Cybersecurity Threats and Trends - 04/29/2025

Another week, another digital battlefield littered with the remnants of compromised systems and shattered assumptions.

While you were busy wondering if that email from HR was really about mandatory fun day, the cyber underworld was innovating. Let's dive into the latest dispatches from the front lines, shall we?

1. Critical SAP NetWeaver Vulnerability Under Active Exploitation

Primary Threat: A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer is being actively exploited by threat actors. The vulnerability allows unauthenticated attackers to upload arbitrary files and achieve remote code execution. Security researchers at ReliaQuest discovered that over 1,200 internet-exposed SAP NetWeaver instances are vulnerable, with 474 servers already compromised with web shells.

Risk: CRITICAL

This vulnerability affects Fortune 500 and Global 500 companies, with attackers dropping web shells named "cache.jsp," "helper.jsp," or using random names to maintain persistence. The ease of exploitation and high-value targets make this a prime concern for enterprise environments.

What you should do:

  • Apply SAP's security update immediately if you haven't already

  • Restrict access to the "/developmentserver/metadatauploader" path

  • Disable Visual Composer if it's not being used

  • Monitor logs for suspicious file upload activities

  • Conduct a thorough investigation if you suspect a compromise
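As an added example (not from the newsletter, SAP or ReliaQuest), a small Python check that implements the two monitoring bullets above against web server access logs: it flags every request to the "/developmentserver/metadatauploader" path, flags .jsp requests matching the web shell names reported above, and correlates any never-before-seen .jsp fetched shortly after an upload by the same client. The sample log lines, the /irj/ paths and the one-hour window are constructed assumptions.

```python
import re
from datetime import datetime

UPLOADER_PATH = "/developmentserver/metadatauploader"      # vulnerable endpoint named above
KNOWN_SHELL_NAMES = {"cache.jsp", "helper.jsp"}            # web shell names reported above

# Combined-log-format prefix; trailing fields (referer, user agent) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real SAP logs); the /irj/... paths are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [28/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 17
203.0.113.7 - - [28/Apr/2025:10:02:40 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 412
203.0.113.7 - - [28/Apr/2025:10:03:05 +0000] "GET /irj/rnd7f3a.jsp HTTP/1.1" 200 412
10.0.0.9 - - [28/Apr/2025:10:05:00 +0000] "GET /irj/help.jsp HTTP/1.1" 200 800
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]          # drop query string before matching
    return rec

def find_suspicious(lines, window_seconds=3600):
    """Return (reason, client_ip, method, path) tuples for requests worth investigating."""
    findings, last_upload_by_ip, seen_jsp = [], {}, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if path.startswith(UPLOADER_PATH):
            findings.append(("uploader_request", ip, rec["method"], path))
            last_upload_by_ip[ip] = ts                   # remember for later correlation
        elif path.lower().endswith(".jsp"):
            name = path.rsplit("/", 1)[-1].lower()
            recent_upload = ip in last_upload_by_ip and \
                (ts - last_upload_by_ip[ip]).total_seconds() <= window_seconds
            if name in KNOWN_SHELL_NAMES:
                findings.append(("known_shell_name", ip, rec["method"], path))
            elif path not in seen_jsp and recent_upload:
                findings.append(("new_jsp_after_upload", ip, rec["method"], path))
            seen_jsp.add(path)
    return findings
```

Run it over `SAMPLE_LOG.splitlines()`; only the 203.0.113.7 requests are returned, while the unrelated help.jsp fetch from 10.0.0.9 is not.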

2. Darcula Phishing Kit Adds GenAI Capabilities

Primary Threat: The notorious Darcula phishing kit has evolved to incorporate generative AI capabilities, according to security researchers at Netcraft who reported the development. This enhancement allows threat actors to create more convincing phishing pages with minimal effort, dynamically generating content that mimics legitimate websites with frightening accuracy.

Risk: HIGH

The AI-enabled Darcula suite significantly lowers the technical barrier for creating sophisticated phishing campaigns. The kit can now automatically generate convincing content, adapt to different brands, and create personalized phishing lures that are increasingly difficult to distinguish from legitimate communications.

What you should do:

  • Implement DMARC, DKIM, and SPF email authentication protocols

  • Deploy anti-phishing training that specifically addresses AI-generated content

  • Use email security solutions with AI detection capabilities

  • Enable MFA wherever possible to mitigate credential theft

  • Consider implementing FIDO2 passwordless authentication

3. North Korean Hackers Spread Malware via Fake Crypto Firms

Primary Threat: North Korea-linked threat actors have established front companies in the cryptocurrency consulting industry to distribute malware through fake hiring processes. Security researchers at Silent Push said the attackers are using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread BeaverTail, InvisibleFerret, and OtterCookie malware families.

Risk: HIGH

These sophisticated social engineering campaigns target cryptocurrency developers and professionals with job interview lures. The malware can establish persistence on Windows, Linux, and macOS hosts, stealing sensitive data and potentially compromising cryptocurrency wallets.

What you should do:

  • Verify the legitimacy of companies before engaging in job interviews

  • Be suspicious of cryptocurrency-related job offers that seem too good to be true

  • Implement strict application whitelisting policies

  • Use dedicated devices for cryptocurrency transactions

  • Monitor for suspicious network connections to known C2 domains

Did you know...?

The first "cyberattack" actually took place in 1834 in France, long before computers existed. Two brothers hacked the French Telegraph System by bribing a telegraph operator to create deliberate errors in government messages. These errors contained coded information about the previous day's market movements, allowing the brothers to gain a financial advantage. When the scam was uncovered after two years, they went to trial but were never convicted because there were no laws against the misuse of data networks at that time. This historical incident is considered the first instance of hacking because it demonstrated the possibility of exploiting data systems for unauthorized purposes.

4. Lumma Stealer Evolves with Advanced Evasion Techniques

Primary Threat: The Lumma Stealer malware has evolved with sophisticated code flow obfuscation and anti-sandbox techniques. Trellix researchers tracked recent campaigns distributing Lumma via obfuscated PowerShell scripts that inject the malware into legitimate Windows processes like RegSvcs.exe.

Risk: HIGH

Lumma is distributed as Malware-as-a-Service (MaaS) on the dark web and is designed to steal sensitive data from web browsers, email applications, cryptocurrency wallets, and other personally identifiable information. Its advanced evasion techniques make it particularly difficult to detect.

What you should do:

  • Implement application control policies to prevent unauthorized PowerShell execution

  • Deploy EDR solutions capable of detecting process injection techniques

  • Regularly back up critical data and store it offline

  • Monitor for suspicious RegSvcs.exe process behavior

  • Keep all security solutions updated with the latest detection signatures
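As an added example (not from the newsletter or from Trellix), a Python sketch of what "suspicious RegSvcs.exe process behavior" looks like in endpoint telemetry: it scores PowerShell launches for obfuscation-style switches, flags RegSvcs.exe spawned by PowerShell, and flags a remote thread created into RegSvcs.exe from another process. The events are constructed dicts using Sysmon Event ID 1 and 8 field names; the process IDs, paths and command lines are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry); field names follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJD"},
    {"EventID": 1, "ProcessId": 4188, "Image": REGSVCS, "ParentImage": PS,
     "CommandLine": "RegSvcs.exe"},
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": PS,
     "TargetProcessId": 4188, "TargetImage": REGSVCS},
    {"EventID": 1, "ProcessId": 5200, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},       # benign admin use
    {"EventID": 1, "ProcessId": 5300, "Image": REGSVCS,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "RegSvcs.exe C:\\Program Files\\Vendor\\Component.dll"},  # benign installer
]

# PowerShell switches commonly combined in obfuscated loaders; two or more is the trigger.
PS_INDICATORS = [
    re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s"),       # encoded command
    re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b"),          # hidden window
    re.compile(r"(?i)\s-(?:ep|executionpolicy)\s+bypass\b"),    # policy bypass
    re.compile(r"(?i)\s-nop(?:rofile)?\b"),                     # no profile
]

def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyse(events):
    """Return (reason, process_id, detail) tuples for events that deserve triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if image == "powershell.exe" and sum(bool(p.search(cmd)) for p in PS_INDICATORS) >= 2:
                findings.append(("obfuscated_powershell_launch", ev["ProcessId"], cmd))
            if image == "regsvcs.exe" and parent == "powershell.exe":
                findings.append(("regsvcs_spawned_by_powershell", ev["ProcessId"], cmd))
        elif ev.get("EventID") == 8:
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if tgt == "regsvcs.exe" and src != tgt:
                findings.append(("remote_thread_into_regsvcs", ev["TargetProcessId"], src))
    return findings
```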

5. Russian Threat Actors Target Microsoft 365 Accounts

Primary Threat: Suspected Russian threat actors are targeting Microsoft 365 accounts using novel tactics. Volexity researchers discovered that the attackers are exploiting a previously unknown technique to bypass MFA and gain persistent access to cloud resources.

Risk: CRITICAL

This campaign primarily targets government agencies, defense contractors, and critical infrastructure organizations. The attackers gain initial access through spear-phishing emails with malicious attachments, then use their novel technique to maintain persistent access even after password changes.

What you should do:

  • Implement conditional access policies for Microsoft 365

  • Enable security defaults in Azure AD

  • Review sign-in logs for suspicious activities

  • Implement privileged access workstations for administrative tasks

  • Consider a zero-trust architecture for sensitive cloud resources

6. Marks & Spencer Breach Linked to Scattered Spider Ransomware

Primary Threat: British multinational retailer Marks & Spencer has suffered a significant breach linked to the Scattered Spider hacking collective. BleepingComputer reports that the attackers deployed the DragonForce ransomware to encrypt virtual machines after stealing Windows domain credentials.

Risk: HIGH

The attack has caused widespread disruption to M&S operations, including contactless payment systems and online ordering. Scattered Spider (also known as Octo Tempest, 0ktapus, and other names) is known for sophisticated social engineering tactics and has previously targeted major organizations like MGM Resorts.

What you should do:

  • Implement network segmentation to limit lateral movement

  • Secure domain controllers with enhanced monitoring

  • Deploy EDR solutions with ransomware protection capabilities

  • Create and test offline backups of critical systems

  • Develop and regularly practice incident response plans

IN SUMMARY:

This week's threats highlight the evolving sophistication of cyber attackers, from nation-state actors creating fake companies to distribute malware, to the integration of AI in phishing kits. The critical SAP NetWeaver vulnerability and Russian targeting of Microsoft 365 accounts represent the most urgent threats requiring immediate attention.

🚨 Key Takeaways:
✔️ Patch your SAP NetWeaver instances immediately
✔️ Be extremely cautious of cryptocurrency-related job offers
✔️ Implement robust MFA and conditional access for cloud services
✔️ Deploy advanced EDR solutions capable of detecting process injection
✔️ Maintain offline backups of critical systems

🔎 Immediate Actions:
✔️ Review your organization for vulnerable SAP NetWeaver instances
✔️ Check Microsoft 365 sign-in logs for suspicious activities
✔️ Update your phishing awareness training to include AI-generated content
✔️ Verify the legitimacy of any recent job applicants in technical roles
✔️ Review your ransomware readiness plans

Until next time, stay vigilant, patch relentlessly, and remember: in cybersecurity, paranoia isn't a disorder—it's a job requirement.

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)