Cybersecurity Threats and Trends - 04/15/2025

From healthcare targeting to hallucinated code, the digital underworld continues to demonstrate remarkable creativity in its pursuit of your data...

Author

J.W. Croley
April 15, 2025

Today's cyber roundup features a concerning collection of resilient remote access trojans, persistent VPN vulnerabilities, and AI-generated security risks that would make even the most seasoned security professionals question their defense strategies.

1. ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading

Primary Threat: Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical organizations. The malware leverages DLL side-loading techniques to establish persistence and evade detection, according to security firm Mandiant. The initial infection vector involves targeted phishing emails containing malicious attachments that appear to be related to medical research or pharmaceutical regulations.

Risk: Data exfiltration, intellectual property theft, and potential disruption of critical healthcare services.

Detection and Remediation Tips:

  • Implement advanced email filtering solutions to detect and block phishing attempts.

  • Deploy application control policies to prevent unauthorized DLL loading.

  • Conduct regular security awareness training focused on healthcare-specific phishing scenarios.

  • Monitor for unusual outbound network connections, especially those using encrypted channels.

  • Implement network segmentation to isolate critical healthcare systems from general corporate networks.

2. Fortinet: Hackers Retain Access to Patched FortiGate VPNs Using Symlinks

Primary Threat: Fortinet has disclosed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after security patches have been applied. The technique, detailed in a security advisory, exploits symbolic links in the SSL-VPN component to bypass security measures. This allows attackers to continue accessing sensitive information despite administrators believing their systems were secured after patching.

Risk: Persistent unauthorized access, data theft, and potential for further exploitation.

Detection and Remediation Tips:

  • Apply Fortinet's additional hardening measures beyond the initial patch.

  • Conduct a thorough investigation of potentially compromised FortiGate devices.

  • Reset all VPN user credentials and implement multi-factor authentication.

  • Monitor for unusual access patterns to FortiGate management interfaces.

  • Consider implementing additional network monitoring at VPN egress points.

3. Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft

Primary Threat: Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures the stolen information is associated with valid online accounts before proceeding with the attack. These campaigns use real-time validation checks to verify email addresses and passwords against target services, according to researchers at Cofense, allowing attackers to focus their efforts only on valid credentials and avoid triggering security alerts with failed login attempts.

Risk: More efficient credential theft, reduced detection rates, and higher success rates for account takeovers.

Detection and Remediation Tips:

  • Implement DMARC, SPF, and DKIM email authentication protocols.

  • Deploy adaptive multi-factor authentication that triggers on suspicious login attempts.

  • Utilize anti-phishing solutions that can detect and block real-time validation attempts.

  • Monitor for unusual API calls or web requests that might indicate validation checks.

  • Educate users about this sophisticated phishing technique and how to identify it.

Did you know...?

The concept of certificate lifespans has been steadily decreasing over the years. In 2015, the maximum validity period for SSL/TLS certificates was 5 years. By 2020, it had decreased to 398 days. The newly approved 47-day lifespan represents a 88% reduction in certificate validity periods over a 14-year span, fundamentally changing how organizations must approach certificate management.

4. Hertz Confirms Customer Info, Drivers' Licenses Stolen in Data Breach

Primary Threat: Car rental giant Hertz Corporation has confirmed it suffered a data breach affecting its Hertz, Thrifty, and Dollar brands. The incident, disclosed in a regulatory filing , involved the theft of customer data including drivers' license information. The breach has been linked to the recent Cleo zero-day attacks that have impacted multiple organizations using the Cleo file transfer software.

Risk: Identity theft, fraud, and potential for secondary targeted attacks.

Detection and Remediation Tips:

  • Monitor credit reports and financial accounts for suspicious activity.

  • Consider placing credit freezes or fraud alerts with major credit bureaus.

  • Be vigilant for phishing attempts that leverage stolen personal information.

  • Implement document verification procedures that go beyond driver's license information.

  • For organizations using Cleo software, apply all available security patches immediately.

5. AI-Hallucinated Code Dependencies Become New Supply Chain Risk

Primary Threat: Researchers have discovered a new supply chain risk where AI coding assistants are "hallucinating" non-existent code dependencies. This phenomenon, detailed in a comprehensive report, occurs when AI tools suggest importing or using libraries and functions that don't actually exist, leading developers to create vulnerable applications based on these fabricated components. Cornell University Research reveals that up to 15% of AI-suggested dependencies in certain contexts were completely fabricated.

Risk: Introduction of vulnerable code, broken applications, and potential for deliberate exploitation.

Detection and Remediation Tips:

  • Implement strict verification procedures for all AI-suggested code dependencies.

  • Use software composition analysis (SCA) tools to validate the existence and security of dependencies.

  • Establish coding standards that require manual verification of AI-suggested imports.

  • Maintain up-to-date dependency registries as trusted reference sources.

  • Train developers to recognize and verify AI-generated suggestions before implementation.

6. SSL/TLS Certificate Lifespans Reduced to 47 Days by 2029

Primary Threat: The CA/Browser Forum has voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029. This decision, announced in their latest ballot results , will require organizations to implement automated certificate management to avoid service disruptions. The change aims to improve security by reducing the window of vulnerability for compromised certificates but creates significant operational challenges.

Risk: Increased risk of certificate expiration, service outages, and operational overhead.

Detection and Remediation Tips:

  • Begin implementing automated certificate management solutions immediately.

  • Develop comprehensive certificate inventories across all environments.

  • Establish monitoring systems for certificate expiration with adequate warning thresholds.

  • Consider adopting certificate automation standards like ACME protocol.

  • Plan for gradual transition through the intermediate certificate lifespan reductions.

IN SUMMARY:

From sophisticated RATs targeting healthcare to persistent VPN vulnerabilities and AI-generated security risks, this week's threats demonstrate the increasingly complex and resilient nature of the cybersecurity landscape. Attackers continue to find ways to maintain access, validate targets, and exploit emerging technologies with alarming efficiency.

🚨 Key Takeaways:
✔️ Healthcare sectors face targeted attacks using sophisticated malware.
✔️ Patching alone may not be sufficient to remove persistent attackers from networks.
✔️ Phishing campaigns are becoming more efficient through real-time validation.
✔️ Data breaches continue to expose sensitive personal information at major corporations.
✔️ AI tools introduce new risks through "hallucinated" code dependencies.
✔️ Certificate management will require significant automation as lifespans decrease dramatically.

🔎 Immediate Actions:
✔️ Apply Fortinet's additional hardening measures for FortiGate devices.
✔️ Implement advanced email filtering to detect real-time validation attempts.
✔️ Check if your organization was affected by the Cleo zero-day attacks.
✔️ Verify all AI-suggested code dependencies before implementation.
✔️ Begin planning for automated certificate management.
✔️ Deploy healthcare-specific security controls if in that sector.

💡 Stay vigilant, patch thoroughly, and remember—just because you've applied a patch doesn't mean the attacker has checked out. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)