Cyber Briefing: 2025.03.03
What's happening in cybersecurity today?
Lumma Stealer, Fake CAPTCHA Images, Ransomware Gangs, Paragon Partition Flaws, Apple Kernel, Njrat Malware, Microsoft Dev Tunnels, Google Ads, PayPal Checkout, Fraudulent Payment Scheme, Angel One, Amazon Web Services (AWS), POLSA Polska Agencja Kosmiczna | Polish Space Agency, Cyberattack, Swiss Cantonal Administration, Appenzell Innerrhoden, France, Bain-de-Bretagne, Singapore, HomeTeamNS, Ransomware Attack, Financial Losses, Third-Party Cyberattacks, Mass Exploitation Surge, Legacy Systems, Meta, Confidential Information, CPPA, BACKGROUND ALERT, INC.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
Cybersecurity researchers uncovered a widespread phishing campaign delivering Lumma Stealer malware through fake CAPTCHA images embedded in PDF documents. These PDFs were hosted on Webflow’s content delivery network and redirected victims to malicious websites, where they were tricked into executing PowerShell commands. The phishing scheme has affected over 1,150 organizations globally, primarily targeting sectors in North America, Asia, and Southern Europe, with attackers leveraging search engine optimization (SEO) tactics to drive traffic to their pages.
Microsoft has uncovered five vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver, with one flaw (CVE-2025-0289) actively exploited by ransomware gangs. These flaws, which allow attackers to escalate privileges, were used in "Bring Your Own Vulnerable Driver" (BYOVD) attacks where malicious kernel drivers are dropped on vulnerable systems. CERT/CC warns that these flaws can also cause denial-of-service scenarios and bypass security protections by executing commands with SYSTEM-level privileges.
Security researchers have uncovered a sophisticated exploit, Trigon, which takes advantage of CVE-2023-32434, an integer overflow vulnerability in Apple's XNU virtual memory subsystem. This exploit allows attackers to bypass Apple’s kernel integrity protections, such as KTRR and PPL, by manipulating physical memory mapping techniques on A10(X) devices. The flaw was first exploited during the Operation Triangulation campaign against Kaspersky researchers, revealing serious weaknesses in iOS’s memory management.
Security researchers uncovered a new campaign exploiting Microsoft’s Dev Tunnels service to facilitate command-and-control (C2) communications for the Njrat remote access trojan (RAT). By leveraging the trusted infrastructure of Dev Tunnels, attackers can mask their activities as legitimate developer traffic, evading traditional network defenses. This allows the malware to bypass IP/DNS reputation checks and utilize TLS encryption for further obfuscation.
Security researchers have identified a coordinated attack campaign exploiting vulnerabilities in Google’s advertising ecosystem and PayPal’s merchant tools to steal sensitive user data. The attackers deploy Google Search ads that impersonate PayPal’s official support channels, directing users to fraudulent PayPal pages designed to steal payment information. These malicious ads exploit a policy gap in Google’s Misleading Ad Design policy, which permits ads that share the same root domain as the landing page. By using PayPal’s no-code checkout tool, attackers create fraudulent payment pages that appear legitimate to users.
Indian stock brokerage Angel One recently revealed a data breach involving client information stored in its Amazon Web Services (AWS) account. The breach was detected after the company received an alert from a dark web monitoring partner on February 27, which led to the discovery of compromised AWS resources. Angel One immediately secured its AWS account by changing passwords and enlisted external experts to investigate the breach's scope and root cause.
Polish cybersecurity services detected unauthorized access to the Polish Space Agency's IT infrastructure, prompting an immediate response. Minister for Digitalisation Krzysztof Gawkowski confirmed the breach and stated that the agency's systems were secured and operational efforts are underway to identify the perpetrators. POLSA has disconnected its network from the internet to protect data, while Warsaw links the attack to Russia, a claim Moscow denies.
In Switzerland, a hacker gained access to an email account belonging to Ruedi Eberle, the treasurer of Appenzell Innerrhoden. The breach was quickly contained by the cantonal administration's security system, preventing further spread and ensuring no data loss or impact on other accounts. An immediate investigation was launched, and all relevant parties were informed about the incident.
Bain-de-Bretagne, a town in Ille-et-Vilaine, France, was the target of a significant cyberattack in late February 2025. Local authorities quickly identified the breach and initiated a thorough investigation to trace its origins. There is strong suspicion that the attack originated from Russia, but conclusive evidence is still pending as experts continue their analysis. The attack disrupted town operations and forced immediate emergency response measures.
HomeTeamNS, a Singapore-based non-profit for national servicemen, was hit by a ransomware attack discovered on February 25. The attack affected servers containing employee data and vehicle details of some members. The organisation immediately isolated the servers and found no evidence of data extraction, though it continues to monitor the situation. HomeTeamNS is working with cybersecurity experts and authorities to investigate the breach while taking steps to protect affected individuals and strengthen its network security.
Cyber News
U.S. authorities recently recovered $31 million in cryptocurrency stolen during the 2021 Uranium Finance cyberattacks. The attacks targeted the Binance Smart Chain-based DeFi protocol, exploiting vulnerabilities in the platform’s smart contracts to drain assets, resulting in massive investor losses. Blockchain intelligence firm TRM Labs played a key role in helping law enforcement trace the stolen funds, leading to their successful retrieval.
Meta fired about 20 employees after an investigation found they had leaked confidential company information. The company emphasized its strict policy against internal data sharing, regardless of intent. With leaks becoming a growing issue, Meta expects further firings in the future. Although the leaked content hasn't been disclosed, Meta's CEO, Mark Zuckerberg, has voiced frustration over the situation, and the company is taking further steps to limit information leaks and protect internal discussions.
The California Privacy Protection Agency (CPPA) has mandated the closure of Background Alert, a data broker, for failing to comply with the state’s Delete Act. This unprecedented action follows the company’s failure to register with the state, despite utilizing billions of public records to create and sell personal profiles. Background Alert has been accused of making invasive inferences about individuals, which can violate privacy rights and potentially target vulnerable populations like immigrants and patients seeking reproductive care.
In 2024, third-party cyberattacks became a significant contributor to material financial losses, with 31% of insurance claims and 23% of material losses linked to these incidents. Notably, ransomware attacks targeting vendors, such as the one on CDK, caused widespread financial damage across multiple sectors, including automotive. Despite ransomware being the leading cause of losses, phishing-related claims saw a 55% decline, signaling the growing effectiveness of phishing defenses.
GreyNoise Intelligence’s 2025 report reveals how mass exploitation of vulnerabilities has surged, with attackers industrializing their methods at scale. The report identifies key exploited vulnerabilities and emphasizes the need for real-time intelligence to keep up with rapid exploitation. One of the most alarming findings is the large-scale exploitation of vulnerabilities from as far back as the 1990s, highlighting the growing importance of proactive defense mechanisms and prompt patching. GreyNoise urges organizations to move from reactive to proactive security postures to defend against these fast-moving threats.
Copyright © 2025 CyberMaterial. All Rights Reserved.