April 18, 2025 – Cyber Briefing

👉 What are the latest cybersecurity alerts, incidents, and news?

Erlang OTP, SSH, Remote Code Execution, XorDDoS, Malware, Docker Servers, Linux, DDoS Attacks, CISA, NTLM Vulnerability, Windows Systems, CrazyHunter Group, GitHub Tools, Taiwan, Critical Sectors, State-Sponsored Hackers, ClickFix, Jani-King, Data Breach, Personal Information, KWS Manufacturing, Australia, William Buck, Cyberattack, Belgium, Service Public of Wallonia, Luxembourg, Fondation Cancer, US, Information Sharing Law, NSO Group, Mexico, Saudi Arabia, Uzbekistan, WhatsApp Hacking, Chinese Networks, Privacy Risks, Guam Hospital, HIPAA, Ransomware, Consumer Goods.



🚨 Cyber Alerts

1. Erlang OTP SSH Vulnerability Exposes Systems

A newly discovered critical vulnerability in Erlang/OTP SSH, tracked as CVE-2025-32433, allows unauthenticated remote code execution. The flaw, identified by researchers from Ruhr University Bochum, carries a maximum severity score of 10.0, posing significant risks to all affected devices. The vulnerability results from improper handling of pre-authentication SSH protocol messages, enabling attackers to execute commands with the same privileges as the SSH daemon, which often runs as root.

2. XorDDoS Expands Attacks to Docker Servers

XorDDoS malware has seen significant growth in its attacks, with an increasing focus on Docker servers alongside Linux systems. Between November 2023 and February 2025, 71.3% of these attacks targeted the U.S., with other countries like Japan, Canada, and Italy also heavily impacted. Initially entering through SSH brute-force attacks, the malware establishes persistence on compromised devices through scripts, enabling it to launch automatically at system startup. A new version of the XorDDoS sub-controller, along with a central controller, suggests that the malware is now being sold as a service for conducting widespread DDoS campaigns.

3. CISA Adds NTLM Flaw to Exploited List

CISA has added CVE-2025-24054 to its Known Exploited Vulnerabilities catalog due to active exploitation targeting Windows systems. The flaw, affecting the NTLM authentication protocol, allows attackers to leak NTLM hashes with little user interaction, making it an attractive target. Since March 2025, various phishing campaigns have been observed distributing malicious files to harvest NTLM hashes, with attacks reported in Poland and Romania. CISA has urged federal agencies to apply patches by May 8, 2025, to secure their systems against these evolving attacks and mitigate risks such as lateral movement and privilege escalation within compromised networks.

4. CrazyHunter Uses GitHub Tools for Attacks

The CrazyHunter hacker group has emerged as a significant threat, targeting Taiwanese healthcare, education, and industrial sectors. Since early 2025, the group has used open-source tools from GitHub, which allows them to bypass traditional security measures and deploy ransomware effectively. Their strategy includes the use of the Bring Your Own Vulnerable Driver technique, which enables them to disable security processes and take control of victim systems. Once they gain control, CrazyHunter encrypts files with the “.Hunter” extension and demands a ransom, using redundant execution methods to ensure the attack proceeds even if initial tactics fail.

5. State Hackers Use ClickFix to Deploy Malware

State-sponsored hackers from Iran, North Korea, and Russia have increasingly adopted the ClickFix tactic for malware deployment in targeted campaigns. Originally associated with cybercriminal groups, this method involves tricking victims into running malicious commands under the guise of fixing technical issues or completing tasks like CAPTCHA verifications. The attackers have used this technique to infiltrate critical sectors such as government, healthcare, and defense, focusing on regions including the Middle East, Europe, and the United States.


💥 Cyber Incidents

6. Jani-King Reports Breach Impacting Users

Jani-King International, Inc. recently informed the Attorney General of California about a data breach affecting sensitive personal information. The breach, which occurred between November 26, 2024, and December 21, 2024, resulted from an unauthorized third party accessing internal systems. The company’s investigation confirmed that the exposed data included names, Social Security numbers, and addresses. Jani-King is notifying the affected individuals and offering free credit monitoring services to protect against potential identity theft and misuse of their personal information.

7. KWS Manufacturing Reports Data Breach

KWS Manufacturing Company, LLC recently reported a potential data breach to the Attorney General of Maine. The breach was identified after suspicious activity was detected in its computer systems between January 24 and 25, 2025. Sensitive personal information, including Social Security numbers, financial details, and medical information, may have been accessed by an unauthorized third party. KWS has begun notifying affected individuals and is providing complimentary credit monitoring services to mitigate risks.

8. William Buck Investigates Cyber Incident

William Buck, a consulting company in Australia, is investigating a cyber incident involving unauthorized access to its IT systems and potentially impacted data. Upon detecting the breach, the company swiftly activated its incident response plan and mobilized its Crisis Management Team to ensure the security of its systems. External experts were brought in to assist with the investigation and ensure appropriate steps were taken in response. While a limited number of files have been identified as potentially impacted, the company is directly notifying affected clients and remains committed to keeping all stakeholders informed as more details emerge.

9. Cyberattack Hits Public Service of Wallonia

The Service Public of Wallonia (SPW) faced a major cyberattack that compromised its IT systems. In response, the organization cut off its internet access to prevent further damage and evaluate the extent of the breach. Although no sensitive data was compromised, the attack caused disruptions, including the temporary shutdown of digital services like websites and applications. The SPW is closely monitoring critical infrastructure such as roads and locks to ensure their continued safety, while advising citizens to remain vigilant against potential phishing attempts related to the incident.

10. Fondation Cancer Halts Cyberattack Attempt

The Fondation Cancer in Luxembourg reported that it successfully thwarted a cyberattack targeting its email systems. The suspicious activity was promptly detected, and the foundation collaborated with a cybersecurity service provider to contain the attack. The foundation assured stakeholders that no sensitive data was compromised or stolen, and patient services remained unaffected throughout the incident. It emphasized that the attack did not involve any financial processes or bank accounts, and reiterated its dedication to securing its systems from future cyber threats.


📢 Cyber News

11. US Cybersecurity Info Sharing Bill Extension

Two U.S. senators have introduced a bill to extend the Cybersecurity Information Sharing Act of 2015. The proposed legislation encourages companies to voluntarily share data on cybersecurity threats with the Department of Homeland Security (DHS). This law has been essential in helping federal agencies prevent cyberattacks, including major incidents like the SolarWinds breach. By extending the law for another decade, the senators aim to maintain a collaborative approach to cybersecurity between the government and private sector, ensuring continued protection against evolving cyberthreats.

12. NSO Lawyer Names Customers in Hearing

NSO Group’s lawyer, during a court hearing, confirmed that Mexico, Saudi Arabia, and Uzbekistan were clients of the company, using its Pegasus spyware in the 2019 WhatsApp hacking campaign. This marks the first time NSO Group has publicly acknowledged its clients, after years of secrecy surrounding the issue. The hack targeted over 1,200 WhatsApp users, including journalists, human rights activists, and other members of civil society, through a vulnerability in the app’s system. WhatsApp, in its lawsuit, seeks damages and an injunction against NSO Group to prevent further misuse of Pegasus and protect users’ private communications.

13. US Allies Use Chinese Networks Raising Risks

A new report reveals that several U.S. allies, including Japan and South Korea, route sensitive mobile traffic through Chinese-owned networks. These providers, such as China Mobile International, can access unencrypted mobile data, exposing users to potential surveillance. The report warns of serious risks, including real-time location tracking, interception of communications, and malware installation. It calls for urgent policy changes to secure global mobile networks and protect privacy.

14. Guam Hospital Settles HIPAA Case for $25K

Guam Memorial Hospital Authority has settled a HIPAA investigation by paying $25,000 to the federal government. The case stemmed from a ransomware incident in 2018 and a security breach in 2023, which exposed sensitive health data. The investigation revealed GMHA failed to conduct an accurate risk analysis and address cybersecurity vulnerabilities. Under the settlement, the hospital will implement a corrective action plan to improve HIPAA compliance and security measures.

15. Ransomware Surge in Consumer Goods Sector

Ransomware attacks increased by 126% in the first quarter of 2025 compared to the same period in 2024, with the consumer goods and services sector being the most targeted. This sector accounted for 13.2% of all global ransomware incidents, followed by business services and industrial manufacturing. North America bore the brunt, suffering 62% of the attacks, while Europe experienced 21%. Researchers identified a rise in sophisticated phishing campaigns targeting supply chain vulnerabilities, with attackers using double-extortion tactics, including ransom demands over $2 million, particularly from companies with cyber insurance.


Copyright © 2025 CyberMaterial. All Rights Reserved.
