
Weekly Cybersecurity Update: April 11–18, 2025
Key Highlights
- Exploited Vulnerabilities: New flaws in Windows NTLM and Erlang/OTP SSH are being actively targeted, posing serious risks to systems worldwide.
- State-Sponsored Threats: Russian and Chinese hackers are employing sophisticated phishing and malware tactics to target diplomats and organizations, highlighting the geopolitical dimensions of cyber threats.
- AI-Driven Attacks: Cybercriminals are increasingly leveraging artificial intelligence to enhance their phishing and malware capabilities, making attacks more complex and harder to detect.
- Major Patches Released: Apple, Atlassian, and Cisco have issued critical patches for high-severity vulnerabilities, urging users to update their systems immediately.
- Fraud Prevention: Microsoft has reported blocking $4 billion in fraud attempts, underscoring the growing use of AI by attackers to perpetrate scams.
Why It Matters
These events illustrate the dynamic nature of the threat landscape, where new vulnerabilities are quickly weaponized, and attackers employ cutting-edge technologies to achieve their objectives. For penetration testers, this means prioritizing tests for credential theft, remote code execution (RCE), and phishing vulnerabilities, as well as simulating AI-generated attacks to evaluate system resilience. The increasing prevalence of identity-based attacks and state-sponsored threats further underscores the importance of robust authentication mechanisms and advanced detection capabilities.
What to Watch For
- Patch Management: Ensure systems are updated promptly to address vulnerabilities like CVE-2025-24054 and CVE-2025-32433.
- Identity Security: With identity-based attacks on the rise, focus on testing authentication mechanisms and configurations in SaaS platforms.
- AI Threats: Incorporate AI-generated phishing simulations and test for vulnerabilities that could be exploited by AI-driven attacks.
Key News Items
- New XorDDoS Variant Targets U.S. Servers
  - Date: April 18, 2025
  - Description: A new variant of the XorDDoS malware is compromising Docker and Linux systems in the U.S. through SSH brute-force attacks. The malware includes a “VIP” controller, indicating it may be offered as a service to expand botnet operations.
  - Relevance for Penetration Testing: Test for weak SSH configurations and brute-force protections in Linux environments. Simulate botnet-style attacks to assess network resilience.
  - Source: The Hacker News
- Critical NTLM Flaw (CVE-2025-24054) Actively Exploited
  - Date: April 17, 2025
  - Description: A Windows NTLM vulnerability allows attackers to steal credentials by simply downloading a malicious file. This flaw is being exploited in phishing campaigns targeting Poland and Romania.
  - Relevance for Penetration Testing: Prioritize testing for NTLM relay and pass-the-hash vulnerabilities. Assess phishing defenses to prevent credential theft.
  - Sources: The Hacker News, Infosecurity Magazine
- China-Backed Hackers Deploy TONESHELL v3 in Myanmar
  - Date: April 17, 2025
  - Description: Chinese state-sponsored hackers are using advanced tools like TONESHELL v3 and StarProxy to target organizations in Myanmar, evading detection and facilitating espionage.
  - Relevance for Penetration Testing: Simulate advanced persistent threat (APT) tactics, including custom malware and lateral movement, to evaluate detection capabilities.
  - Source: The Hacker News
- AI-Powered Attacks on the Rise
  - Date: April 17, 2025
  - Description: Cybercriminals are using AI for spear-phishing, voice fraud, and malware with optical character recognition (OCR) capabilities, increasing the sophistication and scale of attacks.
  - Relevance for Penetration Testing: Incorporate AI-generated phishing simulations in social engineering tests. Assess application interfaces for vulnerabilities exploitable by AI-driven attacks.
  - Source: The Hacker News
- State Actors Use ClickFix to Deliver Malware
  - Date: April 17, 2025
  - Description: North Korea, Iran, and Russia are using the ClickFix technique to trick users into executing malware by copying and pasting malicious code.
  - Relevance for Penetration Testing: Test user training and endpoint protections against social engineering attacks that exploit clipboard manipulation.
  - Source: The Hacker News
- Critical RCE Vulnerability in Erlang/OTP SSH (CVE-2025-32433)
  - Date: April 17, 2025
  - Description: A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution, affecting systems in operational technology (OT) and IoT environments.
  - Relevance for Penetration Testing: Test SSH configurations and network-exposed services for RCE vulnerabilities, especially in IoT and OT systems.
  - Sources: The Hacker News, SecurityWeek
- Microsoft Warns of Node.js-Powered Malware Campaign
  - Date: April 17, 2025
  - Description: A malware campaign uses fake installers for platforms like Binance and TradingView to distribute malware via Node.js and PowerShell, targeting the financial sector.
  - Relevance for Penetration Testing: Test for malicious software installation vectors and assess PowerShell script execution controls.
  - Source: The Hacker News
- SonicWall Vulnerability Actively Exploited
  - Date: April 16, 2025
  - Description: A SonicWall SMA 100 series vulnerability (CVE-2021-20035) is being actively exploited, allowing remote code execution on outdated firmware.
  - Relevance for Penetration Testing: Verify patch management processes and test for legacy vulnerabilities in VPN appliances.
  - Sources: The Hacker News, SecurityWeek
- Apple Patches Two Zero-Days in iPhones
  - Date: April 16, 2025
  - Description: Apple patched two zero-day vulnerabilities in iPhones, one enabling code execution via malicious audio files and another bypassing Pointer Authentication.
  - Relevance for Penetration Testing: Test mobile applications for vulnerabilities exploitable via media files and assess iOS security controls.
  - Source: The Hacker News
- Privilege Escalation Flaws in Windows Task Scheduler
  - Date: April 16, 2025
  - Description: Four local privilege escalation vulnerabilities in schtasks.exe allow attackers to bypass User Account Control (UAC) and execute SYSTEM-level commands.
  - Relevance for Penetration Testing: Test Windows environments for privilege escalation vulnerabilities, focusing on Task Scheduler misconfigurations.
  - Source: The Hacker News
- Midnight Blizzard Targets European Diplomats with Phishing Lures
  - Date: April 15–17, 2025
  - Description: The Russian state actor Midnight Blizzard is using fake wine tasting event invitations to deliver malware, targeting European diplomats for espionage.
  - Relevance for Penetration Testing: Simulate targeted phishing campaigns to assess email filtering and user awareness.
  - Source: Infosecurity Magazine
- Senators Push for Extension of Cyber-Threat Sharing Law
  - Date: April 17, 2025
  - Description: Bipartisan support in Congress aims to extend the Cybersecurity Information Sharing Act for 10 years, enhancing threat intelligence sharing.
  - Relevance for Penetration Testing: Stay informed on regulatory changes that may impact threat intelligence integration in testing frameworks.
  - Source: Infosecurity Magazine
- Identity Attacks Make Up a Third of Intrusions
  - Date: April 17, 2025
  - Description: IBM’s 2025 Threat Intelligence Index reports that identity-based attacks account for 30% of intrusions, driven by credential theft and AI-generated phishing.
  - Relevance for Penetration Testing: Focus on testing authentication mechanisms, multi-factor authentication (MFA), and SaaS identity configurations.
  - Source: Infosecurity Magazine
- Microsoft Blocks $4 Billion in Fraud Attempts
  - Date: April 17, 2025
  - Description: Microsoft thwarted $4 billion in fraud attempts, noting the increasing use of AI by threat actors to create convincing e-commerce scams.
  - Relevance for Penetration Testing: Test web applications for vulnerabilities exploitable by AI-generated content, such as fake product listings.
  - Source: Infosecurity Magazine
- Atlassian and Cisco Patch High-Severity Vulnerabilities
  - Date: April 17, 2025
  - Description: Atlassian and Cisco released patches for high-severity vulnerabilities, including remote code execution bugs, affecting their software products.
  - Relevance for Penetration Testing: Test Atlassian and Cisco products for unpatched vulnerabilities and assess patch deployment processes.
  - Source: SecurityWeek
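The XorDDoS item above names SSH brute-forcing as the intrusion vector, and its testing note asks for brute-force protections to be checked. The following added example (not code from the original post or any of its sources) shows the detection side: it parses sshd auth-log lines, flags a source address with a burst of failed logins inside a short window, and records whether a successful login followed the burst, which is the pattern that precedes a new bot joining the network. The log lines, host name and addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in auth.log syslog format (documentation-range addresses).
SAMPLE_AUTH_LOG = """\
Apr 18 02:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 18 02:14:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr 18 02:14:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 18 02:14:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51028 ssh2
Apr 18 02:14:08 host sshd[1205]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 18 02:14:10 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Apr 18 02:20:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Apr 18 02:35:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(log_text, year=2025):
    """Yield (timestamp, result, user, ip); syslog omits the year, so it is supplied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s span.
    Returns {ip: {"failures": peak count, "success_after": bool, "users": [...]}}."""
    events = defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        events[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, r, _ in evs if r == "Failed"]
        peak, j = 0, 0
        for i in range(len(fails)):          # sliding window over sorted failure times
            while (fails[i] - fails[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            # a success after the first failure of the burst is the "bot recruited" signal
            success = any(r == "Accepted" and ts > fails[0] for ts, r, _ in evs)
            alerts[ip] = {"failures": peak, "success_after": success, "users": sorted({u for _, _, u in evs})}
    return alerts
```

Against the sample, only 203.0.113.7 is flagged (five failures in seven seconds, then a successful password login as root); the single failure from 198.51.100.4 stays below the threshold.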
Additional Notable Developments
- CISA Extends CVE Program Funding: On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding to prevent the shutdown of MITRE’s Common Vulnerabilities and Exposures (CVE) program, ensuring continued vulnerability tracking.
- BPFDoor Malware Attacks: A new wave of BPFDoor attacks targets telecom, finance, and retail sectors in multiple countries using stealth controllers.
- Android Phones Pre-Loaded with Malware: Since June 2024, cheap Android devices from Chinese brands have been found with trojanized apps, posing risks to users.
- AI Tool Gamma Abused: Hackers are using the AI tool Gamma to create fake presentations leading to spoofed Microsoft SharePoint logins, increasing phishing risks.
Analysis for Penetration Testers
The rapid exploitation of vulnerabilities like CVE-2025-24054 and CVE-2025-32433 underscores the critical need for timely patch management and proactive vulnerability scanning. The prevalence of identity-based attacks, as reported by IBM’s 2025 Threat Intelligence Index, highlights the importance of testing for weak authentication, MFA bypasses, and SaaS misconfigurations. State-sponsored threats, such as those from Midnight Blizzard and Chinese APTs, require simulating advanced phishing and malware delivery to evaluate organizational defenses. The integration of AI in attacks necessitates innovative testing approaches, such as AI-generated phishing simulations and testing for OCR-based vulnerabilities.
Recommendations
- Vulnerability Management: Regularly scan for and prioritize patching of critical vulnerabilities, especially those listed in CISA’s Known Exploited Vulnerabilities Catalog.
- Phishing Simulations: Conduct targeted phishing tests mimicking state-sponsored tactics, such as fake event invitations or AI-generated emails.
- Identity Security: Test authentication flows, focusing on NTLM, MFA, and SaaS platforms like Entra ID and SharePoint.
- Red-Blue Team Collaboration: Engage in purple team exercises to bridge offensive and defensive strategies, simulating APT scenarios.
- AI Threat Testing: Develop test cases for AI-driven attacks, including fake content generation and automated credential theft.
Table of Key Vulnerabilities
| Vulnerability | CVE ID | Date Reported | Description | Impact | Source |
|---|---|---|---|---|---|
| Windows NTLM | CVE-2025-24054 | April 17, 2025 | Allows credential theft via file download | Credential theft, pass-the-hash attacks | The Hacker News |
| Erlang/OTP SSH | CVE-2025-32433 | April 17, 2025 | Unauthenticated RCE in SSH services | Full system compromise | The Hacker News |
| SonicWall SMA 100 | CVE-2021-20035 | April 16, 2025 | RCE in outdated firmware | Remote code execution | The Hacker News |
| Apple iOS | Multiple | April 16, 2025 | Zero-days enabling code execution via audio files | Device compromise | The Hacker News |
| Windows Task Scheduler | N/A | April 16, 2025 | Privilege escalation via schtasks.exe | SYSTEM-level access | The Hacker News |
Conclusion
The infosec news from April 11 to April 18, 2025, paints a vivid picture of a dynamic threat landscape where vulnerabilities are exploited swiftly, and attackers leverage AI and state-sponsored tactics to achieve their goals. For penetration testers, these insights should guide testing strategies, emphasizing rapid vulnerability remediation, robust identity security, and defenses against sophisticated phishing and malware. By simulating these threats, testers can help ensure applications and systems remain resilient against current and emerging risks. Stay vigilant, patch promptly, and test thoroughly to stay one step ahead of the attackers.
Key Citations
- The Hacker News – New XorDDoS Variant Targets US Servers
- The Hacker News – Critical NTLM Flaw CVE-2025-24054 Actively Exploited
- Infosecurity Magazine – NTLM Hash Exploit Targets Poland and Romania
- The Hacker News – China-Backed Hackers Deploy TONESHELL v3 in Myanmar
- The Hacker News – AI-Powered Cyber Attacks on the Rise
- The Hacker News – State Actors Use ClickFix to Deliver Malware
- The Hacker News – Critical RCE in Erlang/OTP SSH CVE-2025-32433
- SecurityWeek – Servers Exposed to RCE via Erlang/OTP SSH Flaw
- The Hacker News – Microsoft Warns of Node.js Malware Campaign
- The Hacker News – SonicWall Vulnerability Actively Exploited
- SecurityWeek – SonicWall Flags Old Vulnerability as Actively Exploited
- The Hacker News – Apple Patches Two Zero-Days in iPhones
- The Hacker News – Privilege Escalation Flaws in Windows Task Scheduler
- Infosecurity Magazine – Midnight Blizzard Targets European Diplomats
- Infosecurity Magazine – Senators Urge Cyber-Threat Sharing Law Extension
- Infosecurity Magazine – Identity Attacks Comprise Third of Intrusions
- Infosecurity Magazine – Microsoft Thwarts $4 Billion in Fraud
- SecurityWeek – Atlassian and Cisco Patch High-Severity Vulnerabilities
- The Hacker News – CISA Extends CVE Program Funding
- The Hacker News – BPFDoor Attacks Target Telecom and Finance
- The Hacker News – Android Phones Pre-Loaded with Malware
- The Hacker News – Hackers Abuse AI Tool Gamma for Phishing
- Check Point Research – CVE-2025-24054 NTLM Exploit in the Wild
- Help Net Security – Windows NTLM Vulnerability Exploited in Attacks
- NVD – CVE-2025-32433 Vulnerability Details
- Ubuntu – CVE-2025-32433 Security Advisory
- Feedly – CVE-2025-32433 Exploits and Severity
- SUSE – Secure Systems from CVE-2025-32433
- Vulners – CVE-2025-32433 Vulnerability Database
- SecurityOnline – Erlang/OTP CVE-2025-32433 Critical SSH Flaw
- Microsoft Security Blog – Midnight Blizzard Spear-Phishing with RDP Files
- Check Point Research – APT29 Phishing Campaign Against Diplomats
- The Record – Midnight Blizzard Targets Government Workers
- SC Media – Midnight Blizzard Spear-Phishing Campaign
- DarkReading – Wine-Inspired Phishing Attacks Target EU Diplomats
- Check Point Blog – Unmasking APT29 Phishing Campaign
- DarkReading – Midnight Blizzard Targets French Diplomats
- X Post by CISACyber – Cybersecurity Alerts
- X Post by diplomacy_cyber – Diplomatic Cyber Threats
- X Post by syedaquib77 – Cybersecurity Updates
- X Post by TheHackersNews – XorDDoS Variant Alert
- X Post by TheHackersNews – NTLM Flaw Exploitation
- X Post by TheHackersNews – TONESHELL v3 Deployment
- X Post by TheHackersNews – AI Threat Insights
- X Post by TheHackersNews – ClickFix Malware Delivery
- X Post by TheHackersNews – Erlang/OTP SSH Vulnerability