Threat Landscape Summary (March 17 – 24, 2025)
The week of March 17 to March 24, 2025, was characterized by a surge in “Ideological Extortion” and high-impact supply chain compromises. The most prominent event was the New York University (NYU) data breach on March 22, where threat actors defaced the university’s infrastructure to leak records of 3 million applicants. Additionally, the discovery of a critical supply chain vulnerability in a widely used GitHub Action surfaced, impacting over 23,000 repositories. This week also saw the first major wave of exploitations targeting the Windows Fast FAT and NTFS zero-days (CVE-2025-24985 and CVE-2025-24993), which were weaponized by ransomware groups shortly after the monthly patch cycle. The period ended with the initial reports of unauthorized access at Oracle Cloud, signaling the beginning of a broader identity-based campaign that would escalate in the following week.
The global landscape remains dominated by “Vulnerability-to-Exfiltration” (V2E) cycles, where the time between zero-day disclosure and active exploitation has shrunk to under 48 hours. This week, we observed a 42% increase in attacks against the higher education and research sectors, driven by both financial gain and political activism. Geopolitically, Iranian state-sponsored actors intensified their use of “living-off-the-land” (LotL) techniques against telecommunications hubs in Yemen and government offices in Iraq, utilizing hijacked internal emails to propagate custom backdoors. In the retail sector, the focus has shifted toward the exploitation of legacy WordPress plugins, with over 1,200 unique attacks recorded against e-commerce themes this week.
New York University (NYU): On March 22, a hacker group identifying as “Computer Niggy Exploitation” (@bestn-gy) compromised NYU’s internal data warehouse. The attackers defaced the university’s homepage with charts of SAT/ACT scores and demographic data, alleging continued race-based admissions practices. The breach exposed sensitive PII and financial aid details for 3 million applicants dating back to 1989.
SpyX (Stalkerware): A massive breach of the SpyX parental monitoring platform was uncovered this week, exposing the personal data of approximately 2 million users. The leak included 17,000 iCloud usernames and passwords stored in plaintext, highlighting the severe security risks inherent in “gray-market” surveillance software.
Ukrzaliznytsia (Ukraine Railway): On March 20, the Ukrainian national railway suffered a “multi-level” cyber attack that paralyzed its online ticket sales portal. While train operations were maintained through backup protocols, the incident was described as a highly systematic effort to disrupt civilian logistics.
GitHub Action Supply Chain: Researchers disclosed a compromise of the tj-actions/changed-files GitHub Action. Between March 14 and March 15, malicious code was injected into version tags, allowing attackers to exfiltrate CI/CD secrets from over 23,000 repositories. Organizations are now in the recovery phase, rotating thousands of leaked cloud tokens and API keys.
National Defense Corporation (NDC): Reports surfaced on March 19 regarding a massive data exfiltration event where the Interlock Ransomware Group claimed to have stolen 4.2TB of sensitive defense data from NDC and its subsidiary AMTEC.
| Date | Affected Organization | Sector | Incident Type | Impact |
|---|---|---|---|---|
| Mar 17, 2025 | SpyX | Tech/Surveillance | Data Breach | 2M records; 17K iCloud credentials |
| Mar 19, 2025 | National Defense Corp | Defense | Ransomware | 4.2TB of defense data stolen |
| Mar 20, 2025 | Ukrzaliznytsia | Transport | Infrastructure | Online ticket systems offline |
| Mar 22, 2025 | NYU | Education | Ideological Breach | 3M applicant records leaked |
| Mar 23, 2025 | Ascom | Manufacturing | Ransomware | 44GB of internal reports stolen |
| Mar 24, 2025 | Oracle Cloud | Technology | Initial Compromise | Preliminary reports of SSO access |
The “Ideological Hacker” Resurgence:
The NYU breach marks a shift where data theft is used as a tool for “social auditing.” By leaking demographic and performance data, the threat actors aimed to force a public conversation on university policy. This suggests that high-profile institutions must now guard not only against financial theft but also against “whistleblower-style” breaches where the data is curated to support a specific narrative.
Cloud Identity Probing:
The first signals of the Oracle Cloud/SSO campaign appeared this week. Attackers are moving away from traditional server exploits to focus on Single Sign-On (SSO) and LDAP configurations. By targeting the “Identity Provider” (IdP), actors can gain broad access to downstream SaaS applications without triggering traditional perimeter alerts, a trend that is becoming the hallmark of early 2025 cybercrime.
| CVE ID | Description | Severity | Mitigation Status |
|---|---|---|---|
| CVE-2025-24985 | Windows Fast FAT RCE: Zero-day exploit in core file system driver. | 8.8 (High) | Actively Exploited. Part of March Patch Tuesday. |
| CVE-2025-24993 | Windows NTFS RCE: Unauthenticated code execution via malformed file systems. | 8.8 (High) | CISA KEV Addition. Priority patching required. |
| CVE-2025-0927 | Ubuntu Linux Heap Overflow: Vulnerability in HFS+ file system implementation. | 7.8 (High) | Patch via apt upgrade available as of March 23. |
| CVE-2024-54525 | Apple visionOS/macOS Logic Issue: System file modification via crafted backups. | 8.8 (High) | Update to visionOS 2.2 / macOS Sequoia 15.2. |
| CVE-2025-29980 | eTRAKiT.Net SQL Injection: Unauthenticated RCE as MS SQL account. | 9.8 (Critical) | Disable CRM feature until patched. |
.rar attachments to telecommunications targets.
For Technical Audiences:
tj-actions/changed-files GitHub Action between March 14–20, rotate all secrets (AWS, Azure, GCP, GitHub) associated with that repository immediately.
The convergence of the SpyX breach and the NYU leak highlights a “Privacy Crisis” in the spring of 2025. Data that was previously considered “safely stored” in university warehouses or “privately monitored” via stalkerware is being dumped en masse. We predict that the stolen iCloud credentials from the SpyX breach will be used in the coming weeks for targeted “Celebrity/VIP” social engineering campaigns. Organizations should warn their high-profile employees about a potential increase in “Account Recovery” phishing attempts.
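To help with the tj-actions/changed-files compromise described above and the secret-rotation recommendation, the following added example (written for this summary, not code from the MCS team or the GitHub project) audits a repository's workflow files: it flags any reference to the compromised action and, more generally, any action referenced by a mutable tag or branch instead of a full commit SHA, which is the pinning practice that limits the blast radius of a retagged action. The workflow text, the placeholder SHA and the WATCHED_ACTIONS set are constructed assumptions for the demonstration.

```python
import re
from pathlib import Path

# Action named on the page as compromised; extend this set as advisories arrive.
WATCHED_ACTIONS = {"tj-actions/changed-files"}

# Matches a workflow step such as `- uses: owner/repo@ref` (optional sub-path allowed).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([^\s'\"#]+)", re.M
)
# A full 40-character commit SHA is the only immutable reference GitHub offers.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref):
    """True when the action reference is a full commit SHA rather than a tag/branch."""
    return bool(SHA_RE.match(ref))


def audit_workflow(text):
    """Return (action, ref, reason) findings for one workflow file's contents."""
    findings = []
    for action, ref in USES_RE.findall(text):
        if action in WATCHED_ACTIONS:
            # Any use of the compromised action needs review; if it ran during the
            # compromise window, rotate every secret the workflow could read.
            findings.append((action, ref, "known-compromised action; review runs and rotate secrets"))
        elif not is_pinned(ref):
            findings.append((action, ref, "mutable tag/branch; pin to a full commit SHA"))
    return findings


def audit_repo(root):
    """Audit every workflow under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for path in Path(root, ".github", "workflows").glob("*.y*ml"):
        findings = audit_workflow(path.read_text())
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-helper
"""
```

Run `audit_repo(".")` from a checkout to list every workflow that needs attention; local actions (`./…`) are skipped because they carry no remote reference.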
Meraal Cyber Security (MCS) Threat Intelligence Team