This week’s newsletter covers significant cyber threats, including a surge in scanning for PAN GlobalProtect VPNs, ongoing attacks targeting Apache Tomcat, a critical vulnerability in Apache Parquet, and multiple breaches affecting organizations such as Oracle and the State Bar of Texas. Recommendations for mitigation and security measures are emphasized throughout the article.
Affected: Palo Alto Networks, Apache, Oracle, State Bar of Texas, Ivanti, Verizon, Stripe, North Korean IT sector, 23andMe
Key points:
- Increased scanning attempts on Palo Alto Networks’ GlobalProtect VPN suggest potential imminent attacks.
- Recent attacks on Apache Tomcat servers involve brute-force access, malware deployment, and credential theft.
- A critical RCE vulnerability in Apache Parquet could impact major platforms like Hadoop and cloud services.
- Confusion regarding CVE assignments has emerged over a critical flaw in CrushFTP, highlighting industry transparency issues.
- Federal cybersecurity officials alert organizations about the Resurge malware targeting Ivanti products.
- Oracle faced a breach incident with conflicting reports regarding the compromise of old and recent client data.
- The State Bar of Texas has reported a data breach tied to INC ransomware with ongoing threats from the attackers.
- Privacy risks arose from a Verizon flaw allowing unauthorized access to incoming call logs.
- A new skimming campaign targeting Stripe’s API has been detected, potentially affecting many merchants.
- Counterfeit Android devices loaded with Triada malware have been discovered, primarily affecting Russian users.
- GitHub has introduced security updates following the leakage of 39 million secrets from repositories.
- Google has implemented end-to-end encryption for enterprise Gmail users, enhancing email security.
- North Korean IT workers have extended their reach into Europe, posing risks to various sectors.
- The FTC emphasizes the importance of existing privacy policies for any potential buyer of 23andMe.
MITRE Techniques:
- T1078 – Valid Accounts: Attackers exploit valid accounts to gain access to Apache Tomcat management interfaces.
- T1210 – Exploitation of Remote Services: The RCE vulnerability (CVE-2025-30065) in Apache Parquet allows arbitrary code execution.
- T1071 – Application Layer Protocol: The new skimming campaign leverages the Stripe API to intercept payment information.
- T1060 – Registry Run Keys / Startup Folder: Infection persistence achieved through JSP file backdoors on compromised systems.
- T1505 – Server Software Component: Malware executables disguised as kernel processes for continued access and crypto-mining.
- T1203 – Exploitation for Client Execution: Attacks on Ivanti products exploit known vulnerabilities for malicious actions.
Indicators of Compromise:
- [IP Address] 24,000 unique IP addresses scanning for Palo Alto Networks’ GlobalProtect VPNs
- [CVE] CVE-2025-30065: Critical RCE vulnerability in Apache Parquet
- [CVE] CVE-2025-2825: Critical vulnerability in CrushFTP versions 10 and 11
- [CVE] CVE-2025-0282: Vulnerability exploited by the Resurge malware in Ivanti products
- [Email Address] contact@stripe.com: Used in attack scenarios related to skimming campaigns
Full Story: https://medium.com/ml4den/cybersecurity-news-review-week-14-2025-666433f1de38?source=rss——cybersecurity-5