Cyber News Roundup for April 11, 2025 - RedSeal
2025-04-11
By Wayne Lloyd, Federal CTO, RedSeal

This week’s Cyber News Roundup brings you the latest cybersecurity headlines, where new risks and vulnerabilities continue to emerge. From Forescout’s report on the riskiest connected devices to advanced phishing campaigns, these incidents highlight the need for stronger, more proactive security strategies. RedSeal helps organizations mitigate these evolving threats by offering robust network visibility and risk exposure management to stay ahead of cybercriminals. Read on to catch up on the critical threats making waves this week.

 

A new report reveals routers’ riskiness  

Forescout’s 2025 Riskiest Connected Devices report finds that routers are now the riskiest device class in enterprise networks, accounting for over half of the most critical vulnerabilities. Overall device risk rose 15% from last year. Computers carry the largest number of bugs, but routers, firewalls, and application delivery controllers (ADCs) top the list for severity and are the devices most often hit by zero-day exploitation. Twelve of the top 20 riskiest device types are newcomers, including point-of-sale (PoS) systems and healthcare workstations, and Internet of Medical Things (IoMT) devices also rank highly. Retail leads in risk exposure, followed by finance, government, healthcare, and manufacturing. Over 50% of non-legacy Windows devices across sectors still run Windows 10, which reaches end of support in October 2025. The report also notes a shift away from encrypted SSH to unencrypted Telnet. Forescout warns that modern threats span IT, IoT, OT, and IoMT and demand broader, cross-domain security strategies. (SecurityWeek)

Windows Defender Antivirus Bypassed Using Direct Syscalls & XOR Encryption  

Researchers have described a method for bypassing Windows Defender antivirus that combines direct system calls (syscalls) with XOR-encrypted shellcode, as detailed in a recent study. By encrypting the shellcode and injecting it into both the local process and remote processes, they evaded Defender’s static and dynamic analysis. Issuing syscalls directly, rather than through the ntdll.dll wrapper functions, sidesteps the user-mode API hooks that antivirus and EDR products place on those wrappers, while the XOR layer keeps the shellcode bytes from matching static signatures until they are decoded in memory. The approach was tested in a controlled lab, but it illustrates why defenses that rely on user-mode hooks and byte signatures alone fall behind: the decoded payload still exists in memory at execution time, kernel-side telemetry still sees the syscalls, and single-byte XOR in particular can be stripped by a scanner that simply tries all 256 keys. (Cyber Security News)
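As an added example (not code from the article or from the study it cites), the script below shows what XOR encoding does to a byte signature and the two recovery checks a scanner can run against it: a 256-key brute force for single-byte keys, and a known-plaintext recovery for short repeating keys when the decoded buffer is expected to start with a known prologue. The "shellcode" is a constructed stand-in (a typical x64 prologue followed by filler bytes), not a working payload, and the keys are chosen for the demonstration.

```python
"""Added example, not code from the article or the cited research.
Shows how XOR hides a byte signature from static scanning and how a
scanner can recover single-byte and short repeating keys.  The payload
below is a constructed stand-in, not real shellcode."""
from collections import Counter
import math

# Constructed: a common x64 shellcode prologue (cld; and rsp,-0x10; call ...)
# followed by 32 filler bytes standing in for the rest of the payload.
PROLOGUE = bytes.fromhex("fc4883e4f0e8c0000000")
SAMPLE = PROLOGUE + bytes(range(0x41, 0x61))


def xor(buf, key):
    """XOR buf with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def entropy(buf):
    """Shannon entropy in bits per byte.  A single-byte XOR only permutes the
    byte histogram, so it leaves this value unchanged: the blob does not look
    'more random', it just no longer matches known bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def brute_force_single_byte(blob, signature):
    """Return the single-byte key under which `signature` appears in `blob`,
    or None.  XOR is bytewise, so encoding the short signature 256 times is
    cheaper than decoding the whole blob 256 times."""
    for k in range(256):
        if xor(signature, bytes([k])) in blob:
            return k
    return None


def recover_repeating_key(blob, known_prefix, max_len=16):
    """Known-plaintext recovery: if the decoded data is expected to start with
    `known_prefix`, then blob[i] ^ known_prefix[i] is the key stream, and the
    shortest period it repeats with is the key candidate.  A candidate much
    shorter than the prefix should be confirmed by decoding the whole blob."""
    stream = xor(blob[: len(known_prefix)], known_prefix)
    for n in range(1, min(max_len, len(stream)) + 1):
        cand = stream[:n]
        if all(stream[i] == cand[i % n] for i in range(len(stream))):
            return cand
    return None


if __name__ == "__main__":
    blob = xor(SAMPLE, b"\x5a")
    print("signature visible after encoding:", PROLOGUE in blob)
    print("entropy before/after:", round(entropy(SAMPLE), 3), round(entropy(blob), 3))
    print("recovered single-byte key:", hex(brute_force_single_byte(blob, PROLOGUE)))
    blob4 = xor(SAMPLE, b"\x13\x37\xde\xad")
    print("recovered repeating key:", recover_repeating_key(blob4, PROLOGUE).hex())
```

The brute-force check is what makes single-byte XOR a weak layer on its own: the cost is 256 substring searches per signature. Longer keys defeat the exhaustive search but not the known-plaintext recovery, which is why loaders that keep a recognisable prologue at offset zero are still easy to unwrap; runtime detection (memory scanning at execution time, kernel-side syscall telemetry) is the layer that does not depend on the encoding at all.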

 

Nissan Leaf cars can be hacked for remote spying and physical takeover  

Researchers at PCAutomotive, a pentesting and threat intelligence company specializing in the automotive and financial services industries, presented the attack last week at Black Hat Asia 2025. Working on a second-generation Nissan Leaf built in 2020, they were able to “use the infotainment system’s Bluetooth capabilities to infiltrate the car’s internal network.” From there they escalated privileges and established a command-and-control channel over the car’s cellular connection, giving them stealthy, persistent access to the EV directly over the internet, up to and including control of the steering while the car was in motion. (Security Week)

Infosec experts warn of China Typhoon retaliation against tariffs  

Referring to the White House imposition of tariffs on China, cybersecurity advisor Tom Kellermann warns that China may “retaliate with systemic cyber attacks as tensions simmer over.” Speaking to The Register, he points out how the various “Typhoon” campaigns “have given them a robust foothold within critical infrastructure that will be used to launch destructive attacks. Trade wars were a historical instrument of soft power. Cyber is and will be the modern instrument of choice.” In a separate interview with The Register, Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said, “to the extent that China is holding back on conducting certain types of cyberattacks, it may feel less restrained now.” (The Register)

 

U.S. Comptroller suffers ‘major incident’  

On Tuesday, the U.S. Treasury Department’s Office of the Comptroller of the Currency (OCC) characterized its recent email system breach as a “major incident.” Microsoft alerted the agency in late February to the intrusion, which abused an OCC email administrator account. The initial investigation found no evidence of impact on the financial sector and concluded that only a “limited number” of email accounts were affected. However, new reporting from Bloomberg and Microsoft indicates that 103 email accounts holding some 150,000 emails, including highly sensitive financial information, were compromised. The intrusion began in May of last year, nine months before it was discovered. It remains unclear who is behind the attack. (SecurityWeek)

Phishing kits now vet victims in real-time  

Threat actors have been spotted using a new evasion tactic that email security firm Cofense calls “precision-validated phishing.” Before showing the credential-harvesting page, the kit validates the visitor’s email address in real time, either through calls to an email validation service API or through JavaScript on the page, so that the phishing content is shown only to pre-verified, high-value targets. Visitors whose addresses do not validate are shown an error message or redirected to a benign site. Cofense notes that this blinds the researchers who typically enter fake or controlled addresses to map a credential theft campaign; the practical effect is lower detection rates and a longer lifespan for the phishing infrastructure. For defenders, a phishing URL that returns an error or a harmless page to an analyst is no longer evidence that it is benign. (Bleeping Computer)

Hackers target bugs in EC2 sites to steal AWS credentials  

F5 Labs has observed attackers exploiting Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon Elastic Compute Cloud (EC2) instances. By coercing the vulnerable site into fetching URLs on the attacker’s behalf, they read the EC2 Instance Metadata Service (IMDS), harvested the temporary IAM role credentials it exposes, and used them to escalate privileges and reach S3 buckets and other AWS services. The attacks target instances still running the older IMDSv1, which answers any plain HTTP GET that reaches it, so a single forged request is enough. Its successor, IMDSv2, requires a session token that must first be obtained with an HTTP PUT request and then sent as a header on every query, something a typical GET-only SSRF cannot do. F5 researchers said the malicious activity peaked between March 13 and 25, 2025, and that its behavioral patterns strongly suggest a single threat actor. (Bleeping Computer)
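As an added example (not F5’s or AWS’s code), the script below models the difference between IMDSv1 and IMDSv2 from the SSRF attacker’s side, with both ends of the exchange in one file, and includes the egress guard a server-side fetcher should apply to every address it is about to connect to. The metadata service, the role name, the session token and the credentials are constructed stand-ins; the paths and header names are the real IMDS ones.

```python
"""Added example, not F5's or AWS's code.  Models why a GET-only SSRF reaches
IAM credentials through IMDSv1 but not IMDSv2, and shows the egress guard a
server-side fetcher should enforce.  Role name, token and credentials are
constructed stand-ins."""
import ipaddress
from urllib.parse import urlsplit

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "X-aws-ec2-metadata-token"


class FakeIMDS:
    """In-memory stand-in for the instance metadata service.
    http_tokens='optional' still answers bare GETs (IMDSv1 allowed);
    'required' answers only requests carrying a session token (IMDSv2 only)."""

    def __init__(self, http_tokens="optional"):
        self.http_tokens = http_tokens
        self.token = "constructed-session-token"
        # Constructed credential document; not real keys.
        self.creds = {"web-role": '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed"}'}

    def request(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            return (200, self.token) if TTL_HDR in headers else (400, "")
        if method != "GET":
            return 405, ""
        if headers.get(TOKEN_HDR) != self.token and self.http_tokens == "required":
            return 401, ""
        if path == CRED_PATH:
            return 200, "web-role"  # listing names the attached role
        if path.startswith(CRED_PATH):
            role = path[len(CRED_PATH):]
            return (200, self.creds[role]) if role in self.creds else (404, "")
        return 404, ""


def ssrf_steal(imds):
    """What a typical SSRF gives the attacker: plain GETs, no custom headers.
    Returns the credential document, or None if the service refuses."""
    status, role = imds.request("GET", CRED_PATH)
    if status != 200:
        return None
    status, creds = imds.request("GET", CRED_PATH + role)
    return creds if status == 200 else None


def imdsv2_fetch(imds, path, ttl_seconds=21600):
    """Legitimate client: PUT for a session token, then GET with the token header."""
    status, token = imds.request("PUT", TOKEN_PATH, {TTL_HDR: str(ttl_seconds)})
    if status != 200:
        raise RuntimeError("IMDSv2 token request refused")
    return imds.request("GET", path, {TOKEN_HDR: token})


BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fe80::/10",                    # link-local, including IMDS
    "127.0.0.0/8", "::1/128",                         # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10", "fc00::/7",                      # CGNAT, IPv6 ULA
)]


def is_safe_target(url, resolve=lambda host: [host]):
    """Egress guard for a server-side fetcher.  `resolve` maps a hostname to
    its address strings; the default treats the host as an IP literal so the
    example runs offline.  Every resolved address must pass, and the check
    must be repeated on each redirect, or a 302 to 169.254.169.254 walks
    straight around it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    for addr in resolve(parts.hostname):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # neither a literal nor resolved to one: refuse
        ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:169.254.169.254 counts too
        if ip.is_unspecified or any(ip in net for net in BLOCKED):
            return False
    return True


if __name__ == "__main__":
    print("IMDSv1 via SSRF :", ssrf_steal(FakeIMDS("optional")))
    print("IMDSv2 via SSRF :", ssrf_steal(FakeIMDS("required")))
    print("IMDSv2 client   :", imdsv2_fetch(FakeIMDS("required"), CRED_PATH))
    print("guard blocks    :", not is_safe_target(f"http://{IMDS_HOST}{CRED_PATH}"))
```

On a real instance the equivalent hardening is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, after which a GET without the `X-aws-ec2-metadata-token` header gets a 401; the token itself comes from a PUT to `http://169.254.169.254/latest/api/token`, and IMDSv2’s default hop limit of 1 also stops token responses from being forwarded through containers and proxies. The application-side guard is still worth having, because a GET-only SSRF is not the only kind: a fetcher that follows redirects, or one that lets the caller set the method and headers, needs the address check on every hop.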

 

Google’s latest Android update addresses two zero-days  

Google’s April 2025 Android Security Bulletin addresses multiple critical vulnerabilities, including two zero-days, CVE-2024-53150 and CVE-2024-53197, that have been exploited in targeted attacks. Both lie in the Linux kernel’s ALSA USB-audio driver and affect Android versions 12 through 15. CVE-2024-53150 is an out-of-bounds read that allows information disclosure, while CVE-2024-53197 is a memory corruption bug, triggered by a malicious USB device, that enables privilege escalation. Because the trigger is a physically connected USB device, these flaws may be used to bypass standard device locks, and they resemble techniques used by surveillance firms. Google and Samsung have released patches, included in the 2025-04-05 security patch level. The continued targeting of Android underscores the ecosystem’s security challenges, with Google reporting a significant rise in zero-day attacks. Users should update their devices as soon as the patch is available. (Cyber Security News)

AI outphishes human red teams  

Move over chess grandmasters—AI has now leveled up to out-hustle human red teams in the world of phishing. According to cybersecurity firm Hoxhunt, their AI phishing agent, code-named JKR (yes, like “Joker”), beat human-crafted phishing attempts by 24% in March. That’s a glow-up from last year, when JKR lagged 31% behind. Think of it as a Skynet-meets-email moment. JKR adapts like a social engineering ninja, customizing bait with user-specific context like job roles and locations. It’s not just phishing—it’s precision phishing, in bulk. Hoxhunt says this could make mass phishing campaigns as effective as today’s spear-phishing attempts. Great.

The Anti-Phishing Working Group also reported a global spike in phishing sites and smishing scams, including hilariously off-target toll collection texts. So, while humans still bring creativity, AI brings scale, 24/7 hustle, and zero need for coffee. Experts say defending against AI-driven threats will still require one vital element: human judgment. We’d have more good judgment if it weren’t constantly busy cleaning up after bad judgment. (GovInfo Security)

Windows Remote Desktop Service Vulnerability Let Attackers Execute Malicious Code Remotely  

Microsoft has patched two critical vulnerabilities in Windows Remote Desktop Services (RDS), CVE-2025-24035 and CVE-2025-24045, both rated CVSS v3 8.1. These remote code execution (RCE) flaws could allow an unauthenticated attacker to execute code over the network and compromise the affected host. CVE-2025-24035 stems from improper memory handling, while CVE-2025-24045 requires the attacker to win a race condition, though Microsoft rates exploitation as “more likely” for both. A successful attack would severely impact confidentiality, integrity, and availability. The same release addressed further vulnerabilities, including six actively exploited flaws. Organizations should apply the patches and follow the usual RDP hardening guidance: enable Network Level Authentication (NLA) and restrict RDP access, for example by placing it behind a VPN or Remote Desktop Gateway rather than exposing it directly to the internet. (Cyber Security News)

WhatsApp vulnerability could facilitate remote code execution  

Meta has patched a spoofing vulnerability in the WhatsApp desktop app for Windows that could let attackers trick users into executing malicious code via a spoofed attachment. The app displayed an attachment according to its declared MIME type but chose the program used to open it based on the filename extension, so a file presented as a harmless image or document could, when opened, be handed to a handler that runs it. There is no evidence the flaw has been exploited in the wild; users should update to version 2.2450.6 or later. (SecurityWeek)
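As an added example (not WhatsApp’s or Meta’s code), the checker below shows the hardened alternative to trusting a declared type: sniff the attachment’s leading bytes, refuse anything that is an executable regardless of what it claims to be, and open the file only if the declared MIME type, the filename extension and the sniffed content all agree. The recognised types are a small hypothetical allow-list, and the sample attachments are constructed byte strings.

```python
"""Added example, not WhatsApp's code.  Trusting an attachment's declared MIME
type or filename extension is what lets a spoofed file through; this checker
requires the declared type, the extension and the sniffed content to agree.
The type tables are a small illustrative allow-list."""
import os

# Magic numbers for the handful of types this example is willing to display.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}
EXT_TO_MIME = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".pdf": "application/pdf"}
# Content that must never be opened as a "document", whatever it claims to be.
DANGEROUS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"#!": "script"}


def sniff(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def dangerous_content(data):
    """Return a label if the bytes are an executable or script, else None."""
    for sig, label in DANGEROUS.items():
        if data.startswith(sig):
            return label
    return None


def check_attachment(declared_mime, filename, data):
    """Hardened check.  Returns (ok, detail): ok only when declared MIME type,
    extension and sniffed content agree on a type we know how to display.
    The weak pattern this replaces is 'render by declared type, pick the
    opener by extension', which never looks at the bytes at all."""
    label = dangerous_content(data)
    if label:
        return False, f"content is a {label}, declared as {declared_mime}"
    sniffed = sniff(data)
    if sniffed is None:
        return False, "content does not match any allowed type"
    ext_mime = EXT_TO_MIME.get(os.path.splitext(filename)[1].lower())
    if sniffed != declared_mime or sniffed != ext_mime:
        return False, f"mismatch: declared={declared_mime} ext={ext_mime} content={sniffed}"
    return True, sniffed


if __name__ == "__main__":
    # Constructed samples: a JPEG header with padding, and a PE header with padding.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16
    pe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    print(check_attachment("image/jpeg", "photo.jpg", jpeg))
    print(check_attachment("image/jpeg", "photo.exe", pe))
    print(check_attachment("image/jpeg", "photo.jpg", pe))
    print(check_attachment("image/png", "photo.jpg", jpeg))
```

The point of the three-way agreement is that each of the three signals is attacker-controlled on its own: the sender sets the declared type and the filename, and a crafted file can carry a valid image header in front of other content. Requiring them to agree, and then handing the file only to the viewer for the sniffed type rather than to whatever the operating system associates with the extension, removes the mismatch the WhatsApp bug depended on.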

 

CISA Warns of CrushFTP Vulnerability Exploitation in the Wild  

A critical authentication bypass vulnerability in CrushFTP, tracked as CVE-2025-31161, is being exploited by remote attackers following a disrupted disclosure process, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which affects unpatched versions of CrushFTP v10 and v11, allows unauthenticated access and carries a CVSS v3.1 score of 9.8, putting affected servers at risk of full compromise. Outpost24 had initially disclosed the issue responsibly under a 90-day non-disclosure period, but the process was undermined when VulnCheck published a separate CVE (CVE-2025-2825) without coordination, and exploitation accelerated once a proof-of-concept exploit emerged. As of March 30, 2025, 815 systems remained unpatched, down from 1,800 two days earlier; federal agencies face a mitigation deadline of April 28, 2025. The incident follows a pattern of attacks on file transfer software, with CrushFTP itself targeted by a zero-day exploit in April 2024. (Infosecurity Magazine)

PoisonSeed campaign weaponizes CRM system  

Researchers at Silent Push have identified a campaign, dubbed PoisonSeed, that abuses customer relationship management (CRM) and bulk email platforms to send phishing emails seeded with cryptocurrency wallet recovery phrases. The emails claim to come from Coinbase and urge users with self-custodial wallets to move their assets. The “transfer instructions” include a seed phrase for setting up a new wallet; anyone who imports that phrase creates a wallet the attackers already control, so any funds moved into it are theirs. Coinbase users are estimated to have lost roughly $46 million in crypto assets since mid-March. The campaign has sent mail through a range of providers, including HubSpot, Mailchimp, Mailgun, SendGrid, and Zoho. (Security Week)

State-backed actors could have exploited ESET flaw  

ESET has confirmed a flaw, reported by Kaspersky researchers, that lets an attacker plant a malicious DLL that ESET’s antivirus scanner will load and execute, so that the payload runs under a trusted security process and bypasses system defenses. ESET has patched the issue and says it has found no evidence of exploitation in the wild. Kaspersky, however, reports that the suspected state-backed group ToddyCat used the flaw in a campaign, with the scanner loading a malicious DLL that Kaspersky names TCESB, a modified version of the open-source EDRSandBlast tool, to execute its payloads. ESET said it had not been given the DLLs to review, and noted that, regardless, the technique requires administrator privileges on the target to carry out. (The Record)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.

 
