advises organizations to update Juniper devices, apply security patches, and use Juniper's Malware Removal Tool (JMRT) to detect infections.
READ THE STORY: THN // The Register
Fully Undetected AnubisBackdoor Malware Enables Hackers to Execute Remote Commands
Bottom Line Up Front (BLUF): A newly discovered Python-based malware, AnubisBackdoor, has been attributed to the Savage Ladybug group, which is believed to be linked to the FIN7 cybercrime gang. This backdoor allows remote command execution, data exfiltration, and system compromise while bypassing most antivirus defenses. It represents a growing trend of stealthy malware used in cyberattacks.
Analyst Comments: The emergence of AnubisBackdoor highlights the evolution of cybercriminal tactics, particularly in malware obfuscation and stealth techniques. Unlike its namesake, the Android-focused Anubis banking trojan, this variant specifically targets desktop and server environments. Given its fully undetected (FUD) nature, security teams should anticipate its use in targeted phishing campaigns and supply chain attacks. The association with FIN7, a group known for its advanced cybercrime operations, suggests continued innovation in malware development aimed at evading endpoint security solutions.
FROM THE MEDIA: Researchers have identified AnubisBackdoor as a Python-based remote access tool designed to evade detection by traditional security software. Unlike the well-known Anubis banking trojan, this backdoor is optimized for executing remote commands and stealing sensitive data from compromised systems. The Savage Ladybug group, linked to FIN7 (also known as Carbanak), is suspected of deploying the malware. FIN7 has a history of developing sophisticated attack tools, including the Carbanak backdoor and AvNeutralizer, which disables endpoint detection and response (EDR) solutions. Security experts warn that AnubisBackdoor is already being used in malspam campaigns, posing a significant threat to organizations. Key indicators of compromise (IOCs) include malicious IP addresses (such as 38.134.148.20 and 5.252.177.249) and file hashes (03a160127cce3a96bfa602456046cc443816af7179d771e300fec80c5ab9f00f).
READ THE STORY: GBhackers
Trump Administration’s Push for $50 Oil Faces Industry Backlash
Bottom Line Up Front (BLUF): The Trump administration aims to push crude oil prices down to $50 per barrel to combat inflation and lower gasoline costs for consumers. However, U.S. shale producers warn that such a move would undermine domestic energy production, potentially leading to lower investment, job losses, and greater reliance on OPEC and Saudi Arabia for global oil supply. Industry leaders argue that the administration’s energy policies—loosening regulations while imposing tariffs on steel and aluminum—are contradictory and could backfire on U.S. energy dominance.
Analyst Comments: Although lower fuel prices benefit consumers, pushing oil to $50 per barrel could destabilize the U.S. energy sector, making production unprofitable for many shale producers and allowing OPEC and Saudi Arabia to regain market control. This move could ultimately weaken U.S. energy independence, contradicting Trump’s goal of expanding domestic production by 3 million barrels per day by 2028. The administration’s simultaneous push for higher U.S. oil output and lower global prices presents a fundamental economic contradiction that may lead to market uncertainty and reduced industry confidence.
FROM THE MEDIA: Industry experts, including Scott Sheffield of Pioneer Natural Resources, warn that a $50-per-barrel price would force U.S. shale producers to cut output, handing market control back to OPEC by 2030. S&P Global and Morgan Stanley analysts estimate that many U.S. shale operations are unprofitable below $50 per barrel, making the administration’s goal unsustainable. Meanwhile, Trump’s tariffs on steel and aluminum are increasing costs for oil producers, further complicating the industry’s ability to expand production. Saudi Arabia and Russia are unlikely to allow prices to drop to $50 per barrel, with OPEC+ signaling readiness to pause or reverse production increases if needed.
READ THE STORY: FT
Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
Bottom Line Up Front (BLUF): A coordinated cyber attack involving over 400 IP addresses actively exploits multiple Server-Side Request Forgery (SSRF) vulnerabilities across various platforms. GreyNoise observed a significant surge in attacks on March 9, 2025, with affected countries including the U.S., Germany, Singapore, India, Lithuania, Japan, and Israel. The exploited SSRF vulnerabilities impact software such as Zimbra Collaboration Suite, VMware vCenter, GitLab CE/EE, and Ivanti Connect Secure, with some vulnerabilities rated as high as 9.8 on the CVSS scale.
Analyst Comments: The structured nature of these attacks, with many IPs targeting multiple SSRF flaws simultaneously, suggests the use of automation, pre-compromise reconnaissance, or coordinated cybercrime efforts. Exploited SSRF vulnerabilities can allow attackers to map internal networks, locate unpatched services, and steal sensitive cloud credentials by abusing internal metadata APIs. Given the widespread targeting and high-impact CVEs, organizations should immediately apply patches, limit outbound network connections, and monitor for suspicious external requests to mitigate exposure.
FROM THE MEDIA: The vulnerabilities being actively targeted include CVE-2017-0929 (DotNetNuke), CVE-2020-7796 (Zimbra Collaboration Suite), CVE-2021-21973 (VMware vCenter), CVE-2021-22175 (GitLab CE/EE), CVE-2024-21893 (Ivanti Connect Secure), and others. The same IP addresses have been observed attacking multiple SSRF flaws simultaneously, indicating a highly coordinated campaign. Israel saw a significant spike in attacks on March 11, 2025. GreyNoise warns that modern cloud services often rely on internal metadata APIs, which SSRF exploits can access, leading to potential cloud credential theft and network mapping. Security experts recommend patching affected systems, restricting outbound traffic, and closely monitoring for suspicious requests.
READ THE STORY: THN
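The metadata-API risk described in this item, as an added example (not code from GreyNoise or any vendor named in the story): a gate a server-side fetcher can call before following a user-supplied URL, refusing anything that resolves to a private, loopback, link-local or instance-metadata address. The metadata host list and the sample URLs are constructed.

```python
"""Outbound-URL gate against SSRF reaching internal services or cloud
metadata APIs.  Added example; not code from GreyNoise or any vendor
named in the story.  METADATA_HOSTS is a constructed list of well-known
endpoints; extend it for the clouds you run in."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
METADATA_HOSTS = {
    "169.254.169.254",           # AWS, GCP, Azure, OpenStack IMDS
    "fd00:ec2::254",             # AWS IMDS over IPv6
    "metadata.google.internal",  # GCP alias for the address above
    "100.100.100.200",           # Alibaba Cloud
}


def is_internal(ip) -> bool:
    """True for any address an SSRF would use to reach services that should
    never be exposed through a server-side fetch."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list:
    """Every distinct address host maps to (literal IPs need no DNS lookup)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    seen = []
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])
        if ip not in seen:
            seen.append(ip)
    return seen


def check_outbound_url(url: str) -> tuple:
    """Return (allowed, reason) for a URL the server is asked to fetch.
    Checks scheme, embedded credentials and metadata host names, then every
    address the host resolves to, so a DNS name pointing into 10.0.0.0/8 is
    refused just like a literal address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no hostname"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"   # e.g. http://trusted.example@10.0.0.5/
    if host.lower() in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    addrs = resolve_all(host)
    if not addrs:
        return False, "hostname does not resolve"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs: one public literal address, three that must be refused.
    for u in ("https://93.184.216.34/status",
              "http://169.254.169.254/latest/meta-data/",
              "http://127.0.0.1:8080/admin",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u))
```

Resolving the name and checking every returned address is what closes the DNS-rebinding and "public name, private A record" variants that a plain string block-list misses.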
Volt Typhoon Hackers Maintained Access to Massachusetts Utility for 10 Months
Bottom Line Up Front (BLUF): Chinese state-sponsored hackers linked to the Volt Typhoon campaign infiltrated the Littleton Electric Light & Water Department in Massachusetts for nearly a year, from February 2023 to November 2023. The attackers moved laterally within the network, exfiltrated operational technology (OT) data, and evaded detection, highlighting China's efforts to preposition within U.S. critical infrastructure for potential future cyber operations.
Analyst Comments: The Volt Typhoon campaign represents a long-term cyber espionage strategy to gain persistent access to U.S. infrastructure, possibly for future sabotage or intelligence gathering. The absence of customer data compromise in this case suggests the attackers' primary focus was energy grid operations and OT processes, which would be crucial for disrupting power systems in the event of geopolitical conflict. Given the widespread targeting of utilities and military-adjacent infrastructure, organizations must prioritize threat hunting, patching VPN vulnerabilities, and implementing OT-specific security measures.
FROM THE MEDIA: The FBI first flagged the breach, alerting the utility’s leadership. Dragos' investigation confirmed lateral movement, data exfiltration, and persistence mechanisms but noted that no customer-sensitive data was stolen. The attackers focused on OT-specific intelligence, including network diagrams and operational procedures, which could be used for future cyber-physical attacks. Volt Typhoon has a history of targeting critical infrastructure in the U.S. and Guam, often exploiting firewall and VPN vulnerabilities for initial access. The White House and U.S. law enforcement agencies have intensified efforts to remove these persistent threats and harden cybersecurity defenses.
READ THE STORY: The Record
D-Wave Claims 'Quantum Supremacy' in Materials Simulation
Bottom Line Up Front (BLUF): Quantum computing company D-Wave has announced that it has achieved "quantum supremacy" by solving a materials simulation problem that it claims is impossible for classical computers. The company says its Advantage2 annealing quantum computer simulated magnetic material properties in under 20 minutes, a task that would allegedly take a leading supercomputer nearly a million years. However, some physicists challenge the claim, arguing that classical computers can still achieve comparable results with newer techniques.
Analyst Comments: D-Wave’s claim is a significant milestone in quantum computing but remains controversial within the scientific community. While demonstrating real-world applications for quantum materials simulations could validate the commercial value of quantum computing, skepticism remains over whether true "quantum supremacy" has been achieved. The debate underscores the ongoing arms race among tech giants—including Google, Amazon, and Microsoft—to prove quantum advantage in practical applications. If D-Wave’s technology is validated, it could have significant implications for drug discovery, cybersecurity, and advanced materials design.
FROM THE MEDIA: The company argues that classical computers cannot replicate the full scope of its quantum simulations, but scientists from the Flatiron Institute counter that new classical computing methods may still compete with quantum results. Additionally, some experts note that the term "quantum supremacy" is controversial, with the field shifting towards "quantum advantage" or "quantum utility", where quantum computing proves practical business or scientific value.
READ THE STORY: FT
Case Study: Physical Penetration Test Exposes Internal Network Vulnerabilities
Bottom Line Up Front (BLUF): A physical penetration test conducted by cybersecurity firm Hackmosphere at a furniture retailer revealed critical security flaws that could allow attackers to gain unauthorized access to internal networks and sensitive data. Exploited vulnerabilities included unattended unlocked computers, active USB ports, weak network access controls, and insecure office entry points. These weaknesses could enable data theft, ransomware deployment, and corporate espionage.
Analyst Comments: Attackers can escalate privileges and establish remote access to critical systems by leveraging USB-based attacks and weak network access controls. The success of this penetration test underscores the importance of implementing automatic computer lockouts, disabling unnecessary USB ports, enforcing network access controls (NAC), and restricting physical access to sensitive areas. Employee security awareness training is also crucial to mitigate social engineering risks that could facilitate similar attacks.
FROM THE MEDIA: Hackmosphere conducted a real-world attack simulation on a furniture retail store, uncovering four significant vulnerabilities that compromised internal network security. The first issue involved unlocked, unattended computers in the sales lobby, providing easy access to sensitive systems. The second vulnerability was enabled USB ports, allowing penetration testers to deploy a Rubber Ducky USB device to gain an unprivileged domain account. The third and most severe flaw was the lack of network access controls (NAC)—testers successfully used a LanTurtle device to infiltrate the company’s internal network via a remote SSH connection. Finally, the fourth vulnerability involved poor physical access controls, allowing testers to breach the store manager’s office using publicly displayed evacuation plans.
READ THE STORY: GBhackers
Blind Eagle Exploits NTLM Flaw and GitHub for Targeted Attacks on Colombian Institutions
Bottom Line Up Front (BLUF): The Blind Eagle hacking group, APT-C-36, has launched spear-phishing attacks against Colombian government agencies and private organizations since November 2024. The campaign exploits CVE-2024-43451, an NTLMv2 hash disclosure vulnerability, and uses GitHub and Bitbucket to distribute malware, affecting over 1,600 victims. The attackers deploy remote access trojans (RATs) such as Remcos RAT, AsyncRAT, NjRAT, and Quasar RAT.
Analyst Comments: Blind Eagle’s rapid weaponization of CVE-2024-43451, just six days after Microsoft patched it, highlights the speed and adaptability of modern threat actors. The group's reliance on legitimate cloud services like GitHub, Bitbucket, Google Drive, and Dropbox allows it to bypass traditional security defenses. Additionally, its use of HeartCrypt (a packer-as-a-service) suggests an increasing trend of malware developers outsourcing obfuscation techniques. The group's accidental exposure of 1,634 stolen credentials in a GitHub repository underscores its operational security failures, which could help investigators track and mitigate future attacks.
FROM THE MEDIA: Cybersecurity firm Check Point has linked Blind Eagle to ongoing cyberattacks against Colombian judicial institutions and private organizations. One campaign, on December 19, 2024, infected over 1,600 victims. The attackers use spear-phishing emails to deliver malicious .URL files that exploit CVE-2024-43451, a Windows vulnerability patched in November 2024. The exploit notifies the attackers when a victim interacts with the file, allowing them to launch a second-stage payload. The malware is packed using HeartCrypt, an emerging packer-as-a-service, and hosted on GitHub and Bitbucket. Researchers also uncovered 1,634 email-password pairs, including ATM PINs and government credentials, in a now-deleted GitHub repository, suggesting a significant breach of sensitive data.
READ THE STORY: THN
Medusa Ransomware Targets Over 300 Critical Infrastructure Organizations
Bottom Line Up Front (BLUF): The Medusa ransomware gang has attacked over 300 victims across critical infrastructure sectors, including healthcare, education, technology, and government agencies, according to a joint advisory from CISA, the FBI, and MS-ISAC. The group exploits phishing and unpatched vulnerabilities, including CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (Fortinet). Medusa operates as a ransomware-as-a-service (RaaS) model, recruiting initial access brokers (IABs) to infiltrate targets.
Analyst Comments: The group's triple extortion tactics, including demanding additional payments after a ransom is paid, indicate increased financial exploitation. Organizations must prioritize patching, especially for remote access tools, and implement advanced endpoint detection to prevent initial access. The widespread targeting of critical infrastructure suggests Medusa is a long-term cybersecurity threat requiring government and private sector collaboration to mitigate.
FROM THE MEDIA: Active since June 2021, the group has exploited CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (Fortinet) to gain access. Medusa’s core developers control ransom negotiations, while affiliates recruit initial access brokers for breaches, offering payments of between $100 and $1 million. The gang’s leak site advertises stolen data for sale, pressuring victims into paying. Medusa has targeted municipalities in France, government agencies in the Philippines, and corporations in Canada.
READ THE STORY: The Record
MirrorFace APT Exploits Windows Sandbox & Visual Studio Code for Stealthy Attacks
Bottom Line Up Front (BLUF): The MirrorFace APT group, suspected to be linked to APT10, has been exploiting Windows Sandbox and Visual Studio Code to conduct stealthy cyberattacks on organizations in Japan. The attackers use a customized version of LilimRAT and take advantage of administrative privileges within Windows Sandbox to execute malware, evade security tools, and maintain persistence. Security experts warn that the recent Windows Sandbox updates make detection even more difficult.
Analyst Comments: The abuse of Windows Sandbox represents a growing trend of leveraging built-in OS features to evade detection. MirrorFace’s approach—deploying LilimRAT within an isolated virtualized environment—demonstrates advanced operational security, making threat detection a significant challenge. The recent Windows Sandbox updates, including background execution and untraceable configuration, increase the risk of similar attacks in the future. Security teams must focus on monitoring sandbox-related processes, detecting anomalies in system memory, and implementing strict privilege management to mitigate this evolving threat.
FROM THE MEDIA: The attackers exploit Windows Sandbox, a Windows feature designed for the safe execution of untrusted applications, by gaining administrative privileges and executing malware in an isolated environment. Security researchers identified LilimRAT, a modified version of Lilith RAT, as the primary malware. The attack methodology involves automated script execution via Windows Sandbox (WSB) configuration files, allowing the malware to run undetected, steal data, and communicate with C2 servers over the Tor network. Microsoft’s October 2024 Windows Sandbox update (KB5044384) also introduced features that make detection more problematic, such as background execution and persistence until manual termination.
READ THE STORY: GBhackers
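The .wsb configuration abuse described in this item, as an added example (not code from the researchers in the story): a triage script that flags the settings that turn a Windows Sandbox into an automation host, namely a LogonCommand, writable mapped folders, and networking left enabled. The element names are the documented .wsb schema; the sample configuration is constructed.

```python
"""Triage of Windows Sandbox (.wsb) configuration files for the abuse
pattern described above.  Added example, not code from the researchers
in the story.  The sample config below is constructed."""
import xml.etree.ElementTree as ET  # use defusedxml for files from untrusted sources


def triage_wsb(xml_text: str) -> list:
    """Return (severity, finding) tuples for one .wsb file."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        return [("info", f"unexpected root element {root.tag!r}")]
    findings = []

    # A LogonCommand runs as soon as the sandbox starts: the automation hook.
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append(("high", f"LogonCommand present: {cmd.strip()}"))

    # Writable mapped folders let sandbox output land on the host.
    for mf in root.findall("MappedFolders/MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append(("medium", f"writable mapped folder: {host}"))
        else:
            findings.append(("low", f"read-only mapped folder: {host}"))

    # Networking defaults to enabled; a sandbox without network cannot reach C2.
    net = (root.findtext("Networking") or "Default").strip()
    if net.lower() != "disable":
        findings.append(("medium", f"networking {net}: sandbox can reach the internet"))

    # ProtectedClient hardens the guest/host boundary; off is the default.
    if (root.findtext("ProtectedClient") or "Disable").strip().lower() != "enable":
        findings.append(("low", "ProtectedClient not enabled"))
    return findings


def score(findings: list) -> int:
    """Crude risk score for sorting many .wsb files: high=5, medium=3, low=1."""
    weights = {"high": 5, "medium": 3, "low": 1, "info": 0}
    return sum(weights[sev] for sev, _ in findings)


# Constructed sample resembling an automation-style configuration.
SAMPLE_WSB = """<Configuration>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\staging</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\staging\\start.cmd</Command>
  </LogonCommand>
</Configuration>"""

if __name__ == "__main__":
    found = triage_wsb(SAMPLE_WSB)
    for sev, what in found:
        print(f"[{sev}] {what}")
    print("score:", score(found))
```

Run it over every .wsb file found on endpoints and correlate with process-creation telemetry for WindowsSandbox.exe, since the file is the only artifact of what was launched inside the guest.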
CISA Cuts $10 Million in ISAC Funding Amid Broader Cybersecurity Budget Reductions
Bottom Line Up Front (BLUF): CISA has cut $10 million annually from funding to the Center for Internet Security (CIS), which supports the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). These centers provide cybersecurity threat intelligence and assistance to state and local governments. The decision is part of broader federal cybersecurity budget cuts that have led to firings within CISA's red teams and cyber threat response units.
Analyst Comments: The elimination of federal support for the EI-ISAC could leave election offices vulnerable to nation-state cyber threats, forcing local governments to pay for expensive private-sector cybersecurity services or risk increased exposure to attacks. The broader budget cuts and CISA staff reductions, including the dismissal of over 130 cybersecurity professionals, further weaken national cybersecurity readiness at a time of rising global cyber threats from China, Russia, and other adversaries.
FROM THE MEDIA: CISA confirmed this week that it has terminated federal funding for key cybersecurity intelligence-sharing programs, including MS-ISAC and EI-ISAC, to prioritize other mission-critical areas. The decision removes $10 million annually from the Center for Internet Security (CIS), which operates these programs. The cuts come amid broader budget reductions across federal cybersecurity agencies, including mass firings of CISA red team members—experts who simulate cyberattacks to improve defenses. Election security experts warn that without EI-ISAC, state and local governments will struggle to defend against nation-state hackers targeting elections. Additionally, fired CISA employees have spoken out, stating they were dismissed despite working on essential national security projects. These developments raise concerns about cybersecurity gaps in the lead-up to the 2026 elections and beyond.
READ THE STORY: The Record
Apple Patches WebKit Zero-Day (CVE-2025-24201) Exploited in Targeted Attacks
Bottom Line Up Front (BLUF): Apple has released a security update to patch CVE-2025-24201, a WebKit zero-day vulnerability exploited in targeted attacks. The flaw, an out-of-bounds write issue, allowed attackers to break out of the Web Content sandbox using malicious web content. The update is available for iOS, macOS, Safari, and visionOS.
Analyst Comments: This marks the third actively exploited zero-day Apple has patched in 2025, highlighting the ongoing threat to iOS and macOS users. The fact that this vulnerability was used in highly sophisticated attacks against specific individuals suggests it may have been leveraged in nation-state cyber-espionage campaigns. Apple’s lack of details regarding the attackers, the timeframe of exploitation, and the victims leaves security researchers with limited visibility into the broader implications. Users should update their devices immediately to mitigate the risk of exploitation.
FROM THE MEDIA: The flaw, an out-of-bounds write issue, allowed attackers to craft malicious web content that could escape the Web Content sandbox and execute unauthorized actions. Apple stated that the vulnerability had been actively exploited in sophisticated attacks targeting specific individuals running older iOS versions before iOS 17.2. The update is now available for iOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1 (for Ventura and Sonoma), and visionOS 2.3.2. This is the third zero-day Apple has patched in 2025, following CVE-2025-24085 and CVE-2025-24200. Security researchers urge users to update their devices as soon as possible.
READ THE STORY: THN
Lazarus Group Exploits NPM Packages to Steal Credentials and Deploy Backdoors
Bottom Line Up Front (BLUF): North Korea’s Lazarus Group has used six malicious NPM packages to steal login credentials and deploy malware on Windows, macOS, and Linux systems. These packages, downloaded over 330 times, employ typosquatting tactics to trick developers into installing them. The malware steals browser login data, targets cryptocurrency wallets, and exfiltrates sensitive information to a hardcoded command-and-control (C2) server.
Analyst Comments: Typosquatting—registering malicious packages with names similar to legitimate ones—is a proven tactic for infiltrating software development workflows. The involvement of Lazarus, a state-sponsored North Korean APT, suggests a financially motivated campaign targeting cryptocurrency users and developers. Organizations should implement automated dependency audits, restrict third-party package usage, and continuously monitor for unusual dependency changes to prevent such attacks.
FROM THE MEDIA: Cybersecurity researchers identified six malicious NPM packages—is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator—being used in an active Lazarus Group campaign. These packages mimic popular development libraries and have been downloaded over 330 times. Once installed, the malware embedded in these packages collects system environment details, steals login credentials from Chrome, Brave, and Firefox, and targets cryptocurrency wallets. The data is then exfiltrated to a Lazarus-controlled C2 server. Further analysis revealed the deployment of BeaverTail malware and the InvisibleFerret backdoor, reinforcing Lazarus’s involvement. Security experts urge developers to vet third-party dependencies and block outbound connections to known malicious C2 domains.
READ THE STORY: GBhackers
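The dependency audit recommended in this item, as an added example (not code from the researchers in the story): a package.json check that blocks the six names reported above and flags names that sit within a small edit distance of, or piggyback on, a popular package. The POPULAR allow-list and the sample manifest are constructed stand-ins for what you would build from your own lockfile history.

```python
"""Dependency-name audit for the npm typosquatting pattern above.  Added
example, not code from the researchers in the story.  KNOWN_MALICIOUS
holds the six package names the story reports; POPULAR is a constructed
stand-in for an allow-list derived from your own lockfile history."""
import json

KNOWN_MALICIOUS = {
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
}
# Constructed allow-list of names attackers commonly imitate.
POPULAR = {"is-buffer", "validator", "react", "lodash", "express", "array-empty"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance from a popular name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str):
    """Reason a dependency name is suspicious, or None if it looks clean."""
    if name in KNOWN_MALICIOUS:
        return "known malicious (Lazarus npm campaign)"
    base = name.rsplit("/", 1)[-1]  # drop an @scope/ prefix
    if base in POPULAR:
        return None
    for legit in sorted(POPULAR):
        d = levenshtein(base, legit)
        if d <= 2:
            return f"lookalike of {legit!r} (edit distance {d})"
        if base.startswith(legit + "-"):
            return f"piggybacks on {legit!r} (suffix {base[len(legit):]!r})"
    return None


def audit_manifest(package_json: str) -> dict:
    """Map each suspicious dependency in a package.json to the reason it was flagged."""
    manifest = json.loads(package_json)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            reason = classify(name)
            if reason:
                findings[name] = reason
    return findings


# Constructed sample manifest mixing legitimate and suspicious names.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "react": "^18.2.0",
    "is-buffer-validator": "1.0.3",
    "lodahs": "4.17.21",
    "express": "^4.19.2"
  },
  "devDependencies": {
    "array-empty-checker": "0.1.0"
  }
}"""

if __name__ == "__main__":
    for pkg, why in audit_manifest(SAMPLE_PACKAGE_JSON).items():
        print(f"{pkg}: {why}")
```

Wire this into CI on every change to package.json or the lockfile, and treat a hit on a new transitive dependency as a hold on the build rather than a warning.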
Ukraine Warns That Signal’s Inaction Aids Russian Cyber Espionage
Bottom Line Up Front (BLUF): Ukraine’s National Security and Defense Council has accused Signal of failing to respond to requests for assistance in combating Russian cyber threats. According to Ukrainian officials, Russian intelligence operatives exploit Signal for phishing attacks and account takeovers targeting Ukrainian military personnel and government officials. Signal, known for its strong privacy stance, has not commented on the allegations.
Analyst Comments: While Signal is widely trusted for its end-to-end encryption, its refusal to cooperate with Ukrainian authorities could leave critical infrastructure and military communications vulnerable. The situation underscores the broader geopolitical implications of encrypted messaging platforms and their role in modern cyber warfare. With decreasing U.S. intelligence support for Ukraine, Kyiv may seek alternative communication tools or push for policy changes that encourage platform cooperation in national security matters.
FROM THE MEDIA: At the Kyiv International Cyber Resilience Forum, Ukrainian cybersecurity official Serhii Demediuk stated that Signal has stopped responding to law enforcement requests regarding Russian cyber threats. Previously, Signal assisted Ukraine in addressing Russian cyber espionage, but this cooperation has ceased. Security researchers, including Google’s security team, have reported that Russian hackers use Signal for phishing and spyware attacks. Attackers also exploit Signal’s linked devices feature to gain unauthorized access to accounts. Ukraine has increasingly promoted Signal as an alternative to Telegram, which has a history of being exploited by Russian intelligence. Meanwhile, changes in U.S. policy and a freeze on foreign aid have further complicated Ukraine’s cyber defense efforts.
READ THE STORY: The Record
Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days
Bottom Line Up Front (BLUF): Microsoft has released security updates for 57 vulnerabilities, including six actively exploited zero-days affecting Windows NTFS, Win32 Kernel, Microsoft Management Console (MMC), and Fast FAT File System Driver. These flaws allow privilege escalation, remote code execution, and information disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by April 1, 2025.
Analyst Comments: The discovery of six actively exploited zero-days highlights the increasing sophistication of attacks targeting Windows systems. The involvement of PipeMagic malware and the EncryptHub threat actor suggests that these vulnerabilities are weaponized in real-world attacks. Notably, four NTFS-related vulnerabilities can be chained together for remote code execution and data theft, making patching critical for enterprise and government systems. The rapid adoption of malicious VHD files in phishing campaigns further underscores the need for endpoint protection and user awareness training.
FROM THE MEDIA: Microsoft has released patches for 57 security flaws, including six actively exploited zero-days, with some of the most critical being CVE-2025-24983 (Win32 Kernel, privilege escalation), CVE-2025-24985 (Fast FAT File System Driver, remote code execution), CVE-2025-24993 (Windows NTFS, heap-based buffer overflow), and CVE-2025-26633 (Microsoft Management Console, security bypass). Security firm ESET identified CVE-2025-24983 as being exploited by the PipeMagic backdoor, a trojan targeting entities in Asia and Saudi Arabia. Meanwhile, the NTFS vulnerabilities, reported anonymously, are weaponized by threat actors using malicious VHD files to bypass security defenses. Given the severity of these exploits, Microsoft and CISA are urging organizations to apply patches immediately to prevent further compromise.
READ THE STORY: THN
Items of interest
UK Shifts Industrial Strategy from Green Energy to Defense Amid U.S. Policy Changes
Bottom Line Up Front (BLUF): The UK government is pivoting its industrial strategy from clean energy to defense manufacturing in response to U.S. policy shifts under President Trump. With defense spending set to rise to 2.5% of GDP by 2027 and potentially reaching 3% in the next Parliament, the UK is strengthening its defense sector to reduce reliance on U.S. military support. The move raises concerns about procurement efficiency, sovereignty in weapons production, and balancing traditional defense contractors with emerging defense tech startups.
Analyst Comments: The shift toward defense-led industrial policy underscores the growing instability in transatlantic military cooperation. While BAE Systems and Rolls-Royce stand to benefit, the UK faces tough choices between maintaining ties with U.S. defense firms or pursuing greater European collaboration. The decision to expand domestic defense production reflects concerns over U.S. weapons export control policies, particularly the F-35 fighter jet program, which could be restricted under future U.S. administrations. However, challenges remain, including historical budget overruns, inefficient procurement, and a lack of focus on emerging warfare technologies like drones.
FROM THE MEDIA: Chancellor Rachel Reeves announced that the National Wealth Fund would now support defense industry growth alongside its original clean energy focus. The shift follows President Trump’s suspension of U.S. military aid to Ukraine, raising concerns that NATO allies relying on U.S. military technology, such as the F-35 program, could face future restrictions. The UK has joined Italy and Japan in developing a next-generation stealth fighter, reducing dependence on U.S. suppliers. However, the Ministry of Defence’s history of inefficiency raises questions about whether it can effectively manage large-scale military procurement.
READ THE STORY: FT
Why Labour's UK Industrial Strategy Could Leave Us Poorer (Video)
FROM THE MEDIA: As the new UK Labour government embraces the concept of mission-driven government, Griffiths exposes the potential pitfalls and hidden costs of such top-down economic planning. Drawing from historical examples and financial principles, he challenges the notion that government-led industrial strategies are the key to economic growth and prosperity.
Fighting To Win: Industrial Strategy For Aggressive Growth In The UK (Video)
FROM THE MEDIA: The Labour government has already published the first draft of an industrial policy entitled ‘Invest 2035’. After consultation, the intention is to implement a battle plan in 2025. Yet, as the direction taken by other countries, such as Japan, South Korea, and Taiwan, shows, sustainable success requires a long-term plan. Their future mindset is ‘Invest 2045’ or ‘Invest 2055’.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.