how human behavior affects security

Programmer’s Digest #126

03/12/2025-03/19/2025 Critical mySCADA myPRO Flaws, GitHub Action Hack, Malicious PyPI Packages Stole Cloud Tokens And More.

1. Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems

Cybersecurity researchers have disclosed two critical flaws in mySCADA myPRO, a SCADA system used in operational technology (OT) environments. These vulnerabilities could allow attackers to take control of affected systems.

Swiss security firm PRODAFT warns that exploitation could lead to severe operational disruptions and financial losses. Both flaws, rated 9.3 on the CVSS v4 scale, involve OS command injection via specially crafted POST requests:

  • CVE-2025-20014 – Exploits a version parameter.
  • CVE-2025-20061 – Exploits an email parameter.

Successful attacks could enable arbitrary code execution. The flaws stem from improper input sanitization and have been patched in:

  • mySCADA PRO Manager 1.3
  • mySCADA PRO Runtime 9.2.1

PRODAFT stresses the need for stronger SCADA security. Organizations should apply patches, isolate SCADA from IT networks, enforce strong authentication, and monitor for threats.

2. GitHub Action Hack Likely Led to Another in Cascading Supply Chain Attack

A cascading supply chain attack started with the compromise of reviewdog/action-setup@v1, leading to the breach of tj-actions/changed-files and exposing CI/CD secrets. Attackers modified tj-actions/changed-files so that it wrote secrets to workflow logs in 23,000 repositories. Where those logs were public, critical credentials could have leaked.

Wiz researchers believe the root cause was reviewdog/action-setup, which was compromised to inject base64-encoded payloads dumping secrets to logs. Since tj-actions/eslint-changed-files used this action, attackers likely stole its Personal Access Token (PAT).

Other potentially affected actions:

  • reviewdog/action-shellcheck
  • reviewdog/action-composite-template
  • reviewdog/action-staticcheck

Mitigation: Developers should check for reviewdog/action-setup@v1 references, remove affected actions, delete logs, and rotate secrets. To prevent future breaches, pin actions to commit hashes and use GitHub’s allow-listing feature.

Swift action is needed to minimize risk from leaked CI/CD secrets.
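As an added example (not code from the digest or from the reviewdog or tj-actions projects), the following Python audit implements the mitigation above over a constructed sample workflow: it flags `uses:` references to the two actions named in this item and any reference that is not pinned to a full 40-hex commit SHA. The sample SHA and the `audit_repo` path layout are assumptions.

```python
import re
from pathlib import Path

# Constructed sample workflow (not taken from any affected repository).
# The checkout SHA below is made up; it only needs to look like a full commit hash.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions named in the advisory summarised above.
ADVISORY_ACTIONS = {"reviewdog/action-setup", "tj-actions/changed-files"}


def audit_workflow(text):
    """Return a list of (reference, reason) for each risky `uses:` entry."""
    findings = []
    for ref in USES_RE.findall(text):
        # Local composite actions and container images are outside this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        if name in ADVISORY_ACTIONS:
            findings.append((ref, "references an action named in the advisory"))
        if not FULL_SHA_RE.match(version):
            findings.append((ref, "not pinned to a full commit SHA"))
    return findings


def audit_repo(root):
    """Audit every workflow file under <root>/.github/workflows (assumed layout)."""
    results = {}
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings = audit_workflow(path.read_text())
        if findings:
            results[str(path)] = findings
    return results
```

A full-SHA pin only covers the top-level action; steps inside a composite action resolve their own `uses:` references, which is how a pinned caller can still inherit an unpinned dependency.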

3. Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal

Cybersecurity researchers warn of a malicious campaign targeting PyPI users with fake “time”-themed packages designed to steal cloud access tokens.

ReversingLabs identified 20 such packages, downloaded over 14,100 times, including acloud-client (5,496 downloads) and snapshot-photo (2,448 downloads). These packages either upload stolen data or impersonate cloud service clients (AWS, Alibaba Cloud, Tencent Cloud) to exfiltrate secrets.

Three packages—acloud-client, enumer-iam, and tcloud-python-test—were dependencies of accesskey_tools, a GitHub project with 519 stars and 42 forks, suggesting a widespread impact. The malicious packages have now been removed from PyPI.

Meanwhile, Fortinet FortiGuard Labs found thousands of suspicious PyPI and npm packages embedding malicious install scripts or communicating with command-and-control (C&C) servers.

Mitigation: Developers should monitor dependencies for suspicious URLs and scrutinize package sources to prevent data theft and malware infections.

4. OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

A new malware campaign, OBSCURE#BAT, uses social engineering to deploy the r77 rootkit, enabling persistence and evasion on infected systems. The attackers remain unidentified. The rootkit hides files, registry keys, and tasks with a specific prefix. It spreads through fake software downloads and CAPTCHA scams, mainly targeting users in the U.S., Canada, Germany, and the U.K.

Initial infection methods include:

  • Fake Cloudflare CAPTCHA pages (ClickFix strategy)
  • Malware disguised as legitimate tools like Tor Browser and VoIP software

Once executed, a batch script runs PowerShell commands to modify the Windows Registry, set up scheduled tasks, and install a stealthy rootkit (ACPIx86.sys). The malware also patches AMSI to bypass antivirus detection and monitors clipboard activity for potential data theft.

OBSCURE#BAT demonstrates advanced evasion techniques, making detection difficult. Security researchers warn that its persistence mechanisms ensure it survives reboots and injects into critical processes like winlogon.exe.

Programmer’s Digest #125

03/05/2025-03/12/2025 FreeType Vulnerability, Over 400 IPs Exploiting Multiple SSRF Vulnerabilities, 3 Ivanti Flaws And More.

1. FreeType Vulnerability Actively Exploited for Arbitrary Code Execution

A critical vulnerability (CVE-2025-27363) in FreeType (versions ≤2.13.0) is being actively exploited, potentially leading to arbitrary code execution.

Vulnerability Details

The flaw occurs when parsing TrueType GX and variable fonts, due to improper assignment of a signed short to an unsigned long, causing a heap buffer overflow. This results in out-of-bounds writes, enabling attackers to execute malicious code.

Affected Versions: FreeType 0.0.0 – 2.13.0

Recommendations

  • Update FreeType to a version above 2.13.0
  • Monitor for suspicious activity indicating exploitation
  • Enhance security with firewalls and intrusion detection systems

This vulnerability poses a serious risk to affected systems, making immediate updates and security measures essential.

2. Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

Threat intelligence firm GreyNoise warns of a coordinated surge in SSRF vulnerability exploitation across multiple platforms. At least 400 IPs have been observed attacking multiple SSRF CVEs simultaneously, starting March 9, 2025.

Targeted countries include the U.S., Germany, Singapore, India, Lithuania, Japan, and Israel, which saw a spike on March 11, 2025.

Exploited SSRF vulnerabilities include:

  • Zimbra Collaboration Suite (CVE-2020-7796, 9.8 CVSS)
  • GitLab CE/EE (CVE-2021-22175, 9.8 CVSS)
  • Ivanti Connect Secure (CVE-2024-21893, 8.2 CVSS)
  • And others from VMware, DotNetNuke, and ColumbiaSoft

Attackers are targeting multiple SSRF flaws simultaneously, suggesting automation and intelligence gathering. GreyNoise suspects Grafana reconnaissance precedes the attacks.

Users should apply patches, restrict outbound connections, and monitor for suspicious traffic as SSRF can expose internal networks and steal cloud credentials.

3. 3 Ivanti Flaws Added to CISA’s Vulnerabilities Catalogue

The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its catalogue, including three Ivanti Endpoint Manager (EPM) flaws that pose a serious security risk.

Newly Listed Vulnerabilities:

  • Advantive VeraCore SQL Injection (CVE-2025-25181)
  • Advantive VeraCore Unrestricted File Upload (CVE-2024-57968)
  • Ivanti EPM Path Traversal (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161)

Experts warn that the Ivanti flaws allow remote, unauthenticated attackers to fully compromise servers. Organizations delaying patches risk domain compromise, credential theft, and lateral movement by attackers.

With Ivanti’s vast market share (400,000+ companies), unpatched systems remain prime targets. CISA urges immediate patching, assuming potential compromise and monitoring for indicators of attack.

4. This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions

Cybersecurity researchers uncovered a malicious Python package, set-utils, on PyPI, designed to steal Ethereum private keys by impersonating popular libraries. The package, downloaded 1,077 times, has since been removed.

The set-utils package mimics widely used libraries like python-utils (712M+ downloads) to trick developers, particularly those working with Ethereum wallets and blockchain applications.

The malware intercepts private keys during wallet creation functions like “from_key()” and “from_mnemonic()”, then encrypts and exfiltrates them via blockchain transactions using Polygon’s RPC endpoint to evade detection.
By running in a background thread, the attack remains stealthy, ensuring stolen keys are sent unnoticed. Socket warns that even successfully created Ethereum accounts are compromised.

Developers should verify package authenticity before installation and monitor for unexpected network activity to protect sensitive data.

5. Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access

Over 1,000 WordPress websites have been infected with malicious JavaScript injecting four backdoors, allowing attackers multiple re-entry points.

The script, served via cdn.csyndication[.]com, has been detected on 908 sites. The backdoors:

  1. Fake Plugin – Installs “Ultra SEO Processor” to execute attacker commands.
  2. Code Injection – Adds malicious JavaScript to wp-config.php.
  3. SSH Access – Inserts an attacker-controlled SSH key for persistent access.
  4. Remote Commands – Executes commands and opens a reverse shell via gsocket[.]io.

To mitigate risks, users should remove unauthorized SSH keys, rotate admin credentials, and monitor logs.

Meanwhile, a separate malware campaign hijacked 35,000+ websites, redirecting users to Chinese gambling platforms via JavaScript from domains like mlbetjs[.]com.
Additionally, the ScreamedJungle group has compromised 115+ Magento e-commerce sites using Bablosoft JS for browser fingerprinting, exploiting known Magento vulnerabilities (CVE-2024-34102, CVE-2024-20720).

Programmer’s Digest #124

02/26/2025-03/05/2025 Broadcom Releases Patches; Cisco, Hitachi, Microsoft, and Progress Flaws; Paragon Partition Manager Driver Vulnerability.

1. VMware Flaws Exploited in the Wild—Broadcom Releases Patches

Broadcom released an advisory on March 4 addressing three VMware vulnerabilities, one critical, that allow attackers to access the hypervisor via a virtual machine. These flaws — CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (8.2), and CVE-2025-22226 (7.1) — are already being exploited.

Security teams using VMware ESX, vSphere, Cloud Foundation, or Telco Cloud Platform should patch immediately. The critical flaw enables a heap overflow to execute code as the host’s VMX process, while the others also allow privilege escalation. These zero-days pose a serious risk, enabling attackers to seize hypervisor control. VMware exploits show a trend of deep system breaches. The likely attackers are state-sponsored or APT groups seeking persistent access, data exfiltration, and system disruption.

2. Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

CISA added five security flaws to its KEV catalog due to active exploitation. These impact Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold.

Key vulnerabilities include:

  • CVE-2023-20118 (Cisco routers, CVSS 6.5) – Allows remote root access; unpatched due to end-of-life.
  • CVE-2022-43939 & CVE-2022-43769 (Hitachi Vantara, CVSS 8.6 & 8.8) – Enable authorization bypass and command execution; patched in August 2024.
  • CVE-2018-8639 (Windows Win32k, CVSS 7.8) – Allows privilege escalation; patched in 2018.
  • CVE-2024-4885 (WhatsUp Gold, CVSS 9.8) – Enables remote code execution; patched in June 2024.

Threat actors exploit these flaws, with CVE-2023-20118 used in the PolarEdge botnet and CVE-2024-4885 observed in attacks worldwide. A Chinese hacking group exploited CVE-2018-8639 in South Korea.

Federal agencies must apply mitigations by March 24, 2025.

3. Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Threat actors are exploiting a zero-day flaw (CVE-2025-0289) in Paragon Partition Manager’s BioNTdrv.sys driver for ransomware attacks, enabling privilege escalation and arbitrary code execution. Discovered by Microsoft, this flaw is part of five vulnerabilities affecting BioNTdrv.sys versions 1.3.0 and 1.5.1. These include kernel memory mapping and write flaws, a null pointer dereference, and insecure kernel resource access, according to CERT/CC. Attackers with local access can escalate privileges or trigger denial-of-service (DoS) attacks.

A Bring Your Own Vulnerable Driver (BYOVD) attack is possible on systems where the driver isn’t installed, granting elevated privileges. Paragon Software has addressed the issues in version 2.0.0, and Microsoft has added the vulnerable driver to its blocklist. This comes shortly after Check Point uncovered a malware campaign exploiting another Windows driver (truesight.sys) to deploy Gh0st RAT malware.

4. Widespread Network Edge Device Targeting Conducted by PolarEdge Botnet

Over 2,000 Cisco, QNAP, Synology, and ASUS network edge devices worldwide have been compromised by the PolarEdge botnet since late 2023. Affected regions include the U.S., Taiwan, Russia, India, Brazil, Australia, and Argentina.

French cybersecurity company Sekoia said it observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers that could result in arbitrary command execution on susceptible devices. The vulnerability remains unpatched because the routers have reached end-of-life (EoL) status. As a workaround, Cisco recommended in early 2023 disabling remote management and blocking access to ports 443 and 60443.

This follows reports from SecurityScorecard of large-scale password spraying attacks on Microsoft 365 accounts. A botnet of over 130,000 compromised devices—likely linked to a China-based threat group—was behind the campaign.
