Critical Infrastructure & ICS Security
- ICS/OT Security Budgets Rising But Critical Areas Underfunded: 55% of organizations report budget increases over past two years, but only 9% dedicate full-time staff to ICS/OT security. Network visibility monitoring and secure remote access remain underfunded despite high ROI potential. 25% of organizations experienced security incidents involving OT or control systems in the past year. Most common attack vector: compromised IT environments allowing pivot to OT networks (57%).
- Intel TDX Connect Addresses CPU-GPU Security Gap: New technology expands Trust Domain Extensions beyond CPUs to supporting devices including GPUs, creating encrypted hardware-protected connections with secure direct memory access. NVIDIA plans support on Blackwell platform, while Microsoft will incorporate it into future Azure confidential VMs.
- Nine Threat Groups Active in OT Operations: Dragos identified two new groups targeting industrial systems: Iran-linked "Bauxite" (operating as CyberAv3ngers) and Russia-linked "Graphite" (also known as APT28). Four groups demonstrated advanced ICS attack capabilities. Ransomware attacks against industrial organizations increased 87% compared to 2023, with 80 different groups targeting such entities.
- Vo1d Botnet Controls 1.6 Million Android TV Boxes: The botnet has significantly expanded with enhanced stealth and anti-detection features, including RSA encryption for C&C communications. Primarily used for proxy services and ad/click fraud, it could generate significant revenue for operators. Brazil hosts nearly 25% of infected devices, followed by South Africa (13%) and Indonesia (10%).
Vulnerabilities & Exploits
- Broadcom Patches Three VMware Zero-Days: Vulnerabilities in VMware ESXi, Workstation, and Fusion products are being actively exploited in attacks. The most severe (CVE-2025-22224) is a critical VMCI heap overflow allowing attackers with local VM admin privileges to execute code as the host's VMX process. Microsoft reported the vulnerabilities, which appear to have been used in targeted attacks.
- Google Patches Exploited Android Vulnerabilities: March 2025 update addresses over 40 vulnerabilities, including two actively exploited: a Framework component bypass (CVE-2024-43093) and a Linux kernel vulnerability (CVE-2024-50302) that, according to Amnesty International, was likely used by Cellebrite to bypass Android lockscreens.
- Amnesty Reveals Cellebrite Android Exploit: Technical details released on zero-day vulnerabilities used by Cellebrite to break into a Serbian student activist's locked Android device. The sophisticated exploit chain targets core Linux USB drivers, potentially affecting over a billion Android devices. Google's threat team worked to mitigate the issues.
- Vulnerabilities Patched in Qualcomm, Mediatek Chipsets: Qualcomm's March bulletin details 14 security defects, including seven critical-severity memory corruption issues. Mediatek fixed 10 vulnerabilities across dozens of chipsets. Both companies shared patches with OEMs recommending deployment on released devices.
- Vulnerable Paragon Driver Exploited in Ransomware Attacks: Ransomware operators are using the Paragon Hard Disk Manager driver (Biontdrv.sys) to elevate privileges. The "Bring Your Own Vulnerable Driver" technique allows exploitation even when Paragon software isn't installed, since the driver is Microsoft-signed.
- Sites Abused in Spam Campaign Exploiting Virtual Tour Software: Over 350 websites compromised in a massive campaign exploiting a reflected XSS vulnerability (CVE-2020-24901) in Krpano virtual tour software. Attackers redirect users from legitimate pages to sites promoting adult content, diet products, and online casinos.
- CISA Warns of Oracle Agile PLM Vulnerability Exploitation: Agency added CVE-2024-20953 to its Known Exploited Vulnerabilities catalog. The high-severity deserialization issue allows low-privileged attackers to execute arbitrary code and take over the software. Federal agencies are directed to address it by March 17.
Ransomware & Cybercrime
- Qilin Ransomware Claims Lee Enterprises Attack: Group has taken credit for the February cyberattack that disrupted operations at approximately 75 local newspapers across the United States. They claim to have obtained 350GB of sensitive files and are threatening to release the data unless a ransom is paid.
- Black Basta Leak Reveals Group's Operations: A 47MB JSON file containing over 200,000 internal chat logs has been leaked, providing insight into the ransomware group's operations from September 2023 to September 2024. Logs reveal operational procedures and suggest the group may have "crossed the line" by targeting Russian banks.
- Mimic Raises $50M for Ransomware Defense: The startup secured Series A funding led by Google Ventures and Menlo Ventures, bringing its total raised to $77 million. The company has developed a platform for detecting and stopping ransomware attacks in real-time, along with a "Signal Generator" to safely simulate ransomware impacts for security posture improvement.
- New Anubis Ransomware Emerges as Significant Threat: Kela warns about this new ransomware-as-a-service operation with a comprehensive affiliate program offering three distinct options. The ransomware targets Windows, Linux, NAS, and ESXi environments. While currently listing only four victims, two are healthcare institutions.
- US Seizes $31M in Stolen Cryptocurrency: Authorities recovered approximately $31 million worth of cryptocurrency stolen during the 2021 Uranium Finance hack. Blockchain intelligence firm TRM Labs traced funds that had been laundered through Tornado Cash and multiple decentralized exchanges before being moved again in early 2024.
- FBI Confirms North Korea Behind $1.5B Bybit Hack: The agency attributed the massive cryptocurrency exchange hack to a threat actor known as TraderTraitor (associated with Lazarus group). The attackers compromised Safe{Wallet} infrastructure by targeting a developer's machine and replacing a JavaScript file with malicious code. Only $42 million (3%) has been recovered so far.
Nation-State Activity
- Poland's Space Agency Hit by Cyberattack: POLSA has disconnected its network from the internet following unauthorized access to its IT infrastructure. Though the attack type isn't specified, the network disconnection suggests a possible ransomware incident. Given Poland's support for Ukraine, a nation-state attack cannot be ruled out.
- CISA: No Change in Defending Against Russian Cyber Threats: Agency publicly stated there has been "no change in our posture" regarding detection and disruption of Russian APT groups, following reports that the Trump administration paused offensive cyber operations against Russia.
- EU Sanctions North Korean Hacking Leader: The European Union imposed sanctions on Lee Chang Ho, head of North Korea's Reconnaissance General Bureau, for coordinating soldiers deployed in Ukraine and leading cyberattack units including Lazarus and Kimsuky groups. The US previously designated Lee in December 2024.
- Hacker Behind 90+ Data Leaks Arrested in Thailand: A 39-year-old Singaporean man operating under aliases including 'Altdos' and 'Desorden' was arrested for orchestrating more than 90 data leaks targeting organizations worldwide. The suspect leveraged SQL injection tools and vulnerable RDP servers to gain unauthorized access.
- Chinese Botnet Targets Microsoft 365 Accounts: SecurityScorecard discovered a sophisticated Chinese-linked botnet using over 130,000 compromised devices for password spraying attacks. The attacks exploit non-interactive sign-ins with Basic Authentication, which often bypass multi-factor authentication protections.
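The item above turns on two properties of the attack: the sign-ins are non-interactive over legacy protocols (so no MFA prompt is ever shown), and the volume is spread across a very large number of source devices (so a per-IP failure counter sees only a trickle). The following is an added example, not code from SecurityScorecard or from the page, showing how a defender can spot both patterns in sign-in telemetry. The record fields (`time`, `user`, `ip`, `client_app`, `interactive`, `status`) are a simplified assumption loosely modelled on Entra ID sign-in log columns, the sample records are constructed, and the set of legacy client-app labels is an assumption about which protocols carry basic authentication.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client-app labels assumed to indicate legacy/basic-auth protocols (assumption,
# modelled on the "Client app" values seen in Entra ID sign-in logs).
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients",
    "MAPI Over HTTP", "Exchange Web Services", "Exchange Online PowerShell",
}

# Constructed sample sign-in records (documentation IP ranges, fictitious users).
SAMPLE_SIGNINS = [
    # Distributed spray: one attempt per source IP, each against a different account.
    {"time": "2025-03-01T02:00:01Z", "user": "alice@example.com", "ip": "203.0.113.10", "client_app": "IMAP4", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T02:00:09Z", "user": "bob@example.com",   "ip": "203.0.113.11", "client_app": "IMAP4", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T02:00:20Z", "user": "carol@example.com", "ip": "203.0.113.12", "client_app": "IMAP4", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T02:00:31Z", "user": "dave@example.com",  "ip": "203.0.113.13", "client_app": "IMAP4", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T02:00:44Z", "user": "erin@example.com",  "ip": "203.0.113.14", "client_app": "IMAP4", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T02:01:02Z", "user": "frank@example.com", "ip": "203.0.113.15", "client_app": "IMAP4", "interactive": False, "status": "success"},
    # Single-IP spray over SMTP: one source walking through several accounts.
    {"time": "2025-03-01T03:10:00Z", "user": "gina@example.com",  "ip": "198.51.100.7", "client_app": "Authenticated SMTP", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T03:11:00Z", "user": "hank@example.com",  "ip": "198.51.100.7", "client_app": "Authenticated SMTP", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T03:12:00Z", "user": "ivy@example.com",   "ip": "198.51.100.7", "client_app": "Authenticated SMTP", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T03:13:00Z", "user": "jack@example.com",  "ip": "198.51.100.7", "client_app": "Authenticated SMTP", "interactive": False, "status": "failure"},
    {"time": "2025-03-01T03:14:00Z", "user": "kim@example.com",   "ip": "198.51.100.7", "client_app": "Authenticated SMTP", "interactive": False, "status": "failure"},
    # Benign traffic: an interactive browser logon and a modern-auth token refresh.
    {"time": "2025-03-01T08:00:00Z", "user": "bob@example.com",   "ip": "192.0.2.5", "client_app": "Browser", "interactive": True, "status": "success"},
    {"time": "2025-03-01T08:05:00Z", "user": "carol@example.com", "ip": "192.0.2.6", "client_app": "Mobile Apps and Desktop clients", "interactive": False, "status": "success"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_legacy_noninteractive(record):
    """True for the sign-in shape MFA cannot intercept: legacy protocol, no user prompt."""
    return record["client_app"] in LEGACY_CLIENT_APPS and not record["interactive"]


def detect_single_ip_spray(records, min_accounts=5, window=timedelta(minutes=30)):
    """Classic spray: one source IP touching many distinct accounts over legacy
    protocols inside `window`. Returns {ip: set(users)} for each offending IP."""
    by_ip = defaultdict(list)
    for r in records:
        if is_legacy_noninteractive(r):
            by_ip[r["ip"]].append((parse_time(r["time"]), r["user"]))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = users
                break
    return alerts


def detect_distributed_spray(records, min_accounts=5, min_ips=5, window=timedelta(minutes=15)):
    """Botnet-style spray: failures against many accounts from many IPs in one burst.
    Aggregating tenant-wide (not per IP) is what makes a low-and-slow spray visible.
    Returns a list of bursts, each with first_seen, users and ips."""
    events = sorted(
        (parse_time(r["time"]), r["user"], r["ip"])
        for r in records if is_legacy_noninteractive(r) and r["status"] == "failure"
    )
    alerts, start = [], 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        users = {u for _, u, _ in events[start:end + 1]}
        ips = {ip for _, _, ip in events[start:end + 1]}
        if len(users) >= min_accounts and len(ips) >= min_ips:
            alerts.append({"first_seen": events[start][0], "users": users, "ips": ips})
            start = end + 1  # report each burst once
    return alerts


def legacy_auth_successes(records):
    """Successful non-interactive legacy sign-ins: each one completed with no MFA
    step, so every hit is a candidate compromised credential regardless of volume."""
    return [r for r in records if is_legacy_noninteractive(r) and r["status"] == "success"]


if __name__ == "__main__":
    print("single-IP spray:", detect_single_ip_spray(SAMPLE_SIGNINS))
    for burst in detect_distributed_spray(SAMPLE_SIGNINS):
        print("distributed spray from", len(burst["ips"]), "IPs against", sorted(burst["users"]))
    for hit in legacy_auth_successes(SAMPLE_SIGNINS):
        print("legacy-auth success to review:", hit["user"], "from", hit["ip"])
```

The per-IP detector alone misses the distributed case entirely (every botnet node hits a single account), which is why the second function aggregates tenant-wide on distinct accounts and distinct sources. The third function is the one worth paging on: a successful legacy-protocol sign-in is a logon that MFA never saw. The durable fix is to disable basic/legacy authentication for the tenant so such sign-ins cannot succeed at all; the detection remains useful to confirm the block is effective and to catch exceptions.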
- New "Auto-Color" Linux Malware Targets North America, Asia: Palo Alto Networks identified this backdoor malware primarily targeting universities and government entities. Once deployed, it grants operators complete remote access and uses sophisticated evasion techniques including harmless-looking file names and proprietary encryption algorithms.
Corporate Security News
- CrowdStrike Reports 26 New Threat Groups in 2024: The company tracked 257 total adversaries, with China-linked activity surging 150% across all sectors. The "breakout time" for cybercrime intrusions dropped to just 48 minutes (from 62 minutes in 2023), with the fastest observed taking only 51 seconds. 79% of detections were malware-free, with identity-based attacks increasingly favored.
- Aryon Security Debuts Cloud Misconfiguration Prevention: Tel Aviv-based startup emerged from stealth with $9 million in seed funding. Founded by former members of Israel's Matzov unit, the company developed a platform for identifying and remediating misconfigurations before data is deployed to the cloud.
- Jamf to Acquire Identity Automation for $215M: Apple device management specialist announced plans to acquire the identity and access management provider. The deal will incorporate Identity Automation's cloud-based IAM platform into Jamf's ecosystem, with particular value for educational environments where roles frequently change.
- Indian Stock Broker Angel One Discloses Breach: The company confirmed a data breach affecting client information stored in its AWS account. While specific details about compromised data weren't disclosed, Angel One assured customers their "securities, funds and credentials" remain secure. The disclosure had immediate financial consequences, with shares dropping over 11%.
- 3.3 Million Impacted by DISA Data Breach: Employee screening giant DISA Global Solutions disclosed that hackers accessed a portion of its network between February and April 2024. The stolen information included names, Social Security numbers, driver's license numbers, and financial account information of current or former employees of organizations using DISA's screening services.
- Skybox Security Shuts Down: The cybersecurity startup abruptly closed operations and laid off its entire workforce of approximately 300 employees, despite raising over $300 million in venture funding. Rival firm Tufin acquired Skybox's business and technology assets, launching a program to help former customers transition.
AI Security Developments
- AI Asset Inventories Becoming Urgent: Security experts urge organizations to create comprehensive AI asset inventories as unauthorized tool usage becomes a "ticking time bomb." The need is growing as employees integrate AI tools into workflows, sometimes unknowingly exposing sensitive data to third-party models.
- Microsoft Names Suspects in AI Hacking Lawsuit: The company identified four individuals allegedly part of Storm-2139, a network that abuses AI services to generate deepfakes and harmful content. The operation involves creators who develop tools, providers who modify and supply them, and users who generate content, often centered around celebrities and sexual imagery.
- Quantum Computing Race Accelerates: Three tech giants unveiled breakthrough quantum chips: Google's Willow, Microsoft's Majorana 1, and Amazon's Ocelot. Each takes a different approach to solving quantum computing's fundamental challenge of error correction. Industry experts note that while Willow and Ocelot refine existing superconducting architectures, Majorana 1 represents a more experimental approach.
- Dreadnode Secures $14M for Offensive AI Security: The startup raised Series A funding to develop tools for stress-testing AI systems against potential exploits. The company offers "Strikes" (an AI agent training ground) and "Spyglass" (an AI red teaming product for continuous auditing of deployed AI systems). The investment reflects growing concerns about AI security as technologies are deployed at scale.
Industry Analysis & Trends
- The Hidden Cost of Compliance: Organizations in heavily regulated sectors are spending so much time responding to regulatory findings that they barely focus on actual security improvements. This counterproductive cycle stems from regulatory shortcomings including unintended consequences, rigidity, lack of timeliness, and bureaucratic inertia.
- Why Security Failures Repeat: Despite high-profile breaches making headlines for decades, organizations continue to fall victim to the same fundamental security mistakes. Five persistent catalysts: poor network segmentation, weak credential hygiene, excessive permissions, "compliance complacence," and effective social engineering.
- OpenSSF Releases Security Baseline for Open Source Projects: The Open Source Security Foundation established minimum security requirements for open source software. The initiative provides a tiered framework of best practices designed to grow alongside projects as they mature, with all projects encouraged to achieve at least level 1 requirements.
- Qualcomm Extends Security Support to 8 Years: The company announced a significant extension to its security support timeline for Android devices, working with Google to enable smartphone manufacturers to provide updates for up to eight years, doubling its previous four-year window. The program includes two upgrades to the Android Common Kernel to support the extended timeframe.
- M&A Activity Remains Strong: 28 cybersecurity merger and acquisition deals were announced in February 2025, following 405 transactions in 2024. Significant deals included A10 Networks' acquisition of ThreatX Protect, CyberArk's $165 million purchase of Zilla Security, and Drata's agreement to acquire SafeBase for $250 million.
Privacy and Regulatory Concerns
- Gabbard Criticizes Britain's Apple iCloud Demands: Director of National Intelligence Tulsi Gabbard expressed "serious concerns" about the British government's reported demand that Apple provide backdoor access to data stored in iCloud. The controversy emerged after Apple announced it would stop offering Advanced Data Protection for British users following a secret order from British security officials.
- Edera Banks $15M for Kubernetes Workload Isolation: Seattle-based startup secured Series A funding to develop technology that mitigates lateral movement in Kubernetes environments. The company's product uses cloud-native Type 1 hypervisor technology to provide hard isolation for each container, preventing container escapes with minimal configuration changes.
- In Brief: Google Cloud outlined its post-quantum computing strategy for encryption products. UK water provider Southern Water disclosed that a Black Basta ransomware attack cost £4.5 million ($5.6 million). The FTC is notifying nearly 3.7 million Avast customers eligible for compensation as part of a $16.5 million settlement over deceptive privacy claims. Krispy Kreme revealed last year's ransomware attack cost approximately $11 million.