Threat Landscape Summary (March 24 – 31, 2025)
The final week of March 2025 marked a historic escalation in cyber activity, with March becoming the first month on record to exceed 100 publicly disclosed ransomware attacks. The week of March 24 to March 31 was dominated by high-impact “Identity and Supply Chain” compromises. The most significant event was the alleged breach of Oracle Cloud’s SSO and LDAP systems, potentially impacting thousands of downstream tenants. Simultaneously, the automotive and higher education sectors faced severe pressure, with Jaguar Land Rover and New York University confirming major data exposures.
The landscape has shifted toward “Credential Commoditization,” where massive aggregations of infostealer data are being used to fuel automated brute-force attacks against edge infrastructure. This was exemplified by the emergence of the BRUTED framework, which systematically targets enterprise VPN solutions.
The global threat environment this week was characterized by a 223% surge in activity from the Safepay group and the continued dominance of the Qilin ransomware syndicate. Attackers are increasingly bypassing traditional EDR (Endpoint Detection and Response) by exploiting “unmanaged” devices, such as unsecured webcams and IoT sensors, to gain a foothold in corporate networks.
Geopolitically, North Korean-linked actors (tracked as Moonstone Sleet) have officially shifted from custom malware to using the Qilin RaaS platform, signaling a tactical convergence of state-sponsored espionage and financial crime. In the EMEA region, the UK retail and transport sectors remain under “coordinated siege” by the Scattered Spider collective.
Oracle Cloud (Technology): Reported on March 31, a threat actor known as “rose87168” claimed to have exfiltrated 6 million records from Oracle’s Single Sign-On (SSO) and LDAP systems. The haul includes sensitive Java KeyStore (JKS) files and encrypted passwords, representing a massive risk for Oracle Cloud’s 140,000+ tenants who rely on these systems for identity federation.
New York University (Education): NYU disclosed a breach affecting 3 million applicants. A threat actor using the handle “@bestn-gy” defaced the university’s homepage and leaked sensitive demographic data, SAT/ACT scores, and financial aid details dating back to 1989.
Jaguar Land Rover (Automotive): A hacker named “Rey” (linked to the Hellcat group) claimed to have exposed 700 internal documents, including development logs and source code. The breach reportedly stemmed from compromised Jira credentials likely harvested via infostealer malware.
Bank Sepah (Finance): The “Codebreakers” collective breached this major Iranian financial institution, allegedly stealing 42 million customer records. The group demanded a $42 million Bitcoin ransom, highlighting the continued vulnerability of regional banking infrastructure to large-scale exfiltration.
SpyX (Stalkerware): A massive breach of the SpyX parental monitoring tool exposed the personal data of nearly 2 million individuals, including 17,000 iCloud usernames and passwords stored in plaintext, posing a severe privacy risk to Apple users.
| Date | Affected Organization | Sector | Incident Type | Impact |
|---|---|---|---|---|
| Mar 24, 2025 | SpyX | Tech/Mobile | Data Breach | 2M profiles; 17K iCloud credentials |
| Mar 26, 2025 | Bank Sepah | Finance | Data Extortion | 42M customer records stolen |
| Mar 28, 2025 | NYU | Education | Defacement/Theft | 3M applicant records leaked |
| Mar 29, 2025 | Jaguar Land Rover | Automotive | IP Theft | 700 docs (Source code/Jira) |
| Mar 31, 2025 | Oracle Cloud | Technology | Identity Breach | 6M SSO/LDAP records |
| Mar 31, 2025 | Utsunomiya Clinic | Healthcare | Ransomware | 140GB of medical records (Qilin) |
The “Identity as a Target” Trend:
The Oracle and NYU breaches underscore that the “Identity Provider” (IdP) is now the primary target. By compromising SSO systems, attackers gain “golden tickets” to access dozens of connected SaaS applications (Salesforce, Slack, AWS) without ever triggering a login alert.
VPN Brute-Forcing Maturity:
The release of the BRUTED framework this week has automated the discovery and exploitation of edge devices. This tool specifically scans for SonicWall, Palo Alto GlobalProtect, and Cisco AnyConnect instances. It utilizes sub-domain enumeration to find “hidden” VPN portals (e.g., vpn.company.com) and applies massive credential lists from recent breaches.
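The detection side of the pattern just described, as an added example written for this summary (it is not code from the original report, from the BRUTED framework, or from any VPN vendor): a small Python detector that runs over constructed, syslog-style VPN authentication lines and flags sources showing the two signatures list-driven tooling leaves behind, many distinct usernames from one source inside a short window and a failure rate near 100%. The log schema, IPs and usernames are constructed placeholders; the regex would need adapting to the real SonicWall, GlobalProtect or AnyConnect log format.

```python
"""Flag credential-stuffing / password-spray patterns against a VPN portal.

Added example (not the report's code). The line format is a constructed
syslog-like schema, not any vendor's real log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.7 sprays seven
# accounts in six seconds and lands one success; the other sources are benign
# (a typo followed by the correct password, and one user failing twice).
SAMPLE_LOGS = """\
2025-03-27T08:00:01Z vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2025-03-27T08:00:02Z vpn-gw auth: user=bob src=203.0.113.7 result=FAIL
2025-03-27T08:00:03Z vpn-gw auth: user=carol src=203.0.113.7 result=FAIL
2025-03-27T08:00:04Z vpn-gw auth: user=dave src=203.0.113.7 result=FAIL
2025-03-27T08:00:05Z vpn-gw auth: user=erin src=203.0.113.7 result=FAIL
2025-03-27T08:00:06Z vpn-gw auth: user=frank src=203.0.113.7 result=OK
2025-03-27T08:00:07Z vpn-gw auth: user=grace src=203.0.113.7 result=FAIL
2025-03-27T08:01:10Z vpn-gw auth: user=alice src=198.51.100.20 result=FAIL
2025-03-27T08:01:25Z vpn-gw auth: user=alice src=198.51.100.20 result=OK
2025-03-27T08:02:00Z vpn-gw heartbeat: status=ok
2025-03-27T09:30:00Z vpn-gw auth: user=hank src=203.0.113.9 result=FAIL
2025-03-27T09:30:30Z vpn-gw auth: user=hank src=203.0.113.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one auth line; return None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


def find_spray_sources(lines, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.8):
    """Return {src_ip: stats} for sources that, inside some `window`, touch at
    least `min_users` distinct accounts with a failure rate >= `min_fail_rate`.
    Stats are taken from the largest qualifying window for that source."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                if src not in alerts or len(win) > alerts[src]["attempts"]:
                    alerts[src] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failures": fails,
                        # A success inside a spray is the account to treat as compromised.
                        "succeeded": sorted(e["user"] for e in win if e["ok"]),
                    }
    return alerts


if __name__ == "__main__":
    for src, stats in find_spray_sources(SAMPLE_LOGS.splitlines()).items():
        print(src, stats)
```

The `succeeded` list is the part worth paging on: a single success buried in a spray from one source is a credential that was almost certainly in a leaked list, so the session should be revoked and the password rotated rather than waiting for the rest of the spray to be blocked.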
| CVE ID | Description | Severity | Mitigation Status |
|---|---|---|---|
| CVE-2025-24178 | Apple iOS/macOS Sandbox Escape: Allows apps to break out of sandbox. | 9.8 (Critical) | Fixed in iOS 18.4 / macOS 15.4 (Released Mar 31). |
| CVE-2025-30841 | Path Traversal in Countdown & Clock: Allows Remote Code Inclusion. | 9.9 (Critical) | Actively targeted in WordPress environments. |
| CVE-2024-36336 | AMD Ryzen AI Software Integer Overflow: Leads to privilege escalation. | 7.9 (High) | Update AMD NPU Drivers to latest version. |
| SQLi (Multiple) | PHPGurukul Bank Locker System: Remote SQL injection in critical files. | 9.8 (Critical) | Listed in CISA Bulletin SB25-090 (Mar 31). |
For Technical Audiences:
The “Identity Spring” of 2025 is here. Organizations can no longer rely on the assumption that their Identity Provider is a “secure black box.” The Oracle incident suggests that even the largest cloud providers are susceptible to credential-based pivoting. We recommend a “Zero Trust” approach where internal app access is verified by device health, not just a successful SSO login.
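The “device health, not just a successful SSO login” recommendation, as an added worked example written for this summary (not the report's own code and not any IdP's or endpoint-management product's API). It also shows why the earlier points about SSO “golden tickets” and unmanaged IoT footholds matter: a perfectly valid SSO token presented from a host that is not in the managed inventory, or whose EDR is not running, is refused. The token format (a JSON claim set with an HMAC-SHA256 tag), the device inventory, the signing secret and all user and device ids are constructed placeholders.

```python
"""Zero Trust style policy decision: SSO token AND device posture must both pass.

Added example (not the report's code, not a vendor API). Token format,
inventory, secret and ids are constructed stand-ins.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SSO_SECRET = b"placeholder-idp-signing-key"  # constructed; a real IdP signs with asymmetric keys

# Constructed endpoint-management inventory. IOT-CAM-7 is deliberately absent:
# an unmanaged device has no posture record and must fail closed.
DEVICE_INVENTORY = {
    "LAPTOP-0001": {"managed": True, "edr_running": True, "disk_encrypted": True,
                    "last_checkin": datetime(2025, 3, 31, 11, 30, tzinfo=timezone.utc)},
    "LAPTOP-0002": {"managed": True, "edr_running": False, "disk_encrypted": True,
                    "last_checkin": datetime(2025, 3, 31, 11, 45, tzinfo=timezone.utc)},
}


def mint_token(sub, device_id, exp, secret=SSO_SECRET):
    """Issue a toy SSO token bound to one device: JSON claims + HMAC tag."""
    claims = {"sub": sub, "device_id": device_id, "exp": exp.replace(microsecond=0).isoformat()}
    payload = json.dumps(claims, sort_keys=True)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_token(token, now, secret=SSO_SECRET):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    payload, _, tag = token.rpartition(".")  # the hex tag never contains '.'
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if datetime.fromisoformat(claims["exp"]) <= now:
        return None
    return claims


def posture_ok(device_id, now, max_age=timedelta(hours=1)):
    """Device must be inventoried, managed, running EDR, encrypted and recently seen."""
    d = DEVICE_INVENTORY.get(device_id)
    if d is None:
        return False, "unknown/unmanaged device"
    if not d["managed"]:
        return False, "device not managed"
    if not d["edr_running"]:
        return False, "EDR not running"
    if not d["disk_encrypted"]:
        return False, "disk not encrypted"
    if now - d["last_checkin"] > max_age:
        return False, "posture stale"
    return True, "ok"


def authorize(token, presented_device_id, now):
    """Allow only when the SSO token verifies, is bound to the presenting device,
    and that device's posture passes. Every failure is a deny with a reason."""
    claims = verify_token(token, now)
    if claims is None:
        return {"allow": False, "reason": "invalid or expired SSO token"}
    # A token replayed from a different host (stolen session, IoT foothold) fails here.
    if claims["device_id"] != presented_device_id:
        return {"allow": False, "reason": "token not bound to presenting device"}
    ok, why = posture_ok(presented_device_id, now)
    if not ok:
        return {"allow": False, "reason": why}
    return {"allow": True, "reason": "ok", "sub": claims["sub"]}


if __name__ == "__main__":
    now = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)
    tok = mint_token("alice", "LAPTOP-0001", now + timedelta(hours=8))
    print(authorize(tok, "LAPTOP-0001", now))
    print(authorize(tok, "IOT-CAM-7", now))
```

The ordering of checks is deliberate: token validity first (cheap, stateless), then device binding, then posture. A deny reason is returned rather than raised so the gateway can log why a valid SSO session was refused; that log line is exactly the signal that distinguishes a stolen credential from a legitimate login on a healthy, managed endpoint.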
Meraal Cyber Security (MCS) Threat Intelligence Team