MSP cybersecurity news digest, February 18, 2025

Updates for 55 vulnerabilities, including four zero-day flaws, in Microsoft’s February 2025 Patch Tuesday

Microsoft’s February 2025 Patch Tuesday delivers security updates for 55 vulnerabilities, including four zero-day flaws — two of which are actively exploited. The fixes include three critical remote code execution vulnerabilities, as well as patches for privilege escalation, security bypass and denial-of-service flaws.

Notably, Microsoft has addressed CVE-2025-21391, an elevation of privilege bug that allows attackers to delete targeted files, and CVE-2025-21418, which enables threat actors to gain SYSTEM privileges. Additionally, two publicly disclosed zero-days were patched: CVE-2025-21194, a hypervisor vulnerability allowing UEFI bypass, and CVE-2025-21377, an NTLM hash disclosure flaw that could facilitate remote authentication attacks.

Researchers linked CVE-2025-21194 to the PixieFail vulnerabilities impacting Microsoft Surface and hypervisor products. Microsoft has not disclosed exploitation details for these flaws but urges users to apply updates promptly. Other fixes include patches for Microsoft Dynamics 365 Sales and Microsoft Edge vulnerabilities.

FERRET malware deployed by North Korean hackers on macOS devices using fake job interviews

North Korean attackers behind the "Contagious Interview" campaign are using fake job interviews to deploy FERRET malware on macOS devices.

Victims are tricked into installing malicious software under the guise of virtual meeting tools like VCam or CameraAccess. The attack chain drops BeaverTail, a JavaScript-based stealer, which can then install a Python backdoor called InvisibleFerret. The malware, linked to prior campaigns targeting cryptocurrency users, includes variants such as FRIENDLYFERRET_SECD and FROSTYFERRET_UI, which establish persistence and execute commands.

Attackers also exploit GitHub repositories to distribute malware beyond job seekers, expanding their reach to developers. Additionally, a malicious npm package, postcss-optimizer, remains active, spreading BeaverTail across Windows, macOS, and Linux. This campaign coincides with other North Korean operations, including APT37's recent spear-phishing attacks distributing RokRAT malware via compromised messaging platforms.

North Korean hacker group Kimsuky using spear-phishing emails in PowerShell-based attacks

North Korean hacking group Kimsuky has been caught using a new PowerShell-based attack to hijack devices by tricking victims into executing malicious code.

Disguising themselves as South Korean officials, they build trust with targets before sending spear-phishing emails containing a PDF lure. Victims are then directed to a fake registration page that instructs them to run PowerShell as an administrator and execute a provided script, which installs a remote access tool and registers the device with a hardcoded PIN. This tactic aligns with a broader trend of social engineering attacks, similar to the macOS-based Contagious Interview campaign.

Meanwhile, U.S. authorities have exposed a fraudulent scheme where an Arizona woman, Christina Marie Chapman, helped North Korean IT workers secure remote jobs in over 300 U.S. companies. By hosting a laptop farm and using stolen identities, she enabled these operatives to bypass security measures and siphon $17.1 million in illicit earnings. The FBI warns that some of these workers have begun extorting companies by holding proprietary data hostage.

Lee Newspapers suffers a cyberattack that caused a widespread outage across its U.S. operations

Lee Enterprises, a major U.S. newspaper publisher with a revenue of over $600 million, has confirmed that a cyberattack caused a widespread outage impacting its operations.

The attack disrupted business applications, forcing network shutdowns that affected printing, delivery, and access to editorial systems. VPNs used for secure connections also failed, leaving reporters and editors unable to retrieve their files. While the company is investigating the extent of the breach, it warns that such probes can take weeks or longer to complete. Several publications have posted maintenance notices on their websites, alerting readers to subscription and E-edition access issues.

Law enforcement has been notified, though details remain undisclosed to avoid compromising investigations. Lee Enterprises, which operates 77 daily newspapers and numerous digital platforms, previously suffered a cyberattack in 2020 linked to Iranian attackers aiming to spread disinformation before the U.S. presidential election.

BadIIS malware installed on IIS servers by threat actor DragonRank in an SEO manipulation campaign

Threat actors have been targeting Internet Information Services (IIS) servers in Asia to carry out an SEO manipulation campaign that installs BadIIS malware, redirecting users to illegal gambling sites for financial gain.

The campaign affects IIS servers in countries like India, Thailand, Vietnam and Japan, targeting government, university, technology and telecom sectors. Compromised servers deliver altered content, redirecting users to gambling sites or connecting them to rogue servers hosting malware or credential-harvesting pages.

The activity is attributed to DragonRank, a Chinese-speaking threat group linked to previous SEO fraud campaigns and IIS server compromises. Researchers identified similarities between BadIIS variants used by DragonRank and another entity, Group 11, which injects malicious JavaScript and alters HTTP responses to manipulate search traffic.
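A defender-side check for the kind of cloaking described above, added here as an example that is not code from the BadIIS or DragonRank reporting and not from any vendor: a compromised IIS server serves one response to search-engine crawlers and another to ordinary visitors, so fetching the same URL with a crawler User-Agent and with a browser User-Agent and diffing the status code, any off-site `Location` header, and the set of third-party `<script src>` hosts surfaces the divergence. The hostnames (`.invalid` TLD), user-agent strings and sample responses are constructed for the demonstration; `fetch()` is included for use against a real site but is not called by the offline demo.

```python
"""Cloaking check for a web server suspected of BadIIS-style SEO manipulation.
Added example; all hosts, user agents and responses are constructed."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Approximate crawler and browser user agents (constructed for the example).
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header of the first hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, user_agent: str, timeout: int = 10) -> Response:
    """Fetch one URL with the given User-Agent; 3xx/4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


class _ScriptSrcs(HTMLParser):
    """Collect every <script src=...> value in an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.add(value)


def script_hosts(body: str) -> set:
    """Hosts referenced by external scripts; '' means a relative (same-origin) src."""
    parser = _ScriptSrcs()
    parser.feed(body)
    return {urlparse(src).netloc for src in parser.srcs}


def compare(crawler: Response, browser: Response, site_host: str) -> list:
    """Return human-readable findings where the crawler and browser views diverge."""
    findings = []
    if crawler.status != browser.status:
        findings.append(f"status differs: crawler={crawler.status} browser={browser.status}")
    for view, resp in (("crawler", crawler), ("browser", browser)):
        loc = resp.headers.get("Location")
        if loc and urlparse(loc).netloc not in ("", site_host):
            findings.append(f"{view} view redirects off-site to {loc}")
    # Scripts injected only into the crawler-facing page are a classic SEO-cloaking sign.
    extra = script_hosts(crawler.body) - script_hosts(browser.body)
    extra = {h for h in extra if h not in ("", site_host)}
    if extra:
        findings.append(f"third-party scripts only in crawler view: {sorted(extra)}")
    return findings


def demo() -> list:
    """Offline run on constructed responses mimicking a cloaked server."""
    site_host = "www.example.org"  # constructed
    crawler_view = Response(200, {"Content-Type": "text/html"}, (
        "<html><head><script src='https://seo-cdn.invalid/inject.js'></script>"
        "<script src='/app.js'></script></head><body>Welcome</body></html>"))
    browser_view = Response(302, {"Location": "https://bet-site.invalid/landing"}, "")
    return compare(crawler_view, browser_view, site_host)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice, run `compare(fetch(url, CRAWLER_UA), fetch(url, BROWSER_UA), host)` from outside the server's own network; an empty findings list is the expected result for a clean site, and a divergence is a prompt to inspect the IIS module list and the server's outbound connections rather than proof of compromise on its own.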