Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (April 14 – 21, 2025)

Executive Summary:

This week saw significant activity involving the active exploitation of vulnerabilities in widely used software from Apple and Microsoft, prompting urgent patching recommendations. CISA added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including critical flaws in Apple products and a Windows NTLM bug. Advanced Persistent Threat (APT) groups, notably Russia-linked APT29 and North Korea-linked Lazarus, continue sophisticated campaigns targeting diplomatic entities and job seekers, respectively. Several new malware variants and campaigns were observed, including misuse of Node.js for malware delivery, RATs targeting specific sectors like healthcare, and ongoing ransomware activity impacting various organizations. Numerous advisories were also issued for Industrial Control Systems (ICS).

Threat Details

  1. Actively Exploited Vulnerabilities:
    • Apple Zero-Days (CVE-2025-31200, CVE-2025-31201): Apple released emergency patches for iOS, iPadOS, macOS, tvOS, and visionOS to fix two zero-days exploited in targeted attacks. CVE-2025-31200 is a memory corruption flaw in Core Audio, allowing code execution via malicious media files. CVE-2025-31201 is an authentication bypass in the RPAC component. Both were added to CISA’s KEV catalog with a remediation date of May 8, 2025.
    • Microsoft Windows NTLM Flaw (CVE-2025-24054): A medium-severity NTLM hash disclosure spoofing vulnerability, patched in March 2025, is being actively exploited. Attackers use malicious .library-ms files (often delivered via phishing emails with ZIP archives) to leak NTLM hashes upon file download/extraction, facilitating credential theft and potential lateral movement. Campaigns have targeted government and private institutions. CISA added this to the KEV catalog with a remediation date of May 8, 2025.
    • Microsoft Windows CLFS Zero-Day (CVE-2025-29824): Patched in the April 2025 Patch Tuesday, this elevation of privilege vulnerability in the Common Log File System Driver was confirmed to be exploited in the wild, potentially by the RansomEXX ransomware gang, to gain SYSTEM privileges.
    • Ivanti Connect Secure Flaw (CVE-2025-22457): Added to CISA’s KEV catalog earlier in April, this critical stack buffer overflow vulnerability continues to be relevant, having been exploited by suspected China-nexus groups (UNC5221) as a zero-day.
    • Erlang/OTP SSH RCE (CVE-2025-32433): Public exploits are now available for this critical pre-authentication remote code execution vulnerability, impacting devices using Erlang/OTP SSH implementations.
    • SonicWall SMA 100 Series Flaw (CVE-2021-20034): An older vulnerability (patched in 2021) affecting SMA 100 series appliances is reportedly being actively exploited.
  2. APT Activity & Malware Campaigns:
    • APT29 (Midnight Blizzard/Cozy Bear): This Russia-linked group targets European diplomatic entities using phishing lures (e.g., wine-tasting invitations) to deliver new malware, including GRAPELOADER (initial access/fingerprinting) and updated WINELOADER variants (backdoor).
    • Lazarus Group: The North Korean APT uses fake job offers and the “ClickFake” technique to trick victims into executing malware, recently deploying the GolangGhost backdoor.
    • China-Nexus Actors (UNC5174, MirrorFace, UNC5221): Groups linked to China continue targeting various sectors. UNC5174 targets Linux systems with modified SNOMED malware and the new VShell RAT. MirrorFace targeted a European diplomatic institute. UNC5221 exploited the Ivanti zero-day (CVE-2025-22457).
    • SideCopy: This suspected Pakistan-linked group expanded attacks against Indian targets, deploying numerous RATs (Xeno, Spark, CurlBack, Action, ReverseRAT, Cheex, Geta).
    • Node.js Malware Delivery: Threat actors are actively misusing Node.js in malvertising campaigns (e.g., fake cryptocurrency trading software) to download installers containing malicious DLLs or JavaScript (JSC) files that steal information and establish persistence.
    • Multi-Stage Malware Attacks: Campaigns observed using .JSE and PowerShell scripts to deploy infostealers and RATs like Agent Tesla, XLoader, and Remcos RAT, often via phishing emails.
    • ResolverRAT: A new RAT targeting healthcare and pharmaceutical organizations using advanced in-memory execution and evasion techniques.
    • BPFDoor: A newly discovered controller component associated with this backdoor targets the telecommunications sector in Asia and the Middle East.
    • HellCat Ransomware: Targeted organizations (including Asseco Poland) by exploiting Jira credentials previously stolen by infostealer malware.
  3. Other Notable Vulnerabilities & Advisories:
    • ICS Vulnerabilities: CISA released numerous advisories for vulnerabilities in ICS products from vendors like Siemens, Schneider Electric, Yokogawa, Growatt, Lantronix, Mitsubishi Electric, ABB, Rockwell Automation, etc., affecting energy, water/wastewater, and manufacturing sectors.
    • Oracle Critical Patch Update (April 2025): Addressed 378 new vulnerabilities across various Oracle products.
    • ASUS AiCloud Routers: A critical authentication bypass vulnerability (no CVE assigned yet in reviewed reports) allows unauthorized function execution if AiCloud is enabled.
    • Fortinet FortiSwitch: A critical vulnerability (CVE not specified in summary reports) allowing remote admin password changes was patched.
    • Apache Tomcat (CVE-2025-24813): This RCE vulnerability, exploitable via partial PUT requests, has seen active exploitation and PoC circulation. Added to CISA KEV.

Recommendations

  1. Prioritize Patching: Immediately apply security updates for vulnerabilities mentioned, especially those added to the CISA KEV catalog:
    • Apple products (iOS, macOS, etc.) for CVE-2025-31200 & CVE-2025-31201.
    • Microsoft Windows for NTLM flaw CVE-2025-24054 and CLFS flaw CVE-2025-29824.
    • Ivanti Connect Secure/Policy Secure/ZTA for CVE-2025-22457 (ensure upgrade and factory reset if previously vulnerable).
    • Oracle products per the April 2025 CPU.
    • ASUS routers (disable AiCloud if not needed, update firmware).
    • Apache Tomcat servers for CVE-2025-24813.
    • Fortinet FortiSwitch devices.
    • SonicWall SMA 100 appliances for CVE-2021-20034.
    • Systems using Erlang/OTP SSH (patch CVE-2025-32433).
    • Review and patch relevant ICS vulnerabilities identified by CISA advisories.
  2. Enhance Phishing Defenses: Educate users about sophisticated phishing lures, including fake job offers, event invitations, and malvertising disguised as legitimate software downloads. Implement robust email filtering and web security solutions.
  3. Secure Authentication: Enforce Multi-Factor Authentication (MFA) universally. Monitor for NTLM usage and prioritize migrating to Kerberos. Scrutinize authentication logs for anomalies.
  4. Monitor and Control Software Execution: Monitor for unauthorized or suspicious execution of Node.js (node.exe) and PowerShell scripts. Enable enhanced script block logging for PowerShell. Use application control solutions to restrict software execution.
  5. Endpoint and Network Security: Ensure Endpoint Detection and Response (EDR/XDR) solutions are deployed and updated. Segment networks to limit lateral movement. Restrict outbound command-and-control (C2) communications. Audit credentials for privileged accounts. Secure collaboration platforms like Jira and review access controls.
  6. Review Cloud Security: Organizations using Oracle Cloud should review CISA’s guidance on potential legacy credential risks.
  7. ICS/OT Security: Owners and operators should review CISA’s ICS advisories relevant to their environments and apply recommended mitigations and patches promptly.
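Recommendations 3 and 4 above call for monitoring NTLM usage and for watching node.exe and PowerShell execution. The script below is an added example of what that monitoring can look like when run over Windows Security log records; it is not part of the advisory and not MCS tooling. The event records are constructed samples modelled loosely on the 4624 (logon) and 4688 (process creation) event fields, and the internal address ranges, approved Node.js install path and suspicious-switch list are assumptions to be tuned to a real environment.

```python
"""Detection sketch for NTLM usage (Recommendation 3) and suspicious
node.exe / PowerShell execution (Recommendation 4). Added example, not part
of the advisory. Events are constructed samples; field names follow the
Windows Security log loosely and are not an exact export format."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed internal address space; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed approved Node.js install location (lower-cased for comparison).
APPROVED_NODE_PATHS = {r"c:\program files\nodejs\node.exe"}
# Script hosts (used by .JSE loaders) and user-writable parent locations.
SCRIPT_HOST_PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")
PS_SUSPICIOUS_FLAGS = re.compile(
    r"-(?:enc|encodedcommand|nop|noprofile|ep\s+bypass|"
    r"exec(?:utionpolicy)?\s+bypass|w(?:indowstyle)?\s+hidden)\b", re.IGNORECASE)
NODE_INLINE_SCRIPT = re.compile(r"(?:^|\s)(?:-e|--eval)(?:\s|$)")

# Constructed sample events (no real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "IpAddress": "10.0.5.22"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "IpAddress": "10.0.5.23"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "ParentProcessName": r"C:\Users\alice\Downloads\TradingSetup.exe",
     "CommandLine": 'node.exe -e "<inline script placeholder>"'},
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\nodejs\node.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "node.exe server.js"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand <base64-placeholder>"},
]


@dataclass
class Finding:
    event_index: int
    severity: str
    reasons: list


def _is_external(ip):
    """True only for a parseable, non-loopback address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or blank fields on local logons
        return False
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)


def ntlm_findings(events):
    """Flag 4624 logons that used NTLM instead of Kerberos.
    NTLMv1 or NTLM from outside the internal ranges is rated high."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4624 or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        reasons, severity = ["NTLM used instead of Kerberos"], "low"
        if ev.get("LmPackageName", "").upper() == "NTLM V1":
            reasons.append("NTLMv1 negotiated")
            severity = "high"
        ip = ev.get("IpAddress", "")
        if _is_external(ip):
            reasons.append(f"source {ip} outside internal ranges")
            severity = "high"
        findings.append(Finding(i, severity, reasons))
    return findings


def process_findings(events):
    """Flag 4688 creations of node.exe / PowerShell that look unlike routine use."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4688:
            continue
        image = ev.get("NewProcessName", "").lower()
        parent = ev.get("ParentProcessName", "").lower()
        cmd = ev.get("CommandLine", "")
        exe, parent_exe = image.rsplit("\\", 1)[-1], parent.rsplit("\\", 1)[-1]
        reasons = []
        if exe == "node.exe":
            if image not in APPROVED_NODE_PATHS:
                reasons.append(f"node.exe outside approved install path: {image}")
            if NODE_INLINE_SCRIPT.search(cmd):
                reasons.append("inline script passed on the node command line")
        elif exe in ("powershell.exe", "pwsh.exe"):
            hits = sorted({m.lower() for m in PS_SUSPICIOUS_FLAGS.findall(cmd)})
            if hits:
                reasons.append("suspicious PowerShell switches: " + ", ".join(hits))
        else:
            continue
        if parent_exe in SCRIPT_HOST_PARENTS:
            reasons.append(f"spawned by script host {parent_exe}")
        if any(d in parent for d in USER_WRITABLE_DIRS):
            reasons.append(f"parent runs from user-writable location: {parent}")
        if reasons:
            findings.append(Finding(i, "high" if len(reasons) > 1 else "medium", reasons))
    return findings


if __name__ == "__main__":
    for f in ntlm_findings(SAMPLE_EVENTS) + process_findings(SAMPLE_EVENTS):
        print(f"event {f.event_index} [{f.severity}]: " + "; ".join(f.reasons))
```

Run against the constructed sample, the script reports both NTLM logons (alice for NTLMv1, the service account for an external source), stays silent on the Kerberos logon and the node.exe server started from its install path, and raises the node.exe instance running from Temp under a downloaded installer and the PowerShell launched by wscript.exe with hidden-window and encoded-command switches. In production the same logic would sit over an EDR or SIEM feed, with the Kerberos migration tracked by the falling count of low-severity NTLM findings.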

CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
