Beyond Information Security

Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.

Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.

“This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors,” the company said in a report.

The driver in question, “smuol.sys,” mimics a legitimate CrowdStrike Falcon driver (“CSAgent.sys”). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked certificates from Chinese companies.

Source: The Hacker News

Link: https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html


Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility

Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center.

The two critical-rated vulnerabilities in question are listed below –

  • CVE-2024-20439 (CVSS score: 9.8) – The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system
  • CVE-2024-20440 (CVSS score: 9.8) – A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API

Successful exploitation of the flaws could enable an attacker to log in to the affected system with administrative privileges, and obtain log files that contain sensitive data, including credentials that can be used to access the API.

Source: The Hacker News / BleepingComputer / SecurityWeek / SANS Internet Storm Center

Link: https://thehackernews.com/2025/03/ongoing-cyber-attacks-exploit-critical.html

Link: https://www.bleepingcomputer.com/news/security/critical-cisco-smart-licensing-utility-flaws-now-exploited-in-attacks/

Link: https://www.securityweek.com/hackers-target-cisco-smart-licensing-utility-vulnerabilities/

Link: https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Cisco%20Smart%20Licensing%20Utility%20CVE-2024-20439%20and%20CVE-2024-20440/31782


Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems

Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution.

The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds.

“A vulnerability allowing remote code execution (RCE) by authenticated domain users,” the company said in an advisory released Wednesday. Security researcher Piotr Bazydlo of watchTowr has been credited with discovering and reporting the flaw, which has been resolved in version 12.3.1 (build 12.3.1.1139).

According to Bazydlo and researcher Sina Kheirkhah, CVE-2025-23120 stems from Veeam’s inconsistent handling of its deserialization mechanism: an allowlisted class that is permitted to be deserialized paves the way for an inner deserialization step that relies on a blocklist to prevent deserialization of data the company deems risky.

This also means that a threat actor could leverage a deserialization gadget missing from the blocklist – namely, Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary – to achieve remote code execution.
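The allowlist-versus-blocklist distinction described above is the crux of this bug class: a blocklist only stops the gadgets its author already knows about, while an allowlist rejects every type that was not explicitly expected. The following is an added Python illustration of that difference, not Veeam’s code (the product is .NET; Python’s pickle is used here only because it has the same "resolve a named class while deserializing" step). The allowlist, blocklist and sample records are all constructed for the example and assume nothing about Veeam’s internals.

```python
import collections
import datetime
import io
import pickle

# Allowlist: the only (module, name) globals the unpickler may resolve.
# Everything else, known or unknown, is rejected before any code runs.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
    ("datetime", "datetime"),
}

# Blocklist: a fixed set of "known dangerous" globals. Any type NOT listed
# here (for example a gadget the defender has never heard of) is resolved.
BLOCKED_GLOBALS = {
    ("os", "system"),
    ("subprocess", "Popen"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only allowlisted globals; every other GLOBAL opcode is an error."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


class BlocklistUnpickler(pickle.Unpickler):
    """Rejects a handful of known-bad globals and lets everything else through."""

    def find_class(self, module, name):
        if (module, name) in BLOCKED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is blocklisted")
        return super().find_class(module, name)


def load_with_allowlist(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_with_blocklist(data: bytes):
    return BlocklistUnpickler(io.BytesIO(data)).load()


def roundtrip(loader, obj):
    """Serialise obj and feed it to loader; return (accepted, value_or_error)."""
    try:
        return True, loader(pickle.dumps(obj))
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample payloads: a plain record (no class references at all),
# a record containing an allowlisted type, and a harmless object whose type
# is simply absent from both lists.
PLAIN_RECORD = {"job": "nightly-backup", "retries": 3}
DATED_RECORD = {"job": "nightly-backup", "run_on": datetime.date(2025, 3, 20)}
UNLISTED_OBJECT = collections.Counter("aab")


def demo() -> dict:
    """Which loader accepts which payload; the last two entries are the point."""
    return {
        "allowlist_plain": roundtrip(load_with_allowlist, PLAIN_RECORD)[0],
        "allowlist_dated": roundtrip(load_with_allowlist, DATED_RECORD)[0],
        "allowlist_unlisted": roundtrip(load_with_allowlist, UNLISTED_OBJECT)[0],
        "blocklist_unlisted": roundtrip(load_with_blocklist, UNLISTED_OBJECT)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

The unlisted `Counter` is harmless, but the blocklist loader resolves it for the same reason it would resolve any gadget class missing from the list; the allowlist loader refuses it without needing to know whether it is dangerous. That is why fixes for this class of bug move the check to an explicit allowlist of expected types rather than extending the blocklist.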

Source: The Hacker News / BleepingComputer / SecurityWeek / watchTowr Labs blog

Link: https://thehackernews.com/2025/03/veeam-and-ibm-release-patches-for-high.html

Link: https://www.bleepingcomputer.com/news/security/veeam-rce-bug-lets-domain-users-hack-backup-servers-patch-now/

Link: https://www.securityweek.com/veeam-patches-critical-vulnerability-in-backup-replication/

Link: https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/


Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories’ CI/CD Secrets Exposed

The supply chain attack involving the GitHub Action “tj-actions/changed-files” started as a highly targeted attack against one of Coinbase’s open-source projects, before evolving into something more widespread in scope.

“The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises,” Palo Alto Networks Unit 42 said in a report. “However, the attacker was not able to use Coinbase secrets or publish packages.”

The incident came to light on March 14, 2025, when it was found that “tj-actions/changed-files” was compromised to inject code that leaked sensitive secrets from repositories that ran the workflow. It has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6).

According to Endor Labs, 218 GitHub repositories are estimated to have exposed their secrets due to the supply chain attack, and a majority of the leaked information includes a “few dozen” credentials for DockerHub, npm, and Amazon Web Services (AWS), as well as GitHub install access tokens.

“The initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action,” security researcher Henrik Plate said.

“However, drilling down into the workflows, their runs and leaked secrets shows that the actual impact is smaller than anticipated: ‘Only’ 218 repositories leaked secrets, and the majority of those are short-lived GITHUB_TOKENs, which expire once a workflow run is completed.”
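Repositories were exposed because their workflows resolved the action through a mutable reference, so whatever the tag pointed at after the compromise is what ran with the workflow's secrets. The following is an added example, not code from any of the reports cited here, of a small audit that a defender can run over workflow files: it flags every third-party action that is not pinned to a full 40-character commit SHA, and separately flags any reference to the action named in this incident. The sample workflow, the placeholder SHA and the tag versions in it are constructed for the example.

```python
import re

# Actions that the incident above reported as compromised; flag any use of them.
COMPROMISED_ACTIONS = {"tj-actions/changed-files"}

# Matches a workflow `uses:` key of the form owner/repo[/subpath]@ref (quotes optional).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s@]+)@([^'\"\s#]+)", re.MULTILINE)

# A full commit SHA is the only reference that cannot be retargeted by the action's owner.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(workflow_text: str) -> list:
    """Return (action, ref, reason) tuples for every risky `uses:` reference."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        # Local composite actions and container images are not resolved via Git tags.
        if action.startswith(("./", "docker://")):
            continue
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
        if repo in COMPROMISED_ACTIONS:
            findings.append((action, ref, "references an action reported compromised"))
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref, "not pinned to a full commit SHA"))
    return findings


# Constructed sample workflow. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - name: Pinned action (placeholder SHA)
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-helper
"""


if __name__ == "__main__":
    for action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```

Run against a real checkout this would be applied to every file under `.github/workflows/`. Pinning to a SHA removes the retargeting risk but not the need to update: a pinned reference also freezes the action at a version that may later receive security fixes, so pin and review updates rather than pin and forget.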

Source: The Hacker News / BleepingComputer

Link: https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html

Link: https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/