Cyber News Roundup for April 25, 2025
This week, several significant cyber threats and vulnerabilities are making headlines. Russian state-backed hackers have escalated their efforts, targeting Dutch critical infrastructure in cyber sabotage attempts. Meanwhile, the U.S. White House’s shift of cybersecurity responsibilities to states is met with skepticism, as many are unprepared for the transition. A Microsoft Office vulnerability patched back in 2017 (CVE-2017-11882, in the Equation Editor component) is also being exploited to distribute malware, highlighting the ongoing risk of legacy vulnerabilities on unpatched systems.
Stay informed with the latest developments to protect your organization from emerging threats.
Russian state-backed hackers target Dutch critical infrastructure
Russian state-backed hackers targeted Dutch critical infrastructure in cyber sabotage attempts during 2023 and 2024, according to the Dutch Military Intelligence and Security Service (MIVD). Though the attacks had minimal immediate impact, they mark the first known sabotage attempts against Dutch control systems. The MIVD warns such operations are rising across Europe, with the aim of gaining digital access to critical systems for potential future disruption. The Netherlands, home to Europe’s largest port in Rotterdam and key NATO logistics hubs, remains strategically vital. Russian cyber activity, including prior infiltration attempts against international institutions in The Hague, is escalating. The Dutch government is boosting its military and cybersecurity investments, sharing intelligence with Ukraine, and warning that Europe must act swiftly to counter increasingly sophisticated Russian cyber threats amid global geopolitical instability. (The Record)
The White House’s shift of cybersecurity responsibilities to the states is met with skepticism
President Trump’s recent executive order shifts cybersecurity responsibilities from the federal government to states and localities. However, many states are unprepared for this transition. A 2023 Nationwide Cybersecurity Review revealed that only 22 of 48 participating states met recommended security standards. Compounding the issue, federal funding cuts have reduced resources for state and local officials, including a cybersecurity grant program and a key cybersecurity agency. This has left states grappling with increased cyber threats, such as ransomware attacks and foreign interference, while facing shortages of IT experts and limited budgets. Recent cyberattacks in Rhode Island, Virginia, and Massachusetts highlight the vulnerabilities in state systems. Experts warn that expecting states to manage cybersecurity independently, without adequate support, is unrealistic and could compromise national security. (Stateline)
Mandiant report details DPRK threat clusters
A report from Mandiant detailed the activities of multiple threat clusters based in the Democratic People’s Republic of Korea (DPRK). Mandiant said the threat clusters are targeting organizations and individuals in the Web3 and cryptocurrency space using a variety of social engineering techniques. These tactics include posing as investors from reputable companies on Telegram, using job-related lures to trick developers into running malware-laced projects, and conducting large-scale phishing campaigns. Mandiant highlighted that in 2023, North Korean threat actor UNC3782 conducted phishing operations against TRON users and successfully transferred more than $137 million USD worth of assets in a single day. Mandiant said these threat actors, “use their privileged access to steal data and enable cyberattacks, in addition to generating revenue for North Korea.” (The Hacker News)
Hackers exploit a years-old Office Equation Editor vulnerability to weaponize Word documents
A newly uncovered phishing campaign exploits CVE-2017-11882, a memory corruption bug in Microsoft Office’s Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017, to distribute the FormBook malware via malicious Word documents. Disguised as sales orders, these documents trigger the exploit as soon as they are opened; no further user interaction (such as enabling macros) is needed. Once active, the malware uses techniques like process hollowing and registry modifications to maintain persistence and evade detection, ultimately stealing credentials, keystrokes, and other sensitive data. The attack underscores the continued risk of long-patched vulnerabilities on systems that never received the fix, and the importance of regular patching and cautious email handling. (Cyber Security News)
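A quick way to triage a suspicious document for this exploit is to look for the Equation Editor OLE object it has to embed. The scanner below is an added example (not code from the article or the campaign analysis); it checks for the Equation Editor 3.0 class identifier {0002CE02-0000-0000-C000-000000000046} in the binary form used by OLE compound files and in the hex-text form that RTF documents carry under \objdata, plus the "Equation.3" ProgID. The sample inputs are constructed, and the indicator names are my own labels.

```python
"""Triage documents for Equation Editor (CVE-2017-11882) indicators.

Added example, not code from the original article. Sample inputs are
constructed; the indicator labels are arbitrary names chosen here.
"""
import re
import uuid

# CLSID of the Equation Editor 3.0 OLE server (EQNEDT32.EXE).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# OLE directory entries store GUIDs with the first three fields little-endian,
# which is exactly what uuid.bytes_le produces.
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le
EQNEDT_PROGID = b"Equation.3"


def _rtf_objdata_to_bytes(data: bytes) -> bytes:
    """Decode every hex run that follows \\objdata in an RTF file."""
    out = bytearray()
    for match in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexrun = re.sub(rb"\s+", b"", match.group(1))
        if len(hexrun) % 2:          # tolerate a truncated trailing nibble
            hexrun = hexrun[:-1]
        out += bytes.fromhex(hexrun.decode("ascii"))
    return bytes(out)


def scan_for_equation_editor(data: bytes) -> list[str]:
    """Return the list of Equation Editor indicators found in a document blob."""
    indicators = []
    # Raw OLE2 (.doc/.xls) or any container that embeds the CLSID directly.
    if EQNEDT_CLSID_LE in data:
        indicators.append("ole-clsid-eqnedt32")
    # ProgID as ASCII or UTF-16LE (OLE1 headers and Word's own metadata).
    if EQNEDT_PROGID in data or EQNEDT_PROGID.decode().encode("utf-16-le") in data:
        indicators.append("progid-equation.3")
    # RTF carries the embedded object as hex text; decode it before matching.
    if data.lstrip().startswith(b"{\\rtf"):
        if EQNEDT_CLSID_LE in _rtf_objdata_to_bytes(data):
            indicators.append("rtf-objdata-clsid-eqnedt32")
        if re.search(rb"\\objclass\s*Equation\.3", data):
            indicators.append("rtf-objclass-equation.3")
    return indicators


# Constructed sample: a minimal RTF wrapper around an Equation.3 object whose
# hex payload contains the CLSID. Real \objdata payloads are far longer.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 02ce020000000000c000000000000046}}}"
)

if __name__ == "__main__":
    print(scan_for_equation_editor(SAMPLE_RTF))
    print(scan_for_equation_editor(b"just a harmless text file"))
```

The CLSID check catches the common case where the attacker drops an Equation.3 object into a .doc or .rtf; it does not prove exploitation by itself, since legitimate old documents with real equations will also match, so treat a hit as a reason to detonate the file in a sandbox rather than as a verdict.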
Russian organizations targeted by backdoor masquerading as secure networking software updates
Kaspersky recently uncovered a sophisticated backdoor campaign targeting Russian organizations across the government, finance, and industrial sectors. The malware impersonated updates for the ViPNet secure networking software. The attackers distributed LZH archives containing a legitimate executable, a malicious loader, and an encrypted payload; the loader decrypts and runs the payload, which deploys a backdoor that connects to a command-and-control server and enables data theft and delivery of additional malware. Kaspersky emphasizes the need for layered defenses to counter such threats. (Securelist)
Russia attempting cyber sabotage attacks against Dutch critical infrastructure
Russian state-sponsored hackers have attempted cyber sabotage against Dutch critical infrastructure over the past two years, according to the Dutch Military Intelligence and Security Service (MIVD). It represents the first known cyber sabotage attempts against control systems in the Netherlands. The MIVD warns Russia is increasingly using a “whole-of-society” approach to cyber operations, which poses a threat to NATO allies. Dutch defense officials emphasized the need to strengthen military and cybersecurity capabilities. (The Record)
Crosswalks in the crosshairs of satirical hacking
Our malicious jaywalking desk tells us that crosswalk buttons in cities like Seattle and Silicon Valley have been hijacked to play AI-generated voices of tech billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. Instead of the usual robotic “Walk” or “Wait,” pedestrians were greeted with Bezos promoting Amazon Prime or joking about billionaires moving to Florida if taxed—classic parody wrapped in high-tech mischief.
The culprit? A mix of social commentary and shoddy security. The devices, made by crosswalk hardware giant Polara, are managed via a Bluetooth-enabled app called the Polara Field Service app. It was publicly available and protected only by the worst password in tech history—1234. Pranksters easily reprogrammed the devices to play custom, AI-generated audio.
While some call it “harmless fun,” the stunt raises serious issues. Visually impaired pedestrians depend on these audio cues to cross safely. Swapping them for tech tycoon impersonations isn’t just a laugh—it’s a hazard. It also highlights the risks of default credentials in critical infrastructure.
The app has since been pulled from app stores, but archived versions remain, meaning this could happen again. Municipal crews now face the tedious task of manually updating credentials on thousands of devices, one intersection at a time. So, let this be a friendly PSA: customizable crosswalk audio? Great. Billionaire bedtime banter at intersections? Not so much. And for the love of pedestrians—change your default passwords. (The Register)
CISA warns threat hunting staff to stop using Censys & VirusTotal
The Cybersecurity and Infrastructure Security Agency (CISA) has recently directed its threat hunting personnel to discontinue the use of two key tools: Censys and VirusTotal. Censys access ended in late March, while VirusTotal use was scheduled to end on April 20, 2025. Both tools have been integral to CISA’s threat detection and analysis operations. VirusTotal aggregates verdicts from multiple antivirus engines to identify malicious files and URLs, aiding rapid malware triage. Censys scans the IPv4 internet to catalog exposed devices and services, providing visibility into potential weaknesses across federal networks.
The discontinuation is part of broader reductions within the agency’s cyber defense initiatives. In an internal notification dated April 16, CISA acknowledged the importance of these tools and assured staff that alternative solutions are being explored to minimize operational disruptions. The move has raised concerns among cybersecurity experts, who fear that the loss of these centralized tools could impair CISA’s ability to efficiently triage and respond to cyber threats. This development follows a recent incident where CISA briefly indicated it would cease support for the CVE Program, responsible for tracking cybersecurity vulnerabilities, before reversing that decision. (Cyber Security News)
Judge limits evidence about NSO Group customers ahead of trial
Ahead of the trial on damages in the lawsuit between WhatsApp and NSO Group, Northern District of California Judge Phyllis Hamilton ruled that both parties will be prohibited from presenting evidence about their customers’ identities. This includes any implication that those customers’ targets were suspected criminals. In the ruling, Judge Hamilton said NSO cannot present itself as both helping “its clients fight terrorism and child exploitation, and on the other hand say that it has nothing to do with what its client does with the technology.” The judge also ruled that WhatsApp cannot bring evidence about other lawsuits concerning the use of NSO’s Pegasus spyware in connection with the death of Washington Post journalist Jamal Khashoggi. The case was first brought in 2019 and is now set to go to trial on April 28, 2025. (CyberScoop)
A critical vulnerability in Erlang/OTP SSH allows unauthenticated remote code execution
Erlang/OTP SSH is widely used in systems that demand high availability and concurrency, particularly in telecommunications, IoT, and embedded devices. Its integration into Erlang’s ecosystem makes it a preferred choice for developers building distributed systems requiring secure remote access.
A critical vulnerability in the Erlang/OTP SSH server, tracked as CVE-2025-32433, allows unauthenticated remote code execution on affected devices. Discovered by researchers at Ruhr University Bochum, it carries the maximum CVSS score of 10.0. The flaw stems from improper handling of SSH connection protocol messages sent before authentication completes: the server processes channel messages from an unauthenticated client, so an attacker can have the SSH daemon run commands, often as root when the daemon itself runs as root. Horizon3’s security team confirmed the exploit is easy to reproduce and warned that public proof-of-concept code would follow soon. All systems running the OTP ssh application as a server are affected; Erlang relies on the OTP stack for components such as SSH, so any product built on it inherits the bug. Users are urged to upgrade to a fixed release of their maintenance branch immediately: OTP 27.3.3, 26.2.5.11, or 25.3.2.20 (the originally circulated numbers 25.3.2.10 and 26.2.4 predate the fix). For systems that can’t be patched, access should be limited to trusted IPs via firewall rules, or the SSH server disabled altogether.
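Because each OTP maintenance branch got its own fix, a fleet inventory check has to compare a host’s version with the fixed release for that host’s own major version, and it has to compare numerically (26.2.5.10 sorts after 26.2.5.11 as a string). The helper below is an added example, not the project’s or the article’s code; the fixed versions are the three listed above, and the assumption that releases newer than OTP 27 carry the fix is mine.

```python
"""Branch-aware check of an Erlang/OTP version against the CVE-2025-32433 fixes.

Added example, not from the article or the Erlang/OTP project. Fixed
releases per the OTP advisory: OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20.
Assumption (mine): majors newer than 27 ship with the fix; majors older
than 25 are out of support and received no fix.
"""

# major release -> first fixed version on that maintenance branch
FIXED_BY_MAJOR = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' into a comparable tuple of ints."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the given OTP release still contains CVE-2025-32433."""
    v = parse_otp_version(version)
    major = v[0]
    if major < 25:          # unsupported branch, no fix published
        return True
    if major > 27:          # assumption: newer majors include the fix
        return False
    # Tuple comparison handles differing lengths: (26, 2, 5) < (26, 2, 5, 11).
    return v < FIXED_BY_MAJOR[major]


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts from a {hostname: otp_version} map that need patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for illustration.
SAMPLE_INVENTORY = {
    "pbx-01": "OTP-26.2.5.10",   # one release short of the fix
    "pbx-02": "26.2.5.11",       # fixed
    "iot-gw": "25.3.2.10",       # the number the early reports called safe
    "build":  "27.3.3",          # fixed
    "legacy": "24.3.4",          # unsupported branch
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Note that the banner an Erlang SSH server sends (for example `SSH-2.0-Erlang/…`) reports the version of the ssh application, not the OTP release, so a banner-based scan needs the advisory’s mapping from ssh application versions to OTP releases rather than this table.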
A researcher uncovers 57 risky Chrome extensions with a combined 6 million users
Security researcher John Tuckner has uncovered 57 risky Chrome extensions with a combined 6 million users, many of which request excessive permissions and could be used for surveillance or other malicious activity. These extensions, often unlisted in the Chrome Web Store and installable only via a direct link, claim to offer privacy or ad-blocking features but can monitor browsing behavior, access cookies, modify search results, and execute remotely supplied scripts. The most notable, Fire Shield Extension Protection, is heavily obfuscated and communicates with a suspicious domain, unknow.com. Tuckner found multiple extensions tied to the same domain, raising concerns that they form a single spyware operation. Google is investigating the report, and users are advised to remove any of the flagged extensions and reset their passwords as a precaution. Some of the extensions have been taken down, but others remain active. (Bleeping Computer)
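The combination the report describes (cookie access, visibility into every tab, page rewriting, and remote code loading) is visible in an extension’s manifest before it ever runs. The auditor below is an added example, not the researcher’s tooling or anything from the article: it reads a manifest and flags the permission and policy combinations that give an extension that reach. The manifests are constructed, and the list of what counts as high risk is my own judgement rather than a Google classification.

```python
"""Flag Chrome extension manifests that grant surveillance-grade access.

Added example, not code from the article or the researcher's report.
Sample manifests are constructed; the risk lists are this author's
judgement, not an official Google classification.
"""
import json
from pathlib import Path

# Permissions that let an extension read or alter everything the user does.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabs", "history", "scripting", "management", "debugger", "proxy",
    "nativeMessaging",
}
# Host patterns that mean "every site".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEB_STORE_UPDATE_HOST = "clients2.google.com"


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; pull them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("access to all sites")
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into all sites")

    # A CSP that permits eval or remote script origins lets the extension
    # fetch and run code that was never in the reviewed package (MV2 only;
    # MV3 rejects such policies at install time).
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "'unsafe-eval'" in csp or "http" in csp:
        findings.append("CSP allows eval or remote script sources")

    update_url = manifest.get("update_url", "")
    if update_url and WEB_STORE_UPDATE_HOST not in update_url:
        findings.append("updates from a non-Web-Store URL: " + update_url)
    return findings


def audit_profile(extensions_root: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions dir."""
    results = {}
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        findings = audit_manifest(manifest)
        if findings:
            results[manifest_path.parent.parent.name] = findings
    return results


# Constructed manifests: one that matches the profile in the report, one benign.
RISKY_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Shield (constructed)",
    "permissions": ["cookies", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "content_security_policy": "script-src 'self' 'unsafe-eval' https://updates.example.invalid; object-src 'self'",
    "update_url": "https://updates.example.invalid/crx",
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Notes (constructed)",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.invalid/*"],
}

if __name__ == "__main__":
    for finding in audit_manifest(RISKY_MANIFEST):
        print("-", finding)
```

`audit_profile` expects the layout Chrome uses on disk (`Extensions/<extension id>/<version>/manifest.json`); point it at a copied profile directory during a forensic review rather than at the live one. A broad permission set is not proof of malice, since real ad blockers need `webRequest` and `<all_urls>` too, so the useful signal in this incident is the combination with an unlisted install path and an unknown update or script origin.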
Cisco Webex bug lets hackers gain code execution via meeting links
Cisco has issued security updates for a high-severity vulnerability in the Webex app (CVE-2025-20236) that allows an unauthenticated remote attacker to achieve code execution via a malicious meeting invite link. The flaw stems from insufficient input validation in the Webex custom URL parser and affects the app on all operating systems and in all configurations. To exploit it, an attacker must persuade a user to click a crafted link and download files, after which the attacker can run arbitrary commands with the privileges of the targeted user. Because the attack is low in complexity, the vulnerability poses significant risk, and Cisco urges users to update immediately, as there are no workarounds that prevent exploitation. (BleepingComputer)
Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.