Weekly News Digest 10 – 16 March
Welcome to this week’s edition of the AKAT Weekly Cyber Security News Digest, your source for the latest in cybersecurity. Stay informed and empowered in the ever-evolving world of cybersecurity!
Cybersecurity agencies issue warning about Medusa ransomware
U.S. cybersecurity agencies have released an advisory about the Medusa ransomware gang, stating it has attacked more than 300 victims in critical infrastructure sectors up to February 2025.
The advisory, jointly released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Wednesday (March 12), said the group and its affiliates have attacked organizations in the medical, education, legal, insurance, technology, and manufacturing industries. The advisory also said that the group offers affiliates “potential payments between $100 USD and $1 million … with the opportunity to work exclusively for Medusa.”
“FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents,” the advisory says.
Medusa, a ransomware-as-a-service group, first appeared in 2021, but its activity really ramped up in 2023 when it launched its leaks site and started carrying out double extortion attacks. In a recent blog published by Symantec’s Threat Hunter Team we revealed how Medusa attacks jumped by 42% between 2023 and 2024, while almost twice as many Medusa attacks were observed in January and February 2025 as in the first two months of 2024.
Musk blames X outages on “massive” cyberattack
Global outages impacting the social media platform X yesterday (March 10) were caused by a “massive” cyberattack, according to CEO Elon Musk.
“There was (still is) a massive cyberattack against X. We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved,” Musk stated without providing more information.
Subsequently, the Dark Storm hacktivist group claimed it was behind distributed denial of service (DDoS) attacks targeting the platform. Dark Storm is a pro-Palestinian hacktivist group active since at least 2023. The group posted to their Telegram channel that they were conducting the attacks against X, sharing screenshots and links to the check-host.net site as proof.
X is now being protected by the DDoS-protection service Cloudflare. When users try to reach certain parts of the website, or if they arrive at the site from a potentially suspicious IP address, they are now prompted to fill out a form to prove they are a human user.
Meta warns of FreeType 2 flaw exploited in attacks
Meta has issued a warning about a vulnerability in the FreeType open-source font rendering library that may have been exploited in the wild.
The out-of-bounds write vulnerability (CVE-2025-27363 – CVSS score: 8.1) could be exploited to achieve remote code execution when parsing certain font files. “An out-of-bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files,” Meta said in an advisory. “The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution.”
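As an added illustration (not FreeType's own source), the C below models the arithmetic the advisory describes: a signed short count from a font file is converted to unsigned long and a constant is added, so a negative count wraps around to a small total, beside a hardened version that validates the count before any allocation. The constant FIXED_SLOTS and the function names are assumptions for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the "static value" the advisory mentions: the
   number of fixed entries the parser writes after the variable-length part. */
#define FIXED_SLOTS 6UL

/* Vulnerable pattern (illustrative, modelled on the advisory's description).
   Converting a negative short to unsigned long sign-extends it to a value
   near ULONG_MAX; adding FIXED_SLOTS then wraps the total back to a small
   number, so the buffer allocated from it is far too small for the
   writes that follow. */
unsigned long vulnerable_slot_count(short count_from_file)
{
    unsigned long n = (unsigned long)count_from_file; /* -3 -> ULONG_MAX - 2 */
    n += FIXED_SLOTS;                                 /* wraps to 3 */
    return n;
}

/* Hardened version: reject a negative count before converting, and refuse a
   total that cannot be represented. Returns 0 on invalid input (a valid
   total is always at least FIXED_SLOTS, so 0 is unambiguous). */
unsigned long safe_slot_count(short count_from_file)
{
    if (count_from_file < 0)
        return 0;                          /* untrusted input must be non-negative */
    unsigned long n = (unsigned long)count_from_file;
    if (n > ULONG_MAX - FIXED_SLOTS)       /* generic overflow guard on the addition */
        return 0;
    return n + FIXED_SLOTS;
}

/* Allocation built on the checked count; also guards the element-size
   multiplication so the byte size cannot wrap either. Caller frees. */
long *alloc_slots(short count_from_file)
{
    unsigned long n = safe_slot_count(count_from_file);
    if (n == 0)
        return NULL;
    if (n > SIZE_MAX / sizeof(long))
        return NULL;
    return calloc((size_t)n, sizeof(long));
}
```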
Meta did not disclose any details about how the flaw is being exploited or who is using it in attacks, stating only that the bug “may have been exploited in the wild.”
FreeType is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
Software developers and project administrators are urged to upgrade to FreeType 2.13.3 as soon as possible.
GitLab issues patches for critical auth bypass bugs
GitLab has issued updates for Community Edition (CE) and Enterprise Edition (EE) to address nine vulnerabilities, including two critical ruby-saml library authentication bypass flaws.
The two critical vulnerabilities in the open-source ruby-saml library (CVE-2025-25291, CVE-2025-25292) received a CVSS severity score of 8.8. Exploiting the flaws can allow attackers to bypass Security Assertion Markup Language (SAML) authentication protections. The flaws relate to how REXML and Nokogiri parse XML differently, causing the two parsers to generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack, leading to an authentication bypass. The vulnerabilities have been addressed in ruby-saml versions 1.12.4 and 1.18.0.
Another flaw of note recently patched by GitLab is a remote code execution issue tracked as CVE-2025-27407 (CVSS score: 9.0). The issue can allow an attacker-controlled authenticated user to exploit the Direct Transfer feature, which is disabled by default, to achieve remote code execution.
The remaining vulnerabilities are low- to medium-severity flaws concerning denial of service (DoS), credential exposure, and shell code injection, all exploitable only with elevated privileges.
All flaws were addressed in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2, while all versions before those are vulnerable.
CISA tags Microsoft, Cisco, Hitachi, Progress flaws as actively exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 3 added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities affect software from Cisco, Hitachi, Microsoft, and Progress.
The flaws include:
- CVE-2023-20118 (CVSS score: 6.5) — A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status).
- CVE-2022-43939 (CVSS score: 8.6) — An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1).
- CVE-2022-43769 (CVSS score: 8.8) — A special element injection vulnerability in Hitachi Vantara Pentaho BA Server that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1).
- CVE-2018-8639 (CVSS score: 7.8) — An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018).
- CVE-2024-4885 (CVSS score: 9.8) — A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker to achieve remote code execution (Fixed in version 2023.1.3 in June 2024).
Federal Civilian Executive Branch (FCEB) agencies are urged to apply the necessary mitigations by March 24, 2025, to secure their networks.
Phishers leveraging SharePoint to stage malware for attacks
Researchers have discovered a new malware campaign that leverages SharePoint sites to stage various components of the malware used in the attack. The attack begins with a “Critical Update” email carrying an HTML attachment; the attachment contains a lure designed to get the target to open it and follow the so-called ClickFix technique, which runs the malicious script that starts the next stage of the attack chain.
Upon opening the attachment, the user is presented with a fake error message with instructions on how to fix it by entering a few keyboard shortcut commands. These actually cause the user to open a PowerShell window and run a script that downloads the next stage of the attack from a SharePoint site.
Once downloaded and executed, the payload performs the standard environment checks that most modern malware carries out, such as checking whether it is running in a virtual environment. It also checks that Python is present and, if not, downloads it before running a malicious Python script that ultimately uses a component called KaynLdr to run the open-source Havoc post-exploitation command-and-control (C&C) framework (an alternative to Cobalt Strike).
Havoc provides the attackers with all the tools required to maintain access to and control of the compromised computer in a stealthy way. Back-channel communications with the C&C server use the Microsoft Graph API to help disguise the malicious activity among legitimate network traffic.
Apple fixes WebKit zero-day exploited in targeted attacks
Apple on Tuesday (March 11) released emergency updates to address a zero-day vulnerability that it said was being exploited by malicious actors in “extremely sophisticated” attacks.
The vulnerability is tracked as CVE-2025-24201 and is an out-of-bounds write issue in the WebKit cross-platform web browser engine used by Apple’s Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.
“This is a supplementary fix for an attack that was blocked in iOS 17.2,” Apple said in its advisories, adding that it “is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”
Attackers can exploit CVE-2025-24201 using maliciously crafted web content to break out of the Web Content sandbox.
The vulnerability was addressed with improved checks to prevent unauthorized actions in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1.
Polish space agency investigating cyberattack
Poland’s space agency (POLSA) disclosed on Sunday (March 2) that it had suffered a cyberattack and is investigating the incident.
Following the discovery of the attack, the agency disconnected its network from the internet. The website remains offline at the time of writing.
According to reports, “sources inside the agency, who asked to remain anonymous, claimed the attack appears to be related to an internal email compromise and that staff are being told to use phones for communication instead.”
Poland’s digital minister, Krzysztof Gawkowski, confirmed that the country’s cybersecurity services had detected unauthorized access to POLSA’s IT infrastructure and had secured the affected systems. Investigators are working to identify the attackers behind the breach, Gawkowski added.
Officials did not reveal whether the attack was carried out by ransomware groups or politically motivated hackers, or how the hackers infiltrated the system.
Medusa ransomware activity continues to grow in the first months of 2025
Medusa ransomware attacks jumped by 42% between 2023 and 2024, while almost twice as many Medusa attacks were observed in January and February 2025 as in the first two months of 2024, Symantec’s Threat Hunter Team reveals in its latest blog.
The Medusa ransomware is reportedly operated as a ransomware-as-a-service (RaaS) by a group Symantec tracks as Spearwing. The ransomware has been active since 2023, and it has used notably consistent tactics, techniques, and procedures (TTPs) in its attacks in that time. As discussed in the blog, this raises the question of whether Spearwing operates as a traditional RaaS or carries out attacks itself. It is also possible that the group works with just one or a small number of affiliates, or that it gives affiliates a playbook specifying which TTPs to use when deploying Medusa.
The use of PDQ Deploy, of various remote access clients, and of the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security software are all particular hallmarks of Medusa ransomware attacks.
Spearwing, which carries out double extortion attacks, stealing data as well as encrypting the network, has amassed hundreds of victims since it became active, and the group demands ransoms ranging from $100,000 up to $15 million.
Hackers exploit PHP-CGI RCE flaw in attacks on Japan’s tech, telecom, e-commerce sectors
Threat actors targeting organizations in Japan since January 2025 are exploiting a remote code execution (RCE) vulnerability in the PHP-CGI implementation of PHP on Windows to gain initial access.
According to a report from Cisco Talos researcher Chetan Raghuprasad, a threat actor of unknown origin is “[utilizing] plugins of the publicly available Cobalt Strike kit ‘TaoWu’ for post-exploitation activities.”
Targets of the malicious campaign predominantly include companies across Japan’s technology, telecommunications, entertainment, education, and e-commerce sectors.
Attacks begin with the exploitation of CVE-2024-4577 (CVSS score: 9.8) to gain initial access and run PowerShell scripts to execute the Cobalt Strike reverse HTTP shellcode payload to grant the attackers persistent remote access to the compromised endpoint. The threat actors then carry out reconnaissance, privilege escalation, and lateral movement using tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt.
“To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs,” Raghuprasad explained. “Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.”
The attacks finish with the attackers stealing passwords and NTLM hashes from the infected hosts. However, Raghuprasad believes that the attackers’ motives extend beyond just credential harvesting and that there is a high likelihood of future attacks.
Over 1K WordPress sites infected with JavaScript backdoors
Over 1,000 WordPress websites have been infected with third-party JavaScript code that injects four separate backdoor threats, according to c/side researcher Himanshu Anand.
“Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed,” explained Anand.
The JavaScript code is served via cdn.csyndication[.]com. The four backdoors are:
- Backdoor 1 – uploads and installs a fake plugin named Ultra SEO Processor, which is then used to execute attacker-issued commands
- Backdoor 2 – injects malicious JavaScript into wp-config.php
- Backdoor 3 – adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file so as to allow persistent remote access to the machine
- Backdoor 4 – is designed to execute remote commands and fetches another payload from gsocket[.]io, likely to open a reverse shell
“The use of 3rd party JavaScript as an attack vector is nothing new,” said Anand. “However, the multi-backdoor approach, which maximizes persistence for attackers, is unique. Given the widespread use of external JS libraries on all sites, we suspect this type of attack will be repeated.”
Undocumented commands found in Bluetooth chip used in over a billion IoT devices
Researchers have uncovered undocumented commands in a microchip used by over 1 billion Internet of Things (IoT) devices. The undocumented commands could be leveraged for attacks, according to Tarlogic Security researchers.
The commands were discovered in the ESP32 microchip made by Chinese manufacturer Espressif. The commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
Exploitation of the commands “would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls,” explained the researchers.
The researchers found the commands using a newly developed C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs. The tool enabled the researchers to access raw Bluetooth traffic, revealing hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
The researchers found 29 undocumented commands that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840 (CVSS score: 6.8). Espressif has yet to comment on the findings.
Details revealed about SCADA flaws that could facilitate industrial attacks
Researchers have revealed details of five vulnerabilities in SCADA software systems used in critical infrastructure worldwide that could have allowed for privilege escalation, DLL hijacking, and the ability to modify critical files.
The now-patched vulnerabilities were discovered in a suite of software made by ICONICS, which claims its software is embedded in “hundreds of thousands of installations running in over 100 countries worldwide and running in over 70 percent of Global 500 companies.”
Palo Alto Networks discovered the flaws in 2024 and notified ICONICS, which has since issued patches to address them. The vulnerabilities are known to affect ICONICS Suite and Mitsubishi Electric MC Works versions 10.97.2 and 10.97.3, and possibly earlier versions of the software.
“On unpatched ICONICS installations without any workarounds or remediations, these vulnerabilities could lead to escalation of privileges, [denial of service] and in specific circumstances, even full system compromise,” warned the researchers.
The vulnerabilities include DLL hijacking (CVE-2024-1182 — CVSS score: 7.0), incorrect default permission (CVE-2024-7587 — CVSS score: 7.8), uncontrolled search path element (CVE-2024-8299 and CVE-2024-9852 — CVSS score: 7.8), and dead code (CVE-2024-8300 — CVSS score: 7.0) issues.
Researchers examine potential use of DeepSeek for malware creation
Ever since generative artificial intelligence (GenAI) first made a big splash a couple of years ago, security researchers have frequently asked if these AI systems can be used for malicious purposes. Since then, it has become increasingly clear that cyber threat actors are taking note of how new capabilities offered by GenAI can assist in the development of content for malicious campaigns.
With this in mind, researchers looked at the recently released free DeepSeek R1 service to examine how it could be used to generate specific types of malware, namely keyloggers and ransomware. To do this, the researchers first had to overcome the built-in protections that most GenAI systems have to prevent them from doing “bad” things. Initial attempts were met with refusals, but these were easily overcome by framing the request as being for educational purposes and coaxing the model into carrying out the requests.
Attempts to generate a keylogger resulted in partial success. Code was produced that could work if it was manually debugged, and it required several iterations to refine its functionality to include features such as hiding its logged data file.
Generating ransomware also required multiple interactions with DeepSeek to develop a very simple piece of ransomware that still required manual rework and would not likely be effective in use. Ultimately, the researchers found that DeepSeek was useful for some aspects of malware creation but not for creating fully working malware.
As advances in AI continue with the development of AI agents that can help automate multiple tasks, Symantec has demonstrated an example of how OpenAI’s new agent service could be used to carry out a malicious phishing attack against a target in Broadcom to highlight the potential risks posed by this new technology.