Cybersecurity Threats and Trends - 05/01/2025
Welcome back to the digital trenches. Another week, another round of digital dumpster fires to sift through. Let's dive into the latest cybersecurity shenanigans making headlines.
While you were busy wondering if that zero-day patch would break production, the cyber underworld kept brewing up new ways to ruin your week. Let's sift through the latest digital debris, shall we?
1. Commvault Zero-Day Exploited in Azure Breach
Primary Threat: Nation-state actors exploiting a zero-day vulnerability (CVE-2025-3928) in Commvault Web Server to breach Azure environments.
Risk: High.
While Commvault stated customer backup data wasn't accessed, the breach itself is concerning. Exploitation of zero-days by sophisticated actors highlights the persistent threat to enterprise backup solutions, potentially leading to broader network compromise or data exfiltration if not contained.
Detection and Remediation Tips:
Apply the patches for Commvault Web Server immediately (versions 11.36.46, 11.32.89, 11.28.141, 11.20.217). CISA has added this to their KEV catalog with a deadline of May 19th for federal agencies.
Implement Conditional Access policies for M365, Dynamics 365, and Azure AD app registrations.
Rotate and sync client secrets between Azure and Commvault every 90 days.
Monitor sign-in logs for suspicious IPs provided by Commvault (108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, 159.242.42.20) and block them.
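As an added example (not part of the newsletter and not Commvault's or Microsoft's own tooling), the following script sweeps exported sign-in records for the five Commvault-published IPs listed above and emits a /32 block list for a Conditional Access named location. The sample records are constructed, and their field names (ipAddress, userPrincipalName, appDisplayName) are an assumption about the export shape; adjust them to match your own sign-in log export.

```python
import ipaddress
import json
from collections import defaultdict

# Source IPs published by Commvault for this incident, as listed in the newsletter
COMMVAULT_IOC_IPS = {
    "108.69.148.100", "128.92.80.210", "184.153.42.129",
    "108.6.189.53", "159.242.42.20",
}

# Constructed sample sign-in records (one JSON object per line). Field names are
# assumptions modelled on a cloud sign-in log export, not a real capture.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2025-04-28T10:02:11Z", "userPrincipalName": "svc-backup@example.com", "ipAddress": "108.69.148.100", "appDisplayName": "Commvault-Backup-App", "status": "success"}
{"createdDateTime": "2025-04-28T10:05:40Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "appDisplayName": "Office 365", "status": "success"}
{"createdDateTime": "2025-04-28T11:17:03Z", "userPrincipalName": "svc-backup@example.com", "ipAddress": "159.242.42.20", "appDisplayName": "Commvault-Backup-App", "status": "failure"}
{"createdDateTime": "2025-04-28T12:00:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.23", "appDisplayName": "Azure Portal", "status": "success"}
{"createdDateTime": "2025-04-28T12:30:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "not-an-ip", "appDisplayName": "Azure Portal", "status": "success"}
"""


def load_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def find_ioc_hits(records, ioc_ips=COMMVAULT_IOC_IPS):
    """Return sign-ins whose source IP matches a known IOC, grouped by user."""
    iocs = {ipaddress.ip_address(ip) for ip in ioc_ips}
    hits = defaultdict(list)
    for rec in records:
        try:
            src = ipaddress.ip_address(rec.get("ipAddress", ""))
        except ValueError:
            continue  # malformed or missing source IP: nothing to match on
        if src in iocs:
            hits[rec.get("userPrincipalName", "<unknown>")].append(rec)
    return dict(hits)


def block_list(ioc_ips=COMMVAULT_IOC_IPS):
    """/32 CIDR entries suitable for a named-location deny list."""
    return sorted(f"{ip}/32" for ip in ioc_ips)


if __name__ == "__main__":
    for user, recs in find_ioc_hits(load_signins(SAMPLE_SIGNIN_LOG)).items():
        for r in recs:
            print(f"IOC hit: {user} from {r['ipAddress']} via {r['appDisplayName']} ({r['status']}) at {r['createdDateTime']}")
    print("Block list:", ", ".join(block_list()))
```

Group hits by user so that a service principal or backup account seen from an IOC address stands out, and review that account's app registrations and secrets before assuming the block list alone has closed the exposure.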
2. Fake WordPress Security Plugin Grants Admin Access
Primary Threat: Malicious WordPress plugin masquerading as a security tool ("WP-antymalwary-bot.php" and variants like "addons.php", "wpconsole.php") to gain admin access, execute remote code, and inject malicious scripts.
Risk: Medium-High.
This malware provides attackers with full admin control, allowing them to inject ads, steal data, or use the site for further malicious activities. Its persistence mechanisms (recreating itself via wp-cron.php) make it tricky to remove completely. Wordfence reported on this sneaky plugin.
Detection and Remediation Tips:
Regularly audit installed WordPress plugins, removing any suspicious or unrecognized ones.
Use reputable security plugins and keep them updated.
Monitor site files for unexpected changes, especially theme headers and cron jobs.
Implement file integrity monitoring.
Review admin user accounts and enforce strong passwords and 2FA.
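The file-integrity and plugin-audit steps above can be combined into one baseline-and-diff pass. The script below is an added example, not Wordfence's or WordPress's own code: it hashes every file under the plugins directory, reports files added, removed or modified since the baseline, and flags any file whose name matches one reported for the fake plugin. The demo builds a throwaway plugins tree in a temporary directory with constructed placeholder content; on a real site you would persist the baseline somewhere the web server cannot write and re-run the diff on a schedule.

```python
import hashlib
import tempfile
from pathlib import Path

# File names reported for the fake plugin in the newsletter (matched case-insensitively)
KNOWN_BAD_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php"}


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify paths as added, removed or modified between two hash_tree() snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_suspicious(paths):
    """Return paths whose file name matches a reported fake-plugin name."""
    return sorted(p for p in paths if Path(p).name.lower() in KNOWN_BAD_NAMES)


def demo():
    """Constructed scenario: take a baseline, then simulate the drop-in described above."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        (plugins / "akismet").mkdir(parents=True)
        (plugins / "akismet" / "akismet.php").write_text("<?php // constructed legitimate plugin stub\n")
        baseline = hash_tree(plugins)

        # Simulate the infection: a new file with the reported name and a tampered plugin
        (plugins / "WP-antymalwary-bot.php").write_text("<?php // constructed placeholder, no real payload\n")
        (plugins / "akismet" / "akismet.php").write_text("<?php // constructed tampered stub\n")

        changes = diff_baseline(baseline, hash_tree(plugins))
        return changes, flag_suspicious(changes["added"] + changes["modified"])


if __name__ == "__main__":
    changes, flagged = demo()
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind}: {p}")
    print("flagged by name:", flagged or "none")
```

Because the newsletter notes the plugin recreates itself via wp-cron.php, a single clean diff is not proof of removal; keep the baseline comparison running after cleanup so a reappearing file shows up as "added" again.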
3. DarkWatchman & Sheriff Malware Target Russia & Ukraine
Primary Threat: Financially motivated group Hive0117 using DarkWatchman RAT in phishing campaigns against Russian entities. Separately, a new backdoor called Sheriff targeted Ukraine's defense sector, hosted on a major news portal (ukr.net).
Risk: High.
DarkWatchman (a fileless JavaScript RAT) enables keylogging and payload deployment. Sheriff backdoor focuses on stealthy data exfiltration and screenshots, using Dropbox for C2. The use of a legitimate news portal for hosting Sheriff highlights sophisticated TTPs. F6 detailed the DarkWatchman campaign, while IBM X-Force reported on Sheriff.
Detection and Remediation Tips:
Enhance email security filtering to detect phishing attempts with malicious archives.
Train users to be wary of unexpected password-protected attachments.
Monitor network traffic for connections to known malicious infrastructure or unusual destinations like Dropbox.
Employ EDR solutions capable of detecting fileless malware and suspicious script execution.
Segment networks to limit lateral movement.
Did you know...?
The very first computer virus, called "Creeper," appeared in 1971. It wasn't malicious but simply displayed the message "I'M THE CREEPER : CATCH ME IF YOU CAN" as it moved between ARPANET computers. Shortly after, "Reaper" was created – the first antivirus program, designed specifically to find and delete Creeper. This marked the beginning of the ongoing cat-and-mouse game in cybersecurity.
4. Harrods Becomes Latest UK Retailer Hit by Cyberattack
Primary Threat: Attempted unauthorized access leading to IT system restrictions at luxury retailer Harrods.
Risk: Medium.
Following attacks on M&S and Co-op, this incident highlights a potential trend targeting UK retailers. While Harrods stated the attack was contained and stores remain open, the need to restrict internet access suggests a significant event. The full impact (data breach, ransomware) is currently unknown, but reputational damage and operational disruption are key risks. Harrods confirmed the attempt directly to BleepingComputer.
Detection and Remediation Tips:
Retailers should review and bolster security controls, particularly around initial access vectors like phishing and social engineering.
Implement robust monitoring and incident response plans.
Ensure network segmentation is in place to limit the blast radius of any potential breach.
Keep customers informed as appropriate, managing communications carefully.
5. State-Sponsored Hackers Weaponize ClickFix Social Engineering Tactic
Primary Threat: Russian GRU-linked APT28 (Fancy Bear) targeting French government, defense, research, and financial entities since 2021.
Risk: High.
These state-sponsored attacks focus on espionage and intelligence gathering. ANSSI's report details campaigns targeting Roundcube servers and using phishing with low-cost infrastructure for stealth. The persistence and sophistication of APT28 pose a significant threat to national security and critical infrastructure.
Detection and Remediation Tips:
Patch known vulnerabilities, especially in email servers like Roundcube.
Monitor for TTPs associated with APT28, including the use of specific malware and infrastructure patterns.
Implement strong authentication and access controls.
Enhance network monitoring and threat hunting capabilities.
Follow guidance from national CERTs (like ANSSI) regarding state-sponsored threats.
6. CISA Warns of Exploited Broadcom Fabric OS Flaw
Primary Threat: Active exploitation of CVE-2025-1976, an arbitrary code execution vulnerability in Broadcom Brocade Fabric OS (versions 9.1.0 - 9.1.1d6).
Risk: High.
Although exploitation requires admin privileges, this flaw allows attackers to execute OS commands or modify the OS itself on critical SAN switches. Broadcom's bulletin confirms active exploitation. A compromise of SAN infrastructure can lead to major data access disruption or manipulation. CISA added this to the KEV catalog.
Detection and Remediation Tips:
Update affected Brocade Fabric OS installations to version 9.1.1d7 or later immediately.
Restrict administrative access to SAN switches and monitor admin activities closely.
Ensure robust authentication mechanisms are in place for accessing Fabric OS.
Review logs for any signs of compromise or unauthorized command execution.
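Both patch actions in this issue (the Commvault Web Server builds in item 1 and the Fabric OS 9.1.1d7 fix here) come down to comparing an installed version string against a published threshold. The following added example, not Broadcom's or Commvault's own code, classifies inventory entries against the ranges quoted in the newsletter. The Fabric OS ordering (numeric triple, then optional letter, then optional digit suffix, so that 9.1.1 < 9.1.1d6 < 9.1.1d7 < 9.1.1d10) and the Commvault rule (any build below the listed patched build on the same feature release is unpatched) are assumptions about how these vendors' version strings compare; confirm against the vendor bulletins.

```python
import re

# Fabric OS range affected by CVE-2025-1976 and the first fixed build, from the newsletter
FOS_AFFECTED_LOW, FOS_AFFECTED_HIGH, FOS_FIXED = "9.1.0", "9.1.1d6", "9.1.1d7"

# Commvault Web Server patched builds per feature release, from the newsletter
COMMVAULT_FIXED = {"11.36.46", "11.32.89", "11.28.141", "11.20.217"}

# Assumed Fabric OS shape: major.minor.patch with optional letter and digit suffix (e.g. 9.1.1d6)
_FOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(\d+)?$")


def parse_fos(version):
    """Turn a Fabric OS version into a comparable tuple (assumed ordering, see lead-in)."""
    m = _FOS_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, num = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), letter_rank, int(num) if num else 0)


def fos_status(version):
    """'vulnerable' inside the advisory range, 'patched' at/after the fix, else outside the range."""
    v = parse_fos(version)
    if parse_fos(FOS_AFFECTED_LOW) <= v <= parse_fos(FOS_AFFECTED_HIGH):
        return "vulnerable"
    if v >= parse_fos(FOS_FIXED):
        return "patched"
    return "outside-advisory-range"  # e.g. 9.0.x: not covered by the quoted range, check the bulletin


def parse_commvault(version):
    """Commvault versions are three dotted integers: release.feature.maintenance (assumption)."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version: {version!r}")
    return tuple(int(p) for p in parts)


_COMMVAULT_FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_commvault, COMMVAULT_FIXED)}


def commvault_status(version):
    """'patched' at/after the listed build for the same feature release, 'unpatched' below it."""
    v = parse_commvault(version)
    fixed = _COMMVAULT_FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch"  # feature release not listed in the newsletter
    return "patched" if v >= fixed else "unpatched"


if __name__ == "__main__":
    # Constructed inventory entries for illustration
    for host, ver in [("san-sw-01", "9.1.1d6"), ("san-sw-02", "9.1.1d7"), ("san-sw-03", "9.0.1")]:
        print(f"{host} Fabric OS {ver}: {fos_status(ver)}")
    for host, ver in [("cv-web-01", "11.36.45"), ("cv-web-02", "11.32.89"), ("cv-web-03", "11.40.2")]:
        print(f"{host} Commvault {ver}: {commvault_status(ver)}")
```

An "unknown-branch" or "outside-advisory-range" result is deliberately not reported as safe; it means the newsletter's quoted ranges do not cover that build and the vendor bulletin has to be consulted.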
IN SUMMARY:
This week's digital battlefield saw zero-days getting burned, WordPress plugins turning traitor, malware adapting with nation-state tactics, retailers facing disruption, and the usual state-sponsored espionage. Patching remains king, but vigilance against phishing and robust monitoring are the knights protecting the realm.
🚨 Key Takeaways:
✔️ Commvault & Broadcom zero-days under active exploitation demand immediate patching.
✔️ Fake WordPress security plugins prove trust is a vulnerability.
✔️ DarkWatchman & Sheriff malware highlight evolving stealth and targeting.
✔️ UK retailers (Harrods) continue to be attractive targets.
✔️ APT28 espionage campaigns persist against Western nations (France).
🔎 Immediate Actions:
✔️ Patch Commvault Web Server (CVE-2025-3928) & Broadcom Fabric OS (CVE-2025-1976) ASAP.
✔️ Audit WordPress plugins meticulously; remove anything suspicious.
✔️ Enhance email filtering and user training against sophisticated phishing.
✔️ Review network segmentation, especially for retail and critical infrastructure.
✔️ Monitor for APT28 TTPs and follow national CERT guidance.
💡 Stay vigilant, patch promptly, and remember: assuming you haven't been breached is probably the biggest vulnerability of all. 💡
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)