GSG Newsletter - 7th Edition, 12th March, 2025

CISA Adds Four Known Exploited Vulnerabilities to Catalog
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
  • CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability
  • CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
  • CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
For more details: CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
   Known Exploited Vulnerabilities Catalog | CISA

US charges Chinese hackers linked to critical infrastructure breaches
The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
Their victim list includes US federal and state government agencies, foreign ministries of multiple governments in Asia, U.S.-based dissidents, as well as a prominent religious organization in the United States.
According to the Justice Department: “These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s MPS and Ministry of State Security (MSS) and on their own initiative. The MPS and MSS paid handsomely for stolen data.” The DOJ charged two MPS officers and eight employees of Anxun Information Technology (also known as i-Soon) with involvement in these attacks and seized the domain used by i-Soon to advertise its hacker-for-hire services.
The State Department is also offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for information that could help locate or identify the defendants.
For more details:   US charges Chinese hackers linked to critical infrastructure breaches

Silk Typhoon hackers now target IT supply chains to breach networks  – Microsoft Threat Intelligence
Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives. Microsoft says the threat actors have created a “CovertNetwork” consisting of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, which are used to launch attacks and obfuscate malicious activities. Microsoft has listed updated indicators of compromise and detection rules that reflect Silk Typhoon’s latest shift in tactics at the bottom of its report.

Recommended Actions
1. Ensure all public-facing devices are patched. It’s important to note that patching a vulnerable device does not remediate any post-compromise activities by a threat actor who gained privileged access to a vulnerable device.
2. Validate that any Ivanti Pulse Connect VPN appliances are patched to address CVE-2025-0282 and run the Integrity Checker Tool as recommended in Ivanti’s advisory. Consider terminating any active or persistent sessions following patch cycles.
3. Defend against legitimate application and service principal abuse by establishing strong controls and monitoring for these security identities.
  • Audit the current privilege level of all identities, users and service principals. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose.
  • Investigate and remediate any risky OAuth apps.
  • Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant. If they are no longer required, they should be removed.
  • If applications must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online.
4. Monitor for service principal sign-ins from unusual locations.
5. Defend against credential compromise by building credential hygiene, practicing the principle of least privilege, and reducing credential exposure.
6. Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and enable multifactor authentication (MFA) for medium-risk ones.
7. Ensure that VPN access is protected using modern authentication methods.
8. Identify all multi-tenant applications, assess permissions, and investigate suspicious sign-ins.
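
One way to carry out the permission review in action 3, written as an added example for this newsletter rather than taken from Microsoft’s report: it inventories every service principal in the tenant that holds either EWS permission, using the Microsoft Graph PowerShell SDK (assumed installed, with a reader holding Directory.Read.All).

```powershell
# Added example, not Microsoft's own detection rule: inventory which service principals in the
# tenant hold the two Exchange Web Services permissions named in recommended action 3, using the
# Microsoft Graph PowerShell SDK (assumed installed; the signed-in reader needs Directory.Read.All).
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Both permissions are defined on the first-party "Office 365 Exchange Online" resource
# (appId 00000002-0000-0ff1-ce00-000000000000): full_access_as_app is an application
# permission (app role), EWS.AccessAsUser.All is a delegated permission (OAuth2 scope).
$exo     = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$appRole = $exo.AppRoles | Where-Object Value -eq 'full_access_as_app'

$findings = New-Object System.Collections.Generic.List[object]

# 1) Application permission: every principal assigned the full_access_as_app role on Exchange Online.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exo.Id -All |
  Where-Object AppRoleId -eq $appRole.Id |
  ForEach-Object {
    $findings.Add([pscustomobject]@{
      Principal   = $_.PrincipalDisplayName
      PrincipalId = $_.PrincipalId
      Permission  = 'full_access_as_app'
      GrantType   = 'Application'
    })
  }

# 2) Delegated permission: OAuth2 grants on Exchange Online whose scope list contains EWS.AccessAsUser.All.
#    Filtering client-side keeps this independent of which $filter clauses the grants endpoint supports.
Get-MgOauth2PermissionGrant -All |
  Where-Object { $_.ResourceId -eq $exo.Id -and (($_.Scope -split '\s+') -contains 'EWS.AccessAsUser.All') } |
  ForEach-Object {
    $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    $findings.Add([pscustomobject]@{
      Principal   = $client.DisplayName
      PrincipalId = $_.ClientId
      Permission  = 'EWS.AccessAsUser.All'
      # AllPrincipals = tenant-wide admin consent; Principal = a single user's consent
      GrantType   = "Delegated ($($_.ConsentType))"
    })
  }

# Review each row against a business justification; unknown, unused or multi-tenant apps come first.
$findings | Sort-Object Principal | Format-Table -AutoSize
```

Rows whose principal is unknown, no longer in use, or a multi-tenant application are the ones to remove or re-scope first, which also covers action 8.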

For more details:  Silk Typhoon targeting IT supply chain | Microsoft Security Blog
  Silk Typhoon hackers now target IT supply chains to breach networks

Threat Actor ‘JavaGhost’ Targets AWS Environments in Phishing Scheme
A long-running threat actor known as JavaGhost is targeting misconfigured AWS instances to obtain access keys, enabling them to send out phishing messages that skate by email defenses with ease.
Palo Alto Networks’ Unit 42 published research on Feb. 28, entitled “JavaGhost’s Persistent Phishing Attacks From the Cloud,” that tracks the threat actor’s targeting of AWS environments between 2022 and 2024. But Margaret Kelley, the research blog’s author as well as a digital forensics and incident response senior consultant at Unit 42, wrote that JavaGhost has been active for more than five years. The members were previously dedicated to defacing websites, but in 2022 they “pivoted to sending out phishing emails for financial gain.”

Recommended Actions
Secure Access Keys: Regularly rotate and securely store AWS access keys. Avoid hardcoding them in your applications.
Enable Multi-Factor Authentication (MFA): Require MFA for all IAM users to add an extra layer of security.
Monitor and Audit: Use AWS CloudTrail to monitor API calls and set up alerts for unusual activities.
Implement Least Privilege: Grant the minimum permissions necessary for users and applications to perform their tasks.
Regularly Update and Patch: Keep your AWS environment and applications up-to-date with the latest security patches.
Use AWS Config: Enable AWS Config to continuously monitor and record your AWS resource configurations.
Educate Your Team: Train your team to recognize phishing attempts and follow best security practices.

For more details:    ‘JavaGhost’ Targets AWS Environments in Phishing Scheme

AI-Fueled Tax Scams on the Rise
As AI-driven scams surge this tax season, taxpayers face unprecedented challenges in safeguarding their personal and financial information. Taxpayers are increasingly targeted with plausible, highly convincing emails, texts and calls. In one alarming trend, fraudsters use AI-generated voice scams to impersonate IRS agents or tax professionals with voices and conversation that sound realistic. With the ability to create and widely spread these realistic voice scams, taxpayers have to be vigilant to ensure they don’t get tricked by scammers this year. According to a recent study conducted by LifeLock, the leader in identity theft protection in the U.S. and part of Gen™ (NASDAQ: GEN), 56% of individuals have already encountered AI-powered tax scams featuring realistic voices.

Recommended Actions
1. Use Reputable Tax Preparation Services: Ensure your tax preparer has a valid Preparer Tax Identification Number (PTIN) and is authorized to file returns.
2. Verify Communications: The IRS will never reach out via email, text or social media to request personal or financial information – but scammers will. If you think the IRS or your tax preparer is trying to reach you, call them directly instead of responding to the message. Better yet, establish a safe word to use with your tax preparer to help make sure it’s really them when they reach out to you.
3. Be Cautious with Personal Information: Avoid sharing sensitive data over the phone or online unless you are certain of the recipient’s identity.
4. Monitor Financial Accounts: Regularly check bank and credit accounts for unauthorized transactions.
5. Report Suspicious Activity: If you suspect a tax-related scam, report it to the IRS and the Federal Trade Commission (FTC) promptly.

For more details: AI-Fueled Tax Scams on the Rise

BadBox malware disrupted on 500K infected Android devices
The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices.
The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones.
These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads. It is estimated that the botnet has grown to over 1,000,000 infections, impacting Android devices in 222 countries, with most located in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%). The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide. HUMAN’s Satori Threat Intelligence team states that “Devices connected to the BADBOX 2.0 operation included lower-price-point, ‘off brand’, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more.”
For more details: BadBox malware disrupted on 500K infected Android devices

Reference: CISA, Darkreading, Bleepingcomputer, Microsoft

*Disclaimer: This newsletter contains links to sites on the Internet that are owned and operated by third parties. We do not claim ownership of any third-party content. Trademarks, logos, and brand names are the property of their respective owners.
**These are basic steps; advanced issues may need expert intervention. Consult our team for detailed analysis.
