March 13, 2025 – Cyber Briefing

👉 What’s going on in the cyber world today?

Obscure#Bat Malware Campaign, Social Engineering, Rootkits, Chinese Hackers, TinyShell Backdoors, Juniper Networks Routers, Meta, Facebook, FreeType Vulnerability, Code Execution Risk, Mozilla Firefox, Root Certificate Expiration, SSRF Vulnerabilities, Holt Group Data Breach, Sensitive Consumer Information, Spain, COAG, Agrarian Organization, EU Morocco Trade, Japan, Yamagata Bank, Voice Phishing Scam, South Africa, Pam Golding Cyberattack, New Zealand, Vercoe Insurance, DragonForce Ransomware, CISA, Cybersecurity Funding, Medusa Ransomware, US Critical Infrastructure Sectors, FIIG Securities, Legal Action, ASIC, NIST HQC Algorithm, Post-Quantum Encryption, Pentera Series D.



🚨 Cyber Alerts

1. New OBSCURE#BAT Campaign Deploys Rootkits

Securonix researchers have documented the OBSCURE#BAT malware campaign, which targets English-speaking users with fake CAPTCHA screens and trojanized software downloads that trick victims into running malicious batch files. Once executed, the malware installs a user-mode rootkit that hides its processes, registry entries, and files from the listings that detection tools rely on. The chain uses heavy obfuscation, anti-analysis checks, and a fake driver to keep its foothold on infected systems.

2. Hackers Deploy Backdoors on Juniper Routers

A China-linked cyber espionage group tracked as UNC3886 has been observed deploying custom TinyShell-based backdoors on Juniper Networks MX routers, concentrating on devices running end-of-life hardware and software. The backdoors combine active and passive variants, letting the attackers maintain long-term access while evading detection. Variants such as appid, irad, and lmpad give the attackers remote access and the ability to disable logging on the device, so that their activity leaves little trace.

3. FreeType Flaw Leads to Code Execution Risk

Meta has issued a warning about a high-severity vulnerability in the FreeType open-source font rendering library affecting versions 2.13.0 and below. The flaw, tracked as CVE-2025-27363, is an out-of-bounds write triggered when parsing font subglyph structures in TrueType GX and variable font files, and it can lead to arbitrary code execution. Meta reports that the bug may have been exploited in the wild, and users are strongly advised to update FreeType to version 2.13.3 or later.
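As an added check (illustrative code written for this briefing, not Meta's or the FreeType project's), the following classifies an installed FreeType build against the advisory's version ranges. It reads the version from the FREETYPE_MAJOR/MINOR/PATCH macros in freetype/freetype.h, the library's own version header, rather than from a packaging number that may not match the 2.x.y release. The header path and the sample header text are assumptions constructed for the demonstration.

```python
"""Added example (not Meta's or FreeType's code): classify a FreeType version
against CVE-2025-27363's affected range as stated in the advisory above."""
import re

AFFECTED_MAX = (2, 13, 0)      # "2.13.0 and below" per the advisory
RECOMMENDED_MIN = (2, 13, 3)   # release the advisory tells users to move to
MACROS = ("FREETYPE_MAJOR", "FREETYPE_MINOR", "FREETYPE_PATCH")


def version_from_header(header_text):
    """Extract (major, minor, patch) from the text of freetype/freetype.h."""
    parts = []
    for name in MACROS:
        m = re.search(rf"^\s*#\s*define\s+{name}\s+(\d+)", header_text, re.M)
        if m is None:
            raise ValueError(f"{name} not defined in header")
        parts.append(int(m.group(1)))
    return tuple(parts)


def parse_version(text):
    """Parse a dotted version such as '2.13.2' (patch optional) into a tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if m is None:
        raise ValueError(f"not a version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version):
    """Return 'affected' (inside the advisory's range), 'below recommended'
    (outside the affected range but older than the advised release) or 'ok'."""
    if version <= AFFECTED_MAX:
        return "affected"
    if version < RECOMMENDED_MIN:
        return "below recommended"
    return "ok"


def assess_header_file(path):
    """Assess the FreeType build whose version header lives at path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return assess(version_from_header(fh.read()))


if __name__ == "__main__":
    # Constructed header fragment mimicking the macros in freetype.h.
    sample = ("#define FREETYPE_MAJOR  2\n"
              "#define FREETYPE_MINOR  13\n"
              "#define FREETYPE_PATCH  0\n")
    v = version_from_header(sample)
    print(".".join(map(str, v)), "->", assess(v))
    # On a real host (assumed Debian/Ubuntu include path):
    # print(assess_header_file("/usr/include/freetype2/freetype/freetype.h"))
```

The system header only tells you about the shared library installed by the OS. Browsers, games, document viewers and mobile platforms frequently carry their own statically linked FreeType, so each such application needs its own version check or vendor update, which this script cannot see.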

4. Mozilla Warns Users of Root Cert Expiration

Mozilla is advising Firefox users to update to version 128 or later (or ESR 115.13 or later) before March 14, 2025, when a root certificate used to verify add-ons, content signing, and DRM-protected media expires. On versions older than these, the expiry will disable add-ons, block playback of DRM-protected media, and leave the browser unable to receive some remotely delivered security updates, so affected users should update promptly.

5. Surge in Exploitation of SSRF Flaws

GreyNoise has reported a coordinated surge in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities, with over 400 IPs targeting multiple CVEs simultaneously. The activity has been observed globally, including in the United States, Israel, Japan, and Germany, and targets widely deployed platforms such as Zimbra Collaboration Suite, GitLab, and VMware vCenter. SSRF matters because a vulnerable server makes requests on the attacker's behalf, giving reach into internal networks and cloud metadata endpoints that are not exposed directly. The pattern, with many sources hitting many flaws at once, points to automated, structured exploitation and suggests either advanced tooling or pre-compromise intelligence gathering.
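The control that makes this class of bug fail closed is a resolve-then-check guard on any URL a user can influence. The block below is an added example written for this briefing, not code from GreyNoise or from the products named above; the hostnames, addresses and lookup table are constructed for the demonstration, and the OS-resolver behaviour for numeric literals such as 2130706433 is noted as an assumption in the comments.

```python
"""Added example (not GreyNoise's code, nor Zimbra's, GitLab's or VMware's):
an SSRF guard that decides on resolved addresses, not on hostname text."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges an outbound fetcher must never reach on a user's behalf: loopback,
# RFC 1918, carrier-grade NAT, link-local (cloud metadata sits at
# 169.254.169.254), unspecified, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolver(host):
    """Resolve host with the OS resolver; returns every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def table_resolver(table):
    """Resolver backed by a dict, so the guard can be exercised offline."""
    def _resolve(host):
        if host not in table:
            raise socket.gaierror(-2, f"constructed lookup failure for {host}")
        return list(table[host])
    return _resolve


def is_blocked_ip(text):
    """True if the address falls in a blocked range. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is checked as the embedded IPv4 address, otherwise it
    would slip past the IPv4 ranges above."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=system_resolver):
    """Return (ok, reason, addresses). ok is True only when the scheme is
    http(s), the URL carries no credentials, and every address the host
    resolves to is public. Because the decision uses resolved addresses,
    obfuscated literals such as 2130706433 or 0x7f000001 (assumed here to be
    turned into 127.0.0.1 by inet_aton-style parsing in the OS resolver) are
    rejected too. The caller must connect to the returned addresses, not
    re-resolve the name, or DNS rebinding defeats the check."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "resolution failed", []
    if not addrs:
        return False, "no addresses", []
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"resolves to blocked address {addr}", []
    return True, "ok", addrs


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS.
    dns = table_resolver({
        "public.example": ["203.0.113.10"],
        "intranet.example": ["203.0.113.11", "10.0.0.5"],  # one public, one private answer
        "2130706433": ["127.0.0.1"],  # assumed OS-resolver result for the numeric form
    })
    for u in ("https://public.example/report",
              "https://intranet.example/",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/admin",
              "file:///etc/passwd",
              "http://2130706433/"):
        print(u, check_outbound_url(u, resolver=dns))
```

Two design points matter in practice: a host with a mixed answer set (one public, one private address) is rejected outright, since the attacker controls which answer the client uses; and the guard must run again on every redirect target, because a public host can 302 the fetcher straight to an internal address.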


💥 Cyber Incidents

6. HOLT Group Reports Data Breach Incident

On March 11, 2025, HOLT Group filed a notice of a data breach with the Texas Attorney General after discovering unauthorized access to sensitive consumer data. The compromised information includes names, financial account details, driver’s license numbers, and addresses. Although the exact cause of the breach is unclear, it could stem from either a cyberattack on HOLT Group or a third-party vendor’s security failure. The company has begun sending breach notification letters to affected individuals.

7. COAG Reports Hack After EU Morocco Deal

COAG, the Spanish agrarian organization, reported that its website was hacked after it called for the suspension of the EU-Morocco trade agreement. The cyberattack caused the website to be disabled for several days, replacing its content with Arabic text and playing Moroccan music in the background. The attack occurred after COAG’s strong opposition to the trade deal, which was based on a European Court of Justice ruling that found the 2019 agreement violated international law, as it lacked the consent of the Sahrawi people.

8. Yamagata Bank Suspends Transfers After Scam

Yamagata Bank has temporarily halted immediate interbank transfers via its Net EB corporate banking service following the discovery of a voice phishing scam. The scam involves automated calls impersonating the bank and instructing victims to update their Net EB account details. Once victims follow the automated instructions, the call is transferred to the scammer, who requests the victim’s email address and sends them a phishing link, which leads to a fake website.

9. Pam Golding Hit by Cyberattack Data Breach

South Africa-based real estate company Pam Golding is dealing with a cyber attack that exposed some client data. The breach occurred when an unauthorized third party accessed the company’s customer relationship management system, though no financial details were compromised. The company quickly secured the affected accounts and took immediate steps to contain the situation, including informing clients in accordance with South Africa’s data protection laws.

10. NZ Insurance Targeted in Ransomware Attack

New Zealand insurance company Vercoe Insurance Brokers has fallen victim to a cyberattack orchestrated by the DragonForce ransomware gang. The cybercriminals claim to have exfiltrated over 60 gigabytes of sensitive data, putting the company and its clients at significant risk.


📢 Cyber News

11. CISA Cuts $10 Million in Cybersecurity Funds

CISA has announced a $10 million cut in annual funding to two cybersecurity organizations, MS-ISAC and EI-ISAC, which provided vital assistance to state and local governments. This decision is part of broader budget cuts and layoffs within the agency aimed at reducing redundancy in federal cybersecurity efforts. The cuts are expected to impact the coordination and response capabilities of local governments and election infrastructure, leaving them more vulnerable to cyberattacks from nation-state actors.

12. Medusa Ransomware Hits Critical US Sectors

Medusa ransomware has significantly impacted over 300 organizations in the United States, particularly within critical infrastructure sectors. This includes industries such as medical, education, legal, insurance, technology, and manufacturing. The FBI, CISA, and MS-ISAC issued a joint advisory to inform organizations about the dangers of this ransomware operation, urging them to take immediate action to mitigate risks. Medusa operates under a Ransomware-as-a-Service (RaaS) model, where affiliates are recruited to gain access to victim systems using phishing, unpatched vulnerabilities, and other techniques.

13. FIIG Faces Legal Action Over Data Breach

FIIG Securities is facing legal action from the Australian Securities and Investments Commission after prolonged cybersecurity failures led to a significant data breach. The breach, which went undetected for weeks, exposed the sensitive personal information of around 18,000 clients. ASIC has accused FIIG of not implementing proper cybersecurity measures and is seeking penalties and compliance orders, highlighting the importance of continuous monitoring in financial services.

14. NIST Selects HQC for Post-Quantum Encryption

NIST has selected HQC as a backup algorithm to ML-KEM, its primary standard for general encryption against future quantum attacks, so that a second option exists should vulnerabilities be found in ML-KEM. HQC is built on a different mathematical foundation, error-correcting codes, in contrast to ML-KEM's structured lattices.

15. Pentera Secures $60M for Security Expansion

Pentera, a leader in Automated Security Validation, has raised $60 million in a Series D funding round led by Evolution Equity Partners, with participation from Farallon Capital Management. This investment brings the company’s total funding to $250 million and positions it for further expansion as it aims to surpass $200 million in annual recurring revenue (ARR).


Copyright © 2025 CyberMaterial. All Rights Reserved.