March 31, 2025 – Cyber Briefing

👉 What’s happening in cybersecurity today?

Crocodilus Android Trojan, Banking, Crypto Credentials, CISA, RESURGE Malware, Ivanti Vulnerability, Remote Access, Data Theft, Gamaredon Threat Group, LNK Files, Remcos Backdoor, Ubuntu, Bypass Flaws, Admin Access, Python-Based RAT, Discord, X, Data Leak, Insider Job, Hartsfield-Jackson Atlanta International Airport, Denial of Service, FBI, Oracle Health Data Breach, Samsung Germany, Customer Records, SIR Trading, Hack, Ethereum Protocol, Kansas Crypto Scam, US Judges, Personal Data, Privacy Breach Risk, HTTPS Certificate, Healthcare Organizations, Vulnerable IoT Devices.

 


🚨 Cyber Alerts

1. Crocodilus Trojan Steals Banking Credentials

A newly discovered Android Trojan named Crocodilus is targeting users in Spain and Turkey. It takes advantage of Android’s Accessibility Services to monitor app launches, display fake login overlays, and harvest sensitive data, such as banking and cryptocurrency credentials. The malware uses social engineering tactics to trick users into revealing their cryptocurrency wallet seed phrases, which allows attackers to fully access and drain their wallets.

2. RESURGE Malware Targets Ivanti Devices

A newly discovered malware variant, RESURGE, exploits a critical vulnerability in Ivanti Connect Secure (CVE-2025-0282), allowing attackers to gain unauthorized access to devices. The malware acts as a backdoor and rootkit, enabling attackers to manipulate system files, bypass integrity checks, and set up web shells for credential harvesting. CISA has identified several malicious components, including a variant of SPAWNSLOTH, which tampers with system logs to avoid detection.

3. Gamaredon Abuses LNK Files to Deploy Remcos

Cisco Talos uncovered an ongoing cyber campaign by the Gamaredon threat group targeting Ukrainian users with malicious LNK files to deploy the Remcos backdoor. The campaign uses spear-phishing tactics, exploiting sensitive geopolitical themes such as troop movements and war-related topics to lure victims. The LNK files, disguised as Office documents and distributed in ZIP archives, contain PowerShell scripts that retrieve a second-stage payload from geo-fenced servers in Russia and Germany.

4. Ubuntu Linux Security Restrictions Bypassed

Three security bypasses in Ubuntu Linux’s unprivileged user namespace restrictions allow local attackers to gain administrative privileges. Discovered by Qualys, these flaws affect Ubuntu versions 23.10 and 24.04, where unprivileged user namespaces are active. The bypass methods — via aa-exec, busybox, and LD_PRELOAD — allow attackers to create user namespaces with full administrative capabilities. Although these vulnerabilities do not give attackers full control, they can be dangerous when combined with kernel-related weaknesses.

5. Python RAT Uses Discord to Steal Credentials

A new Python-based RAT exploits Discord’s API to steal sensitive information and take control of compromised systems. By initializing a Discord bot with elevated permissions, the malware captures user messages and extracts stored passwords from Google Chrome’s local database. Stolen credentials are sent to attackers via Discord, providing full control over the affected system. The RAT also allows attackers to execute arbitrary commands remotely, take screenshots, and manipulate Discord servers by deleting and recreating channels.


💥 Cyber Incidents

6. X Data Leak Exposes 2.8B User Profiles

A massive data leak involving 2.8 billion X user profiles has emerged, allegedly stemming from an insider. The leaked data, which does not include email addresses, features sensitive details such as user IDs, profile descriptions, tweet history, follower counts, and account creation dates. The breach, which surfaced on Breach Forums, raises serious privacy concerns as it includes detailed user information over time. Despite attempts by the poster, ThinkingOne, to alert X about the breach, the company has not responded, leaving many questions unanswered.

7. ATL Airport Website Hit by DoS Attack

Hartsfield-Jackson Atlanta International Airport faced a brief DoS attack on its website Friday morning. Despite the disruption, airport operations continued as normal, and no significant issues were reported. The airport’s technology team swiftly detected the attack and implemented standard measures to restore the website’s accessibility, ensuring minimal user inconvenience. Although the source of the attack remains unclear, officials stated there was no impact on the airport’s overall services or operations.

8. FBI Investigates Oracle Health Data Breach

The FBI is investigating a data breach at Oracle Health, which exposed patient information from legacy Cerner servers. Hackers accessed these servers using compromised customer credentials, copying sensitive data to an external location. The breach impacted multiple U.S. healthcare organizations, but Oracle Health has not directly notified patients and has left that responsibility to hospitals. While the company offered support for affected organizations, its lack of transparency and communication has frustrated many hospitals seeking clarity on the situation.

9. Samsung Germany Leak Exposes 270K Customers

Samsung Germany recently suffered a significant data breach, with 270,000 customer tickets exposed online. The leaked data includes personal details such as names, addresses, and order numbers, along with transactional information like ticket IDs and agent emails. The breach stems from compromised credentials, stolen in 2021 by the Raccoon Infostealer malware, but had been sitting idle in Samsung’s system for years. Cybercriminals now have access to a vast amount of sensitive data, which could be exploited for various malicious activities, including physical theft, hyper-targeted phishing attacks, and fraudulent warranty claims.

10. SIR Trading Loses $355K in Major DeFi Hack

Synthetics Implemented Right (SIR.trading), an Ethereum-based DeFi protocol, suffered a devastating hack, losing its entire $355,000 total value locked (TVL). Blockchain security firms TenArmorAlert and Decurity identified the attack, which exploited a vulnerability in the protocol’s contract vault, utilizing Ethereum’s new transient storage feature. The attacker manipulated the callback function, redirecting funds to their own address by replacing the Uniswap pool address.


📢 Cyber News

11. FBI Recovers $8M from Kansas Crypto Scam

The FBI successfully recovered over $8 million from a cryptocurrency scam that led to the collapse of Heartland Tri-State Bank in Elkhart, Kansas. The scam involved the bank’s CEO, Shan Hanes, who wired $47 million to fraudsters posing as crypto investment brokers. The fraudulent activity devastated local investors, many of whom had invested their life savings in the bank. Following the bank’s failure, the FBI, in collaboration with multiple federal agencies, tracked the stolen funds to an offshore wallet, ultimately reclaiming the stolen assets.

12. US Judges’ Personal Data Available Online

A recent study has found that over half of U.S. appellate court judges have their personal information publicly available online. This includes sensitive details such as home addresses, phone numbers, and family information, which can be easily accessed through data broker sites. In response to increasing safety concerns, including violent retaliation against judges, there is growing momentum for legislation aimed at protecting judges’ privacy, including state bills like Vermont’s and federal laws like Daniel’s Law.

13. Canada Introduces Privacy Breach Risk Tool

Philippe Dufresne, Privacy Commissioner of Canada, introduced a new online tool to help businesses assess privacy breaches. This web-based application guides users in evaluating the sensitivity of the data involved and the likelihood of misuse. By providing risk assessments, the tool assists organizations in determining whether they need to notify affected individuals and report the breach to the Privacy Commissioner, ensuring compliance with Canada’s privacy laws.

14. New HTTPS Certificate Issuance Rules

New HTTPS certificate issuance requirements are designed to strengthen security by improving domain validation and preventing fraud. The introduction of Multi-Perspective Issuance Corroboration (MPIC) will enhance domain control verification by validating from multiple geographic locations or internet service providers, making it more resistant to attacks like BGP hijacking. Starting in 2025, these new practices will help create a more robust and trustworthy web ecosystem, ensuring better protection for users and the overall internet infrastructure.
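To make the MPIC idea concrete, here is a small added model (not code from the article or from any certificate authority) comparing legacy single-vantage domain validation with a multi-perspective quorum. The vantage-point names, the challenge token, and the quorum thresholds are constructed assumptions for illustration, not the CA/Browser Forum's exact parameters.

```python
from typing import Dict, Optional, Tuple

# Constructed vantage points: the CA's primary perspective plus remote ones
# in other regions/ISPs (illustrative names, not a real CA's network).
PERSPECTIVES = ["primary-us-east", "remote-eu-west", "remote-ap-south",
                "remote-sa-east", "remote-us-west"]

Observations = Dict[str, Optional[str]]  # perspective -> token it observed (None = not seen)


def single_perspective_validation(observed: Observations, expected: str) -> bool:
    """Legacy behaviour: trust whatever the primary vantage point resolved."""
    return observed.get("primary-us-east") == expected


def mpic_validation(observed: Observations, expected: str,
                    min_remote_agree: int = 2,
                    max_remote_disagree: int = 1) -> Tuple[bool, str]:
    """Assumed quorum rule: the primary must see the token, at least
    `min_remote_agree` remote perspectives must corroborate it, and no more
    than `max_remote_disagree` remote perspectives may disagree."""
    if observed.get("primary-us-east") != expected:
        return False, "primary perspective did not observe the token"
    remote = {p: v for p, v in observed.items() if p.startswith("remote-")}
    agree = sorted(p for p, v in remote.items() if v == expected)
    disagree = sorted(p for p, v in remote.items() if v != expected)
    if len(agree) < min_remote_agree:
        return False, f"only {len(agree)} remote perspectives corroborated"
    if len(disagree) > max_remote_disagree:
        return False, f"too many remote perspectives disagreed: {disagree}"
    return True, f"corroborated by {len(agree)} remote perspectives"


def legitimate_observations(token: str) -> Observations:
    """Constructed: the real domain owner published the token; every region sees it."""
    return {p: token for p in PERSPECTIVES}


def localized_hijack_observations(token: str) -> Observations:
    """Constructed: a route hijack near the CA's primary vantage point means only
    the primary reaches an attacker-served token; other regions reach the real host."""
    obs: Observations = {p: None for p in PERSPECTIVES}
    obs["primary-us-east"] = token
    return obs
```

The localized hijack passes the legacy check but fails the quorum, while a single unreachable remote perspective (a transient outage) still issues; the thresholds decide how much disagreement is tolerated.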

15. Vulnerable IoT Devices Threaten Healthcare

Claroty’s latest report reveals that 89% of healthcare organizations use vulnerable Internet-of-Medical-Things (IoMT) devices. These devices, which are exposed to ransomware attacks, are connected to critical hospital systems such as information management and imaging. Alarmingly, 99% of healthcare organizations have some form of vulnerable IoMT devices in their systems, making cybersecurity a top concern for patient safety and operational continuity.


Copyright © 2025 CyberMaterial. All Rights Reserved.
