This week’s headlines show the line between defender and adversary eroding fast. U.S. authorities charged former cybersecurity pros for operating the ALPHV/BlackCat ransomware gang, while a malicious Open VSX extension used Ethereum smart contracts for command-and-control. Meanwhile, threat actors are turning RMM tools into vehicles for real-world cargo theft. Here are the key stories and defensive moves that matter now.

🚨 Top Stories

1. Former security pros charged in ALPHV/BlackCat ransomware scheme
U.S. prosecutors indicted three American cyber professionals for running ransomware operations aligned with ALPHV/BlackCat, leveraging their incident-response skills to extort victims.
Source — Reuters
💡 Key Takeaway: Even trusted defenders can turn rogue. Treat security and IR roles as insider-risk positions with strong access auditing and rotation policies.

2. “SleepyDuck” VSX extension backdoors developers via Ethereum smart contracts
A malicious Open VSX extension posing as a Solidity plugin planted a remote-access trojan using on-chain C2 instructions. Tens of thousands of downloads preceded its removal.
Source — Bleeping Computer
💡 Key Takeaway: Your developer ecosystem is part of the supply chain. Limit IDE extensions in sensitive environments and mirror verified packages internally.

3. RMM tools abused to steal freight and cargo
Criminal groups are breaching logistics companies and using legitimate remote management software (ScreenConnect, Fleetdeck, N-able) to reroute shipments and steal goods.
Source — Bleeping Computer
💡 Key Takeaway: RMM and monitoring platforms are high-value attack surfaces. Enforce MFA, network segmentation, and continuous behavioral logging.

🛠️ Vulnerability Spotlight

CVE-2025-61932 — Lanscope Endpoint Manager zero-day exploited by Tick group
China-linked operators used this critical (9.3 CVSS) flaw to deploy Gokcpdoor backdoors against Asian corporate targets. CISA has added it to the KEV catalog.
Source — The Hacker News
💡 Key Takeaway: Patch immediately or isolate the product. Assume compromise and hunt for outbound Lanscope traffic.

CVE-2024-1086 — Linux kernel privilege-escalation actively exploited
Ransomware operators now weaponize this use-after-free bug in the kernel's netfilter nf_tables subsystem to gain root after initial access.
Source — Bleeping Computer
💡 Key Takeaway: Kernel bugs aren’t “internal-only.” Update now and tighten EPP/EDR telemetry for priv-esc attempts.

📈 Trend to Watch

Trust is the new attack surface
Attackers are embedding C2 on blockchains, abusing legitimate tools, and turning defenders into insiders. Detection must shift from perimeter breach to behavior anomaly.
💡 Key Takeaway: Expand visibility to include extension lifecycles, RMM usage, and on-chain telemetry. Assume “legit” tools can go bad.

🏛️ Policy & Regulation Watch

U.S. mulls ban on TP-Link routers over China ties
Commerce and Defense agencies support restricting TP-Link devices citing espionage risk and firmware exposure concerns.
Source — SC World
💡 Key Takeaway: Inventory consumer-grade network gear in remote offices and plan vendor alternatives for compliance.

🧰 Tool / Resource of the Week

Operationalizing NIST 800-53 with Continuous Exposure Management
A practical framework for translating NIST controls into attack-path-based prioritization.
Source — Vicarius
💡 Key Takeaway: Shift from checkbox compliance to live exposure reduction — connect controls to real attack paths.

⚡ Quick Hits

  • Cybercriminals exploit RMM tools to steal real-world cargo — Threat actors use remote-monitoring software in freight and trucking networks to reroute shipments. Help Net Security
    💡 Key Takeaway: Segment and restrict RMM access; cargo theft is now a cyber + physical risk.

  • CISA warns Linux kernel flaw now used in ransomware attacks — CVE-2024-1086 is being weaponized for root access. TechRadar Pro
    💡 Key Takeaway: Patch affected kernels immediately; privilege-escalation bugs are central to ransomware chains.

  • Chinese group UNC6384 targets diplomats via malicious LNK files — PlugX malware delivered through Windows shortcut exploits. Arctic Wolf Labs
    💡 Key Takeaway: Disable LNK previews and tighten attachment controls for executive and diplomatic users.

  • CTEM gains traction post-RSA 2025 — Continuous Threat Exposure Management is becoming the new baseline for SOCs. The Hacker News
    💡 Key Takeaway: Replace annual pen tests with continuous exposure validation loops.

  • Texas Cyber Command launches at UT San Antonio — Expands state-level cyber-defense collaboration. UTSA News
    💡 Key Takeaway: Expect new coordination standards for vendors supporting Texas government networks.

🛡️ Actionable Defense Move of the Week

Audit Privileged Access and Defender Tools

  • Inventory all users with admin rights on SOC, RMM, EDR, and CI/CD systems.

  • Enforce MFA and network segmentation for those accounts.

  • Log and review tool extensions and plugin installs.

  • Patch Lanscope and Linux kernels immediately; hunt for Tick and Gokcpdoor IOCs.
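A small audit helper that turns the first three moves above into checks that can run against exported data. This is an added example, not InfoSec.Watch tooling or any vendor's product: the account records, the process-start events, the host names, the approved-host set and the process executable names (ScreenConnect.ClientService.exe, fleetdeck_agent.exe, NableAgent.exe) are all constructed sample values, and a real deployment would read the same shapes from an IdP export and EDR telemetry instead.

```python
"""Audit helper (hypothetical, added example): flag privileged accounts without MFA
on defender/RMM/CI systems, and flag RMM tool launches on hosts not approved for RMM.
Both inputs below are constructed sample data, not real exports."""
import re

# RMM products named in this week's cargo-theft story; matched case-insensitively
# against the process name of each start event.
RMM_PATTERNS = [re.compile(p, re.IGNORECASE)
                for p in (r"screenconnect", r"fleetdeck", r"n-?able")]

# Constructed: privileged-account inventory from SOC, RMM, EDR and CI/CD systems.
PRIV_ACCOUNTS = [
    {"system": "EDR-console",      "user": "alice",      "role": "admin",   "mfa": True},
    {"system": "RMM-ScreenConnect", "user": "bob",       "role": "admin",   "mfa": False},
    {"system": "CI-jenkins",       "user": "svc-deploy", "role": "admin",   "mfa": False},
    {"system": "SOC-siem",         "user": "carol",      "role": "analyst", "mfa": False},
]

# Constructed: endpoint process-start events, one per line: timestamp|host|user|process
PROC_EVENTS = """\
2025-11-03T08:12:01Z|helpdesk-01|it.tech|ScreenConnect.ClientService.exe
2025-11-03T09:40:17Z|dispatch-07|j.smith|fleetdeck_agent.exe
2025-11-03T09:41:05Z|dispatch-07|j.smith|notepad.exe
2025-11-03T11:02:44Z|warehouse-kiosk-3|SYSTEM|NableAgent.exe
"""

# Constructed: hosts where an RMM agent is sanctioned (e.g. the helpdesk jump box).
APPROVED_RMM_HOSTS = {"helpdesk-01"}


def admins_without_mfa(accounts):
    """Return (system, user) pairs holding admin rights with MFA disabled, sorted."""
    return sorted((a["system"], a["user"]) for a in accounts
                  if a["role"] == "admin" and not a["mfa"])


def is_rmm_process(process_name):
    """True if the process name matches any RMM product pattern."""
    return any(p.search(process_name) for p in RMM_PATTERNS)


def rmm_on_unapproved_hosts(events_text, approved_hosts):
    """Parse pipe-delimited start events; return those where an RMM tool ran on a
    host outside the approved set, as (timestamp, host, user, process) tuples.
    Malformed lines are skipped rather than crashing the audit."""
    findings = []
    for line in events_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, host, user, process = parts
        if is_rmm_process(process) and host not in approved_hosts:
            findings.append((ts, host, user, process))
    return findings


if __name__ == "__main__":
    for system, user in admins_without_mfa(PRIV_ACCOUNTS):
        print(f"[MFA] admin without MFA: {user} on {system}")
    for ts, host, user, process in rmm_on_unapproved_hosts(PROC_EVENTS, APPROVED_RMM_HOSTS):
        print(f"[RMM] {ts} {process} started by {user} on unapproved host {host}")
```

The approved-host set is the key design choice: an RMM agent is expected on the helpdesk box, so the same process name is benign there and a finding everywhere else. That mirrors the "behavior anomaly, not signature" shift described under Trend to Watch.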

💡 Key Takeaway: Assume your own tools can be weapons. Shrink the trusted surface and monitor it like an adversary.

🏁 Final Word

This week reminds us: enterprise software (Oracle EBS) is as vulnerable as infrastructure (firewalls). Two new EBS bugs and unresolved firewall zero-days demand urgency. Patch, hunt, isolate — and assume adversaries will not wait.

Stay vigilant.

That’s it for this week — stay sharp. Share InfoSec.Watch with a teammate so they don’t fall behind.
