Cyware Daily Threat Intelligence, March 21, 2025

A stealthy cyber campaign briefly surfaced before vanishing. Researchers uncovered a public web server tied to a campaign targeting South Korean entities, hosting a Rust-based payload delivering Cobalt Strike Cat alongside open-source hacking tools. The infrastructure disappeared within 24 hours but revealed a target list of over 1,000 Korean domains.

A backup tool vulnerability is now a fast track for attackers. CISA issued a warning for an absolute path traversal flaw in Nakivo Backup and Replication that is being actively exploited to read arbitrary files from the appliance and expose sensitive enterprise data. The vulnerability has also been added to the KEV catalog.

Fake ads are turning Semrush into phishing bait. A malicious ad campaign is tricking users into visiting fraudulent Semrush login pages, stealing Google credentials by forcing victims to use the “Log in with Google” option on spoofed pages.

Top Malware Reported in the Last 24 Hours

Rust beacon uses Cobalt Strike 

Hunt researchers discovered a publicly exposed web server containing tools linked to an intrusion campaign targeting South Korean organizations. The server, which was reachable for less than 24 hours, hosted a Rust-compiled Windows executable that delivered Cobalt Strike Cat (CS Cat), a modified build of the Cobalt Strike post-exploitation framework. The actor also staged open-source tools such as SQLMap, Web-SurvivalScan, and dirsearch to find and exploit vulnerable web applications. A list of more than 1,000 Korean domains belonging to government agencies, local municipalities, and private businesses was present on the server and appears to have been used for target selection.

VSCode extensions downloading ransomware

Two malicious extensions, "ahban.shiba" and "ahban.cychelloworld," capable of deploying ransomware were found on the VSCode Marketplace. Both passed Microsoft's review process and remained listed for an extended period. The ransomware appeared to be under development: it encrypted only files in a specific test folder and demanded 1 ShibaCoin for recovery. The episode shows that marketplace review alone is not a control; extensions should be allowlisted and their update channels monitored.

Top Vulnerabilities Reported in the Last 24 Hours

CISA warns of Nakivo bug

CISA issued a warning about a high-severity absolute path traversal vulnerability (CVE-2024-48248) in Nakivo Backup and Replication that has been exploited in the wild. The flaw lets an unauthenticated attacker read arbitrary files from the backup host, including configuration and stored credential material, which exposes sensitive data and can be used as a stepping stone to further compromise of the enterprise environment. CISA added the issue to its KEV catalog and directed federal agencies to apply the available patches by April 9.
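The bug class here, an absolute path traversal in a handler that is meant to serve only static images, is easy to reproduce and easy to miss in review. The following is an added illustration written for this briefing; it is not Nakivo's code and does not reproduce the actual request used against CVE-2024-48248. The directory layout, file names and handler names are hypothetical. The vulnerable resolver relies on os.path.join, which silently discards the base directory when the caller-supplied path is absolute; the hardened resolver rejects absolute input, canonicalises the path and requires the result to remain under the static root.

```python
"""Absolute path traversal: vulnerable static-file resolver beside a hardened one.
Example code for this briefing, not Nakivo's code. All paths are hypothetical."""
import os
import tempfile
from pathlib import Path


def vulnerable_resolve(base_dir: str, requested: str) -> Path:
    """Trusts the request. os.path.join(base, '/etc/passwd') == '/etc/passwd',
    so an absolute 'requested' escapes base_dir entirely; '../x' escapes it too."""
    return Path(os.path.join(base_dir, requested))


def hardened_resolve(base_dir: str, requested: str) -> Path:
    """Reject absolute input, then resolve symlinks and '..' and confirm the
    canonical result still lives under the canonical base directory."""
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    root = Path(base_dir).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError("path escapes the static directory")
    return candidate


def read_static(base_dir: str, requested: str, resolver) -> bytes:
    """Stand-in for a 'getImageByPath'-style handler: resolve, then read."""
    return resolver(base_dir, requested).read_bytes()


def demo() -> dict:
    """Build a constructed layout (images/logo.png plus a sensitive file one
    level up) and exercise both resolvers. Returns the observed outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        images.mkdir()
        (images / "logo.png").write_bytes(b"PNG-bytes")          # constructed asset
        secret = Path(tmp) / "config.db"
        secret.write_bytes(b"stored-credentials")                # constructed secret

        # Vulnerable handler: legitimate request works, and so does the escape.
        results["vuln_legit"] = read_static(str(images), "logo.png", vulnerable_resolve)
        results["vuln_abs"] = read_static(str(images), str(secret), vulnerable_resolve)

        # Hardened handler: legitimate request works, both escapes are refused.
        results["hard_legit"] = read_static(str(images), "logo.png", hardened_resolve)
        for label, attempt in (("hard_abs", str(secret)), ("hard_dotdot", "../config.db")):
            try:
                read_static(str(images), attempt, hardened_resolve)
                results[label] = "allowed"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12s} {value!r}")
```

When hunting for exploitation of this class in web server logs, the tell is a request to a static-content endpoint whose path parameter is absolute (a leading slash or a Windows drive letter) or contains encoded dot segments; the hardened resolver above refuses both before any file is opened.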

Active exploitation of CSLU instances

Cisco Smart Licensing Utility (CSLU) instances are being targeted by attackers through a vulnerability that exposes a static administrative credential built into the application. CSLU, a Windows application used to manage licenses and linked products on-premises, carried the flaw (CVE-2024-20439) until Cisco patched it in September 2024. It allows an unauthenticated remote attacker to log in to the CSLU API with administrative privileges. Cisco addressed a second critical vulnerability (CVE-2024-20440) at the same time, which lets an attacker obtain sensitive data, including credentials, from log files via a crafted API request. Only systems running vulnerable CSLU releases are affected, and because CSLU does not run as a background service, the flaws are exploitable only while a user has the application started.

Top Scams Reported in the Last 24 Hours

Semrush impersonation scam

A new operation is impersonating Semrush as part of a malicious online advertising campaign. The criminals take an indirect route to compromising Google advertisers, and potentially their Semrush accounts, by placing malicious ads that redirect users to fraudulent Semrush login pages. The phishing pages offer only the "Log in with Google" option, forcing victims to enter their Google account credentials, which the threat actors then harvest. The ads use unique, disposable domain names that redirect to a smaller set of static domains hosting the fake login pages, so blocking should target the landing domains rather than the individual ad domains.
