Cyber Security Weekly Briefing, 1-7 March
Pass-the-Cookie attacks can bypass MFA security
Pass-the-Cookie attacks allow attackers to bypass multi-factor authentication (MFA) by stealing session cookies. Cookies such as ESTSAUTH in Microsoft environments keep a user authenticated without re-entering credentials, so an attacker who obtains a valid cookie can replay it and access the victim's account without knowing the password or completing MFA. Cookie theft is typically carried out with infostealers such as LummaC2, RedLine, or Raccoon, which are distributed through phishing or fraudulent downloads.
To mitigate these attacks, a combination of detective controls (monitoring for unusual activity and behavioral analysis) and preventive measures such as conditional access policies and IP restrictions is recommended.
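One way to put the "monitoring for unusual activity" recommendation into practice is to look for a session that completed MFA on one device and is then replayed from a different IP and user agent with MFA only "satisfied by a claim in the token". The following is an added example, not code from the briefing; the sign-in records and field names are constructed to resemble an identity provider's sign-in log.

```python
# Constructed sign-in records (sample input, not from the briefing). "session" stands for the
# identifier a session cookie such as ESTSAUTH carries; "mfa" mirrors an identity provider's
# authentication detail: performed interactively, or satisfied by a claim already in the token.
SIGN_INS = [
    {"time": "2025-03-03T08:01:00", "user": "alice", "session": "sess-A1",
     "ip": "203.0.113.10", "ua": "Windows/Edge", "mfa": "performed"},
    {"time": "2025-03-03T08:40:00", "user": "alice", "session": "sess-A1",
     "ip": "203.0.113.10", "ua": "Windows/Edge", "mfa": "claim_in_token"},
    {"time": "2025-03-03T09:12:00", "user": "alice", "session": "sess-A1",
     "ip": "198.51.100.77", "ua": "Linux/Firefox", "mfa": "claim_in_token"},
    {"time": "2025-03-03T10:00:00", "user": "bob", "session": "sess-B7",
     "ip": "203.0.113.22", "ua": "macOS/Safari", "mfa": "performed"},
]

def suspicious_sessions(events):
    """Map session -> sign-ins where an MFA-bearing session was replayed from a
    different IP/user-agent pair than the one that actually completed MFA."""
    origin = {}   # session -> (ip, ua) at the sign-in where MFA was performed
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        fingerprint = (ev["ip"], ev["ua"])
        if ev["mfa"] == "performed":
            origin[ev["session"]] = fingerprint   # the legitimate device binds the session
        elif origin.get(ev["session"], fingerprint) != fingerprint:
            # MFA was not repeated, yet the session now arrives from somewhere else
            flagged.setdefault(ev["session"], []).append(
                {"user": ev["user"], "time": ev["time"], "ip": ev["ip"], "ua": ev["ua"]})
    return flagged

if __name__ == "__main__":
    for session, hits in suspicious_sessions(SIGN_INS).items():
        for hit in hits:
            print(f"{session}: {hit['user']} from {hit['ip']} ({hit['ua']}) at {hit['time']}")
```

A session whose first appearance in the log window already carries "claim_in_token" is not flagged here, since the device that performed MFA was never observed; that case needs a longer lookback.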
44 new vulnerabilities in Android, some actively exploited
Google has published the Android security bulletin for March 2025, addressing a total of 44 vulnerabilities, two of which are reported to have been actively exploited. Among the flaws, CVE-2024-43093 (CVSSv3 of 7.8) stands out: a privilege escalation vulnerability in the Framework component that could lead to unauthorized access to several directories. Separately, CVE-2024-50302 (CVSSv3 of 5.5) was employed in a 0-day exploit devised by Cellebrite, together with CVE-2024-53104 (CVSSv3 of 7.8) and CVE-2024-53197, to access an activist's Android phone, gain elevated privileges and likely deploy the NoviSpy spyware.
All three vulnerabilities reside in the Linux kernel and were patched late last year. Google also acknowledged that both CVE-2024-43093 and CVE-2024-50302 have been exploited, although according to the vendor this exploitation has been limited and targeted.
The company has released two levels of security patches, 2025-03-01 and 2025-03-05, to mitigate the vulnerabilities.
Attack campaign targeting AWS detected
Unit42 researchers have detected new phishing campaigns linked to the TGR-UNK-0011 threat group, whose motivation is unknown and which is related to JavaGhost. The group is reportedly attacking Amazon Web Services (AWS) environments, albeit without exploiting vulnerabilities. Instead, it exploits misconfigurations in victims' environments that expose their AWS passwords, and uses that access to send phishing messages.
Once access to the organization's AWS account is confirmed, the attackers generate temporary credentials and a login URL to allow access to the console. The group then uses Amazon Simple Email Service (SES) and WorkMail to set up the phishing infrastructure, creating new users and configuring new SMTP credentials to send emails. Also, the threat actors create a new IAM role with a trust policy attached, allowing them to access the organization's AWS account from another AWS account under their control.
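Each step of the chain described above leaves a trace in CloudTrail: temporary credentials for a console sign-in URL, new IAM users and access keys (SES SMTP credentials are derived from an IAM user's access key), new SES identities, and a CreateRole whose trust policy names an account other than the victim's. The detector below is an added example, not code from the Unit42 report; the CloudTrail-style records are constructed, and the mapping of API names to the steps in the write-up is an assumption.

```python
import json

# Constructed CloudTrail-style records (sample input, not from the Unit42 report),
# trimmed to the fields the checks read; the victim account is 111111111111.
SAMPLE_EVENTS = [
    {"eventName": "GetFederationToken", "eventSource": "sts.amazonaws.com",
     "recipientAccountId": "111111111111", "requestParameters": {"name": "console"}},
    {"eventName": "CreateRole", "eventSource": "iam.amazonaws.com", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "support-access", "assumeRolePolicyDocument": json.dumps(
         {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "recipientAccountId": "111111111111", "requestParameters": {"userName": "smtp-user"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "recipientAccountId": "111111111111"},
]

# API calls the described chain produces (assumed mapping; SES SMTP credentials are derived
# from an IAM user's access key, so new users and keys precede the SMTP sending step).
SUSPICIOUS_EVENTS = {
    "GetFederationToken": "temporary credentials that can be turned into a console sign-in URL",
    "CreateUser": "new IAM user (SES SMTP credentials are built from IAM access keys)",
    "CreateAccessKey": "new access key, convertible to SES SMTP credentials",
    "CreateEmailIdentity": "new SES sending identity",
}

def trusted_accounts(policy_json):
    """Account IDs (or '*') trusted to assume the role; handles ARN, bare ID and wildcard principals."""
    found = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [principals] if isinstance(principals, str) else principals:
            found.add(p.split(":")[4] if p.startswith("arn:") else p)
    return found

def flag_events(events):
    """Return (eventName, reason) tuples for records that match the attack chain."""
    findings = []
    for ev in events:
        name, params = ev.get("eventName"), ev.get("requestParameters", {})
        if name in SUSPICIOUS_EVENTS:
            findings.append((name, SUSPICIOUS_EVENTS[name]))
        elif name == "CreateRole":
            foreign = trusted_accounts(params.get("assumeRolePolicyDocument", "{}"))
            foreign -= {ev.get("recipientAccountId")}  # trusting your own account is normal
            if foreign:
                findings.append((name, "trust policy allows AssumeRole from " + ", ".join(sorted(foreign))))
    return findings
```

In a real deployment the first three event names also occur legitimately, so they are best treated as signals to correlate (new key followed by SES activity from an unfamiliar principal) rather than alerts on their own; the cross-account CreateRole check is the highest-fidelity one.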
Malicious actors exploit cloud misconfigurations to spread malware
A report by Veriti Research reveals that 40% of networks allow "any/any" cloud access, exposing critical vulnerabilities. Attackers take advantage of these misconfigurations to distribute malware such as XWorm and Sliver C2 and use cloud platforms as command-and-control (C2) servers. The study shows that XWorm leverages AWS S3 storage to distribute malicious executables, while Remcos uses infected RTF files hosted in the cloud.
Additionally, some APT groups have been observed using Sliver C2 alongside Rust-based malware to establish backdoors and exploit 0-day vulnerabilities. Researchers have warned about the increasing exploitation of cloud services such as AWS, Azure, and Alibaba Cloud.
They recommend adopting a proactive security approach by restricting insecure configurations and enhancing threat monitoring.
Dark Caracal Reinforces Its Arsenal with Poco RAT in Attacks on Latin America
Researchers at Positive Technologies have uncovered a new Poco RAT campaign linked to the cybercriminal group Dark Caracal, targeting Spanish-speaking users in Latin America. This operation relies on phishing emails containing malicious PDF files that mimic legitimate financial documents, redirecting victims to download a compressed file that carries the malware.
Poco RAT, developed using POCO C++ libraries, enables attackers to execute commands, capture screenshots, manipulate processes, and gather system information, transmitting it to C2 servers. Its design avoids writing to disk and employs encrypted channels to evade detection. Dark Caracal, which previously used Bandook, has now adopted Poco RAT due to its enhanced sophistication, focusing its attacks primarily on Venezuela, Colombia, and Chile. Additionally, the group is known to leverage legitimate services like Google Drive and Dropbox, as well as URL shorteners, to further obscure its malicious payloads.