Cybersecurity Threats and Trends - 06/03/2025

Today's cyber roundup features critical vulnerabilities, cloud security warnings, and sophisticated social engineering tactics...

In partnership with

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

  1. Sign up for The Rundown AI newsletter

  2. They send you 5-minute email updates on the latest AI news and how to use it

  3. You learn how to become 2x more productive by leveraging AI

It's that time of the week again when I share the latest cybersecurity developments that have caught my attention. As usual, I've sifted through the noise to bring you six significant threats and trends that deserve your immediate attention.

1. New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch

Primary Threat: Google has released emergency out-of-band fixes to address three security issues in its Chrome browser, including one that is being actively exploited in the wild. The high-severity flaw, tracked as CVE-2025-5419, has been identified as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine.

Risk: HIGH

What makes this vulnerability particularly concerning is that Google's Threat Analysis Group (TAG) discovered it being actively exploited just days before the patch was released. The flaw allows remote attackers to potentially exploit heap corruption via a crafted HTML page, which could lead to arbitrary code execution or information disclosure. Google has been characteristically tight-lipped about the nature of the attacks or the threat actors behind them, likely to prevent additional exploitation while users update.

Detection and Remediation Tips:

  • Update Chrome immediately to version 137.0.7151.68/.69 for Windows and macOS, or 137.0.7151.68 for Linux

  • Ensure all Chromium-based browsers (Edge, Brave, Opera, Vivaldi) are also updated when patches become available

  • Consider using browser isolation technologies for high-risk users

  • Implement network monitoring for unusual post-exploitation activities

  • Enable automatic updates for all browsers across your organization

2. Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub

Primary Threat: Cybersecurity researchers have uncovered a new cryptojacking campaign targeting publicly accessible DevOps web servers associated with Docker, Gitea, and HashiCorp Consul and Nomad. Cloud security firm Wiz, tracking the activity as JINX-0132, reported that the attackers are exploiting known misconfigurations and vulnerabilities to deploy cryptocurrency miners.

Risk: MEDIUM

What sets this campaign apart is the attackers' use of off-the-shelf tools downloaded directly from GitHub repositories rather than their own infrastructure, making attribution more difficult. The campaign has compromised Nomad instances managing hundreds of clients, with combined CPU and RAM resources that would cost tens of thousands of dollars per month. According to Shodan data, there are over 5,300 exposed Consul servers and more than 400 exposed Nomad servers worldwide, creating a substantial attack surface.

Detection and Remediation Tips:

  • Audit your DevOps infrastructure for exposed APIs and management interfaces

  • Implement proper authentication for all DevOps tools, especially those with default insecure configurations

  • Deploy network segmentation to isolate management interfaces from untrusted networks

  • Monitor for unusual CPU usage that might indicate cryptomining activity

  • Review HashiCorp's security documentation for proper Consul and Nomad configuration
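The audit tips above are the kind of check that is easy to automate against configuration files. The following is an added example written for this roundup; it is not code from the newsletter, from Wiz, or from HashiCorp/Docker. It flags the weak settings a cryptojacking campaign of this kind relies on (Consul/Nomad running without ACLs, a Docker daemon listening on TCP without TLS client verification) and shows the hardened form beside each. It assumes the standard HCL `acl { enabled = ... }` block and the Docker `daemon.json` `hosts`/`tls`/`tlsverify` keys; the HCL handling is a deliberately simplified regex, not a full parser, and all sample configs are constructed.

```python
"""Audit Consul/Nomad HCL and Docker daemon.json for unauthenticated API exposure.

Added example, not part of the newsletter or of any vendor tooling.  The HCL
handling is a simplified regex over the `acl { ... }` block; a real parser
(e.g. python-hcl2) would be used in production.
"""
import json
import re
from typing import List

# --- constructed sample configurations --------------------------------------
WEAK_CONSUL_HCL = '''
datacenter  = "dc1"
client_addr = "0.0.0.0"        # HTTP API reachable from every interface
acl {
  enabled        = false       # anyone who can reach the API can use it
  default_policy = "allow"
}
'''

HARDENED_CONSUL_HCL = '''
datacenter  = "dc1"
client_addr = "127.0.0.1"      # API only on loopback (or a management VLAN)
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
}
'''

WEAK_DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
})

HARDENED_DOCKER_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
    "tls": True,
    "tlsverify": True,                 # require client certificates
    "tlscacert": "/etc/docker/ca.pem",
})

# --- checks -------------------------------------------------------------------
_ACL_BLOCK = re.compile(r"acl\s*\{(?P<body>[^}]*)\}", re.S)


def _hcl_value(text: str, key: str):
    """Return the first scalar assigned to `key` in an HCL fragment (simplified)."""
    m = re.search(rf"\b{key}\s*=\s*\"?([A-Za-z0-9_.:-]+)\"?", text)
    return m.group(1) if m else None


def audit_hashicorp_hcl(text: str, product: str = "consul") -> List[str]:
    """Findings for a Consul or Nomad agent config; empty list means hardened."""
    findings: List[str] = []
    m = _ACL_BLOCK.search(text)
    if not m:
        # Both products ship with ACLs off unless the block enables them.
        findings.append(f"{product}: no acl block; ACLs are disabled by default")
    else:
        body = m.group("body")
        if _hcl_value(body, "enabled") != "true":
            findings.append(f"{product}: acl.enabled is not true; API is unauthenticated")
        if product == "consul" and _hcl_value(body, "default_policy") != "deny":
            findings.append("consul: acl.default_policy is not 'deny'")
    if _hcl_value(text, "client_addr") in ("0.0.0.0", "::"):
        findings.append(f"{product}: client_addr binds the API to all interfaces")
    return findings


def audit_docker_daemon(text: str) -> List[str]:
    """Findings for a Docker daemon.json; a TCP listener needs tls + tlsverify."""
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not (cfg.get("tls") and cfg.get("tlsverify")):
        return [f"docker: TCP listener {tcp_hosts} without tls+tlsverify (unauthenticated remote API)"]
    return []


if __name__ == "__main__":
    for label, text in (("weak consul", WEAK_CONSUL_HCL), ("hardened consul", HARDENED_CONSUL_HCL)):
        print(label, audit_hashicorp_hcl(text) or "OK")
    for label, text in (("weak docker", WEAK_DOCKER_DAEMON_JSON), ("hardened docker", HARDENED_DOCKER_DAEMON_JSON)):
        print(label, audit_docker_daemon(text) or "OK")
```

Run it over the agent configs pulled from your hosts (or from your configuration-management repository) and treat any non-empty result as a finding; the bind-address check catches the "exposed to the internet" half of the problem, the ACL and TLS checks the "no authentication" half.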

3. New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora

Primary Threat: Two information disclosure vulnerabilities have been discovered in the core dump handlers of major Linux distributions. The Qualys Threat Research Unit identified race condition bugs in apport (Ubuntu) and systemd-coredump (RHEL, Fedora), tracked as CVE-2025-5054 and CVE-2025-4598, that could allow local attackers to steal sensitive information including password hashes.

Risk: MEDIUM

These race conditions let a local attacker crash a SUID program and, by winning the race against the core dump handler, read the resulting core dump of a process that ran with elevated privileges. In a proof-of-concept demonstration, Qualys researchers showed how a local attacker could exploit the coredump of a crashed unix_chkpwd process to obtain password hashes from the /etc/shadow file. While the vulnerabilities require local access and have a moderate CVSS score of 4.7, they represent a significant privilege escalation path that could be combined with other attacks.

Detection and Remediation Tips:

  • Apply security updates for affected Linux distributions immediately

  • Consider disabling core dumps for SUID binaries by running "echo 0 > /proc/sys/fs/suid_dumpable" as root

  • Implement least privilege principles for all user accounts

  • Monitor for unusual process crashes, especially of privileged processes

  • Review your incident response procedures for potential credential compromise scenarios
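The suid_dumpable tip above can be verified rather than assumed. The following is an added example, not code from the newsletter or from Qualys: it reads the kernel's fs.suid_dumpable setting and the systemd-coredump configuration and reports whether core dumps of set-id processes can still reach the handler. It assumes the standard paths /proc/sys/fs/suid_dumpable and /etc/systemd/coredump.conf and the documented `Storage=` and `ProcessSizeMax=` keys of the `[Coredump]` section; the sample config texts are constructed.

```python
"""Check whether a Linux host withholds core dumps from SUID processes.

Added example (not from the newsletter or Qualys).  Two controls are checked:
  * fs.suid_dumpable  - 0 means set-id processes are never dumped, which is
    the value the newsletter recommends; 1 and 2 still hand a dump to the
    core_pattern helper (apport / systemd-coredump), i.e. to the vulnerable code.
  * systemd-coredump  - Storage=none plus ProcessSizeMax=0 disables dump
    processing entirely (per the coredump.conf man page).
"""
import configparser
import os
from typing import Dict, List

SUID_DUMPABLE_PATH = "/proc/sys/fs/suid_dumpable"
COREDUMP_CONF_PATH = "/etc/systemd/coredump.conf"

# Constructed sample configs: the shipped default (everything commented out)
# and a hardened variant.
DEFAULT_COREDUMP_CONF = """[Coredump]
#Storage=external
#Compress=yes
#ProcessSizeMax=2G
#ExternalSizeMax=2G
"""

HARDENED_COREDUMP_CONF = """[Coredump]
Storage=none
ProcessSizeMax=0
"""


def suid_dumpable_is_hardened(value_text: str) -> bool:
    """True only for fs.suid_dumpable = 0 (no dumps for set-id processes)."""
    return value_text.strip() == "0"


def coredump_conf_findings(conf_text: str) -> List[str]:
    """Return findings for a coredump.conf text; empty list means hardened."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings: List[str] = []
    storage = cp.get("Coredump", "Storage", fallback=None)
    if storage is None or storage.strip().lower() != "none":
        findings.append(f"Storage={storage if storage is not None else '<unset, systemd default>'}: core files are still stored")
    size_max = cp.get("Coredump", "ProcessSizeMax", fallback=None)
    if size_max is None or size_max.strip() != "0":
        findings.append(f"ProcessSizeMax={size_max if size_max is not None else '<unset, systemd default>'}: dumps are still processed")
    return findings


def audit_host(suid_path: str = SUID_DUMPABLE_PATH,
               conf_path: str = COREDUMP_CONF_PATH) -> Dict[str, object]:
    """Read the live files (if present) and summarise both controls."""
    report: Dict[str, object] = {}
    if os.path.exists(suid_path):
        with open(suid_path) as fh:
            report["suid_dumpable_hardened"] = suid_dumpable_is_hardened(fh.read())
    else:
        report["suid_dumpable_hardened"] = None  # not a Linux host / not readable
    if os.path.exists(conf_path):
        with open(conf_path) as fh:
            report["coredump_conf_findings"] = coredump_conf_findings(fh.read())
    else:
        # No systemd-coredump config (e.g. apport-only Ubuntu): nothing to judge here.
        report["coredump_conf_findings"] = None
    return report


if __name__ == "__main__":
    print("shipped default coredump.conf:", coredump_conf_findings(DEFAULT_COREDUMP_CONF))
    print("hardened coredump.conf:      ", coredump_conf_findings(HARDENED_COREDUMP_CONF))
    print("this host:", audit_host())
```

The suid_dumpable check is the one that matters for both apport and systemd-coredump hosts; the coredump.conf check is an additional belt-and-braces control for systemd-coredump systems. Remember that `echo 0 > /proc/sys/fs/suid_dumpable` does not survive a reboot; persist it as `fs.suid_dumpable = 0` in a sysctl.d drop-in.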

Did you know...?

The Evilginx phishing framework used by Russian hackers in this week's attacks has a fascinating technical history. First released publicly in 2017, Evilginx revolutionized phishing by introducing a man-in-the-middle approach that could bypass traditional multi-factor authentication. Unlike conventional phishing kits that simply clone login pages, Evilginx acts as a reverse proxy between the victim and the legitimate service, intercepting not just credentials but also session cookies and authentication tokens. This allows attackers to hijack authenticated sessions even when MFA is used. The tool gained notoriety in 2018 when it was featured at Black Hat, and by 2020, it had evolved to version 2.0 with enhanced capabilities to evade detection.

Today, Evilginx is widely regarded as one of the most sophisticated open-source phishing tools available, capable of defeating most forms of MFA except for hardware security keys! A sobering reminder that not all multi-factor authentication methods provide equal protection against modern phishing techniques.

4. Russian Hackers Breach 20+ NGOs Using Evilginx Phishing via Fake Microsoft Entra Pages

Primary Threat: Microsoft has exposed a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that has breached over 20 non-governmental organizations (NGOs) in Europe and the United States. The group deployed sophisticated phishing campaigns using fake Microsoft Entra authentication portals created with the Evilginx phishing kit to steal credentials.

Risk: HIGH

Active since at least April 2024, Void Blizzard primarily targets organizations aligned with Russian government objectives, including those in government, defense, transportation, media, NGOs, and healthcare sectors. The recent campaign involved sending spear-phishing emails claiming to be from the European Defense and Security Summit with PDF attachments containing malicious QR codes. Once credentials are stolen, the group uses Exchange Online and Microsoft Graph to enumerate and exfiltrate emails and cloud-hosted files.

Detection and Remediation Tips:

  • Implement phishing-resistant multi-factor authentication for all cloud services

  • Train users to be suspicious of QR codes in emails, especially those leading to authentication pages

  • Deploy email security solutions with advanced attachment scanning

  • Monitor for unusual API calls to cloud services, particularly bulk data access patterns

  • Review Microsoft's security recommendations for protecting against AiTM (Adversary-in-the-Middle) attacks
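Two of the tips above, watching for bulk data access and for session misuse, can be turned into detection logic. The following is an added example written for this roundup, not code from the newsletter or from Microsoft. It runs two heuristics over constructed sign-in and API events in a simplified, made-up schema (not the real Entra or Graph audit log format): a session token that was issued at one source IP and later used from a different IP with a different client, which is what follows an AiTM proxy capturing a cookie, and a session that performs an unusually large number of mail/file reads within a short window. Thresholds and field names are assumptions.

```python
"""Detect post-AiTM session reuse and bulk mailbox/file access in sign-in logs.

Added example, not from the newsletter or Microsoft.  Events use a constructed
schema: ts, user, session, ip, ua, op.  In a real deployment these would come
from the identity provider's sign-in and audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

DATA_OPS = {"Mail.Read", "Mail.Export", "Files.Read"}   # assumed operation names


def build_sample_events() -> List[Dict]:
    """Constructed events: one hijacked session (alice) and one normal one (bob)."""
    base = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/137"
    ev: List[Dict] = []

    def add(ts, user, session, ip, ua, op):
        ev.append({"ts": ts, "user": user, "session": session, "ip": ip, "ua": ua, "op": op})

    # alice authenticates (through what is actually the phishing proxy) and reads one message
    add(base, "alice@ngo.example", "s-111", "203.0.113.10", browser, "SignIn")
    add(base + timedelta(seconds=5), "alice@ngo.example", "s-111", "203.0.113.10", browser, "Mail.Read")
    # seven minutes later the same session cookie is replayed from another IP by a script,
    # which pulls 80 messages in four minutes
    for i in range(80):
        add(base + timedelta(minutes=7, seconds=3 * i), "alice@ngo.example", "s-111",
            "198.51.100.77", "python-requests/2.32", "Mail.Read")
    # bob: ordinary interactive use from one place
    add(base, "bob@ngo.example", "s-222", "203.0.113.22", browser, "SignIn")
    for i in range(12):
        add(base + timedelta(seconds=30 * (i + 1)), "bob@ngo.example", "s-222",
            "203.0.113.22", browser, "Mail.Read")
    return ev


def detect_session_reuse(events: List[Dict]) -> List[Dict]:
    """Flag sessions whose token is used from an IP other than the one it was issued at."""
    by_session: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        issued_ip, issued_ua = evs[0]["ip"], evs[0]["ua"]
        for e in evs[1:]:
            if e["ip"] != issued_ip:
                findings.append({"session": sid, "user": e["user"], "signin_ip": issued_ip,
                                 "reuse_ip": e["ip"], "ua_changed": e["ua"] != issued_ua,
                                 "first_seen": e["ts"]})
                break
    return findings


def detect_bulk_access(events: List[Dict], window: timedelta = timedelta(minutes=10),
                       threshold: int = 50) -> List[Dict]:
    """Flag sessions with >= threshold data-read operations inside any sliding window."""
    by_session: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["op"] in DATA_OPS:
            by_session[e["session"]].append(e["ts"])
    findings = []
    for sid, times in by_session.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:      # slide the window's left edge
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"session": sid, "count": hi - lo + 1, "window_start": times[lo]})
                break
    return findings


if __name__ == "__main__":
    events = build_sample_events()
    for f in detect_session_reuse(events):
        print("session reuse:", f)
    for f in detect_bulk_access(events):
        print("bulk access:", f)
```

Both heuristics are deliberately simple: the IP-change rule will also fire on legitimate mobile roaming, so in practice it is scored together with the user-agent change and with the IP's reputation, and the sign-in itself coming from a hosting provider rather than the user's usual network is a separate signal worth alerting on. When a session trips both rules, revoking the user's refresh tokens and sessions is the containment step that actually ends the attacker's access; a password reset alone does not invalidate a stolen session cookie.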

5. Cartier Discloses Data Breach Amid Fashion Brand Cyberattacks

Primary Threat: Luxury fashion brand Cartier has notified customers of a data breach that exposed personal information after its systems were compromised. According to notification letters shared by recipients on social media, hackers gained temporary access to Cartier's systems and obtained limited customer information.

Risk: MEDIUM

The compromised data includes names, email addresses, and countries of residence, though Cartier emphasizes that more sensitive information like passwords, credit card numbers, and banking details were not affected. This breach is part of a concerning trend of cyberattacks targeting luxury fashion brands, with Dior, Adidas, and Victoria's Secret all disclosing security incidents in the past month. The timing and similarities suggest a coordinated campaign against high-profile retail brands.

Detection and Remediation Tips:

  • Monitor for phishing attempts that may leverage the stolen customer information

  • Review security controls for customer data, especially for luxury retail operations

  • Implement additional monitoring for retail websites and customer databases

  • Consider segmenting customer data to limit exposure in case of a breach

  • Evaluate third-party service providers that may have access to customer information

6. The North Face Warns Customers of April Credential Stuffing Attack

Primary Threat: Outdoor apparel retailer The North Face is warning customers that their personal information was stolen in credential stuffing attacks targeting the company's website in April. According to a data breach notification filed with the Vermont Attorney General, the company discovered unusual activity on April 23, 2025, and confirmed a "small-scale credential stuffing attack" against its website.

Risk: MEDIUM

The exposed data includes full names, purchase histories, shipping addresses, email addresses, dates of birth, and telephone numbers, though payment information was not compromised. What makes this incident particularly noteworthy is that it's the fourth credential stuffing incident The North Face has suffered since 2020, highlighting the ongoing failure to implement adequate authentication protections. The company's parent corporation, VF Outdoor, previously disclosed a ransomware attack in December 2023 that impacted 35 million customers.

Detection and Remediation Tips:

  • Enforce multi-factor authentication for all customer accounts

  • Implement rate limiting and other anti-automation measures on login pages

  • Monitor for credential stuffing attempts using web application firewalls

  • Consider passwordless authentication options for consumer-facing websites

  • Review your breach notification procedures and timeline compliance
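Monitoring for credential stuffing, as the tips above recommend, comes down to spotting one source trying many different accounts in a short time, which looks quite different from a brute-force attack on a single account. The following is an added example written for this roundup, not code from the newsletter or from The North Face: it parses constructed authentication log lines in a simple made-up format (`timestamp ip=... user=... result=OK|FAIL`), applies a sliding window per source IP, and classifies the pattern, also listing the accounts that were successfully logged into during a stuffing burst so they can be forced through a password reset. Thresholds are assumptions to tune against your own traffic.

```python
"""Classify credential stuffing vs. brute force in authentication logs.

Added example, not from the newsletter or any retailer.  Log format is a
constructed one-line-per-attempt schema; adapt LINE_RE to your application's
authentication log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def build_sample_log() -> str:
    """Constructed log: a stuffing burst, a single-account brute force, and normal traffic."""
    base = datetime(2025, 4, 23, 10, 0, tzinfo=timezone.utc)
    lines: List[str] = []
    # credential stuffing: one IP, 40 different usernames in 80 s, one of them succeeds
    for i in range(40):
        res = "OK" if i == 17 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=2 * i)).strftime(FMT)} "
                     f"ip=198.51.100.9 user=user{i:03d}@example.com result={res}")
    # brute force: one IP hammering a single account
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=3 * i)).strftime(FMT)} "
                     f"ip=203.0.113.77 user=admin@example.com result=FAIL")
    # normal: one customer mistypes once, then succeeds
    for i, res in enumerate(["FAIL", "OK", "OK"]):
        lines.append(f"{(base + timedelta(minutes=i)).strftime(FMT)} "
                     f"ip=203.0.113.5 user=jane.doe@example.com result={res}")
    return "\n".join(lines)


def parse_log(log_text: str) -> Dict[str, List[Tuple[datetime, str, str]]]:
    """Group (timestamp, user, result) tuples by source IP, skipping unparseable lines."""
    per_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], FMT).replace(tzinfo=timezone.utc)
        per_ip[m["ip"]].append((ts, m["user"], m["result"]))
    return per_ip


def analyze(log_text: str, window: timedelta = timedelta(minutes=5),
            min_attempts: int = 20, min_distinct_users: int = 10,
            min_fail_ratio: float = 0.8) -> Dict[str, Dict]:
    """Return one finding per suspicious source IP, keyed by IP."""
    findings: Dict[str, Dict] = {}
    for ip, attempts in parse_log(log_text).items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:   # slide window's left edge
                lo += 1
            win = attempts[lo:hi + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {"kind": "credential_stuffing", "attempts": len(win),
                                "distinct_users": len(users), "successes": len(win) - fails,
                                # accounts the attacker got into: force a reset on these
                                "compromised": sorted(u for _, u, r in win if r == "OK")}
                break
            if len(users) == 1 and fails == len(win):
                findings[ip] = {"kind": "brute_force", "attempts": len(win), "user": next(iter(users))}
                break
    return findings


if __name__ == "__main__":
    for ip, f in analyze(build_sample_log()).items():
        print(ip, f)
```

The distinct-username count is what separates stuffing from a brute force and from a customer who simply forgot their password, and it is also the signal a WAF rate limit keyed only on requests per IP misses when the attacker rotates through a proxy pool; in that case the same window logic applied per ASN or per device fingerprint instead of per IP is the usual next step.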

IN SUMMARY:

From actively exploited browser vulnerabilities and sophisticated nation-state phishing campaigns to Linux security flaws and retail sector data breaches, this week's threats demonstrate the diverse attack surface that organizations must defend. The rise in targeted attacks against luxury retail brands and the continued exploitation of DevOps misconfigurations highlight how attackers are constantly seeking new vectors while refining established techniques like credential stuffing and phishing.

🚨 Key Takeaways:

✔️ Google's emergency Chrome patch addresses an actively exploited zero-day vulnerability in the V8 JavaScript engine.
✔️ DevOps infrastructure remains vulnerable to cryptojacking due to exposed APIs and default insecure configurations.
✔️ Linux core dump handlers contain race conditions that could allow local attackers to steal password hashes.
✔️ Russian state-sponsored hackers are using sophisticated Evilginx phishing to bypass traditional MFA protections.
✔️ Luxury fashion and retail brands are experiencing a wave of targeted cyberattacks, suggesting a coordinated campaign.
✔️ The North Face's repeated credential stuffing incidents highlight the importance of implementing proper authentication controls.

🔎 Immediate Actions:

✔️ Update Chrome and all Chromium-based browsers to the latest versions immediately.
✔️ Audit your DevOps infrastructure for exposed APIs and implement proper authentication controls.
✔️ Apply security updates for affected Linux distributions and consider disabling core dumps for SUID binaries.
✔️ Implement phishing-resistant MFA, such as hardware security keys, for high-value cloud service accounts.
✔️ Review security controls for customer data, especially for retail operations handling personal information.
✔️ Enforce multi-factor authentication and implement anti-automation measures to prevent credential stuffing attacks.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)