March 24th - 27th, 2025 Top Cybersecurity News Summary
This week's summary of the news you missed from the CyberHub Podcast and CISO James Azar.
After a week in Israel at CyberTech. I am excited to share the latest cyber news summary.
Below is this week’s summary of the CyberHub Podcast’s latest cybersecurity news and events, organized by story type. After these summaries, you’ll find a comprehensive action list with clear calls to action to help you address these evolving threats.
Critical Vulnerabilities and Exploits
Veeam Remote Code Execution Vulnerability
A remote code execution flaw (CVE-2025-23120) in Veeam Backup and Replication allows attackers to exploit deserialization weaknesses. Given Veeam’s central role in rapid incident recovery, the podcast stresses immediate patching—attackers commonly scan for these flaws as soon as they are disclosed.
GitHub Supply Chain Attack
Threat actors compromised the popular GitHub Action “tj-action/changed-files,” tampering with it to dump secrets and authentication tokens. This underscores the threat of malicious commits in open-source dependencies and the need to diligently inspect third-party code.
Kubernetes Ingress “Ingress Nightmare”
Researchers found five critical flaws (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974) in the Ingress NGINX Controller. Attackers can use these vulnerabilities to achieve remote code execution or exfiltrate sensitive cluster secrets.
Google Chrome Sandbox Escape
A newly exploited browser flaw (CVE-2025-2783) enabled remote code execution if victims clicked malicious links. Named “Operation Forum Troll,” the campaign mainly targeted Russian entities, and Google promptly released a security patch.
Microsoft Management Console Zero-Day
EncryptHub ransomware operators exploited CVE-2025-26633 in the Microsoft Management Console (MMC). This zero-day lets malicious .msc files bypass file reputation checks, enabling stealthy ransomware deployment.
CrushFTP, VMware Tools, and NIST Backlogs
CrushFTP’s newly discovered HTTP port vulnerability can give remote attackers direct server access.
VMware Tools for Windows has an authentication bypass flaw (CVE-2025-2332) requiring urgent updates.
Meanwhile, NIST struggles to keep pace with a surge in new CVEs, illustrating the overwhelming volume of newly discovered exploits.
Ransomware and Advanced Threat Campaigns
Medusa Ransomware’s Malicious Driver
Elastic Security Labs found Medusa ransomware using a malicious driver—signed with stolen certificates—to disable endpoint detection tools. The driver impersonates a legitimate CrowdStrike Falcon driver, reflecting how attackers now leverage kernel-level methods to evade discovery.
Van Helsing Ransomware-as-a-Service
A new RaaS offering called Van Helsing targets Windows, Linux, BSD, ARM, and ESXi systems. By pairing a ChaCha20-based encryption routine with flexible command-line options, it caters to both hardened criminal groups and newcomers.
Ransomware Attack Trends and Payment Dip
Although ransomware attacks are on the rise, overall ransom payments are declining as more organizations refuse to pay. However, adversaries are intensifying their focus on industrial Internet of Things (IoT) and operational technology (OT) networks.
Red Curl’s Ransomware Pivot
Corporate espionage group Red Curl now deploys ransomware (“QWCrypt”) to encrypt Hyper-V virtual machines. Traditionally known for long-term stealthy data exfiltration, Red Curl’s shift to ransomware signals broader interest among espionage operators to intensify disruption if needed.
Global Incidents and Breaches
Virginia Attorney General’s Office Breach
The Cloak ransomware gang leaked stolen data after failing to extort payment. This highlights the reputational and legal risks that follow public data leaks when ransom demands go unmet.
Ukraine CERT Alerts and Major Disruptions
Ukraine’s CERT warns of the Dark Crystal RAT targeting defense industrial workers through the Signal messaging app.
Separately, Ukraine’s National Railway Operator was forced to use manual ticketing amid a cyberattack. Although disruptions occurred, core train services continued—a testament to effective continuity measures under crisis.
Malaysia Airport Ransom Demand
Kuala Lumpur International Airport faced an IT disruption and a $10 million ransom demand. Though operations continued, the breach spotlights the importance of backup processes and transparent communication in high-profile attacks.
23andMe Files for Bankruptcy
A severe data breach—coupled with existing financial troubles—drove the genetic testing pioneer to Chapter 11 bankruptcy. Regulatory bodies advised users to delete or request the destruction of stored DNA samples, showing how critical the trust factor is in data-centric businesses.
StreamElements Third-Party Exposure
A breach at a former third-party provider leaked names, emails, and phone numbers of about 210,000 users. Although StreamElements’ main servers weren’t compromised, the incident underscores the vulnerability of external partners retaining user data.
Oracle Denies Cloud SSO Breach
A threat actor known as “Rose87168” claims to have compromised Oracle Cloud, leaking credentials and LDAP data. Oracle denied the breach, but some indicators suggest the data could be authentic, leaving customers to watch for further developments.
Astral Foods’ $1.1M Loss
A leading South African poultry producer invoked disaster recovery protocols after a cyber incident cost the company over $1 million within a week. While critical data was reportedly intact, the disruption exemplifies the steep operational toll of even short-lived breaches.
Government, Policy, and Legal Developments
Policy Discussion on Cybersecurity Reform
Professor Scott Shackelford advocates for broader government regulation, universal breach reporting, standardized frameworks for critical infrastructure, and clearer vendor accountability. The podcast host notes that excessive liability might hamper innovation but acknowledges the need for cohesive, coordinated strategies.
Clearview AI Settlement
Clearview AI settled a major class-action lawsuit over its facial recognition database for an estimated $50 million. Although the company may not afford the full payout, the settlement marks a pivotal moment in biometric data privacy legislation.
FCC Investigates Chinese Telecom Providers
The U.S. FCC is exploring whether blacklisted firms like Huawei, ZTE, Hikvision, and Dahua still operate within the U.S. through indirect avenues. This signals stricter telecom enforcement aimed at safeguarding critical infrastructure from foreign intelligence risks.
Pentagon Cyber Policy Appointment
Catherine Sutton, Chief Technology Advisor at U.S. Cyber Command, was nominated for Assistant Secretary of Defense for Cyber Policy. This civilian role will centralize and coordinate cybersecurity oversight across the Department of Defense.
Defense Contractor Fines
Morse Corp. agreed to pay $4.6 million under the False Claims Act for misrepresenting its cybersecurity maturity on government contracts. An external audit revealed a wide gap between self-reported compliance and actual practices.
Threat Actors and Malware Tools
WeaverAnt’s Zyxel Router Exploit
A China-linked APT dubbed WeaverAnt compromised Zyxel CPE routers at various Asian telecom providers. By deploying custom web shells, such as the “InMemory” shell, they achieve near-stealth infiltration and maintain persistence.
Famous Sparrow’s Advanced Attacks
This China-associated group deployed proprietary backdoors like “SparrowDoor” and the notorious “ShadowPad.” The recent activity against a U.S. trade group and Mexican research institute illustrates a continual push by Chinese-aligned attackers to expand their network footholds.
Phishing Campaign Targets Counter-Strike 2
Attackers use deceptive browser-in-the-browser pop-ups mimicking Steam logins to harvest credentials. Videos and eSports-themed websites lure gamers into unwittingly divulging passwords and even bypassing multi-factor authentication.
Business and Technology Highlights
OpenAI’s $100K Bug Bounty
OpenAI increased its top bug bounty to $100,000, hoping to attract seasoned security researchers. As AI systems grow more complex, the initiative highlights the importance of engaging with external talent to secure these emerging technologies.
Island Nets $250M, Near $5B Valuation
The enterprise browser startup Island secured a massive funding round, underscoring ongoing investor enthusiasm for specialized secure browsers. With competition from established vendors, Island’s success signals a robust market for tailor-made browser security solutions.
Comprehensive Action List
Below is a consolidated set of action items, distilled from all the stories above. Take proactive steps now to safeguard your organization and stay ahead of emerging threats:
Patch Veeam Backup and Replication Immediately
Update to the newest version to close the remote code execution gap (CVE-2025-23120).
Call to Action: Coordinate with IT teams to schedule immediate downtime and apply patches.Review GitHub Integrations
Audit GitHub Actions and personal access tokens to detect any malicious commits, especially “tj-action/changed-files.”
Call to Action: Implement strict permissions and use automated scanning tools to verify repository integrity.Harden EDR Systems Against Malicious Drivers
Examine drivers and certificates on endpoints, especially if you use CrowdStrike Falcon or similarly signed drivers.
Call to Action: Block known malicious drivers via group policy or endpoint allowlists.Evaluate Code-Signing Practices
Continuously verify that any code-signing certificates—internal or external—are legitimate and haven’t expired or been revoked.
Call to Action: Implement automated certificate lifecycle management to quickly spot anomalies.Secure Kubernetes Ingress Controllers
Apply official fixes for all “Ingress Nightmare” (CVE-2025-24513, -24514, -1097, -1098, -1974) issues before attackers can exploit them.
Call to Action: Run vulnerability scans on Kubernetes clusters and prioritize patch deployments.Update Browsers and Microsoft Systems
Patch Chrome (CVE-2025-2783) and the Microsoft Management Console (CVE-2025-26633) to block active exploitation paths.
Call to Action: Ensure automated patch updates are enabled for browsers and Windows servers alike.Secure CrushFTP, VMware Tools, and Other Critical Software
Upgrade to the latest CrushFTP v11 release to eliminate unauthorized HTTP port attacks.
Deploy VMware Tools 12.5.1 to address the authentication bypass flaw.
Call to Action: Maintain an up-to-date software inventory and institute patch cycles for critical tools.
Audit Telecom and Router Security
Remove banned or suspicious devices, patch Zyxel routers, and monitor network traffic for signs of WeaverAnt or similar APTs.
Call to Action: Perform a thorough hardware/software review of network equipment and isolate or replace untrusted devices.Implement Robust Business Continuity Plans
Prepare manual processes for ticketing, logistics, or any critical operations that could face a cyber shutdown.
Call to Action: Conduct regular drills simulating ransomware or infrastructure attacks.Review and Revoke Data Access
Especially for 23andMe or any recently compromised service, delete personal data as recommended by official advisories.
Call to Action: Perform internal data audits and confirm that ex-partners do not retain sensitive information.Segment OT and IoT Networks
Apply strict access controls and actively monitor industrial devices or sensors to prevent sabotage or data theft.
Call to Action: Deploy network segmentation, zero-trust principles, and strong device authentication.Strengthen Virtualization Security
Protect Hyper-V and ESXi environments against new ransomware variants like Van Helsing and Red Curl’s QWCrypt.
Call to Action: Enforce least-privilege for admin accounts and continuously update virtualization platforms.Hunt for Advanced Threat Actor Activity
Track TTPs of groups like Famous Sparrow, WeaverAnt, and Red Curl. Early detection can thwart sophisticated long-term intrusions.
Call to Action: Deploy threat intelligence feeds and behavioral analytics to spot abnormal network behavior.Maintain Honest Compliance and Governance
Avoid inflated cybersecurity maturity claims, as seen with Morse Corp.’s costly False Claims Act penalty.
Call to Action: Conduct third-party audits and document authentic security postures to align with regulations.Engage with Bug Bounties
Follow OpenAI’s lead by inviting ethical hackers to test your defenses. Higher rewards often yield better insights.
Call to Action: Launch or expand a bug bounty program; consider raising top payouts to attract experienced researchers.Monitor Browser Security Innovations
Track enterprise browsers (e.g., Island) for potential security enhancements over mainstream solutions.
Call to Action: Evaluate whether specialized browsers fit your environment’s security and compliance needs.Stay Current with CVEs and Reporting
Automate vulnerability scanning and intelligence gathering to keep pace with NIST’s burgeoning backlog.
Call to Action: Subscribe to CVE feeds, implement real-time vulnerability management, and regularly reassess critical systems.
🚨 Important Links to Follow:
👉Website:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.