Attackers target Microsoft 365 ecosystem, root cause of recent GitHub attack identified, ten Pen Test findings that IT teams often ignore...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility
Recent reports indicate that threat actors are actively exploiting two critical vulnerabilities in Cisco’s Smart Licensing Utility, potentially compromising affected systems.
The two critical-rated vulnerabilities in question are listed below:
CVE-2024-20439 (CVSS score: 9.8) – The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system.
CVE-2024-20440 (CVSS score: 9.8) – A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API.
The impacted versions (2.0.0, 2.1.0 and 2.2.0) were patched by Cisco in September 2024. Version 2.3.0 of Cisco Smart Licensing Utility is not susceptible.
As of March 2025, threat actors have been observed attempting to actively exploit the two vulnerabilities.
Cyber Attacks
Attackers Leverage Fake CAPTCHAs and Malvertising to Distribute Lumma Infostealer Malware
Cybercriminals are employing deceptive tactics, such as fake CAPTCHA pages and malicious advertising (malvertising), to distribute the Lumma infostealer malware. This large-scale campaign exploits vulnerabilities in the digital advertising ecosystem, exposing thousands of users to credential theft and financial losses.
Users were directed to attacker-controlled sites and prompted to complete a range of fake authentication challenges. This resulted in them running a malicious PowerShell command on their device that ultimately installed the Lumma Stealer remote access trojan.
It was noted that executables were the most popular malware delivery type (43%), followed by archive files (32%).
Attackers Exploit Microsoft 365 Ecosystem for Business Email Compromise
Attackers are conducting business email compromise (BEC) campaigns by exploiting the trusted infrastructure of Microsoft 365 to execute credential harvesting and account takeover (ATO). Unlike traditional phishing, which relies on lookalike domains or email spoofing, attackers operate entirely within Microsoft’s ecosystem, bypassing security measures by using phishing lures that appear authentic. Because the phishing emails originate from a legitimate Microsoft domain, attackers can evade traditional detection methods, including domain reputation analysis, DMARC enforcement and anti-spoofing mechanisms.
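The practical consequence of the campaign above is that a DMARC pass can no longer be read as "trusted sender": the lure really does come from the domain it claims, it is just somebody else's Microsoft tenant. The following triage script is an added example (not from the original article or from any vendor) that parses Authentication-Results and From headers and flags messages that pass DMARC from a foreign Microsoft tenant domain, or whose display name borrows the organisation's brand while the address is external. The tenant domains, brand words and the three sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own tenant domains and
# the words a lure would typically drop into a display name.
OUR_DOMAINS = {"example.com", "example.onmicrosoft.com"}
BRAND_WORDS = ("example", "it support", "helpdesk")
MICROSOFT_TENANT_SUFFIX = ".onmicrosoft.com"


def auth_results(msg):
    """Collapse Authentication-Results headers into {method: result}.

    A header looks like:
      mx.example.com; spf=pass smtp.mailfrom=a.b; dkim=pass header.d=a.b;
      dmarc=pass action=none header.from=a.b
    The first clause is the authserv-id and is skipped.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:
            clause = clause.strip()
            if "=" not in clause:
                continue
            method, _, rest = clause.partition("=")
            value = rest.split()
            results[method.strip().lower()] = value[0].lower() if value else ""
    return results


def classify(raw_message):
    """Return the reasons a message deserves a second look.

    An empty list means none of these checks fired; it is not a verdict
    that the message is safe.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    results = auth_results(msg)
    reasons = []

    # A DMARC pass only proves the mail came from the domain it names.
    # When that domain is another organisation's Microsoft tenant, the
    # pass is exactly what the BEC campaign relies on, so treat it as a
    # signal rather than as a reason to trust the message.
    if (results.get("dmarc") == "pass"
            and sender_domain.endswith(MICROSOFT_TENANT_SUFFIX)
            and sender_domain not in OUR_DOMAINS):
        reasons.append("dmarc pass from a foreign Microsoft tenant")

    # Display name borrows our brand while the address is external.
    if sender_domain not in OUR_DOMAINS and any(
            word in display.lower() for word in BRAND_WORDS):
        reasons.append("display name impersonates our organisation")

    return reasons


# Constructed sample messages; not real campaign data.
LURE = """From: "Example IT Support" <admin@othertenant.onmicrosoft.com>
To: alice@example.com
Subject: Action required: password expiry
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=othertenant.onmicrosoft.com; dkim=pass header.d=othertenant.onmicrosoft.com; dmarc=pass action=none header.from=othertenant.onmicrosoft.com

Your password expires today. Sign in to keep access.
"""

INTERNAL = """From: "Example IT Support" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com

Maintenance window this Saturday.
"""

VENDOR = """From: "Bob Vendor" <bob@vendor-example.net>
To: alice@example.com
Subject: Invoice 1234
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor-example.net; dkim=pass header.d=vendor-example.net; dmarc=pass action=none header.from=vendor-example.net

Please find the invoice attached.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("internal", INTERNAL), ("vendor", VENDOR)):
        print(label, classify(raw))
```

The point of the first check is the inversion it encodes: a DMARC pass from a tenant you do not own is treated as a risk signal, not a trust signal, because the campaign above is built entirely out of mail that authenticates correctly.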
Medusa Ransomware Employs Malicious Driver to Evade Anti-Malware Protections
The Medusa ransomware-as-a-service (RaaS) operation has been observed utilizing a malicious driver, dubbed ABYSSWORKER, to disable anti-malware tools through a bring your own vulnerable driver (BYOVD) attack. In this method, the attackers deploy a loader packed with HeartCrypt, a packer-as-a-service, alongside a driver named “smuol.sys,” which mimics a legitimate CrowdStrike Falcon driver (“CSAgent.sys”). This driver is signed with likely stolen, revoked certificates from Chinese companies, allowing it to bypass security systems undetected. Once active, ABYSSWORKER can perform various operations, including terminating processes and drivers, effectively silencing different endpoint detection and response (EDR) vendors.
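A BYOVD loader like the one described above leaves a kernel driver load behind, and that is the event a defender can triage. The script below is an added example, not code from the article or from any vendor, that runs a few checks over records shaped like Sysmon Event ID 6 (DriverLoad): a file name matching the ABYSSWORKER driver named above, a signature status other than Valid, a driver loaded from outside the usual driver directories, and a file named like a well-known EDR driver but signed by someone else. The sample records, paths, signer strings and the "Revoked" status value are constructed for the example; the expected driver directories and signer keywords are assumptions to adjust per environment.

```python
import os

# Constructed records using the field names Sysmon reports for Event ID 6
# (DriverLoad). Real events arrive as XML/EVTX; only the fields this
# triage needs are reproduced. Paths and signer names are made up.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\CSAgent.sys",
     "Signature": "CrowdStrike, Inc.", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\smuol.sys",
     "Signature": "Example Shenzhen Tech Co., Ltd.", "SignatureStatus": "Revoked"},
    {"ImageLoaded": r"C:\ProgramData\tmp\CSAgent.sys",
     "Signature": "Unrelated Signer Ltd.", "SignatureStatus": "Valid"},
]

# Assumption: where kernel drivers are normally installed on this estate.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\program files\\")
# File name reported for the ABYSSWORKER driver in the Medusa campaign.
KNOWN_BAD_NAMES = {"smuol.sys"}
# Assumption: EDR driver names and a word expected in their legitimate signer.
EDR_DRIVER_SIGNERS = {"csagent.sys": "crowdstrike"}


def driver_name(path):
    """Lower-cased file name of a Windows path, portable across platforms."""
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(event):
    """Return the reasons a DriverLoad event is suspicious (empty = none)."""
    path = event["ImageLoaded"].lower()
    name = driver_name(path)
    findings = []

    if name in KNOWN_BAD_NAMES:
        findings.append("file name matches known ABYSSWORKER driver")

    # Anything other than Valid (expired, revoked, missing) is worth a look:
    # the campaign above relies on certificates that had been revoked.
    status = event.get("SignatureStatus", "")
    if status.lower() != "valid":
        findings.append(f"signature status is {status or 'missing'}")

    if not path.startswith(EXPECTED_DRIVER_DIRS):
        findings.append("loaded from outside the usual driver directories")

    # A driver wearing an EDR vendor's file name should carry that vendor's
    # signature; a mismatch is the name-mimicry the article describes.
    expected_signer = EDR_DRIVER_SIGNERS.get(name)
    if expected_signer and expected_signer not in event.get("Signature", "").lower():
        findings.append("EDR driver name with an unexpected signer")

    return findings


def triage_all(events):
    """Map ImageLoaded -> findings for every event that raised at least one."""
    report = {}
    for event in events:
        findings = triage(event)
        if findings:
            report[event["ImageLoaded"]] = findings
    return report


if __name__ == "__main__":
    for image, findings in triage_all(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Runs against real telemetry by mapping the Sysmon XML fields onto the same dictionary keys; the checks stay the same.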
In Other News...
10 Critical Network Pentest Findings IT Teams Often Overlook
A recent analysis of over 10,000 automated internal network penetration tests conducted by vPenTest has identified several critical security gaps commonly overlooked by IT teams. These vulnerabilities, often stemming from misconfigurations, missing patches, and weak passwords, can be exploited by attackers to gain unauthorized access, escalate privileges, and compromise sensitive data. Read the full list here.
If you conduct a pen test – make sure you do something with the findings!
Root Cause of GitHub Actions Supply Chain Attack Identified
A recent supply chain attack targeting GitHub Actions has been traced back to the compromise of the ‘reviewdog/action-setup’ action, which subsequently led to the breach of ‘tj-actions/changed-files.’ This cascading attack affected over 23,000 repositories, exposing Continuous Integration/Continuous Deployment (CI/CD) secrets.
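A cascading attack of this kind works because workflows reference actions by mutable tags, so whoever controls the upstream repository can change what `@v1` resolves to. The usual mitigation is to pin every third-party action to a full commit SHA, which cannot be retargeted. The scanner below is an added example, not code from the article or from GitHub, that finds `uses:` references in a workflow file and reports those pinned to a tag or branch instead of a 40-hex-character SHA. The sample workflow, its version tags and the placeholder SHA are constructed for the example.

```python
import re

# Matches a `uses:` line that references a remote action: owner/repo[/path]@ref.
# Local actions (./path) carry no @ref and docker:// references contain a
# colon, so neither matches.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s'\"]+)?)"
    r"@([^\s'\"#]+)",
    re.MULTILINE,
)
# A full commit SHA is the only immutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref):
    """True only when ref is a full 40-character commit SHA."""
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text):
    """Return (action, ref) pairs whose ref is a tag or branch, in file order."""
    return [(action, ref)
            for action, ref in USES_RE.findall(workflow_text)
            if not is_pinned(ref)]


# Constructed sample workflow. The SHA on the checkout line is a placeholder,
# not a real commit; the version tags are made up for the example.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - run: echo "build"
"""

if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Pinning to a SHA removes the retagging path but not the need to review what you update to; a trailing comment with the human-readable version (`# v45`) keeps the pinned line readable when bumping it.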