Cybersecurity Threats and Trends - 07/04/2025

This week's threats highlight the diverse and evolving tactics employed by cybercriminals and nation-state actors.


While you're busy trying to remember if you used your pet's name or your childhood street as your "secure" password, cybercriminals are building AI-powered tools to crack both in under a minute.

Welcome to this week's digital security nightmare… where your outdated defenses are someone else's easy payday.

1. Qantas Data Breach Exposes 6 Million Customers in Scattered Spider Campaign

Primary Threat: Major Australian airline hit by sophisticated cyberattack exposing customer data as part of broader campaign targeting aviation sector.

Risk: HIGH

Australian airline Qantas disclosed that on Monday, 30 June, it detected unusual activity on a third-party customer servicing platform used by one of its contact centres. The breach affects approximately 6 million customers: names, email addresses, phone numbers, birth dates, and frequent flyer numbers were compromised. According to Qantas, credit card details, passport details and frequent flyer passwords or PINs are not held on that platform, but the exposure is still serious because the stolen fields are exactly what a convincing follow-up phishing message or help-desk impersonation call needs. Qantas has not named the attackers, but researchers have linked the incident to the "Scattered Spider" threat group, which has recently shifted its focus to the aviation sector after targeting retail and insurance companies. The attack follows breaches at Hawaiian Airlines and WestJet in the preceding weeks, suggesting a coordinated campaign against the airline industry.

Scattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) is known for conducting social engineering and identity-based attacks, commonly using phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. The group has previously partnered with ransomware operations such as RansomHub, Qilin, and DragonForce, and has successfully breached high-profile organizations including MGM Resorts, Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.

Detection and Remediation Tips:

  • If you're a Qantas customer, monitor your accounts for suspicious activity and be alert for targeted phishing attempts

  • Change passwords for any accounts that share credentials with your Qantas account

  • Enable multi-factor authentication on all accounts, especially those containing personal or financial information

  • Be particularly vigilant about social engineering attempts via phone, email, or text claiming to be from Qantas

  • Consider placing a security freeze on your credit reports to prevent identity theft

  • Review third-party access to your personal data and revoke unnecessary permissions

  • Monitor your frequent flyer accounts for unauthorized activity or point transfers

2. Cisco Removes Critical Backdoor from Unified Communications Manager

Primary Threat: Hardcoded root SSH credentials discovered in widely-used enterprise communications platform.

Risk: CRITICAL

Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM) that would have allowed remote attackers to log in to unpatched devices as root. The vulnerability, tracked as CVE-2025-20309 with the maximum CVSS score of 10.0, affects Cisco Unified CM and Unified CM Session Management Edition (SME) Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, builds that Cisco distributes to specific customers through TAC rather than as general releases. According to Cisco's advisory, the flaw is due to static credentials for the root account that were reserved for use during development but left in these releases; there is no workaround, so the only fix is to install the patched software.

This critical vulnerability is particularly concerning as Cisco Unified CM is widely deployed in enterprise environments for managing IP phones, video conferencing systems, and other communication services. An unauthenticated, remote attacker could exploit this vulnerability to gain complete control over affected systems, potentially compromising the entire communications infrastructure of an organization. The backdoor could allow attackers to intercept sensitive communications, deploy malware, or use the compromised systems as a foothold for lateral movement within corporate networks.

Detection and Remediation Tips:

  • Upgrade affected devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or apply Cisco's patch file ciscocm.CSCwp27755_D0247-1.cop.sha512; there is no workaround for the static credentials

  • Conduct a thorough security audit of all Cisco Unified CM systems in your environment

  • Implement network segmentation to limit access to management interfaces

  • Check /var/log/active/syslog/secure (from the admin CLI: file get activelog syslog/secure) for successful SSH logins as root, which Cisco lists as the indicator of compromise; treat any such entry as a confirmed compromise rather than a suspicious event

  • Review and strengthen access controls for all communications infrastructure

  • Consider implementing additional security monitoring for critical communication systems

  • Verify that all development or testing credentials have been removed from other production systems
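The indicator Cisco gives for this backdoor is a successful SSH login as root in /var/log/active/syslog/secure. The script below is an added example for this newsletter, not Cisco's tooling: it parses standard sshd log lines, keeps only the ones where the target user is root, and reports whether any succeeded. The log lines are constructed samples in sshd/syslog format, not data from a real system; on a Unified CM node you would feed it the file retrieved with `file get activelog syslog/secure`.

```python
"""Root-SSH-login triage for Cisco Unified CM syslog (CVE-2025-20309 IoC).

Added example for this newsletter, not Cisco's own tooling. The log lines
below are constructed samples in standard sshd/syslog format, not data from
any real system. On a Unified CM node the relevant file is
/var/log/active/syslog/secure (admin CLI: file get activelog syslog/secure).
"""
import re
from dataclasses import dataclass
from typing import Iterable

# sshd authentication lines look like:
#   <timestamp> <host> sshd[<pid>]: Accepted password for root from 1.2.3.4 port 5 ssh2
#   <timestamp> <host> sshd[<pid>]: Failed password for invalid user x from 1.2.3.4 port 5 ssh2
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class RootSshEvent:
    ts: str
    host: str
    result: str   # "Accepted" or "Failed"
    method: str   # e.g. "password", "publickey"
    src: str
    port: int


def find_root_ssh_events(lines: Iterable[str]) -> list[RootSshEvent]:
    """Return every sshd accept/fail line whose target user is root."""
    events = []
    for line in lines:
        m = SSHD_AUTH_RE.match(line.strip())
        if m is None or m.group("user") != "root":
            continue
        events.append(RootSshEvent(
            ts=m.group("ts"), host=m.group("host"), result=m.group("result"),
            method=m.group("method"), src=m.group("src"), port=int(m.group("port")),
        ))
    return events


def summarize(events: list[RootSshEvent]) -> dict:
    """Any accepted root login is the IoC; failures show who was knocking."""
    accepted = [e for e in events if e.result == "Accepted"]
    failed = [e for e in events if e.result == "Failed"]
    return {
        "compromised": bool(accepted),
        "accepted": len(accepted),
        "failed": len(failed),
        "sources": sorted({e.src for e in accepted}),
    }


# Constructed sample of /var/log/active/syslog/secure (not real log data).
SAMPLE_SECURE_LOG = """\
Jun 30 08:01:12 cucm01 sshd[4021]: Accepted password for admin from 10.10.5.20 port 49812 ssh2
Jun 30 08:02:40 cucm01 sshd[4055]: Failed password for root from 203.0.113.77 port 51230 ssh2
Jun 30 08:02:44 cucm01 sshd[4055]: Accepted password for root from 203.0.113.77 port 51230 ssh2
Jun 30 08:02:44 cucm01 sshd[4055]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 30 09:15:33 cucm01 sshd[4190]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SECURE_LOG.splitlines()
    events = find_root_ssh_events(source)
    for e in events:
        print(f"{e.ts} {e.result:8} root via {e.method} from {e.src}:{e.port}")
    print(summarize(events))
```

Run it with the path of the retrieved secure log as the only argument; with no argument it runs over the constructed sample, which contains one failed and one successful root login from the same source address. The `pam_unix` session line is deliberately ignored: the authentication result line is the record you want, and the session line would double-count it.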

3. North Korean Hackers Target Web3 with Sophisticated Nim Malware

Primary Threat: State-backed threat actors using novel malware written in Nim programming language to target cryptocurrency organizations.

Risk: HIGH

Security researchers at SentinelOne have found North Korean threat actors targeting Web3 and cryptocurrency businesses with malware written in the Nim programming language. The malware, dubbed "NimDoor," uses techniques that are unusual on macOS, including process injection and TLS-encrypted WebSocket (wss) command-and-control traffic. Its persistence is also novel: the malware installs handlers for SIGINT and SIGTERM, so an attempt to kill it triggers the handler, which rewrites its LaunchAgent and binary and relaunches it, while the LaunchAgent brings it back after a reboot.

The attack chain begins with social engineering: targets are approached on messaging platforms such as Telegram and invited to a Zoom meeting scheduled via Calendly. The victim then receives an email with a supposed Zoom meeting link and instructions to run a "Zoom SDK update script." That script is an AppleScript, padded with thousands of blank lines to hide its payload from a casual look, which fetches and runs further malicious stages. The malware can collect system information, run arbitrary commands, and steal credentials from Arc, Brave, Google Chrome, Microsoft Edge and Mozilla Firefox, as well as data from Telegram.

In a separate campaign, the North Korean group Kimsuky, whose tooling is tracked under the "BabyShark" name, has been using the "ClickFix" social engineering tactic to deliver remote access tools. ClickFix tricks users into running malicious PowerShell commands themselves, using lures such as fake CAPTCHA verification pages and bogus defense research job portals.

Detection and Remediation Tips:

  • Implement strict verification procedures for meeting invitations, especially those requiring software updates

  • Train employees to recognize social engineering tactics, particularly those targeting cryptocurrency operations

  • Deploy advanced endpoint protection solutions capable of detecting process injection techniques

  • Implement application allowlisting to prevent unauthorized code execution

  • Regularly back up cryptocurrency wallet seed phrases using secure, offline methods

  • Consider using dedicated hardware security devices for cryptocurrency storage

  • Monitor egress for WebSocket (wss) connections from workstations to unfamiliar hosts, and on macOS review ~/Library/LaunchAgents for entries you did not install; a process that reappears immediately after being killed is a sign of this kind of signal-handler persistence
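Because NimDoor comes back through a LaunchAgent whenever it is killed or the machine reboots, the place to look on a suspect Mac is the LaunchAgent directories. The script below is an added example for this newsletter, not code from SentinelOne's report: it parses LaunchAgent plists and flags the ones whose binary runs from a temporary or hidden directory, or whose label sounds like a vendor (Apple, Google, Zoom) while the binary lives outside the usual trusted roots. Those heuristics and the three sample plists are this example's own assumptions, not published NimDoor indicators.

```python
"""Triage of macOS LaunchAgent plists for persistence review.

Added example for this newsletter; not code from SentinelOne's NimDoor
report. The plists are constructed samples, and the heuristics (binaries in
temporary or hidden directories, vendor-sounding labels whose binary is not
under a trusted root) are this example's assumptions, not published NimDoor
indicators. Run it against ~/Library/LaunchAgents and /Library/LaunchAgents.
"""
import plistlib
import sys
from pathlib import Path, PurePosixPath

TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
TRUSTED_ROOTS = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/bin/", "/sbin/")
VENDOR_WORDS = ("apple", "google", "microsoft", "zoom")  # names worth impersonating


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and return the reasons it looks suspicious."""
    data = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    reasons = []
    if program.startswith(TEMP_PREFIXES):
        reasons.append(f"binary runs from a temporary location: {program}")
    # A hidden directory anywhere in the path, excluding the filename itself.
    if any(part.startswith(".") for part in PurePosixPath(program).parts[1:-1]):
        reasons.append(f"binary lives in a hidden directory: {program}")
    if any(w in label.lower() for w in VENDOR_WORDS) and not program.startswith(TRUSTED_ROOTS):
        reasons.append(f"vendor-like label {label!r} but binary outside trusted roots")
    return {
        "label": label,
        "program": program,
        "keep_alive": bool(data.get("KeepAlive")),  # launchd relaunches it if killed
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan_launch_agents(plists: dict[str, bytes]) -> list[dict]:
    """Triage a mapping of plist filename -> raw bytes; return the flagged ones."""
    flagged = []
    for name, raw in plists.items():
        result = triage_launch_agent(raw)
        if result["suspicious"]:
            flagged.append({"file": name, **result})
    return flagged


# Constructed sample plists (not real artifacts).
SAMPLE_PLISTS = {
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/Applications/Backup.app/Contents/MacOS/backup-agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.apple.softwareupdate.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.zoom/zoom_sdk_helper</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/private/tmp/syncd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        directory = Path(sys.argv[1])
        plists = {p.name: p.read_bytes() for p in directory.glob("*.plist")}
    else:
        plists = SAMPLE_PLISTS
    for hit in scan_launch_agents(plists):
        print(f"[!] {hit['file']} ({hit['label']}) keep_alive={hit['keep_alive']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Pass a directory such as ~/Library/LaunchAgents as the argument; without one it runs over the three constructed samples and flags two of them. A hit is a lead, not a verdict: confirm it by checking the binary's code signature and where it came from before removing anything.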

Did you know...?

The Nim programming language used in NimDoor was first released in 2008 but has only recently gained popularity among threat actors. What makes Nim attractive for malware development is compile-time function execution: ordinary functions can run while the binary is being built, letting attackers fold complex behavior into a binary with less obvious control flow. The result is compiled code in which developer logic and Nim runtime code are intermingled even at the function level, which makes analysis and detection noticeably harder. North Korean actors have previously experimented with Go and Rust for similar reasons; Nim's obfuscation-friendly properties are another step in that direction.

4. Fake Crypto Wallet Extensions Flood Firefox Store, Stealing Seed Phrases

Primary Threat: Over 40 malicious browser extensions impersonating popular cryptocurrency wallets discovered in Firefox's official add-ons store.

Risk: HIGH

Researchers at Koi Security have identified more than 40 fake extensions in Firefox's official add-ons store that are impersonating popular cryptocurrency wallets from trusted providers. These malicious extensions pretend to be legitimate wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, but contain code designed to steal wallet credentials and sensitive data, including seed phrases.

Many of these add-ons are clones of the open-source versions of legitimate wallets with malicious logic added. The researchers found evidence pointing to a Russian-speaking threat group behind the campaign, which has been active since at least April 2025. The malicious code hooks form inputs and looks for strings longer than 30 characters, a crude filter for seed phrases and private keys, then exfiltrates the matches together with the victim's external IP address to attacker-controlled servers.

To appear legitimate, the threat actors use the real logos of the brands they impersonate and populate their listings with hundreds of fake five-star reviews. Some extensions also have numerous one-star reviews reporting the scam, likely from users who have already lost their cryptocurrency. Despite Mozilla having developed an early detection system for crypto scam extensions, these malicious add-ons continue to be available in the Firefox store.

Detection and Remediation Tips:

  • Verify the authenticity of browser extensions before installation by checking the developer's identity and website

  • Install cryptocurrency wallet extensions only from the official websites of the wallet providers

  • Check user reviews carefully, looking for patterns of fake positive reviews or warnings from other users

  • Consider using hardware wallets instead of browser-based solutions for storing significant cryptocurrency assets

  • Regularly audit installed browser extensions and remove any that are unnecessary or suspicious

  • Never enter your seed phrase into any website or application unless you are absolutely certain of its legitimacy

  • Enable additional security features like approval requirements for transactions in your legitimate wallet applications
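Auditing installed extensions is easier to do from the profile's extensions.json than by eyeballing the add-ons manager. The script below is an added example for this newsletter, not Koi Security's or Mozilla's code: it reads that file, picks out every extension whose name contains a wallet brand, and flags any whose add-on ID is not in an allowlist you maintain from the vendors' own websites. The extensions.json excerpt is constructed, and KNOWN_WALLET_IDS is a hypothetical placeholder that you must replace with the real vendor-published IDs before trusting the output.

```python
"""Audit a Firefox profile's extensions.json for wallet-branded add-ons.

Added example for this newsletter; not Koi Security's or Mozilla's code. The
extensions.json excerpt is constructed, and KNOWN_WALLET_IDS is a hypothetical
allowlist: fill it with the add-on IDs published on each wallet vendor's own
website before relying on the result. The file lives at
<profile>/extensions.json (e.g. ~/.mozilla/firefox/<profile>/ on Linux,
~/Library/Application Support/Firefox/Profiles/<profile>/ on macOS,
%APPDATA%\\Mozilla\\Firefox\\Profiles\\<profile>\\ on Windows).
"""
import json
import sys
from pathlib import Path
from typing import Optional

WALLET_BRANDS = ("coinbase", "metamask", "trust wallet", "phantom",
                 "exodus", "okx", "keplr", "monero")

# Hypothetical allowlist: add-on ID -> brand, as verified from the vendor's site.
KNOWN_WALLET_IDS = {
    "phantom-wallet@example.invalid": "phantom",
}


def wallet_brand(name: str) -> Optional[str]:
    """Return the wallet brand an extension name is trading on, if any."""
    n = name.lower()
    return next((b for b in WALLET_BRANDS if b in n), None)


def audit_extensions(extensions_json: str) -> list[dict]:
    """Return wallet-branded extensions whose ID is not the vendor-published one."""
    data = json.loads(extensions_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":  # skip themes, dictionaries, etc.
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        brand = wallet_brand(name)
        if brand is None:
            continue
        addon_id = addon.get("id", "")
        if KNOWN_WALLET_IDS.get(addon_id) == brand:
            continue
        findings.append({
            "id": addon_id,
            "name": name,
            "brand": brand,
            "active": bool(addon.get("active")),
            "sourceURI": addon.get("sourceURI"),
            "reason": f"presents as a {brand} wallet but its ID is not the vendor-published one",
        })
    return findings


# Constructed extensions.json excerpt (real files carry many more fields;
# the IDs and download URLs here are placeholders, not real add-ons).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 36,
    "addons": [
        {"id": "adblock-example@example.invalid", "type": "extension", "active": True,
         "defaultLocale": {"name": "Example Ad Blocker"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0/example_ad_blocker.xpi"},
        {"id": "phantom-wallet@example.invalid", "type": "extension", "active": True,
         "defaultLocale": {"name": "Phantom"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/phantom.xpi"},
        {"id": "metamask-secure@wallet-update.example", "type": "extension", "active": True,
         "defaultLocale": {"name": "MetaMask Wallet - Secure Ethereum Wallet"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/metamask_wallet.xpi"},
        {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
         "defaultLocale": {"name": "System theme"}},
    ],
})

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_EXTENSIONS_JSON
    for f in audit_extensions(text):
        state = "ACTIVE" if f["active"] else "disabled"
        print(f"[!] {f['name']!r} ({f['id']}, {state}): {f['reason']}")
        print(f"    source: {f['sourceURI']}")
```

Run it with the path to extensions.json; in the constructed sample it flags the MetaMask-branded add-on with an unknown ID and leaves the allowlisted Phantom entry alone. A finding is a prompt to verify, not proof of malice: the right check is to compare the flagged ID against the one the wallet vendor links to from its own site, and if they differ, remove the extension and treat any seed phrase typed into it as exposed.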

5. New FileFix Attack Bypasses Windows Security Protections

Primary Threat: Novel attack technique exploits browser behavior to bypass Windows Mark of the Web (MoTW) protection.

Risk: HIGH

Security researcher mr.d0x has published a new variant of his "FileFix" technique that lets a malicious script bypass Windows Mark of the Web (MoTW) by exploiting how browsers save HTML pages. The original FileFix tricked users into pasting a disguised PowerShell command into the address bar of a File Explorer file-upload dialog; this variant instead abuses the browser's own "Save page" function.

The attack relies on social engineering the victim into saving the page with Ctrl+S as "Webpage, Complete" and giving it an .hta (HTML Application) extension; HTA files are run by mshta.exe, which executes any embedded JScript when the file is opened. The researcher found that when a page served with MIME type text/html is saved as "Webpage, Complete," the resulting file does not receive the MoTW Zone.Identifier stream, so the security warnings that normally accompany a file downloaded from the internet never fire.

While the attack requires convincing the user to save and rename a file, the bait can be mundane: the researcher's example is a page offering multi-factor authentication (MFA) backup codes that instructs the user to press Ctrl+S, choose "Webpage, Complete," and save the file with an .hta extension. The embedded code then runs as soon as the saved file is opened.

Detection and Remediation Tips:

  • Consider disabling or removing the 'mshta.exe' binary from your environment (found in C:\Windows\System32 and C:\Windows\SysWOW64)

  • Enable file extension visibility on Windows to make it easier to identify suspicious file types

  • Implement email filtering to block HTML attachments

  • Train users to be suspicious of websites asking them to save and rename files

  • Deploy application control policies that prevent execution of .HTA files

  • Consider using browser policies that prevent saving webpages as "Webpage, Complete"

  • Ensure endpoint protection solutions are updated to detect this attack technique
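A FileFix infection shows up in process telemetry as mshta.exe launched from a user profile path by an interactive parent such as explorer.exe. The detection below is an added example for this newsletter, not mr.d0x's code: it reads process-creation events using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, User, UtcTime), scores any mshta.exe execution, and rates an .hta under a user-writable path as high. The events are constructed and serialised inline, and the severity rules and parent-process list are this example's assumptions; map the field names to your EDR's schema before deploying it.

```python
"""Hunt for FileFix-style mshta.exe launches in process-creation telemetry.

Added example for this newsletter; not mr.d0x's code. Events are constructed
JSON lines using Sysmon Event ID 1 field names (Image, CommandLine,
ParentImage, User, UtcTime); adapt the names to your EDR's schema. The
severity rules and interactive-parent list are this example's assumptions.
"""
import json
import re
from typing import Iterable, Optional

# A .hta path, quoted or bare, anywhere in the command line.
HTA_ARG_RE = re.compile(r'"([^"]*\.hta)"|(\S+\.hta)(?=\s|$)', re.IGNORECASE)
# Locations an ordinary user can write to, where a Ctrl+S'd file would land.
USER_WRITABLE_RE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)
# mshta started from the shell or a browser = a user double-clicked or ran it by hand.
INTERACTIVE_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict) -> Optional[dict]:
    """Return an alert for an mshta.exe launch, or None for anything else."""
    if basename(ev.get("Image", "")) != "mshta.exe":
        return None
    cmd = ev.get("CommandLine", "")
    m = HTA_ARG_RE.search(cmd)
    hta_path = (m.group(1) or m.group(2)) if m else None
    parent = basename(ev.get("ParentImage", ""))
    if hta_path and USER_WRITABLE_RE.search(hta_path):
        severity, reason = "high", "HTA executed from a user-writable path (FileFix pattern)"
    elif hta_path:
        severity, reason = "medium", "HTA executed from a non-user path; verify it is sanctioned"
    else:
        severity, reason = "medium", "mshta.exe with inline script or URL instead of a local .hta"
    if parent in INTERACTIVE_PARENTS:
        reason += f"; launched interactively by {parent}"
    return {"time": ev.get("UtcTime"), "user": ev.get("User"), "parent": parent,
            "hta_path": hta_path, "severity": severity, "reason": reason}


def detect_filefix(lines: Iterable[str]) -> list[dict]:
    """Run classify_event over JSON-lines telemetry and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events serialised as JSON lines (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"UtcTime": "2025-07-02 09:14:03.120", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" "C:\\Users\\alice\\Downloads\\MFA-backup-codes.hta"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"UtcTime": "2025-07-02 09:20:41.004", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": 'mshta.exe "C:\\Program Files\\Vendor\\deploy.hta"',
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"UtcTime": "2025-07-02 09:31:17.550", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer',
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"UtcTime": "2025-07-02 09:45:09.311", "User": "CORP\\bob",
     "Image": "C:\\Windows\\SysWOW64\\mshta.exe",
     "CommandLine": "mshta.exe javascript:window.close()",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]]

if __name__ == "__main__":
    for a in detect_filefix(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['time']} {a['user']} <- {a['parent']}: {a['reason']}")
        if a["hta_path"]:
            print(f"         {a['hta_path']}")
```

Feed it one JSON object per line from your process-creation log. Over the constructed sample it raises a high-severity alert for the .hta in a Downloads folder opened from Explorer, and medium alerts for an .hta under Program Files and for an inline-script invocation, while ignoring the Chrome renderer. If you have removed mshta.exe from your estate as the tip above suggests, any hit at all is worth a look.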

6. International Criminal Court Hit by "Sophisticated" Cyberattack

Primary Threat: Second targeted cyberattack in recent years against international tribunal investigating war crimes.

Risk: HIGH

The International Criminal Court (ICC) has announced that it is investigating a new "sophisticated and targeted" cyberattack that targeted its systems last week. This is the second such incident in recent years, following a previous cybersecurity breach in September 2023 that was later confirmed to be an espionage attempt.

The ICC stated that the attack was swiftly discovered, confirmed, and contained through the Court's alert and response mechanisms. The organization has not given details about the nature of the attack, its impact, or whether any data was accessed or exfiltrated, but the timing is notable. The ICC has been involved in high-profile investigations, including issuing arrest warrants for Russian President Vladimir Putin over crimes connected with Russia's invasion of Ukraine, and for Israeli Prime Minister Benjamin Netanyahu over alleged war crimes in Gaza.

The previous attack in 2023 was described as "a serious attempt to undermine the Court's mandate" and occurred amid "broader and heightened security concerns," including "daily and persistent attempts to attack and disrupt its systems" and an "almost successful attempt to infiltrate a hostile intelligence officer into the Court under the guise of an intern."

Detection and Remediation Tips:

  • Organizations involved in international justice or human rights work should review their security posture

  • Implement advanced threat protection solutions capable of detecting sophisticated nation-state attacks

  • Conduct regular security assessments and penetration testing of critical systems

  • Develop and practice incident response plans for targeted cyberattacks

  • Consider implementing strict vetting procedures for all personnel, including temporary staff and interns

  • Segment networks to isolate systems containing sensitive case information

  • Implement robust monitoring for unusual access patterns or data exfiltration attempts

IN SUMMARY:

From sophisticated social engineering campaigns targeting the aviation industry to backdoors in enterprise communications systems, and from cryptocurrency theft through fake browser extensions to novel techniques for bypassing Windows security protections, the threat landscape continues to expand.

The targeting of international institutions like the ICC further demonstrates that no organization is immune from cyberattacks, particularly those involved in politically sensitive work. As attackers continue to innovate, organizations must remain vigilant and proactive in their security measures.

🚨 Key Takeaways:

✔️ The aviation industry is facing a coordinated campaign by the Scattered Spider threat group, with Qantas being the latest victim in a series of attacks
✔️ Critical vulnerabilities in widely-used enterprise systems like Cisco Unified CM can provide attackers with root-level access to communications infrastructure
✔️ North Korean hackers continue to target cryptocurrency and Web3 organizations with increasingly sophisticated malware and social engineering tactics
✔️ Browser extension stores remain a significant attack vector, with Firefox's store currently hosting dozens of malicious cryptocurrency wallet extensions
✔️ Novel attack techniques like FileFix demonstrate how attackers can bypass established security controls by exploiting subtle behaviors in common software
✔️ High-profile international organizations face persistent and sophisticated attacks, likely from nation-state actors seeking to compromise sensitive information

🔎 Immediate Actions:

✔️ Review third-party access to customer data systems and implement strict access controls and monitoring
✔️ Audit communications infrastructure for vulnerable Cisco Unified CM installations and apply the latest security patches
✔️ Train employees to recognize social engineering tactics, particularly those involving meeting invitations and software updates
✔️ Verify the authenticity of browser extensions, especially those related to cryptocurrency wallets
✔️ Consider disabling or removing the 'mshta.exe' binary to prevent FileFix attacks and similar techniques
✔️ Implement advanced threat protection solutions capable of detecting sophisticated nation-state attacks
✔️ Enable multi-factor authentication across all systems, particularly those containing sensitive information

💡 Remember, in cybersecurity, you don't have to outrun the bear – you just have to outrun the organization with default passwords and unpatched systems. Unfortunately, that's getting harder every day. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)