Top Cybersecurity News Weekly Summary - Week of March 31st, 2025
Your Weekend Recap of the Latest Breaches, Threats, and Cybersecurity Updates. No need for any FOMO.
Happy Friday Security Gang,
If you missed any podcasts this week and have major FOMO, fear not: below you will find the latest cybersecurity stories you need to know.
Ransomware & Data Breaches
Sam’s Club (Walmart) Ransomware Allegations
The CLOP ransomware gang added Sam’s Club to its leak site, suggesting a breach involving Walmart’s membership-based retailer. Although Sam’s Club has not confirmed it, this episode underscores the broad impact of any compromise within large supply chains: untangling which interconnected systems or partners are hit often becomes a resource-draining process for affected enterprises.
Oracle Health Data Breach
Formerly Cerner, Oracle Health reported that a legacy data migration server was breached in February, involving threat actors who used compromised customer credentials. The fallout extends beyond Oracle’s direct customers, as more than thirty UAE government agencies and likely many other organizations worldwide rely on the same cloud infrastructure, highlighting the widespread repercussions of a single shared-service breach.
CheckPoint Data Allegedly for Sale
A threat actor named “core injection” posted on Breach Forums claiming to have exfiltrated Check Point credentials and source code. Although Check Point stated the stolen data is old and of limited scope, the attacker’s high price tag (around five bitcoins) indicates that stolen security vendor data can be both strategically and monetarily valuable.
Samsung’s German Ticketing Compromise
A hacker using stolen credentials—originally obtained via the “Raccoon” infostealer in 2021—accessed Samsung’s German ticketing support system, leaking over 270,000 customer records. This illustrates a recurring lesson about credential management: failing to rotate or retire known-compromised credentials can leave organizations exposed for years.
Minnesota Tribe Suffers Ransomware Attack
The Lower Sioux Indian Community experienced a crippling ransomware attack by “RansomHub,” disrupting healthcare operations, government services, and a tribal casino. The group is known for using malware with EDR kill capabilities, reminding defenders that modern ransomware can specifically target and neutralize security tools to maximize damage.
Royal Mail Investigates Potential Data Breach
Royal Mail is looking into claims that 144GB of stolen data—allegedly including PII, mailing lists, and operational details—was lifted from its third-party analytics partner, Spectus GmbH. Early indications point to stolen credentials as the attack vector, again emphasizing how vital strong authentication and vendor oversight are for every link in the supply chain.
Phishing & Social Engineering
“Lucid” Phishing-as-a-Service
Operated by a Chinese cybercriminal syndicate dubbed the Jinjin Group, Lucid enables mass SMS-based phishing by selling more than a thousand phishing domains and associated spam tools. This shift from email to text-message attacks highlights the need for organizations and users to broaden their security awareness programs to include mobile phishing risks.
Lazarus Group Targets Crypto Job Seekers
North Korea’s Lazarus Group has refined its phishing lures by masquerading as top crypto and financial firms like Coinbase and Kraken. By sending direct messages to job seekers and embedding malware in application files, Lazarus aims to steal victims’ crypto assets or gain deeper footholds, underscoring the importance of independently verifying job offers and scanning any attachments before opening.
Financial & Crypto Crimes
DOJ Seizes $8.2 Million in Romance Scam Proceeds
The U.S. Department of Justice, with help from blockchain analytics and Tether Limited, froze over $8 million in Tether (USDT) connected to romance-baiting scams. These fraudulent schemes lure victims onto fake investment platforms, and the success of this operation demonstrates how coordinated law enforcement and crypto-provider action can disrupt significant criminal revenues.
Espionage & Nation-State Attackers, Hacktivism & Geopolitical
Retaliatory Attack on the Moscow Subway
Shortly after Ukraine’s railway experienced disruption, hackers targeted Moscow’s subway website and app, defacing pages with messages referencing Ukraine’s railway operator. Russian authorities labeled it a “technical maintenance” issue, but the incident appears more like a classic hacktivist tit-for-tat, reflecting an ongoing trend of escalating digital conflict.
Canadian Hacker Arrested for Breaching Texas GOP
A Canadian national, Aubrey Cottle, was apprehended for allegedly hacking the hosting provider “Epik” tied to the Texas Republican Party. By stealing web server backups, he exposed sensitive personal data, which was then leaked publicly. This arrest underscores growing international collaboration to track and extradite cybercriminals, even across national borders.
Russian-Speaking Red Curl Threat Actor
Also known as Earth Kapre or Red Wolf, Red Curl traditionally engaged in corporate espionage but recently began deploying the QWCrypt ransomware to selectively encrypt virtualized infrastructure. Their tactic of targeting hypervisors while preserving access demonstrates an evolution in espionage groups blending data exfiltration with disruptive ransom methods.
North Korean IT Worker Infiltration in Europe
Posing as freelance developers, North Korean operatives have reportedly secured remote IT jobs in European nations such as Germany, Portugal, and the UK. By operating under false identities and funneling earnings back to Pyongyang, they also potentially create hidden backdoors in their employers’ systems, highlighting the need for strict identity verification in remote hiring.
General Nakasone’s Insights on China’s Cyber Threat
The former NSA and US Cyber Command leader warns of China’s relentless focus on embedding backdoors into U.S. critical infrastructure. Despite years of digital espionage, political complexities hamper the implementation of strong deterrence measures, underlining the persistent and strategic nature of China’s cyber campaigns.
Indiana University Professor’s Sudden Disappearance
Renowned cryptographer XiaoFeng Wang and his wife vanished from Indiana University and their residences, with subsequent FBI raids intensifying speculation about espionage or covert departure. While official details remain scarce, the situation raises concern over foreign influence and intellectual property theft in academic settings.
Vulnerabilities & Patches You Need to Know
Solar Energy Vulnerabilities
Researchers unearthed over 90 security flaws in solar infrastructure from vendors like Sungrow, Growatt, and SMA, cautioning that attackers could leverage these to destabilize power grids. As renewable energy adoption rises, so does the need for timely patching and continuous monitoring of devices critical to infrastructure resilience.
Firefox Vulnerability (Similar to Chrome Zero-Day)
Mozilla released patches for CVE-2023-28557, a sandbox escape vulnerability similar to a recent Chrome zero-day actively exploited in Russia. The flaw resided in Firefox’s IPC code on Windows, underscoring once again that organizations must keep multiple browsers up to date to avoid attacks through unpatched endpoints.
Splunk Security Updates
Splunk addressed multiple severe flaws in Splunk Enterprise and its Secure Gateway app, including CVE-2025-20229, which stemmed from a missing authorization check. Enterprises dependent on Splunk are urged to patch immediately or disable non-essential features, as incomplete patching can leave systems open to remote code execution.
CrushFTP Zero-Day Confusion
A critical zero-day in the CrushFTP file transfer tool sparked friction between the vendor and security researchers. Researchers assigned their own CVE (CVE-2023-2825), but CrushFTP claimed it had requested an official number already. The resulting back-and-forth highlights the challenges in coordinated disclosure and the importance of clear, timely vendor–researcher communication.
Ivanti Zero-Day Exploited
New malware dubbed “Resurge” exploits another zero-day in Ivanti’s Connect Secure product, allowing advanced threat actors to install persistent code that survives reboots. Ivanti’s recurring appearance in exploit reports underscores the product’s continued appeal for nation-state and cybercriminal groups alike, reinforcing the need for immediate patches and robust system monitoring.
Chrome 135 and Firefox 137 Critical Patches
Google and Mozilla both pushed out major browser updates, fixing high-severity memory safety bugs and awarding sizable bounties to contributors. Rapid deployment of these patches is crucial, as they address vulnerabilities that sophisticated attackers may quickly add to their exploit toolkits.
Scanning Spikes on Palo Alto GlobalProtect Login Portal
A surge in scanning activity—over 24,000 IP addresses—targeting Palo Alto Networks’ GlobalProtect login portal raises concerns about a potential zero-day or a soon-to-be-public exploit. Though unconfirmed, administrators should watch for patches and review configurations to mitigate any emerging threats.
Cisco Patches Critical Meraki and ECE Vulnerabilities
Cisco released critical fixes for denial-of-service flaws in its Meraki MX/Z-series devices and Enterprise Chat and Email products. Attackers could reboot VPN servers or disrupt critical services, making immediate firmware updates essential to maintain stable and secure network operations.
Google Quick Share Vulnerability on Windows
Tracked as CVE-2024-10668, this bug in Google’s Quick Share utility enabled unauthorized file transfers and denial-of-service attacks on Windows. Although earlier patches attempted to resolve it, the issue persisted until the latest update; users should upgrade promptly to fully mitigate the threat.
Verizon Call Filter Flaw Exposed Call Logs
A researcher discovered that Verizon’s Call Filter APIs and JWT tokens could be manipulated to reveal other subscribers’ call histories. Although swiftly patched, the incident shows how insufficient validation and misconfigurations in back-end systems can expose customer data to malicious actors.
Threat Actors, Malware & Attack Techniques
FIN7’s Python-Based ‘Anubis’ Backdoor
Infamous for large-scale financial theft, FIN7 unveiled a new Python-based backdoor dubbed “Anubis” that can disable security software (EDR/MDR) on Windows systems. By methodically terminating protective tools, FIN7 can operate under the radar, stressing the need for layered defenses that detect abnormal process behavior.
Updated ‘Hijack Loader’ Malware
Security analysts spotted a revamped version of Hijack Loader featuring call stack spoofing and enhanced obfuscation. These changes allow it to distribute second-stage payloads while evading sandbox detections, underlining an ongoing malware trend where attackers continuously refine tactics to bypass even advanced endpoint defenses.
Regulatory & Policy
UK Free Speech Concerns
Britain’s new Online Safety Act has sparked heated debates about balancing public safety with individual rights. While proponents claim it combats harmful online content, critics cite troubling cases of citizens being investigated over mere criticisms, warning that overly broad legal measures may chill open discourse and threaten democracy.
UK’s New Critical Infrastructure Reporting Rules
The UK government expanded its incident-reporting legislation, mandating organizations labeled as critical infrastructure to notify authorities of a breach within 24 hours and submit a detailed report within 72 hours. Though this aims to enhance swift response, some practitioners worry it prioritizes reporting over establishing unified security baselines such as the NIST or CIS Top 20 controls.
French Regulator Fines Apple $162 Million
France’s competition authority imposed a substantial penalty on Apple for potentially misusing its App Tracking Transparency feature, allegedly disadvantaging smaller advertisers. The fine demonstrates Europe’s ongoing willingness to leverage privacy and antitrust frameworks against major tech companies, forcing them to reconcile user protections with competitive fairness.
23andMe Bankruptcy and FTC Warning
Genetic testing firm 23andMe raised concerns by entering bankruptcy proceedings while holding vast repositories of personal DNA data. The Federal Trade Commission stressed the company’s responsibility to maintain privacy commitments, underscoring how corporate restructurings don’t absolve businesses from data security obligations.
Tools, Solutions & Industry News
Google’s End-to-End Encryption for Enterprise Gmail
Google introduced a simplified end-to-end encryption solution for Google Workspace users, aiming to balance robust security with user-friendly integration. This enhancement reduces dependence on older protocols like S/MIME while bringing Google’s offering closer to other secure email providers in terms of accessibility and usability.
Microsoft’s AI-Driven Vulnerability Research
Microsoft revealed that AI-powered copilot tools helped its threat intelligence teams discover 20+ critical flaws in open-source bootloaders (e.g., GRUB, U-Boot, Barebox). By automating code review and fuzzing, Microsoft cut manual workloads significantly, exemplifying AI’s growing role in proactive security research and rapid patch development.
GitHub Introduces Stronger Secret Protection
GitHub launched new features to detect exposed secrets—an urgent measure after identifying over 39 million secrets leaked across projects in a year. These capabilities can also be purchased as standalone tools, but experts still recommend pairing GitHub’s suite with third-party secrets-management solutions for a comprehensive approach.
Busy Month for Cybersecurity M&A
March saw 23 significant mergers and acquisitions, crowned by Google Cloud’s $32 billion buyout of Wiz. Deals involving Armis, Forcepoint, and Integrity360 reflect a market push toward integrated “best-in-suite” solutions, as security leaders increasingly seek consolidated platforms for centralized visibility and streamlined management.
ReliaQuest Secures $500M in Growth Funding
Security operations platform ReliaQuest attracted half a billion dollars in additional funding, bringing its total to around $830 million and valuing the firm at $3.4 billion. The investment underscores sustained confidence in cybersecurity, providing ReliaQuest the resources to expand its platform and scale globally to meet enterprise demands.
Child Exploitation & Law Enforcement
Major Takedown of “KidFlix” Child Exploitation Platform
Under “Operation STREAM,” German authorities and the European Cybercrime Centre dismantled what’s believed to be the largest streaming service for child sexual abuse material, with 1.8 million users globally. Nearly 3,000 electronic devices were confiscated and around 1,400 suspects identified, marking a major law enforcement triumph in the ongoing battle against online child exploitation.
Action Items
Rotate Credentials and Enable MFA: Prevent unauthorized lingering access (like in Samsung’s case) by regularly updating passwords and using multi-factor authentication.
Audit Your Supply Chain: Conduct thorough risk assessments of third- and fourth-party providers, emphasizing robust vendor monitoring and incident response.
Patch Crucial Systems: Apply updates for Splunk, solar energy products, Ivanti, CrushFTP, Chrome, Firefox, and Palo Alto GlobalProtect as soon as possible.
Enhance Browser Security: Keep all endpoints on current browser versions to shield against sandbox escape flaws and zero-day exploits.
Secure Your Email and Infrastructure: Consider Google’s new end-to-end encryption for Gmail and validate core systems for inbound scanning spikes or suspicious activity.
Stay Vigilant with Ransomware Threats: Conduct tabletop exercises, segment backups, and watch out for hypervisor-targeting strains like Red Curl’s QWCrypt.
Validate Unsolicited Offers: Warn employees—especially in crypto and finance—about fake job postings, and verify company details before downloading any attachments.
Prepare for New Regulations: If operating in the UK, align incident reporting procedures with upcoming 24- and 72-hour breach notification requirements.
Adopt AI-Assisted Testing: Consider using AI-driven code analysis and threat hunting to accelerate vulnerability discovery.
Support Global Cybercrime Takedowns: Partner with law enforcement where possible, especially for crimes involving child exploitation or large-scale dark web platforms.
Stay cyber safe