Welcome to the weekly Threat Intelligence Digest!

In this edition, we cover a range of critical topics to keep you informed and prepared. Additionally, we will delve into the critical threats and vulnerabilities that could impact the organizations in the United Arab Emirates (UAE), with in-depth summary of the threat, expert recommendations, and references to help you safeguard your digital assets.

Active Exploitation of Critical flaw in SAP NetWeaver – Immediate Patch Recommended

Risk Rating: High

SAP has released emergency security updates for a critical vulnerability in NetWeaver product. The flaw tracked as CVE-2025-31324 (CVSS: 10 [SAP Rating]) – ‘Unauthenticated File Upload’ vulnerability in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component. This component is part of the SAP NetWeaver Java stack. While not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems due to its broad usefulness in assisting business process specialists with developing business components without the use of coding. Researchers at ReliaQuest has reported the vulnerability to SAP and also observed active exploitation in the wild. 

Successful exploitation of the vulnerability could allow threat actors to upload malicious executable files without logging in, potentially leading to remote code execution and full system compromise.

Affected Products: SAP NetWeaver (Visual Composer development server) versions - VCFRAMEWORK 7.50.

Researchers at ReliaQuest, WatchTowr, and Onapsis observed active exploitation of the vulnerability in the wild. According to ReliaQuest, exploitation occurred on systems with recent patches, likely involving an unreported RFI issue targeting public SAP NetWeaver servers. According to the WatchTowr, threat actor actively exploiting the vulnerability to drop web shell backdoors onto exposed systems and gain further access. Whereas Onapsis researchers obtained evidence of active exploitation of the vulnerability on internet-facing SAP applications.

SAP has released an emergency patch, after SAP’s regular April 2025 update, admins are recommended to apply the new patch.

If updates cannot be applied, admins are recommended to perform following mitigations:

1.       Restrict access to the ‘/developmentserver/metadatauploader’ endpoint.

2.       If Visual Composer is not in use, consider turning it off entirely.

3.       Forward logs to SIEM and scan for unauthorized files in the servlet path.

Recommendation: At the time of writing, there have been reports of exploitation of the vulnerability, So, CPX Threat Intelligence Centre recommends customers to act quickly and apply the patches to mitigate any potential threats. Furthermore, CPX Threat Intelligence Centre also recommends customers to leverage Indicators of Compromise (IOCs) provided by ReliaQuest.

Reference: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html, https://nvd.nist.gov/vuln/detail/CVE-2025-31324, https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/, https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

ConnectWise Addresses High-severity flaw in ScreenConnect – Immediate Patch Recommended

Risk Rating: Guarded

ConnectWise addressed a high-severity vulnerability in ScreenConnect product. The flaw tracked as CVE-2025-3935 (CVSS: 8.1 [ConnectWise Rating]) – ‘Improper Authentication’ vulnerability in exists due to the way ScreenConnect utilizes ASP.NET's ViewState mechanism. ASP.NET Web Forms use ViewState to maintain control and page states across web requests. This data is Base64-encoded and protected using machine keys. ScreenConnect Cloud instances are not impacted with the vulnerability. 

Successful exploitation of the vulnerability could allow a threat actor to first obtain the server's machine keys. If these keys are compromised, an attacker could then craft a malicious ViewState payload and send it to the ScreenConnect server. This could lead to the execution of arbitrary code on the server.

Affected Products: On-Premises ScreenConnect version 25.2.3 and earlier versions.

ConnectWise released the patches to mitigate the vulnerability and recommend all admins to follow some actions based on the type of On-Prem instances:

On-premise: Active maintenance customers, ConnectWise strongly recommend upgrading to the current release of 25.2.4. Using the most current release of ScreenConnect includes security updates, bug fixes, and enhancements not found in older releases.

On-premise: Off maintenance customers, ConnectWise recommend renewing maintenance and upgrading to the newest release, 25.2.4. Please see the above instructions for how to upgrade to the newest version of ScreenConnect and to check your maintenance status.

Recommendation: At the time of writing, there have been no reports of exploitation of this vulnerability, but CPX-TIC recommend customers to act quickly and apply the patches to mitigate any potential threats.

Reference: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4

DPRK APT Group Uses Fake Crypto Firms to Spread Malware

Risk Rating: High

Silent Push Threat Analysts have discovered a sophisticated campaign initiated by the North Korean APT group Contagious Interview, involving three purported cryptocurrency consulting firms—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—that serve as fronts to spread malware. The malware strains, BeaverTail, InvisibleFerret, and OtterCookie, are distributed through fake job interview lures via these front companies, using elaborate social engineering tactics and AI-generated profiles. The campaign leverages GitHub and job listing sites for deploying malicious code aimed at cryptocurrency job seekers, aiming to steal sensitive financial information and enable remote access.

The recent discovery that the North Korean APT group Contagious Interview is using three cryptocurrency companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—as fronts to deliver malware via job interview lures poses a significant cyber threat to UAE's financial and tech sectors. This campaign employs sophisticated social engineering tactics and AI-generated profiles to lure in job seekers, spreading malware strains such as BeaverTail, InvisibleFerret, and OtterCookie.

Recommendations: CPX Threat Intelligence Centre recommends the following measures:

· Establish comprehensive monitoring of known malicious domains like lianxinxiao[.]com and implement immediate blocking in organizational firewalls to prevent command-and-control (C2) communications.

· Implement rigorous verification processes for job applicants and job postings on platforms like CryptoJobsList and Upwork to detect and avoid interactions with fake personas or dubious job offers from front companies.

·   Integrate tools that analyze AI-generated images to help identify and discard profiles created using services like Remake AI, which threat actors use to build fake identities.

· Train employees regularly on social engineering techniques, emphasizing the risks of running unknown code from received samples, especially in job interview contexts.

·       Utilize advanced security solutions with behavior analysis capabilities to detect the presence of malware strains such as BeaverTail, InvisibleFerret, and OtterCookie by monitoring unusual activities across all operating systems.

Reference: https://www.silentpush.com/blog/contagious-interview-front-companies/

Potential Exploitation of High Severity Flaw in SonicWall SMA Appliances – Immediate Patch Recommended

Risk Rating: High

SonicWall has released an update to an old high severity vulnerability affecting Secure Mobile Access (SMA) 100 series appliances. The flaw was first disclosed and patched in September 2021, tracked as CVE-2021-20035 (CVSS: 7.8) – ‘OS Command Injection’ vulnerability in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to Denial of Service (DoS). SonicWall PSIRT team has revised the bulletin to acknowledge that this vulnerability is potentially being exploited in the wild.

Researchers at Arctic Wolf tracking an ongoing VPN credential access campaign targeting SMA 100 series appliances, with a starting timeframe as early as January 2025, extending into April 2025.

Successful exploitation of the vulnerability could allow remote authenticated threat actor to inject arbitrary commands, establish persistence and widen the scope of attacks.
Affected Products: SMA 100 Series versions 10.2.1.0-17sv and earlier, 10.2.0.7-34sv and earlier, 9.0.0.10-28sv and earlier.

Recommendation: At the time of writing, there are reports of active exploitation of the vulnerability. Even CISA has added the vulnerability in to its Known Exploited Vulnerabilities (KEV) catalog. So, CPX Threat Intelligence Center recommend customers to act quickly and apply the patches to mitigate any potential threats. 

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-20035

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

https://arcticwolf.com/resources/blog/credential-access-campaign-targeting-sonicwall-sma-devices-potentially-linked-to-exploitation-of-cve-2021-20035/

https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog

New Phishing Campaign Targets WooCommerce Users with Fake Security Patch

Risk Rating: Elevated

A recent phishing campaign has been targeting WooCommerce users by sending emails that falsely claim a critical security vulnerability in their installation. These sophisticated emails direct users to a malicious website mimicking the official WooCommerce Marketplace, where they are urged to download a fake security patch. Once installed, the malicious plugin creates a backdoor that grants attackers’ administrative access, allowing for various malicious activities including data theft and server exploitation. Users are advised to avoid downloading or installing patches from unofficial sources, as official security updates will be released directly by WordPress or WooCommerce. Patchstack has implemented measures to block such malicious installation attempts and is continuously monitoring the situation.

The sophisticated phishing campaign targeting WooCommerce users poses a significant risk to the UAE, considering its reliance on e-commerce and digital transformation. The campaign's use of convincing email and web-based phishing templates that mimic official WooCommerce communications could potentially deceive numerous users into installing a malicious plugin, leading to unauthorized administrative access and backdoor installation.

Recommendation: CPX Threat Intelligence Centre recommends the following measures:

• Always verify the authenticity of any email alerts that claim to be from WooCommerce by checking the sender's email address and confirming through official WooCommerce communication channels.
  
  
• Avoid downloading and installing plugin patches from unofficial sources and rely exclusively on updates distributed through the official WooCommerce platform.
• Thoroughly inspect any received emails for subtle domain name variations, such as IDN homograph attacks, to ensure they are genuinely from trusted sources.
• Regularly monitor your WordPress installations for unusual cronjobs, unfamiliar administrator accounts, and suspicious folders in the wp-content directory.
  
  
• Implement robust security measures by using security plugins that offer protection against unauthorized installations and actively scan for known vulnerabilities and malware.

Reference: https://patchstack.com/articles/fake-security-vulnerability-phishing-campaign-targets-woocommerce-users/

China-linked APT Group Leveraging Spellbinder Tool to Enable AitM Attacks

Risk Rating: High

Researchers at ESET identified a China-linked threat group named ‘TheWizards’, which employs a tool called Spellbinder to execute adversary-in-the-middle (AitM) attacks using IPv6 SLAAC spoofing. This enables the interception and redirection of legitimate software traffic to attacker-controlled servers, leading to the download of malicious updates. The ultimate goal is the deployment of WizardNet, a backdoor used for further infiltration and control. TheWizards have ties to the Chinese company Dianke Network Security Technology (UPSEC) and have targeted various entities in Asia and the Middle East. 

Considering the addition of new lateral movement tool (Spellbinder) in the threat actor arsenal, enables them to perform AitM attacks, which could pose a significant impact on the individuals and entities in the United Arab Emirates (UAE). This threat can harvest sensitive information, disrupt activities, and potentially lead to espionage or other malicious endeavors, especially if the targets include critical sectors like finance, government, or telecommunications prevalent in the UAE. 
Recommendation: CPX Threat Intelligence Centre recommends the following measures:
•    Implement strong network segmentation to prevent lateral movement within the network and isolate compromised devices.
•    Regularly audit and update IPv6 network configurations to reduce vulnerabilities like SLAAC spoofing.
•    Deploy endpoint detection and response (EDR) solutions to monitor and respond to malicious activities such as unauthorized software updates.
•    Educate users about the risks of software updates and ensure updates are only sourced from verified and trusted servers.
•    Utilize threat intelligence to stay informed about emerging threats and incorporate IOCs (Indicators of Compromise) related to Spellbinder and WizardNet into existing security tools.

Reference: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/

Tsunami Malware used in “Contagious Interview” campaign, attributed to DPRK (North Korea)

Risk Rating: Elevated

HiSolutions was able to further analyze a sophisticated, modular malware framework called Tsunami, which leverages the TOR network and Pastebin for command and control, integrating multiple credential stealers and cryptominer related to the "Contagious Interview" campaign, attributed to North Korea. This discovery underscores the continuous development and evolving strategies of the threat actors involved in cryptocurrency theft, highlighting the broader and more complex threats posed by the Tsunami framework. 
The Tsunami-Framework poses a significant threat to the UAE from a threat intelligence perspective.

The ongoing "Contagious Interview" campaign, linked to North Korea, is adept at stealing both common and less common cryptocurrencies. The development and deployment of this malware framework highlight the increasing sophistication and evolution of cyber threats. Given the framework's reliance on the TOR Network and Pastebin for command and control, it showcases a high degree of anonymity and resilience to takedowns.

Recommendation: CPX Threat Intelligence Centre recommends the following measures:
•    Utilize endpoint detection and response (EDR) solutions to monitor for unusual processes and detect the presence of the Tsunami-Framework.
•    Employ network segmentation and strict firewall rules to limit the ability of malware to communicate with command-and-control servers, especially those using TOR.
•    Regularly update and patch systems to minimize the exploitation of vulnerabilities that may provide an entry vector for malware.
•    Implement multi-factor authentication (MFA) to add an extra layer of security against credential theft from modules such as BraveCredentialStealer and ChromeCredentialStealer.
•    Conduct routine threat hunting exercises focused on identifying persistence mechanisms like Scheduled Tasks and Windows-Defender exclusions that are indicative of Tsunami-Malware infectionAvoid extracting untrusted archives with WinZip.

Reference: https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/ 

Multiple Hacktivist Groups Targeting Critical Infrastructure Sector Entities in the United Arab Emirates

Risk Rating: High

CPX Threat Intelligence Centre have been notified of a campaign dubbed as ‘HACK FOR HUMANITY_V4’, where multiple Hacktivist groups has made an alliance to target entities in the United Arab Emirates (UAE). The alliance has been made in retaliation to UAE sorrow expression towards Israel, and a detention of Syrian military figure ‘Issam Bouidani’, also known as "Abu Hammam", at Dubai International Airport. 

Considering, the evolving geopolitical tensions across the Middle East and adjacent regions, there have been a marked increase in cyber activity by ideologically motivated hacktivist groups. Government, Financial, Telecom, and Critical Infrastructure sectors remain particularly exposed due to their strategic importance. The Threat Intelligence Centre strongly advises organizations to adhere to the recommendations outlined in this advisory to effectively mitigate the risks posed by this threat. 

Recommendation: CPX Threat Intelligence Centre recommends the following measures:

• Implement a DDoS protection services from reputable providers.
• Configure firewalls, WAFs, and Load Balancers to drop malformed or excessive traffic, Limit requests per IP, and Block suspicious geographies or IP ranges (if applicable).
• Deploy real-time monitoring tools to detect unusual spikes or application-layer anomalies and set up alerts for abnormal patterns.
• Create an Incident Response playbook for DDoS attacks, identify key contacts, and run simulation exercises to ensure readiness.

 
Stay safe and secure, and we'll see you in next week's edition!

Note: The risk ratings assigned to each threat are based on comprehensive threat intelligence analysis and our threat intelligence team's visibility. These ratings are intended to prioritize response efforts by focusing on the most significant threats to your security infrastructure.