Cyber Security Weekly Briefing, 15-21 March

March 21, 2025

Windows vulnerability discovered that has been exploited since 2017

Trend Micro researchers have published an analysis of ZDI-CAN-25373, a Windows flaw that has reportedly been exploited since 2017 by at least 11 state-sponsored threat groups linked to China, Russia, Iran and North Korea. The flaw stems from a weakness in the user interface that allows malicious command-line arguments to be hidden inside shortcut (.lnk) files, making it easier to execute code without the user noticing.

The researchers also noted that the attacks mainly targeted entities in North America, Europe, East Asia and Australia, with 70% of the cases linked to cyberespionage. Groups reported to exploit the flaw include Water Asena (Evil Corp), Earth Kumiho (Kimsuky) and Earth Imp (Konni). Microsoft reportedly declined to release an immediate patch, arguing that the flaw does not meet its bar for servicing, although it may address it in a future update.
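Detection logic for the .lnk argument-hiding described above, as an added example that is not from the Trend Micro report or this briefing: it parses the Shell Link header and StringData to extract COMMAND_LINE_ARGUMENTS and flags shortcuts whose arguments contain a long run of whitespace, the padding that Trend Micro's published analysis of ZDI-CAN-25373 identifies as the way the real command is kept out of the shortcut Properties dialog. The 16-character threshold and the in-memory sample shortcuts are assumptions made for this example.

```python
import struct

LNK_HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)
PADDING_CHARS = set(" \t\n\v\f\r")  # whitespace the shortcut Properties dialog does not show

def parse_string_data(lnk: bytes) -> dict:
    """Walk a .lnk blob and return its StringData fields keyed by LinkFlags bit."""
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip LinkTargetIDList: IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", lnk, pos)[0]
    fields = {}
    for bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", lnk, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[bit] = lnk[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def longest_padding_run(text: str) -> int:
    """Length of the longest run of whitespace/control characters in a string."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch in PADDING_CHARS else 0
        best = max(best, run)
    return best

def is_padded_lnk(lnk: bytes, threshold: int = 16) -> bool:
    """Flag shortcuts whose arguments hide a command behind a long whitespace run (threshold is an assumption)."""
    args = parse_string_data(lnk).get(HAS_ARGUMENTS, "")
    return longest_padding_run(args) >= threshold

def build_test_lnk(args: str) -> bytes:
    """Construct a minimal Unicode .lnk (header + COMMAND_LINE_ARGUMENTS only) as test input."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LINK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

BENIGN_LNK = build_test_lnk("/c echo hello")  # constructed sample
PADDED_LNK = build_test_lnk(" " * 200 + "\t\r\n" * 30 + "/c echo hidden")  # constructed sample
```

Run `is_padded_lnk(open(path, "rb").read())` over a directory of shortcuts to triage them; a long padding run is a strong signal, but legitimate shortcuts with unusual arguments should still be reviewed by hand.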


MirrorFace expands its reach beyond Japan with Operation Akairyu

The China-linked MirrorFace cyberespionage group has expanded its operations beyond Japan, now targeting entities in Europe and other regions in the context of Expo 2025. According to ESET, the campaign dubbed “Operation Akairyu” has reintroduced the ANEL backdoor, a tool previously used by MirrorFace to maintain persistent access on compromised systems.

The group has used advanced spear phishing to distribute the malware, with lures themed around the international exhibition. Once inside a system, the attackers use ANEL for remote control, data exfiltration and deployment of additional payloads. This expansion indicates a strategic interest in government, technology and diplomatic targets outside Asia.


New C++-based IIS malware detected that mimics cmd.exe

Unit 42 researchers have detected new malware targeting Internet Information Services (IIS) servers. Developed in C++/CLI and currently seen in two versions, it works as a passive backdoor that integrates into the IIS server by registering for HTTP response events. It filters incoming HTTP requests for specific headers, which are used to pass commands. Commands and data are encrypted with AES and then Base64-encoded.

The most recent version, compiled in May 2023, executes commands through a custom cmd.exe wrapper embedded within the malware; this wrapper is also able to patch AMSI and ETW routines to evade detection. Its sophistication and targeted nature suggest it was used in specific attacks, although it has not yet been attributed to a known threat actor.


Critical vulnerabilities in SCADA myPRO allow remote code execution

Researchers at Catalyst have discovered two critical flaws in mySCADA myPRO, a SCADA system used in operational technology (OT) environments. Both flaws, tracked as CVE-2025-20014 and CVE-2025-20061, have a CVSSv4 score of 9.3 according to ICS-CERT and allow command injection through crafted POST requests, because user input is not properly sanitized.

If exploited, attackers could execute arbitrary code and take control of industrial networks, causing operational disruptions and economic losses. The vulnerabilities have been fixed in mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1. It is recommended to apply security patches, segment SCADA networks, enforce authentication and monitor suspicious activity.


New BitM attack allows the theft of MFA-protected sessions

Researchers at Mandiant have described a new attack called Browser in the Middle (BitM), which lets attackers steal authenticated sessions without knowing the victim's credentials or defeating multi-factor authentication (MFA) challenges. Unlike traditional methods such as Evilginx2, a transparent proxy in which the operator's server sits between the victim and the targeted service, BitM uses a browser controlled by the attacker to capture the victim's session directly.

The technique can compromise an account in a matter of seconds, which makes large-scale attacks easier. To mitigate the risk, the researchers recommend client certificates and hardware-based MFA with FIDO2, since these mechanisms make session spoofing difficult even if the attacker obtains the user's credentials.
