0-Day News - April 01, 2025

Cyber Attacks

Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

A coordinated login scan campaign targeting Palo Alto Networks PAN-OS GlobalProtect gateways has been detected, with nearly 24,000 unique IP addresses attempting to access these portals, indicating a potential probing for vulnerabilities.

Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals

GreyNoise warns of a coordinated effort probing the internet for potentially vulnerable Palo Alto Networks GlobalProtect instances.

CISA Spots Spawn of Spawn Malware Targeting Ivanti Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a new strain of malware, dubbed Resurge, targeting Ivanti’s Connect Secure, Policy Secure, and ZTA Gateway products.

Ukraine Blames Russia for Railway Hack, Labels It "Act of Terrorism"

The CERT-UA investigation concluded that a railway hack's techniques were “characteristic of Russian intelligence services,” blaming Russia and labeling it as terrorism.

Microsoft Teams Vishing Used to Deploy Malware via TeamViewer

Attackers are using Microsoft Teams vishing attacks, combined with TeamViewer, to deploy malware while staying hidden.

Hackers Could Unleash Chaos Through Backdoor in China-Made Robot Dogs

An undocumented remote access backdoor in the Unitree Go1 Robot Dog allows remote control over the tunnel network and use of the vision cameras to see through their eyes.

Hackers Using E-Crime Tool Atlantis AIO for Credential Stuffing on 140+ Platforms

Threat actors are leveraging an e-crime tool called Atlantis AIO Multi-Checker to automate credential stuffing attacks, according to findings from Abnormal Security. Atlantis AIO "has emerged as a powerful weapon in the cybercriminal arsenal, enabling attackers to test millions of stolen credentials against numerous websites and applications at scale."

Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals. "This pattern suggests a coordinated effort to probe network defenses and identify potential entry points,"

Hackers Could Unleash Chaos Through Backdoor in China-Made Robot Dogs

An undocumented remote access backdoor in the Unitree Go1 Robot Dog allows remote control over the tunnel network and use of the vision cameras to see through their eyes.

Microsoft Teams Vishing Used to Deploy Malware via TeamViewer

A vishing scam via Microsoft Teams led to attackers misusing TeamViewer to drop malware and stay hidden using simple but effective techniques.

Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically enabled without requiring activation.

150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection that loads the gambling platform using a domain that resolves to a Chinese IP address,"

Critical Vulnerabilities

Critical Vulnerability Found in Canon Printer Drivers

Microsoft’s offensive security team warned Canon about a critical code execution vulnerability in printer drivers.

Critical auth bypass bug in CrushFTP now exploited in attacks

Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

Apple has backported fixes for three actively exploited zero-day vulnerabilities to older iOS and macOS devices, addressing use-after-free bugs and memory corruption issues.

WP Ultimate CSV Importer Flaws Expose 20,000 Websites to Attacks

WP Ultimate CSV Importer flaws expose 20,000 websites to attacks enabling attackers to achieve full site compromise.

Apple Patches Recent Zero-Days in Older iPhones

Apple has released a hefty round of security updates for its desktop and mobile products, patching two recent zero-days in older iPhone models.

CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability

Shadowserver has started seeing exploitation attempts aimed at a CrushFTP vulnerability tracked as CVE-2025-2825 and CVE-2025-31161.

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below - CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could result in arbitrary code execution when processing a maliciously crafted image.

Critical Vulnerability Found in Canon Printer Drivers

Microsoft’s offensive security team warned Canon about a critical code execution vulnerability in printer drivers.

Apple Patches Recent Zero-Days in Older iPhones

Apple has released a hefty round of security updates for its desktop and mobile products, patching two recent zero-days in older iPhone models.

CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability

Shadowserver has started seeing exploitation attempts aimed at a CrushFTP vulnerability tracked as CVE-2025-2825 and CVE-2025-31161.

Research Uncover 46 Critical Flaws in Solar Power Systems From Sungrow, Growatt, and SMA

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar power system vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids. The vulnerabilities affect a wide range of products, including inverters, data loggers, and monitoring portals, highlighting the systemic risks that can stem from insecure solar power infrastructure.

Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet. The vulnerabilities (CVE-2025-24358, CVE-2025-24359, CVE-2025-24360, CVE-2025-24361, and CVE-2025-24362) affect all versions of the Ingress NGINX Controller prior to 1.10.0.

Data Breaches

Oracle Hit with Lawsuit Over Alleged Cloud Breach Affecting Millions

Oracle faces a class action lawsuit filed in Texas over a cloud data breach exposing sensitive data of 6M+ users; plaintiff alleges negligence and delays.

Twitter (X) Hit by 2.8 Billion Profile Data Leak in Alleged Insider Job

A massive data leak has exposed 2.8 billion Twitter (X) profiles, allegedly due to an insider job, raising serious privacy concerns.

Oracle warns customers of health data breach amid public denial

Oracle’s healthcare subsidiary Cerner is warning customers of a health data breach, despite publicly denying the incident.

Check Point confirms breach, but says it was 'old' data and crook made 'false' claims

A digital burglar is claiming to have nabbed a trove of 'highly sensitive' data from Check Point - something the American-Israeli security biz claims is a huge exaggeration.

Files stolen from NSW court system, including restraining orders for violence

Australian police are currently investigating the theft of "sensitive" data from a New South Wales court system after they confirmed approximately 9,000 files were stolen.

Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish

Infosec veteran Troy Hunt of HaveIBeenPwned fame is notifying thousands of people after phishers scooped up his Mailchimp mailing list.

Ransomware & Malware

CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices

CISA added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, along with active exploits hitting Next.js and DrayTek devices.

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

Qilin ransomware affiliates are targeting customers downstream after spear-phishing a MSP ScreenConnect admin, continuing a three-year pattern tracked by Sophos MDR as STAC4365.

Ransomware Group Takes Credit for National Presto Industries Attack

A ransomware group has claimed responsibility for a March cyberattack on National Presto Industries subsidiary National Defense Corporation.

New Malware Variant RESURGE Exploits Ivanti Vulnerability

CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282.

Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks

A phishing-as-a-service (PhaaS) platform named 'Lucid' has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android).

Hackers abuse WordPress MU-Plugins to hide malicious code

Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.

BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability

In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the ransomware group's leak site, which it then weaponized to gain unauthorized access to their internal systems.

Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks

A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET.

New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials

Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control and overlay attacks,"

EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files to deliver and execute a malicious payload,"

APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware

An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the activity to APT36 (aka Earth Karkaddan, Mythic Leopard, and Transparent Tribe), citing overlaps in tactics, techniques, and procedures (TTPs).

PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps

An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps. "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices,"

AI & Cybersecurity

Microsoft Using AI to Uncover Critical Bootloader Vulnerabilities

Using the Security Copilot tool, Microsoft discovered 20 critical vulnerabilities in widely deployed open-source bootloaders.

Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders

Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

LLMs are now available in snack size but digest with care

Large language models (LLMs) are becoming more accessible, but organizations should carefully consider their implications and risks before implementation.

Google adds end-to-end email encryption to Gmail

Google has introduced end-to-end email encryption to Gmail, enhancing security and privacy for users.

Google rolls out easy end-to-end encryption for Gmail business users

Google has started rolling out a new end-to-end encryption (E2EE) model for Gmail enterprise users, making it easier to send encrypted emails to any recipient.

Security Operations Firm ReliaQuest Raises $500M at $3.4B Valuation

ReliaQuest has announced a new growth funding round that brings the total raised by the firm to over $830 million.

Industry Reports

Sophos ranked #1 overall for Firewall, MDR, and EDR in the G2 Spring 2025 Reports

Sophos ranked the top solution across 53 global reports for Firewall, MDR, and EDR in the G2 Spring 2025 Reports.

Digital Payment Security: Trends and Realities of 2025

A look at the trends and realities of digital payment security in 2025.

Cybersecurity Trends for 2025

An overview of cybersecurity trends for 2025.

The urgent reality of machine identity security in 2025

The importance of machine identity security in 2025 is discussed.

SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats

SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats.

G2 Names INE 2025 Cybersecurity Training Leader

G2 Names INE 2025 Cybersecurity Training Leader.

Legal and Policy

Apple Fined €150 Million by French Regulator Over Discriminatory ATT Consent Practices

France's competition watchdog fined Apple €150 million for abusing its dominant position by implementing its App Tracking Transparency (ATT) privacy framework in a discriminatory manner.

France’s Antitrust Watchdog Fines Apple for Problems With App Tracking Transparency

France’s antitrust watchdog fined Apple 150 million euros ($162 million) over a privacy feature protecting users from apps snooping on them.

Cyber Security and Resilience Bill Will Apply to 1000 UK Firms

A thousand UK service providers will be expected to comply with the forthcoming Cyber Security and Resilience Bill.

The UK’s Cyber Security and Resilience Bill will boost standards – and increase costs

The UK's Cyber Security and Resilience Bill aims to improve cybersecurity standards but will also increase costs for UK enterprises.

UK threatens £100K-a-day fines under new cyber bill

The UK's technology secretary revealed the full breadth of the government's Cyber Security and Resilience (CSR) Bill for the first time this morning, pledging £100,000 ($129,000) daily fines for failing to act against cyberattacks.

EU Commission to Invest €1.3bn in Cybersecurity and AI

The EU Commission will invest €1.3 billion in cybersecurity and AI projects within the Digital Europe Programme (DIGITAL) work program for 2025 to 2027.

France’s Antitrust Watchdog Fines Apple for Problems With App Tracking Transparency

France’s antitrust watchdog fined Apple 150 million euros ($162 million) over a privacy feature protecting users from apps snooping on them. The Autorité de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a gatekeeper of app distribution.

Apple Fined €150 Million by French Regulator Over Discriminatory ATT Consent Practices

Apple has been hit with a fine of €150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework. The Autorité de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a gatekeeper of app distribution.

The UK’s Cyber Security and Resilience Bill will boost standards – and increase costs

If you’re a UK enterprise, you need to be aware of the forthcoming Cyber Security and Resilience Bill. It will boost standards, but also increase costs.

Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks

Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser. The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) applications.

How Will the Splinternet Impact Cybersecurity

The idea of a “splinternet” is becoming more of a reality as countries seek to exert greater control over their digital borders and data flows. This article explores the potential impacts of a fragmented internet on cybersecurity.

How to Balance Password Security Against User Experience

If given the choice, most users are likely to favor a seamless experience over complex security measures, as they don’t prioritize strong password security. However, balancing security and usability doesn’t have to be a zero-sum game.

Critical Vulnerabilities and Targeted Attacks Dominate Cybersecurity Landscape

Cyber Attacks

Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals

CISA Spots Spawn of Spawn Malware Targeting Ivanti Flaw

Ukraine Blames Russia for Railway Hack, Labels It "Act of Terrorism"

Microsoft Teams Vishing Used to Deploy Malware via TeamViewer

Hackers Could Unleash Chaos Through Backdoor in China-Made Robot Dogs

Hackers Using E-Crime Tool Atlantis AIO for Credential Stuffing on 140+ Platforms

Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

Hackers Could Unleash Chaos Through Backdoor in China-Made Robot Dogs

Microsoft Teams Vishing Used to Deploy Malware via TeamViewer

Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms

Critical Vulnerabilities

Critical Vulnerability Found in Canon Printer Drivers

Critical auth bypass bug in CrushFTP now exploited in attacks

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

WP Ultimate CSV Importer Flaws Expose 20,000 Websites to Attacks

Apple Patches Recent Zero-Days in Older iPhones

CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability

Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices

Critical Vulnerability Found in Canon Printer Drivers

Apple Patches Recent Zero-Days in Older iPhones

CrushFTP Blames Security Firms for Fast Exploitation of Vulnerability

Research Uncover 46 Critical Flaws in Solar Power Systems From Sungrow, Growatt, and SMA

Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

Data Breaches

Oracle Hit with Lawsuit Over Alleged Cloud Breach Affecting Millions

Twitter (X) Hit by 2.8 Billion Profile Data Leak in Alleged Insider Job

Oracle warns customers of health data breach amid public denial

Check Point confirms breach, but says it was 'old' data and crook made 'false' claims

Files stolen from NSW court system, including restraining orders for violence

Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish

Oracle Hit with Lawsuit Over Alleged Cloud Breach Affecting Millions

Twitter (X) Hit by 2.8 Billion Profile Data Leak in Alleged Insider Job

Oracle warns customers of health data breach amid public denial

New Case Study: Global Retailer Overshares CSRF Tokens with Facebook

Files stolen from NSW court system, including restraining orders for violence

Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish

Ransomware & Malware

CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

Ransomware Group Takes Credit for National Presto Industries Attack

New Malware Variant RESURGE Exploits Ivanti Vulnerability

Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks

Hackers abuse WordPress MU-Plugins to hide malicious code

BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability

Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks

New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials

EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware

PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps

AI & Cybersecurity

Microsoft Using AI to Uncover Critical Bootloader Vulnerabilities

Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders

LLMs are now available in snack size but digest with care

Google adds end-to-end email encryption to Gmail

Google rolls out easy end-to-end encryption for Gmail business users

Security Operations Firm ReliaQuest Raises $500M at $3.4B Valuation

Microsoft Using AI to Uncover Critical Bootloader Vulnerabilities

AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface

The sixth sense for cyber defense: Multimodal AI

How AI is Transforming the Fight Against Data Breaches

LLMs are now available in snack size but digest with care

Untrustworthy AI: How to deal with data poisoning

Industry Reports

Sophos ranked #1 overall for Firewall, MDR, and EDR in the G2 Spring 2025 Reports

Digital Payment Security: Trends and Realities of 2025

Cybersecurity Trends for 2025

The urgent reality of machine identity security in 2025

SpyCloud’s 2025 Identity Exposure Report Reveals the Scale and Hidden Risks of Digital Identity Threats

G2 Names INE 2025 Cybersecurity Training Leader

Security Operations Firm ReliaQuest Raises $500M at $3.4B Valuation

Sophos Recognized as Top Employer in British Columbia, Canada

New Report Explains Why CASB Solutions Fail to Address Shadow SaaS and How to Fix It

Sophos ranked #1 overall for Firewall, MDR, and EDR in the G2 Spring 2025 Reports

The Evolving Landscape of Data Privacy: Key Trends to Shape 2025

IDT Corporation Partners with AccuKnox for Zero Trust Runtime IoT/Edge Security

Legal and Policy