Cyber Security Weekly Briefing, 19-25 April
Microsoft patch for CVE-2025-21204 triggers another vulnerability
Researcher Kevin Beaumont has revealed that Microsoft's patch for vulnerability CVE-2025-21204 (CVSSv3 7.8 according to the vendor), related to symlinks, inadvertently introduces a new security flaw.
The original fix was to create the C:\inetpub folder so that unauthorized users could not tamper with it. However, Beaumont discovered that a user without administrative privileges can create a symbolic link from C:\inetpub to another file, such as notepad.exe, which causes subsequent Windows security updates to not apply correctly, producing errors or altering the changes they make.
This situation allows non-administrators to block system updates, exposing the system to additional risks. Beaumont reported this vulnerability to Microsoft two weeks ago, but to date has not received a response.
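A simple defender-side check for the condition described above, added here as an example and not part of Beaumont's research or any Microsoft tooling: it inspects a path without following links and reports whether it is a real directory, a symlink or reparse point (junctions included on Windows), or missing. The default path C:\inetpub comes from the advisory; the `demo()` function builds the three cases in a scratch directory so the logic can be exercised on any OS, with a constructed `notepad.exe` stand-in as link target.

```python
"""Check whether a directory Windows expects to own (the example path is C:\\inetpub)
is really a directory, or has been replaced by a symlink / reparse point."""
import os
import stat
import sys
import tempfile

# Windows dwFileAttributes bit set on symlinks, junctions and mount points alike.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def describe(path):
    """Return what `path` actually is, without following links."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"exists": False, "is_dir": False, "is_link": False, "target": None}
    is_link = stat.S_ISLNK(st.st_mode)
    # Junctions are not S_IFLNK on Windows; the reparse-point attribute catches them.
    if getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT:
        is_link = True
    target = None
    if is_link:
        try:
            target = os.readlink(path)
        except OSError:
            target = "<unreadable reparse target>"
    return {"exists": True, "is_dir": stat.S_ISDIR(st.st_mode), "is_link": is_link, "target": target}


def audit(path):
    """Classify `path` as OK (real directory), LINK (symlink/junction), MISSING or OTHER (a file)."""
    info = describe(path)
    if not info["exists"]:
        return ("MISSING", f"{path} does not exist")
    if info["is_link"]:
        return ("LINK", f"{path} is a link or reparse point -> {info['target']}")
    if info["is_dir"]:
        return ("OK", f"{path} is a real directory")
    return ("OTHER", f"{path} exists but is not a directory")


def demo():
    """Build the three cases in a scratch directory and return their classifications."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "real")
        os.mkdir(real)
        decoy = os.path.join(d, "notepad.exe")  # constructed stand-in for the link target
        open(decoy, "w").close()
        linked = os.path.join(d, "inetpub")
        os.symlink(decoy, linked)
        return {
            "real": audit(real)[0],
            "linked": audit(linked)[0],
            "missing": audit(os.path.join(d, "absent"))[0],
        }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\inetpub"
    status, detail = audit(target)
    print(status, detail)
    sys.exit(1 if status == "LINK" else 0)
```

Run on a Windows host it exits non-zero when C:\inetpub is a link or junction, which makes it easy to schedule before update windows; a LINK result for a folder the OS is supposed to own is the condition to investigate.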
TAG-124: malicious infrastructure to spread malware
Researchers at Recorded Future have identified that multiple threat actors, including ransomware groups such as Rhysida and Interlock, and state entities such as TA866 (Asylum Ambuscade), are using the TAG-124 malicious infrastructure to distribute malware in a highly targeted manner.
This traffic distribution system (TDS) operates by collecting browser data, geolocation and user behavior to redirect victims to malicious payloads while avoiding detection. TAG-124 has been key in attacks on critical sectors, such as healthcare and finance, and has been linked to SEO poisoning campaigns and compromise of legitimate websites.
Its use allows malicious actors to specialize in later stages of the attack, increasing the effectiveness of their extortion campaigns.
New phishing attacks exploit Google's infrastructure
Nick Johnson of Ethereum Name Service (ENS) detected a DKIM replay phishing attack. The attackers first registered a domain and created a Google account for me@domain. They then created a Google OAuth application using the entire phishing message as the name, with lots of whitespace to separate it from Google's notification of the attacker's account login.
After login, Google automatically sent a security alert that the attackers forwarded to victims; because the alert was genuinely signed by Google, the forwarded copy passed all authentication checks. The message urged users to access a supposed support portal, an exact duplicate of the real one, where their Google account credentials were requested.
The fraudulent portal was hosted on sites.google.com, Google's free website creation platform, instead of accounts.google.com, raising suspicions of phishing.
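The replay works because a DKIM signature covers selected headers and the body, not the delivery path, so a message forwarded unchanged still verifies and still aligns with its From domain under DMARC. What does change is the envelope and the audience, which is what mailbox-level triage can look at. The following is an added example of such triage, not code from Johnson's write-up or from Google: it parses a constructed message (placeholder signature values, example domains) and reports whether the DKIM domain aligns with From, whether the envelope sender belongs to a different organization, whether the actual recipient is addressed at all, and whether links point at user-published content on the brand's own domain, as sites.google.com was here. It does not verify the signature cryptographically; it assumes the receiving MTA has already done that.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a security alert genuinely signed by the
# sender's domain, re-sent to the victim through an unrelated mailbox. Signature
# values are placeholders; the checks below do not depend on them.
SAMPLE_MESSAGE = """\
Return-Path: <me@attacker-controlled.example>
Received: from mail.attacker-controlled.example (192.0.2.10) by mx.victim.example; Mon, 21 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601;
 h=to:from:subject:date:message-id:mime-version:content-type; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Google <no-reply@accounts.google.com>
To: me@attacker-controlled.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Please review the activity on your account at
https://sites.google.com/view/constructed-support-portal/ within 24 hours.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Hosts on the brand's domain that serve arbitrary user-published content.
USER_CONTENT_HOSTS = {"sites.google.com"}


def org_domain(host):
    """Collapse a hostname to its registrable domain (two-label approximation,
    which is what DMARC relaxed alignment compares for .com-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def extract(raw):
    """Pull the fields relevant to DKIM-replay triage out of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "dkim_domain": m.group(1).lower() if m else None,
        "from_domain": _domain_of(parseaddr(msg.get("From", ""))[1]),
        "return_path_domain": _domain_of(parseaddr(msg.get("Return-Path", ""))[1]),
        "recipients": recipients,
        "link_hosts": [urlparse(u).hostname or "" for u in URL_RE.findall(body)],
    }


def assess(raw, delivered_to):
    """Return the replay indicators for a message delivered to `delivered_to`."""
    f = extract(raw)
    dkim, frm, rp = f["dkim_domain"], f["from_domain"], f["return_path_domain"]
    return {
        # True means DMARC alignment passes: this is why a replayed alert is not rejected.
        "dkim_from_aligned": bool(dkim and frm and org_domain(dkim) == org_domain(frm)),
        # The envelope sender belongs to someone other than the signing organization.
        "envelope_mismatch": bool(dkim and rp and org_domain(dkim) != org_domain(rp)),
        # The mailbox that received it is not in To/Cc: typical of bulk re-sending.
        "recipient_not_addressed": delivered_to.lower() not in f["recipients"],
        "user_content_links": sorted({h for h in f["link_hosts"] if h in USER_CONTENT_HOSTS}),
    }


def verdict(findings):
    """Flag when a signed-and-aligned message arrived from a foreign envelope and
    shows at least one audience or content indicator."""
    return bool(findings["envelope_mismatch"]
                and (findings["recipient_not_addressed"] or findings["user_content_links"]))


if __name__ == "__main__":
    result = assess(SAMPLE_MESSAGE, "alice@victim.example")
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", verdict(result))
```

The envelope mismatch alone is also what ordinary mailing-list forwarding looks like, so the verdict requires a second indicator; in the incident described above both were present.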
Fixed two actively exploited 0-day bugs in Apple products
Apple has released emergency security updates patching two 0-day flaws actively exploited in attacks against specific targeted iOS devices. The vulnerabilities are in CoreAudio (CVE-2025-31200, CVSSv3 of 7.5) and RPAC (CVE-2025-31201, CVSSv3 of 6.8), both affecting iOS, macOS, tvOS, iPadOS and visionOS.
- The first can be exploited by processing an audio stream in a malicious media file to execute remote code on the vulnerable device.
- The second allows attackers with read or write access to bypass pointer authentication (PAC).
While the list of affected devices is extensive, including older and newer models, both flaws have been fixed in iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1 and visionOS 2.4.1.
Apple recommends users to apply the corresponding updates as soon as possible.
RedGolf's operational infrastructure exposed
A briefly exposed server has been discovered that revealed a collection of tools and scripts linked to the KeyPlug malware used by the RedGolf (APT41) group. This provided access to advanced tactics, including scripts aimed at Fortinet devices and specific targets.
Notable tools included Python scripts for version recognition using JavaScript hashes, identification of Internet-facing systems and exploitation of flaws in Fortinet's WebSocket CLI. Also discovered were an encrypted PHP webshell for remote execution, a reverse shell in PowerShell and an ELF binary that functioned as an HTTP listener.
The server shared a TLS certificate issued by WolfSSL with five other servers hosted by Vultr, evidence of a broader infrastructure. The exposure was detected by @Jane_0sint on X and analyzed by Hunt.io's team of researchers.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service.