
April 10, 2025 – Cyber Briefing

👉 What’s going on in the cyber world today?

AWS EC2, Sensitive Metadata, IAM Credentials, AkiraBot, AI, Spam, Gladinet CentreStack, Remote Code Execution, APT32, GitHub, Poisoning Attack, CatB, Microsoft Distributed Transaction Coordinator, Sensata Technologies, Ransomware Attack, U.S. Office of the Comptroller of the Currency, Oregon Department of Environmental Quality, Algerian Hackers, Morocco, Fund, Ministry of Employment, Cyberattack, Brazil, Unidas Group, Hacktivist Message, CISA, Senator Wyden, Telecom Cybersecurity, Operation Endgame, Smokeloader, Portnox, Cloud Security, Zero Trust, IPFire, Post Quantum Cryptography, Non-Human Identity.



🚨 Cyber Alerts

1. SSRF Exploits Target AWS EC2 Instances

A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to access sensitive EC2 Metadata. The attackers used this flaw to retrieve IAM credentials from the older IMDSv1 endpoint, escalating privileges to control AWS services and potentially compromise sensitive data. The malicious activity, identified between March 13 and 25, 2025, followed a systematic approach, including rotating query parameters and subpaths to exfiltrate data.
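As an added defensive example (not code from the briefing or from the original incident report), the following Python scans constructed web access-log lines for requests whose query-parameter values point at the EC2 instance metadata endpoint, which is the pattern the campaign above relied on; it peels nested percent-encoding so rotated or double-encoded parameters are still caught. The log format, parameter names and sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not taken from the briefing or the report).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2025:10:01:02 +0000] "GET /fetch?url=https://example.com/a.png HTTP/1.1" 200 512
203.0.113.7 - - [14/Mar/2025:10:01:05 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 1337
203.0.113.7 - - [14/Mar/2025:10:01:09 +0000] "GET /proxy?dest=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252F HTTP/1.1" 200 420
198.51.100.9 - - [14/Mar/2025:10:02:00 +0000] "GET /fetch?url=http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 200 98
198.51.100.9 - - [14/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Well-known EC2 IMDS hosts (IPv4, IPv6 and the instance-data hostname).
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254", "instance-data"}

# Assumed combined-log-style line: client ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def mentions_imds(value: str) -> bool:
    """True if a parameter value, after peeling up to three layers of
    percent-encoding, contains an IMDS host."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    low = decoded.lower()
    return any(host in low for host in IMDS_HOSTS)

def find_imds_ssrf(log_text: str) -> list[dict]:
    """One finding per request whose query carries an IMDS host in any value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if mentions_imds(value):
                findings.append({"src": m["ip"], "ts": m["ts"], "path": parts.path,
                                 "param": name, "status": int(m["status"])})
                break  # one finding per request is enough for alerting
    return findings

if __name__ == "__main__":
    for finding in find_imds_ssrf(SAMPLE_LOG):
        print(finding)
```

A hit on a 200 response is the signal to check CloudTrail for use of that instance role from outside the instance and to require IMDSv2 (token-based access) on the affected instances.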

2. AkiraBot Spams 80K Sites Using AI Messages

AkiraBot, an AI-powered spamming tool, has successfully targeted over 80,000 websites since its inception in September 2024. Initially, the bot focused on Shopify-hosted sites but later expanded to include websites built on platforms like GoDaddy, Wix, and Squarespace. It generates unique spam messages using OpenAI’s GPT-4o-mini model, making the content appear more personalized and harder to filter out. By leveraging tools to bypass CAPTCHA protections, AkiraBot can mimic legitimate user activity, making it difficult for network detection systems to identify.

3. Hackers Exploit Gladinet CentreStack Flaw

Hackers have exploited a vulnerability in Gladinet CentreStack’s file-sharing software since March 2025. The issue, identified as CVE-2025-30406, allows attackers to execute remote code by abusing a hardcoded machineKey. Gladinet issued a security fix on April 3, 2025, urging users to update or rotate the key to prevent further exploitation. CISA has included this flaw in its Known Exploited Vulnerabilities catalog, with a deadline for federal organizations to apply fixes by April 29, 2025.

4. APT32 Targets Chinese Cybersecurity

APT32, also known as OceanLotus, has used GitHub to launch a targeted attack on Chinese cybersecurity professionals. The attackers embedded malicious code in Visual Studio project files, exploiting automatic loading mechanisms. They posed as a security researcher, sharing backdoored tools to bait victims within China’s cybersecurity community. The incident emphasizes the evolving threat landscape where even trusted platforms can be weaponized by state-sponsored actors.

5. CatB Ransomware Uses MSDTC for Payload

CatB ransomware, identified in late 2022, has gained attention for its sophisticated evasion tactics. Linked to the ChamelGang espionage group, it combines ransomware with cyber espionage to divert focus from its main objectives. The attack uses the Microsoft Distributed Transaction Coordinator (MSDTC) for stealthy payload execution and file encryption. Organizations must update security patches, use intrusion prevention, and regularly back up data to mitigate this growing threat.


💥 Cyber Incidents

6. OCC Reports Major Breach of Executive Emails

The U.S. Office of the Comptroller of the Currency (OCC) has reported a major email breach. Hackers gained unauthorized access to approximately 100 senior officials’ email accounts, compromising over 150,000 emails dating back to June 2023. The exposed data included highly sensitive financial information related to federally regulated institutions, potentially undermining public confidence in the sector. The OCC quickly responded, isolating the compromised systems and terminating unauthorized access, while launching an investigation into the breach’s full scope.

7. Oregon DEQ Cyberattack Disrupts Services

The Oregon Department of Environmental Quality (DEQ) experienced a cyberattack on Wednesday, forcing the agency to shut down its computer systems. As a result, vehicle inspection stations will remain closed through Friday, disrupting services. However, the DEQ’s online environmental data system, hosted on a separate server, was not affected by the attack. While no ransom demands have been made, the agency is working with cybersecurity experts to investigate and contain the breach.

8. Hackers Leak Data From Moroccan Agencies

Algerian hacker group JabaRoot DZ has launched a series of cyberattacks on Moroccan institutions, exposing sensitive data. The breach primarily targeted the Ministry of Economic Inclusion and the National Social Security Fund (CNSS) database, compromising information such as employee pay slips and salary declarations. The Ministry attempted to downplay the incident, claiming no sensitive data was compromised, but JabaRoot DZ quickly challenged these claims by releasing over 3,000 pay slips.

9. Cyberattack on Unidas Division Exposes Gaps

A cyberattack on the Unidas group’s Ouro Verde division disrupted over 250 devices in Paraná, Brazil. The hack was claimed by NexusQassamy, a Turkish-speaking hacktivist group, which displayed a political message accusing Israel of genocide in Gaza. Despite acknowledging the incident, Unidas has refused to comment on the attack further, raising concerns about the company’s cybersecurity preparedness. The group’s Telegram post linked the attack to a broader political statement, emphasizing their support for Sharia law and the rise of Islam.

10. Ransomware Attack Hits Sensata Operations

Sensata Technologies, a Massachusetts-based industrial tech manufacturer, recently experienced a ransomware attack that severely disrupted its operations. The attack, which began on Sunday, forced the company to take its network offline, affecting key areas like manufacturing, shipping, receiving, and support functions. Sensata notified the U.S. Securities and Exchange Commission about the incident and revealed that preliminary investigations found evidence of stolen files.


📢 Cyber News

11. Wyden Blocks CISA Nominee Over Telecom Probe

Senator Ron Wyden has placed a hold on Sean Plankey’s nomination to lead CISA until a 2022 report on U.S. telecom cybersecurity is released. Wyden has criticized CISA for withholding the report, which details serious security issues at telecom companies. The senator believes the public has the right to know about these vulnerabilities, especially after the Salt Typhoon hack. Wyden’s move follows a history of cybersecurity concerns in the telecom sector, compounded by CISA’s refusal to act on security deficiencies.

12. Global Crackdown Targets Smokeloader Users

Following Operation Endgame, law enforcement continues to target Smokeloader botnet customers. The botnet, operated by the actor “Superstar,” was used for malicious activities, including ransomware deployment. A database seized last year linked online aliases to real-world identities, allowing authorities to arrest and interrogate suspects. Europol’s ongoing efforts involve international collaboration to dismantle the malware ecosystem and prosecute those involved.

13. Portnox Raises $37.5M for Cloud Security

Portnox, a Texas-based network access security startup, raised $37.5 million in Series B funding, bringing its total funding to $60 million. The investment, led by Updata Partners, supports Portnox’s cloud-native platform that offers zero trust access control and compliance enforcement. Portnox Cloud allows organizations to manage authentication and risk mitigation across their IT assets from a central location. With nearly 1,000 customers, the company is poised to eliminate the need for on-premises systems and strengthen network security for businesses.

14. IPFire 2.29 Adds Post Quantum Cryptography

The release of IPFire 2.29 introduces significant security improvements, including support for post-quantum cryptography. This version enhances IPsec VPN tunnels with ML-KEM, a quantum-resistant encryption method. The core toolchain has been upgraded with glibc 2.41 and Binutils 2.44, boosting system efficiency. Security updates and interface improvements provide better privacy and system performance, making IPFire a more secure solution for the future.

15. Non-Human Identity Surge Threatens Security

The surge in non-human identities (NHIs), including service accounts and AI agents, is creating major security risks. These machine credentials now far outnumber human identities in DevOps environments, increasing exposure to attacks. In 2024, more than 23 million secrets were leaked, marking a 25% rise from the previous year. Additionally, collaboration tools like Slack and Jira have become key sources of secret leakage, further complicating security efforts.


Copyright © 2025 CyberMaterial. All Rights Reserved.
