👉 What’s going on in the cyber world today?
CISA, Oracle Cloud, Credential Compromise, Windows Task Scheduler, Logs, Mustang Panda, Government Entities, ToneShell Malware, Apple, iOS Vulnerabilities, Agent Tesla, PowerShell Scripts, ZKsync, Admin Account, Unclaimed Tokens, Ameriprise Financial, Ex-Employee, Client Data, France, Alain Afflelou, Cyberattack, Service Provider, Switzerland, Rhône FM, Data Breach, Personal Information, CVE Foundation, Vulnerability Tracking, DPP Law, Fined, Sensitive Client Data, Kansas Hospitals, Physical Therapist, Sued, Patient Data, Compromised Network Devices, SMBs, Malware, Wire Fraud.
1. CISA Warns of Oracle Cloud Access Risks
The Cybersecurity and Infrastructure Security Agency (CISA) warned of possible unauthorized access to a legacy Oracle Cloud environment. The agency raised concerns over the exposure of sensitive credentials like passwords, usernames, and encryption keys. Attackers could use these credentials to escalate privileges, access cloud platforms, or initiate phishing campaigns. CISA urges organizations to audit systems, reset passwords, and enforce phishing-resistant multi-factor authentication to protect against threats.
2. Windows Task Scheduler Flaws Enable Attacks
Researchers have identified critical vulnerabilities in the Windows Task Scheduler that could allow attackers to escalate their privileges and erase evidence of malicious activities. The flaws exist in the “schtasks.exe” binary, which manages scheduled tasks on both local and remote computers. By exploiting these vulnerabilities, attackers can bypass User Account Control (UAC) prompts, allowing them to run commands with high-level (SYSTEM) privileges without user consent. The vulnerabilities also allow attackers to overwrite security logs and task event logs, making it difficult for organizations to detect unauthorized actions.
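The sequence described above, a task created to run with SYSTEM privileges and the relevant logs cleared shortly afterwards, is something a defender can look for in existing Windows telemetry even before patches arrive. The following is an added example written for this digest, not code from the researchers or from CyberMaterial; the JSON-lines telemetry is constructed, and the event IDs it relies on are the standard Windows ones (4698 scheduled task created, 1102 Security log cleared, 104 any event log cleared):

```python
"""Hunt for privileged scheduled-task creation followed by log clearing.

Added defensive example for this digest; the telemetry below is constructed,
not real data from the research described. Windows event IDs used:
4698 (Security: a scheduled task was created), 1102 (Security: the audit log
was cleared) and 104 (System: an event log was cleared).
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON object per line (raw string, so the
# doubled backslashes reach the JSON parser and decode to single backslashes).
SAMPLE_LOG = r"""
{"time": "2025-04-16T09:00:01", "channel": "Security", "id": 4624, "user": "alice", "host": "WS01"}
{"time": "2025-04-16T09:05:10", "channel": "Security", "id": 4698, "user": "alice", "host": "WS01", "task": "\\Backup\\Nightly", "run_as": "CORP\\alice", "run_level": "LeastPrivilege"}
{"time": "2025-04-16T09:07:42", "channel": "Security", "id": 4698, "user": "alice", "host": "WS01", "task": "\\Update", "run_as": "NT AUTHORITY\\SYSTEM", "run_level": "HighestAvailable"}
{"time": "2025-04-16T09:08:03", "channel": "Security", "id": 1102, "user": "alice", "host": "WS01"}
{"time": "2025-04-16T09:08:05", "channel": "System", "id": 104, "user": "alice", "host": "WS01", "log": "Microsoft-Windows-TaskScheduler/Operational"}
"""

PRIVILEGED_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "S-1-5-18"}
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def privileged_task_creations(events):
    """4698 events whose task runs as SYSTEM or with the highest available token."""
    return [
        e for e in events
        if e["channel"] == "Security" and e["id"] == 4698
        and (e.get("run_as", "").upper() in PRIVILEGED_PRINCIPALS
             or e.get("run_level") == "HighestAvailable")
    ]


def log_clears(events):
    """Events that record an event log being cleared."""
    return [e for e in events if (e["channel"], e["id"]) in LOG_CLEAR_EVENTS]


def find_task_then_wipe(events, window=timedelta(minutes=10)):
    """Pair each privileged task creation with log clears on the same host
    inside `window` after it; that sequence is what the research describes."""
    findings = []
    clears = log_clears(events)
    for task in privileged_task_creations(events):
        for clear in clears:
            if clear["host"] != task["host"]:
                continue
            delta = clear["time"] - task["time"]
            if timedelta(0) <= delta <= window:
                findings.append({
                    "host": task["host"],
                    "user": task["user"],
                    "task": task["task"],
                    "run_as": task["run_as"],
                    "cleared": f'{clear["channel"]}:{clear["id"]}',
                    "seconds_after_creation": int(delta.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in find_task_then_wipe(parse_events(SAMPLE_LOG)):
        print(finding)
```

Two notes on applying this: 4698 only appears when "Audit Other Object Access Events" is enabled in the audit policy, and a log-clear event is itself the signal, so forward these events to a collector the endpoint cannot erase rather than relying on the local log alone.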
3. ToneShell Used in Mustang Panda Attacks
Mustang Panda, a China-sponsored espionage group, continues to target government entities and military organizations in East Asia and Europe with evolving malware. Security researchers have found that the group is using weaponized RAR archives containing malicious DLLs alongside legitimate signed executables to deliver ToneShell malware. This technique leverages DLL sideloading, allowing the malware to bypass security measures by exploiting the trust in signed executables. Recent investigations have revealed several variants of ToneShell, with each one incorporating subtle modifications to evade detection, demonstrating the group’s ongoing efforts to refine its attack strategies.
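Sideloading works because the loader trusts the signed executable, not the DLL it pulls from its own directory, so the hunting signal is the pairing: a signed binary in a user-writable location loading a DLL that carries a system library's name or is unsigned. The script below is an added example written for this digest, not code from the researchers who analysed ToneShell. Its records are constructed and loosely modelled on the fields of a Sysmon "Image loaded" event (ID 7); the `ImageSigned` and `ModuleSigned` booleans and the short `SYSTEM32_DLL_NAMES` baseline are the example's own assumptions:

```python
"""Flag image loads that look like DLL sideloading.

Added defensive example for this digest, not code from the researchers who
analysed ToneShell. Records are constructed and loosely modelled on the fields
of a Sysmon "Image loaded" event (ID 7); the signedness flags are the
example's own booleans, not Sysmon's field names.
"""
import json
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Baseline of DLL names that normally live in System32. Build it from a clean
# host's inventory in practice; this short set is constructed for the example.
SYSTEM32_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed sample records (raw string so JSON receives doubled backslashes).
SAMPLE_LOADS = r"""
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageSigned": true, "ImageLoaded": "C:\\Windows\\System32\\version.dll", "ModuleSigned": true}
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageSigned": true, "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll", "ModuleSigned": true}
{"Image": "C:\\Users\\bob\\Downloads\\report\\viewer.exe", "ImageSigned": true, "ImageLoaded": "C:\\Users\\bob\\Downloads\\report\\version.dll", "ModuleSigned": false}
{"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe", "ImageSigned": true, "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll", "ModuleSigned": false}
"""


def parse_image_loads(text):
    """Parse JSON-lines image-load records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sideload_reasons(ev):
    """Return the reasons this load looks like sideloading, or [] if it looks normal."""
    image = ev["Image"].lower()
    module = ev["ImageLoaded"].lower()
    if module.startswith(SYSTEM_DIRS):
        return []  # loaded from the OS directory: the normal case
    reasons = []
    same_dir = ntpath.dirname(image) == ntpath.dirname(module)
    if same_dir and ntpath.basename(module) in SYSTEM32_DLL_NAMES:
        reasons.append("system DLL name loaded from the application's own directory")
    if (ev.get("ImageSigned") and not ev.get("ModuleSigned")
            and any(hint in module for hint in USER_WRITABLE_HINTS)):
        reasons.append("signed executable loaded an unsigned DLL from a user-writable path")
    return reasons


def hunt(events):
    """List (image, module, reasons) for every load that has at least one reason."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, module, reasons in hunt(parse_image_loads(SAMPLE_LOADS)):
        print(image, "->", module, ";", "; ".join(reasons))
```

The first rule is the one that catches the archive-delivered pattern in the story (legitimate signed binary plus a DLL named after a system library, both extracted to the same folder); the second catches the broader case and will produce noise from legitimate installers, so triage hits by the executable's publisher and how often that pairing is seen across the fleet.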
4. Apple Fixes Actively Exploited Flaws in iOS
Apple recently released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two critical vulnerabilities, CVE-2025-31200 and CVE-2025-31201, which had been actively exploited. The first flaw, a memory corruption vulnerability in Core Audio, could allow code execution when processing maliciously crafted media files, while the second vulnerability in the RPAC component allowed attackers to bypass Pointer Authentication. Apple has fixed these issues by improving bounds checking and removing the vulnerable section of code.
5. Agent Tesla Malware Uses PowerShell Scripts
Palo Alto Networks researchers have uncovered a multi-stage spam campaign involving Agent Tesla malware. The attack begins with a socially engineered email that contains a JavaScript file; when the recipient runs it, it launches a PowerShell script. That PowerShell script then loads the Agent Tesla malware directly into system memory, bypassing traditional file-based detection methods. Symantec and VMware Carbon Black have enhanced their defenses, advising organizations to update security measures and provide employee training to prevent infections.
6. Hacker Exploits ZKsync Admin Account for $5M
On April 15, a hacker compromised a ZKsync admin account, minting $5 million worth of unclaimed tokens. The attacker exploited an administrative function tied to ZKsync’s airdrop contracts, minting 111 million ZK tokens, increasing the total supply by 0.45%. Despite the scale of the attack, ZKsync confirmed no user funds were affected and worked with the Security Alliance (SEAL) for recovery. Following the breach, the ZK token saw a volatile price drop of 7% over the 24-hour period, reflecting market concerns.
7. Ameriprise Ex-Employee Exposes Customer Data
Ameriprise Financial, a prominent Fortune 500 company, revealed that a former employee exposed the personal information of over 4,600 customers. The breach occurred during a transition between 2018 and 2020 when the former financial advisor moved to LPL Financial and shared more data than allowed. While the exact details of the exposed information were not fully disclosed, it is likely that names, addresses, phone numbers, and email addresses were compromised. In response, Ameriprise has implemented stronger security measures and offered impacted customers free credit monitoring services to mitigate potential risks.
8. Alain Afflelou Breach Exposes Customer Info
Alain Afflelou, a French eyewear and hearing aid company, suffered a cyberattack through one of its service providers. The attack exploited a vulnerability in the provider’s system, which granted unauthorized access to the company’s customer relationship management tool. Personal data such as names, addresses, phone numbers, and purchase details were exposed, though no sensitive financial or medical information was compromised. The company emphasized that no banking or social security numbers were accessed; it is investigating the incident further while implementing measures to prevent recurrence.
9. Cyberattack Disrupts Rhône FM Broadcast
Rhône FM, a popular Swiss radio station based in Vaud, fell victim to a cyberattack that impacted its broadcasting operations. The cyberattack occurred during the night from Monday to Tuesday, with hackers encrypting the station’s servers and demanding a ransom for the release of the data. Despite the significant disruption, the station’s technical team acted swiftly and managed to resume broadcasting in a limited format by 6:30 AM Tuesday.
10. Legends International Reports Data Breach
Legends International, LLC recently reported a data breach after discovering unauthorized activity on its IT systems on November 9, 2024. The company confirmed that sensitive personal information, including Social Security numbers and financial account details, had been accessed during the incident. To mitigate the impact, Legends began notifying affected individuals on April 15, 2025, offering them 24 months of complimentary identity protection services. The company is still investigating the breach to determine the full extent of the data accessed.
11. CVE Foundation Launches CVE Program
The CVE Foundation has officially launched to ensure the long-term stability and independence of the CVE Program. This program has been the cornerstone of global cybersecurity for 25 years, providing essential tracking of software vulnerabilities. Following the expiration of MITRE’s U.S. government contract, there were concerns about a potential breakdown in vulnerability management, which could leave defenders vulnerable to emerging threats. By creating the CVE Foundation as an independent non-profit, stakeholders aim to safeguard the program’s future and ensure that cybersecurity professionals worldwide can continue relying on the CVE system for effective threat identification and response.
12. DPP Law Fined After Ransomware Exposes Data
DPP Law, a law firm based in Bootle, UK, was fined £60,000 after cybercriminals breached its systems and published confidential client data on the dark web. The breach, which involved over 32GB of sensitive information, included court bundles, police body camera footage, and details on 791 affected clients, including those involved in criminal, family, and police-related cases. Hackers gained access by brute-forcing a vulnerable admin account without multi-factor authentication, then moved laterally across the network to steal the data.
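The entry point in this case, an admin account guessed by brute force with no MFA behind it, leaves a distinctive trace: a burst of failed logons for one account from one source, followed by a success. The script below is an added example written for this digest, not material from the DPP Law case or the regulator's findings. Its log lines are constructed, the line format is the example's own simplified rendering of Windows logon events 4625 (failed) and 4624 (successful), and 203.0.113.7 is a documentation-range address:

```python
"""Detect password guessing against an account, and whether it succeeded.

Added defensive example for this digest, not material from the DPP Law case.
The log lines are constructed; the format is the example's own simplified
rendering of Windows logon events 4625 (failed) and 4624 (successful), and
203.0.113.7 is a documentation-range address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-04-10T02:14:01 4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T02:14:04 4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T02:14:08 4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T02:14:13 4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T02:14:19 4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T02:14:27 4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T02:14:40 4624 TargetUser=admin Source=203.0.113.7 LogonType=3
2025-04-10T08:00:00 4625 TargetUser=jdoe Source=10.0.0.5 LogonType=2
2025-04-10T08:00:30 4624 TargetUser=jdoe Source=10.0.0.5 LogonType=2
"""

LINE_RE = re.compile(r"^(\S+) (\d+) TargetUser=(\S+) Source=(\S+) LogonType=(\d+)$")


def parse_logons(text):
    """Parse the constructed line format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, eid, user, source, ltype = m.groups()
        events.append({"time": datetime.fromisoformat(t), "id": int(eid),
                       "user": user, "source": source, "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["time"])


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Per (account, source), find the densest run of failures inside `window`.
    Report it if it reaches `threshold`, noting whether a success followed."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["source"])].append(ev)
    findings = []
    for (user, source), evs in by_key.items():
        failures = [e["time"] for e in evs if e["id"] == 4625]
        successes = [e["time"] for e in evs if e["id"] == 4624]
        peak, start = 0, 0
        for end in range(len(failures)):  # sliding window over the failure timestamps
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_failure = failures[-1]
        compromised = any(last_failure <= s <= last_failure + window for s in successes)
        findings.append({"user": user, "source": source,
                         "failures_in_window": peak,
                         "success_after_burst": compromised})
    return findings


if __name__ == "__main__":
    for finding in detect_password_guessing(parse_logons(SAMPLE_LOG)):
        print(finding)
```

A finding with `success_after_burst` set is the one to treat as a probable account takeover rather than a failed attack. Lockout and MFA on every administrative account remove the condition this detection depends on; the detection is the compensating control for accounts where those have not yet been enforced.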
13. Kansas Hospitals Sued Over Data Breach
The University of Kansas Hospital Authority and Lawrence Memorial Hospital are facing a class action lawsuit. The case stems from a breach by a physical therapist employed by KU Health who accessed over 400 patients’ private medical data. The lawsuit claims the therapist targeted women who had undergone breast augmentation surgery, viewing sensitive files including nude photos and personal information. Despite discovering the breach, KU Health allegedly delayed notifying patients and law enforcement, leading to claims of negligence, privacy violations, and emotional distress.
14. Compromised Devices Lead Attacks on SMBs
In 2024, compromised network edge devices such as VPNs, firewalls, and remote access appliances were the primary points of initial compromise in 30% of incidents targeting small and medium-sized businesses. VPNs alone accounted for 19% of these breaches and were particularly exploited in ransomware and data exfiltration events. The vulnerability of these devices is heightened by their lack of essential security tools, such as endpoint detection and response (EDR), which makes them easy targets for threat actors.
15. Less Malware and Higher Wire Fraud in 2024
In 2024, the data security landscape showed improvements, with a noticeable decline in malware usage and an increase in compromised credentials. Ransomware attacks were less frequent, and recovery times improved, resulting in lower payment amounts and reduced forensic investigation costs. However, wire fraud became a significant concern, with fraudulent transfers rising by over 300%, reaching a total of $109 million. Healthcare remained the industry with the highest number of incidents, accounting for 36% of the total, highlighting ongoing challenges in securing sensitive data.
Copyright © 2025 CyberMaterial. All Rights Reserved.