Cyware Daily Threat Intelligence, March 17, 2025

Daily Threat Briefing • Mar 17, 2025
The Black Basta gang has cooked up a relentless new tool: an automated brute-forcing framework that has been probing widely used edge networking devices since 2023.
Something sinister was brewing in the PyPI repository. Multiple fraudulent packages racked up tens of thousands of downloads and hid a nasty secret: code designed to siphon cloud access tokens. However, the packages have been removed.
Coinbase users are getting hit with a scam that’s all polish and bad intentions. Dressed up as an official notice about a court-ordered shift to self-custodial wallets, it nudges recipients to set up a new wallet with a recovery phrase - except it’s a trap, pre-controlled by the attackers.
Malicious apps target Microsoft 365 accounts
Cybercriminals are using malicious Microsoft OAuth apps that pose as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 account credentials. The apps request only less sensitive permissions to avoid detection. The highly targeted phishing emails were sent from compromised email accounts to organizations across multiple U.S. and European industries, using RFP and contract lures to trick recipients into opening links.
Black Basta creates automated brute-forcing tool
The Black Basta ransomware group has developed an automated brute-forcing framework, named BRUTED, to breach edge networking devices such as firewalls and VPNs. This framework has allowed Black Basta to streamline initial network access and scale up their ransomware attacks on vulnerable internet-exposed endpoints. The ransomware group has been using BRUTED since 2023 to conduct large-scale credential-stuffing and brute-force attacks on edge network devices. The framework is specifically designed to target popular VPN and remote-access products such as SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler, Microsoft RDWeb, and WatchGuard SSL VPN.
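The defensive counterpart to a framework like BRUTED is spotting its traffic in VPN or firewall authentication logs: a burst of failures from one source address, either against one account (brute force) or sprayed across many accounts (credential stuffing). The script below is an added example written for this briefing, not code from Black Basta, Cyware or any VPN vendor. The log format, source addresses and thresholds are constructed for the illustration; real products log in their own formats, so only the parsing regex would need to change.

```python
"""Flag brute-force and credential-stuffing bursts in VPN authentication logs.

Added illustration; the "timestamp source user result" log format, the
addresses and the thresholds below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source spraying six accounts, one source
# hammering a single account, and one legitimate user with a typo.
SAMPLE_LOG = """\
2025-03-17T08:00:01Z 203.0.113.10 alice FAIL
2025-03-17T08:00:02Z 203.0.113.10 bob FAIL
2025-03-17T08:00:03Z 203.0.113.10 carol FAIL
2025-03-17T08:00:04Z 203.0.113.10 dave FAIL
2025-03-17T08:00:05Z 203.0.113.10 erin FAIL
2025-03-17T08:00:06Z 203.0.113.10 frank FAIL
2025-03-17T08:01:00Z 198.51.100.7 admin FAIL
2025-03-17T08:01:01Z 198.51.100.7 admin FAIL
2025-03-17T08:01:02Z 198.51.100.7 admin FAIL
2025-03-17T08:01:03Z 198.51.100.7 admin FAIL
2025-03-17T08:01:04Z 198.51.100.7 admin FAIL
2025-03-17T08:04:59Z 192.0.2.5 alice FAIL
2025-03-17T08:05:00Z 192.0.2.5 alice OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

WINDOW = timedelta(minutes=5)   # sliding window used to measure a burst
FAIL_THRESHOLD = 5              # failures from one source inside WINDOW
SPRAY_USER_THRESHOLD = 4        # distinct accounts tried -> credential stuffing


def parse_line(line):
    """Return (timestamp, source, user, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text):
    """Map each suspicious source address to its failure statistics and a label."""
    fails = defaultdict(list)  # source -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "FAIL":
            ts, src, user, _ = rec
            fails[src].append((ts, user))

    findings = {}
    for src, events in fails.items():
        peak = max_in_window([ts for ts, _ in events], WINDOW)
        if peak < FAIL_THRESHOLD:
            continue  # occasional failures are normal user behaviour
        users = {u for _, u in events}
        label = "credential-stuffing" if len(users) >= SPRAY_USER_THRESHOLD else "brute-force"
        findings[src] = {
            "failures": len(events),
            "distinct_users": len(users),
            "peak_in_window": peak,
            "label": label,
        }
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"{src}: {info['label']} ({info['failures']} failures, "
              f"{info['distinct_users']} accounts)")
```

The two labels matter operationally: a brute-force burst against one account is answered by lockout or rate limiting on that account, while a spray across many accounts from one address is better handled by blocking the source and checking whether any of the attempted usernames later succeeded.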
Bad PyPI packages stole cloud tokens
Cybersecurity researchers discovered a malicious campaign on the PyPI repository, where threat actors uploaded bogus libraries pretending to be "time"-related utilities. These packages, however, contained hidden functionality designed to steal sensitive data such as cloud access tokens. ReversingLabs found 20 such packages, which were cumulatively downloaded over 14,100 times. The packages have since been removed from PyPI. They fell into two sets: the first set uploaded data to the threat actor's infrastructure, while the second set implemented cloud client functionality for services such as Alibaba Cloud, Amazon Web Services, and Tencent Cloud.
Credit card skimmer on WordPress site
Sucuri found a complex malware attack on a WordPress WooCommerce website, which involved a credit card skimmer, a hidden backdoor file manager, and a malicious script. The attack was designed for financial gain and long-term control of the server. The malware was communicating with two malicious IP addresses and domains, which have now been blocklisted. The impact of the malware could lead to financial loss, reputational damage, potential PCI compliance violations, loss of control, and SEO damage.
Cisco patches IOS XR bug
Cisco has fixed a high-severity DoS vulnerability (CVE-2025-20115) in its IOS XR software that affects carrier-grade routers such as the ASR 9000, NCS 5500, and 8000 series when BGP confederation is configured. The vulnerability allows unauthenticated attackers to remotely crash the BGP process via a single crafted BGP update message, leading to memory corruption and a process restart. Cisco has released security patches for affected IOS XR versions and advises customers who cannot immediately apply the patches to limit the BGP AS_CONFED_SEQUENCE attribute to 254 or fewer AS numbers.
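The workaround quoted above is a length limit on one AS_PATH segment type, so a useful defensive check is to decode the AS_PATH attribute of a captured BGP UPDATE and count the AS numbers in each AS_CONFED_SEQUENCE segment. The parser below is an added example (not Cisco's code and not taken from the advisory); it follows the segment layout from RFC 4271 and RFC 5065 and assumes 4-octet AS numbers were negotiated on the session (RFC 6793), which is selectable via the `asn_size` argument. The sample attribute bytes are constructed here and are not a real capture.

```python
"""Decode a BGP AS_PATH attribute value and flag AS_CONFED_SEQUENCE segments
that exceed the 254-ASN limit given in the mitigation for CVE-2025-20115.

Added example; the sample bytes are constructed, not captured from a router.
"""
import struct

# Segment type codes: RFC 4271 (AS_SET, AS_SEQUENCE), RFC 5065 (confederation types).
SEGMENT_TYPES = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
CONFED_LIMIT = 254  # upper bound from the workaround in the briefing


def parse_as_path(value, asn_size=4):
    """Return [(segment_type_name, [asn, ...]), ...] for an AS_PATH attribute value.

    Each segment is: type (1 byte), number of ASNs (1 byte), then the ASNs.
    asn_size is 4 for sessions with 4-octet AS numbers (RFC 6793), else 2.
    Raises ValueError on a truncated attribute instead of guessing.
    """
    fmt = ">I" if asn_size == 4 else ">H"
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        needed = count * asn_size
        if pos + needed > len(value):
            raise ValueError("segment length exceeds attribute length")
        asns = [
            struct.unpack(fmt, value[pos + i * asn_size: pos + (i + 1) * asn_size])[0]
            for i in range(count)
        ]
        pos += needed
        segments.append((SEGMENT_TYPES.get(seg_type, f"UNKNOWN({seg_type})"), asns))
    return segments


def oversized_confed_segments(segments, limit=CONFED_LIMIT):
    """(index, length) of every AS_CONFED_SEQUENCE segment longer than `limit`."""
    return [
        (i, len(asns)) for i, (name, asns) in enumerate(segments)
        if name == "AS_CONFED_SEQUENCE" and len(asns) > limit
    ]


# Constructed sample: a normal two-hop AS_SEQUENCE (documentation ASNs from
# RFC 5398) followed by an AS_CONFED_SEQUENCE carrying the maximum 255 members
# (private ASNs), which is one more than the workaround allows.
SAMPLE_AS_PATH = (
    bytes([2, 2]) + struct.pack(">II", 64500, 64501)
    + bytes([3, 255]) + b"".join(struct.pack(">I", 65001 + i) for i in range(255))
)

# Constructed sample of an ordinary confederation path that stays within the limit.
BENIGN_AS_PATH = (
    bytes([3, 2]) + struct.pack(">II", 65001, 65002)
    + bytes([2, 1]) + struct.pack(">I", 64500)
)

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_AS_PATH), ("benign", BENIGN_AS_PATH)):
        segs = parse_as_path(raw)
        print(label, [(name, len(asns)) for name, asns in segs],
              "oversized:", oversized_confed_segments(segs))
```

Because the segment length field is a single byte, 255 is the largest count the wire format can carry, which is why the advisory's cap of 254 leaves exactly one value to reject; a monitoring hook that runs this check on UPDATEs from confederation peers gives an early signal that a peer is sending attributes the workaround is meant to exclude.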
Tomcat vulnerability exploited in the wild
A critical RCE vulnerability, identified as CVE-2025-24813, is being actively exploited in Apache Tomcat servers. The exploit allows attackers to take control of vulnerable servers with a single PUT API request. Exploitation requires certain conditions: write support enabled on the default servlet, file-based session persistence using the default storage location, and the presence of a deserialization exploitation library in the application. The bug affects Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.3, and 9.0.0.M1 to 9.0.98. Apache Tomcat 11.0.3, 10.1.35, and 9.0.99 and later are not affected.
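Since the preconditions listed above are all visible from version and configuration, an administrator can triage a fleet before patching. The script below is an added example, not Apache's code: it decides whether a version string falls in the affected ranges (handling both the `11.0.0-M1` and older `9.0.0.M1` milestone spellings) and inspects `conf/web.xml` for a DefaultServlet `readonly=false` init-param and `context.xml` for a `PersistentManager` with a `FileStore` using the default directory. Those element and parameter names are Tomcat's own; the XML snippets are constructed minimal samples. The third condition, a deserialization gadget library on the classpath, cannot be read from configuration, so a positive result means "patch this now", not "confirmed exploitable".

```python
"""Triage a Tomcat instance against the CVE-2025-24813 preconditions.

Added example, not Apache's code. Checks the affected version ranges and two
configuration conditions (writable DefaultServlet, file-based session store);
the presence of a deserialization library is out of scope for a config check.
"""
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(v):
    """Sortable key; milestone builds (11.0.0-M1, 9.0.0.M1) sort before the GA release."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = milestone is None
    return (int(major), int(minor), int(patch), 1 if is_ga else 0, int(milestone or 0))


# Inclusive affected ranges as stated in the briefing.
AFFECTED_RANGES = [("11.0.0-M1", "11.0.2"), ("10.1.0-M1", "10.1.3"), ("9.0.0.M1", "9.0.98")]


def version_affected(v):
    k = version_key(v)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip the Java EE XML namespace that Tomcat's web.xml declares."""
    return tag.split("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True if the DefaultServlet has an init-param readonly=false (Tomcat's default is true)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False


def file_session_store(context_xml):
    """True if a PersistentManager uses FileStore without an explicit directory."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter("Manager"):
        if not mgr.get("className", "").endswith("PersistentManager"):
            continue
        for store in mgr.iter("Store"):
            if store.get("className", "").endswith("FileStore") and store.get("directory") is None:
                return True
    return False


def assess(version, web_xml, context_xml):
    """Combine the three checkable preconditions into one verdict."""
    findings = {
        "version_affected": version_affected(version),
        "default_servlet_writable": default_servlet_writable(web_xml),
        "file_session_store": file_session_store(context_xml),
    }
    findings["preconditions_met"] = all(findings.values())
    return findings


# Constructed minimal samples of the two configuration files.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")

SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for ver in ("9.0.98", "9.0.99", "10.1.3", "11.0.0-M1"):
        print(ver, assess(ver, SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML))
```

Run against the real files, the two XML checks plus a version read from `lib/catalina.jar` (or the startup banner) give a quick per-host answer; the conservative order of remediation remains upgrade first, and restore `readonly` to `true` in the meantime, since that single change removes the PUT-based write the exploit depends on.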
Phishing campaign exploits GitHub
A phishing campaign has targeted approximately 12,000 GitHub repositories with false "Security Alert" issues, deceiving developers into authorizing a malicious OAuth app that gives attackers full control over their accounts and code. The phishing issue warns users of unusual activity from Reykjavik, Iceland, and advises them to update their password, review active sessions, and enable two-factor authentication. However, the links provided lead to a GitHub authorization page for a "gitsecurityapp" OAuth app that requests risky permissions. If a user authorizes the app, an access token is generated and sent back to the app's callback address.
Large-scale Coinbase phishing campaign
A sophisticated phishing attack targeting Coinbase users is circulating, tricking recipients into setting up a new wallet using a pre-generated recovery phrase controlled by the attackers. The phishing email, which appears to pass email security checks, claims that Coinbase is transitioning to self-custodial wallets due to a court mandate. The email instructs users to import the provided recovery phrase into their new Coinbase Wallet. However, this recovery phrase is already known and controlled by the attackers, allowing them to steal any funds transferred into the new wallet.