April 7, 2025

News roundup April 7, 2025

San Mateo, CA, April 7, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Cryptographer: CALEA backdoors enabled Volt Typhoon hack

According to cryptographer Matt Blaze, the 1994-enacted Communications Assistance for Law Enforcement Act (CALEA), which required companies to make their equipment compatible with court-ordered wiretaps, paved the way for Volt Typhoon’s major telecom hack. Blaze said that the architectural safeguards of the 1990s no longer exist. At a recent House Oversight and Government Reform Committee hearing, he stated that the systems are “designed to be remotely programmed, configured and managed often over the internet and at the same time the backhaul for wiretaps to law enforcement is no longer through dedicated leased lines but rather through internet connections that anyone potentially could get access to… And there are now intermediaries that serve essentially as wiretapping clearing houses between law enforcement and telecom providers … The job of the illegal eavesdropper has actually gotten significantly easier and to put it bluntly, something like Salt Typhoon was inevitable and will likely happen again unless significant changes are made to our infrastructure and our approach to protecting it.” Read more.

Microsoft: Tax-themed phishing attacks ramp up

Cybercriminals appear to be attempting to cash in on tax season. Microsoft warns that several phishing campaigns use “tax-related themes” to infect victims with malware and steal login credentials. “These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection,” Microsoft said in a report shared with The Hacker News. Email attacks use PDF attachments containing a URL that leads victims to a phony Docusign page with the option to view or download the document. “When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor,” Microsoft said. If access is allowed, the victim is sent a JavaScript file that downloads a Microsoft Software Installer that deploys malware. Users who are not deemed to be valuable enough to infect are sent a benign PDF document. Read more.

Ukraine blames Russia for railway cyberattack

The Ukrainian government has indicated that Russian-backed hackers are to blame for a recent cyberattack on Ukrzaliznytsia, the country’s state-owned railway system. Yevheniia Nakonechna, Head of the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), gave a press briefing about the incident, in which she called the incident “an act of terrorism.” Oleksandr Pertsovskyi, Chairman of the Board of Ukrzaliznytsia, said that “the cyber-attack on the company was targeted and meticulously planned,” but also went on to say that no trains were halted and operations are now fully back online. The attack used custom malware and was found to display “characteristics of Russian intelligence services.” Read more.

Triada trojan found preinstalled on fake Android phones

Kaspersky reports that a new version of the Triada trojan has been found preinstalled on thousands of Android devices. When the device is set up, the trojan steals data. The malware is turning up on counterfeit versions of Android-based smartphone models sold through online retailers at low prices. According to Kaspersky, the new version of Triada is more evasive than previous incarnations and can steal accounts, send and delete messages, track browsing history, swap links, hijack cryptocurrency wallets, block network connections, and more. The highly capable malware has been shown to have been used to steal at least $270,000 in cryptocurrency. The researchers believe that the retailers may not even be aware that they are selling weaponized devices and that the supply chain is compromised. Read more.

Oracle accused of obfuscation after dual breach reports

Oracle is under fire for how it is handling two security breaches, one of which seems to be still taking place despite the company denying it ever happened. A breach of Oracle Health that affected patient data was disclosed. However, the company has not provided much insight into the incident, and, according to TechCrunch, even employees are feeling left in the dark about the hack. The second breach relates to Oracle Cloud servers. A hacker posted on a cybercrime forum offering data from 6 million Oracle Cloud customers and provided data samples that customers said were genuine. While Oracle has denied that the cloud had been breached, experts believe that the company is “attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay.” Read more.

Firefox 137 patches critical memory flaws

Firefox 137, the latest version of Mozilla’s web browser, has been released and its arrival fixes many bugs including multiple high-severity vulnerabilities “that could potentially allow remote attackers to execute arbitrary code, trigger denial of service conditions, or elevate privileges on affected systems.” The patched vulnerabilities include CVE-2025-3028, a “high-impact use-after-free vulnerability” that “could be triggered when JavaScript code runs while transforming a document with the XSLTProcessor” to allow for the execution of arbitrary code. CVE-2025-3030 is a “critical memory safety bug present in Firefox 136 and other Mozilla products” that could also be used to execute code. CVE-2025-3034, a memory-corrupting vulnerability, was also fixed. All resolved issues affect all earlier browser versions, and updates for them have also been issued. Read more.

150,000 legitimate websites hijacked to push gambling

A campaign that infects legitimate websites with malicious JavaScript has compromised around 150,000 sites to promote Chinese-language gambling platforms. C/side documented their findings, reporting that “the threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor’s browser.” The firm says that “the campaign involves infecting websites with malicious JavaScript that’s designed to hijack the user’s browser window to redirect site visitors to pages promoting gambling platforms.” A variant of the campaign has also been found to be impersonating legitimate gambling sites via official logos and branding. According to c/side security analyst Himanshu Anand, “this attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation… Client-side attacks like these are on the rise, with more and more findings every day.” Read more.

DarkCloud emerges as top-tier Windows info stealer

DarkCloud malware emerged in 2022, and researchers are warning that it has been upgraded steadily since, making it one of the most prevalent and dangerous threats among Windows-targeting info stealers. Able to extract browser data, FTP credentials, screenshots, keystrokes, and financial information from infected systems, DarkCloud uses a “multi-stage infection process designed to evade detection.” DarkCloud is primarily spread via phishing campaigns, malvertising, and watering hole attacks. Infection campaigns frequently target HR administrators. “The impact has been significant, with numerous organizations falling victim to its data theft capabilities, losing browser data, cryptocurrency wallets, and credentials to attackers operating through Telegram channels.” Harvested data is exfiltrated through Telegram bots. Read more.

U.S. seizes $8.2 million in romance scam crackdown

TRM Labs has reported that U.S. authorities have recovered $8.2 million from scammers who used romance baiting tactics, also known as pig butchering schemes, to fool victims into making fraudulent investments. To track down the funds, TRM Labs says “the FBI used blockchain intelligence to trace the flow of funds across multiple platforms and networks – from centralized exchanges, to Ethereum and TRON, through DeFi protocols, and into final storage wallets… Despite complex laundering methods, the investigation revealed common routing patterns and wallet reuse that helped agents piece together the full laundering scheme.” Romance scammers use dating sites and social media to groom victims until they have their trust, then introduce them to fake investment opportunities that the criminals profit from. Read more.

Windows 11 testing remote boot crash recovery

Microsoft is testing a new tool within Windows 11 that is “designed to remotely deploy fixes for buggy drivers and configurations that prevent the operating system from starting.” Called Quick Machine Recovery, the tool is part of the company’s Windows Resiliency Initiative program. “With system failures, devices can sometimes get stuck in the Windows Recovery Environment (Windows RE), severely impacting productivity and often requiring IT teams to spend significant time troubleshooting and restoring affected machines,” Microsoft said. “With quick machine recovery, when a widespread outage affects devices from starting properly, Microsoft can broadly deploy targeted remediations to affected devices via Windows RE—automating fixes and quickly getting users to a productive state without requiring complex manual intervention.” Read more.


Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
