11 April, 2025
Welcome to the weekly Threat Intelligence Digest!
In this edition, we cover a range of critical topics to keep you informed and prepared. We also delve into the critical threats and vulnerabilities that could impact organizations in the United Arab Emirates (UAE), with an in-depth summary of each threat, expert recommendations, and references to help you safeguard your digital assets.
Researchers have observed an evolution in the tactics, techniques, and procedures (TTPs) of the North Korean-nexus adversary ‘Lazarus Group’ in its long-running ‘Contagious Interview’ campaign. The adversary has intensified its efforts in the npm ecosystem, expanding ‘Contagious Interview’ by distributing additional malicious packages that deploy BeaverTail malware and introduce new modules with RAT loader functionality. These operations are marked by advanced obfuscation using hexadecimal encoding to evade detection, indicating an evolution in their tactics. Despite account suspensions, the actors persist in creating new npm accounts and leveraging GitHub and Bitbucket repositories, sustaining a significant threat to developer systems.
The continued activity highlights the need for robust supply chain security measures, with an emphasis on proactive defense and monitoring to mitigate these sophisticated threats. The use of widely adopted repositories such as npm, GitHub, and Bitbucket for malware dissemination by North Korean threat actors, particularly under the Contagious Interview operation, signals a persistent and evolving threat with the potential to significantly impact entities in the United Arab Emirates (UAE). It also exposes a broad spectrum of potential victims, amplifying the risk of widespread supply chain attacks.
Recommendations: CPX Threat Intelligence Centre recommends the following measures:
· Strictly use npm packages and frameworks that are well established and widely vetted within the community.
· Ensure that all Operating Systems are updated regularly with the latest security patches.
· Educate employees about the risks of phishing and fake job interview schemes, since these packages could be delivered during fake interviews.
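As an added example (not code from the digest or the researchers it cites), the following JavaScript sketches a defender-side heuristic that audits an npm package for the two traits described above: install-time lifecycle hooks and dense hexadecimal string encoding. The sample packages, package-object shape and detection thresholds are all constructed assumptions.

```javascript
// Added example (not from the digest): heuristic audit of an npm package for
// install-time hooks and dense hex encoding. Samples and thresholds are constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // run by `npm install`

// Count hex-encoding indicators in one JS source: \xNN escapes, long hex literals,
// and calls that decode them.
function hexObfuscationScore(source) {
  const escapes = (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const hexBlobs = (source.match(/["'`][0-9a-fA-F]{32,}["'`]/g) || []).length;
  const decoders = (source.match(/String\.fromCharCode|Buffer\.from\([^)]*["']hex["']\)/g) || []).length;
  return { escapes, hexBlobs, decoders };
}

// Audit a {manifest, files} object; thresholds are assumptions (a few \x escapes are
// normal, dozens in one file are not).
function auditPackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  for (const [path, source] of Object.entries(pkg.files)) {
    const s = hexObfuscationScore(source);
    if (s.escapes >= 20 || (s.hexBlobs > 0 && s.decoders > 0)) {
      findings.push(`${path}: ${s.escapes} hex escapes, ${s.hexBlobs} hex blobs, ${s.decoders} decoder calls`);
    }
  }
  return findings;
}

// Build a \xNN-encoded literal body for the constructed sample below.
const hexEscape = (s) =>
  [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");

// Constructed samples: a plain package and one mimicking the traits described above.
const benignPackage = {
  manifest: { name: "pad-util", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => String(s).padStart(n);" },
};
const suspiciousPackage = {
  manifest: { name: "helpful-utils", scripts: { postinstall: "node setup.js" } },
  files: {
    "index.js": "module.exports = {};",
    "setup.js":
      `const a = "${hexEscape("constructed sample, not a real payload")}";\n` +
      `const b = Buffer.from("${"6162".repeat(20)}", "hex");\n` +
      "const c = String.fromCharCode(...Buffer.from(a));",
  },
};
console.log(auditPackage(suspiciousPackage)); // postinstall hook plus setup.js flagged
```

In practice the package object would be built from a downloaded tarball before installation; a hit is a prompt for manual review, not proof of malice.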
The Android developer team addressed multiple vulnerabilities affecting the Android system. Two of the addressed flaws, CVE-2024-53150 (CVSS: 7.8 CISA Rating) and CVE-2024-53197 (CVSS: 7.8 CISA Rating), are exploited in the wild; both affect the Linux kernel behind Android. Successful exploitation of the vulnerabilities could lead to out-of-bounds access, resulting in unauthorized data access.
Affected Products: Android Security Patch version before 2025-04-05.
Recommendation: At the time of writing, there have been reports of exploitation of CVE-2024-53150 and CVE-2024-53197, so CPX Threat Intelligence Centre recommends that customers act quickly and apply the patches to mitigate any potential threats.
Reference: https://source.android.com/docs/security/bulletin/2025-04-01
SAP addressed three (3) critical and five (5) high-severity vulnerabilities affecting several of its products. The critical flaws are tracked as CVE-2025-27429 (CVSS: 9.9) – ‘Code Injection’ vulnerability in SAP S/4HANA (Private Cloud), CVE-2025-31330 (CVSS: 9.9) – ‘Code Injection’ vulnerability in SAP Landscape Transformation (Analysis Platform), and CVE-2025-30016 (CVSS: 9.8) – ‘Authentication Bypass’ vulnerability in SAP Financial Consolidation. The high-severity flaws are tracked as CVE-2025-0064 (CVSS: 8.8) – ‘Improper Authorization’ vulnerability in SAP BusinessObjects Business Intelligence platform, CVE-2025-23186 (CVSS: 8.5) – ‘Mixed Dynamic RFC Destination’ vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP, CVE-2024-56337 (CVSS: 8.1) – ‘Time-of-check Time-of-use (TOCTOU) Race Condition’ vulnerability in Apache Tomcat within SAP Commerce Cloud, CVE-2025-30014 (CVSS: 7.7) – ‘Directory Traversal’ vulnerability in SAP Capital Yield Tax Management, and CVE-2025-27428 (CVSS: 7.7) – ‘Directory Traversal’ vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection).
Successful exploitation of the vulnerabilities could allow a threat actor with user privileges to inject arbitrary ABAP code, bypass authorization checks, access administrator accounts due to improper authentication checks, and gain full control over sensitive data.
Affected Products:
· SAP S/4HANA (Private Cloud) versions S4CORE 102, 103, 104, 105, 106, 107, 108
· SAP Landscape Transformation (Analysis Platform) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731
· SAP Financial Consolidation version FINANCE 1010
· SAP BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430, 2025
· SAP NetWeaver Application Server ABAP versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93
· SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211
· SAP Capital Yield Tax Management versions CYTERP 420_700, CYT 800, IBS 7.0, CYT4HANA 100
· SAP NetWeaver and ABAP Platform (Service Data Collection) versions ST-PI 2008_1_700, 2008_1_710, 740
Recommendation: At the time of writing, there have been reports of exploitation of the presented vulnerabilities, so CPX Threat Intelligence Centre recommends that customers act quickly and apply the patches to mitigate any potential threats.
Reference: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
Researchers have identified post-compromise exploitation of a zero-day privilege escalation vulnerability in the Windows Common Log File System, affecting a small number of targets in sectors including IT, real estate, finance, software, and retail across several countries. The attack, attributed to the ‘Storm-2460’ threat actor, exploits ‘CVE-2025-29824’ (patched by Microsoft on April 8, 2025) to deliver ‘PipeMagic’ malware. Microsoft urges rapid patch application and recommends several defensive measures, including use of Microsoft Defender's advanced features, to mitigate the threat.
The newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, poses significant risks to the UAE's IT infrastructure. Although the initial targets were outside the region, the propagation of this exploit indicates a broader threat landscape. The PipeMagic malware, which utilizes this vulnerability, could be leveraged by ransomware groups to gain privileged access and deploy ransomware at scale.
Recommendations: CPX Threat Intelligence Centre recommends the following measures:
· Immediately apply security updates for CVE-2025-29824 released by Microsoft on April 8, 2025, to mitigate the zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS).
· Enable cloud-delivered protection in your antivirus solution, such as Microsoft Defender Antivirus, to defend against rapidly evolving attacker tools and techniques.
· Use device discovery in Microsoft Defender for Endpoint to improve network visibility and onboard unmanaged devices, preventing attackers from exploiting blind spots.
· Run Endpoint Detection and Response (EDR) in block mode with Microsoft Defender for Endpoint to automatically remediate threats detected post-breach.
· Activate full automated investigation and remediation in Microsoft Defender for Endpoint to promptly address and mitigate breaches and reduce alert noise.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824
We hope the insights and recommendations help you to stay ahead of potential threats and enhance your organization's cybersecurity posture. Remember, staying informed and proactive is key to defending against ever-evolving cyber threats. If you have any questions or need further assistance, don't hesitate to reach out to our Threat Intelligence Centre.
Stay safe and secure, and we'll see you in next week's edition!