FBI and CISA warn of Medusa ransomware attacks impacting critical infrastructure. Learn about Medusa’s tactics, prevention tips, and…

FBI and CISA warn of Medusa ransomware attacks impacting critical infrastructure. Learn about Medusa’s tactics, prevention tips, and why paying ransoms is discouraged. 

A joint advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) has revealed a particularly aggressive digital threat- a criminal operation, known as the Medusa ransomware gang.

According to the advisory (#StopRansomware: Medusa Ransomware), Medusa, a ransomware-as-a-service (RaaS) group first identified in June 2021, has become a serious threat to critical infrastructure sectors in the United States.

Authorities have identified a pattern of attacks affecting organizations across diverse sectors, including healthcare, education, law firms, insurance providers, technology companies, and manufacturers. Their victims include Bell Ambulance in Wisconsin, CPI Books, Customer Management Systems, and Heartland Health Center. The sheer number of victims, surpassing 300 as of December 2024, highlights the scope of this threat. 

The actors utilize different methods to infiltrate systems, including deceptive communications (phishing) and exploiting unpatched software vulnerabilities (e.g. ScreenConnect authentication bypass CVE-2024-1709). Once inside a network, they use legitimate system administration tools to move undetected. 

They employ a unique approach to extortion, which involves encrypting victims’ data and rendering it inaccessible, along with threatening to expose sensitive information if their demands are not met. This tactic creates immense pressure on targeted organizations, forcing them to consider paying the ransom to prevent public disclosure of their data.  

“Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa,” the advisory (PDF) warns.

Medusa uses advanced techniques to conceal its activities, such as remote access software to control compromised systems and using encrypted scripts and tools to create hidden connections to its command servers, thereby evading security software detection. 

A particularly concerning aspect of this operation is the aggressive nature of their extortion tactics. Victims are given a very short window of time to pay the ransom, often just two days. They are pressured through direct communication, and if they fail to comply, their stolen data is made available on darknet websites. There are even reports that paying the initial ransom might not guarantee the end of the ordeal, as further demands may follow.

In response to this growing threat, federal agencies have emphasized the need for ensuring regular software updates, implementing reliable access controls, and using multi-factor authentication. They also advise monitoring network activity for suspicious behaviour, limiting the use of remote desktop protocols, and segmenting networks to contain any potential breaches. 

Moreover, users are urged to enable two-factor authentication (2FA) for webmail and VPNs as social engineering is a significant factor in these attacks. All organizations affected by the Medusa ransomware are requested to report the incidents to law enforcement and to avoid paying any ransom demands.

FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware

February 2025 saw a record 126% surge in ransomware attacks, with Cl0p leading the charge. Hackers exploited file…

February 2025 saw a record 126% surge in ransomware attacks, with Cl0p leading the charge. Hackers exploited file transfer flaws, infostealers, and AI-driven tactics, reveals Bitdefender’s latest Threat Debrief report.

Cybersecurity just reached a new milestone; and not in a good way. According to Bitdefender’s latest Threat Debrief report, February 2025 was the worst month in history for ransomware attacks, with a 126% increase in claimed victims compared to the same period last year.

This surprising jump saw the number of victims soar from 425 in February 2024 to a staggering 962 in February 2025. The massive surge in ransomware attacks occurred despite the United States-led alliance of 40 countries, announced in November 2023, aimed at dismantling ransomware gangs and their infrastructure. The initiative focused on disrupting payments, taking down infrastructure, and enhancing intelligence sharing.

****Clop (Cl0p) Ransomware at Its Peak****

According to Bitdefender’s report shared with Hackread.com ahead of publishing on Thursday, Cl0p ransomware group Clop was responsible for more than a third of the attacks, claiming 335 victims in just one month. This makes a 300% increase from the previous month.

So, what’s behind this sudden rise in attacks? Cybersecurity experts point to a new trend that’s not so new: attackers are increasingly targeting vulnerabilities in edge network devices, such as file transfer systems and remote access tools.

Instead of focusing on specific industries, these opportunistic hackers are scanning the internet for easily exploitable flaws and launching automated attacks. For example, the Cl0p ransomware gang is notorious for exploiting vulnerabilities in MOVEit, a managed file transfer (MFT) software, with the highest frequency in 2023. The group stole so much data through MOVEit vulnerabilities that it launched a clearnet website to leak stolen information from victims worldwide.

In December 2024, Cl0p also announced exploiting security vulnerabilities in Cleo’s managed file transfer software, specifically targeting Cleo Harmony, VLTrader, and LexiCom products. Bitdefender’s Threat Debrief report also spotted Cl0p’s exploitation of Cleo vulnerabilities, especially CVE-2024-50623 and CVE-2024-55956 both rated 9.8 out of 10 in severity.

Both flaws allow attackers to execute commands remotely on compromised systems and were disclosed late last year. Despite patches being available, many organizations failed to update their systems in time, leaving them wide open to exploitation leading to the surge in victims seen in February 2025.

The illustration highlights the rapid pace at which ransomware gangs exploit vulnerabilities and shift to new targets. (Credit: Ditdefender)

****Other Notable Developments in the Ransomware World****

Beyond the record-breaking numbers, Bitdefender researchers noticed several other noteworthy trends in February 2025 including:

****FunkSec’s New Infostealer****

FunkSec, a growing ransomware group, released Wolfer, a tool designed to extract sensitive information from infected machines. It communicates with a Telegram bot to gather system details, Wi-Fi passwords, and more.

A ransomware gang using infostealers is bad news, especially as researchers recently found that cybercriminals are successfully breaching U.S. national security with infostealers as cheap as $10. Even high-security institutions like the military and the FBI have had their systems compromised, with access being sold on the dark web.

****Black Basta Gets Analyzed by AI****

On February 11, 2025, the notorious Black Basta ransomware gang had its internal chats leaked. These chats contained over 200,000 Russian-language messages. Hudson Rock’s researchers created a chatbot called BlackBastaGPT to sift through the chat logs.

Insights revealed details about their profits, use of deepfake technology, and internal conflicts. The group’s leader emphasized avoiding detection by using built-in system tools, a tactic known as “living off the land.”

****Ghost Ransomware Under Scrutiny****

A joint advisory from CISA highlighted Ghost (also known as Cring), a China-based ransomware operation exploiting older but still unpatched vulnerabilities. Recommendations include patching affected software, segmenting networks, and backing up data regularly.

****Akira’s Webcam Hack****

The Akira ransomware gang found a creative way to bypass security by hijacking a victim’s webcam. Since the device ran Linux and wasn’t monitored closely, it became the perfect launchpad for encrypting files across the network undetected.

****Top 10 Companies Most Targeted by Ransomware Gangs****

The United States, Canada, the UK, Germany, and other developed nations remain the biggest targets of ransomware groups. These countries are highly vulnerable due to their reliance on connected edge devices, cloud infrastructure, and critical business data.

In total, these are the top 10 companies most targeted by ransomware gangs:

1.  USA
2.  Canada
3.  The UK
4.  Germany
5.  France
6.  Australia
7.  Brazil
8.  Mexico
9.  Italy
10.  Sweden

For those looking to understand the full scope of modern ransomware operations and how to fight back, Bitdefender has published a comprehensive whitepaper detailing current attack methods and defence strategies. You can access it here.

Ransomware Hits Record High: 126% Surge in Attacks in February 2025

A misconfigured database exposed 108.8 GB of sensitive data, including information on over 86,000 healthcare workers affiliated with…

A misconfigured database exposed 108.8 GB of sensitive data, including information on over 86,000 healthcare workers affiliated with ESHYFT, a New Jersey-based HealthTech company operating across 29 states. ESHYFT also provides a mobile platform that connects healthcare facilities with qualified nursing professionals.

The exposed database was not password-protected or encrypted and contained a treasure trove of personally identifiable information (PII) including SSNs, scans of identification documents, salary details, work history, and more.

The database was discovered by cybersecurity researcher Jeremiah Fowler who shared their report with Hackread.com revealing that the exposed data included profile images, facial images, professional certificates, work assignment agreements, CVs, and resumes.

Additionally, one spreadsheet document contained over 800,000 entries detailing nurses’ internal IDs, facility names, time and date of shifts, hours worked, and more. What’s worse, medical documents, including medical reports containing information on diagnoses, prescriptions, or treatments, were also exposed.

The exposure of such sensitive data could potentially fall under HIPAA regulations. It can also expose vulnerable users to online and physical risks, including identity theft, employment fraud, financial fraud, and targeted phishing campaigns.

The good news is that Fowler immediately notified ESHYFT. The bad news is that it took the company over a month after being alerted to restrict public access to the database. However, according to Fowler, the exposed database was not owned or directly managed by ESHYFT.

It remains unclear whether a third-party contractor was responsible for its management. Additionally, the duration of the exposure and whether unauthorized parties accessed the data are unknown.

Nevertheless, cybercriminals could use the exposed data to commit crimes in the victims’ names or deceive them into revealing additional personal or financial information. Therefore, HealthTech must implement proper cybersecurity measures including:

*   Implement mandatory encryption protocols for sensitive data.

*   Use multi-factor authentication to prevent unauthorized access.

*   Conduct regular security audits to identify potential vulnerabilities.

*   Segregate sensitive data and assign expiration dates for data that is no longer in use.

*   Have a data breach response plan in place and a dedicated communication channel for reporting potential security incidents.

*   Provide timely responsible disclosure notices to affected individuals and educate them on how to recognize phishing attempts.

HealthTech Database Exposed 108GB Medical and Employment Records

OBSCURE#BAT malware campaign exploits social engineering & fake software downloads to evade detection, steal data and persist on…

OBSCURE#BAT malware campaign exploits social engineering & fake software downloads to evade detection, steal data and persist on systems. Learn how to stay safe.

Cybersecurity researchers at Securonix Threat Labs have spotted a new malware campaign called OBSCURE#BAT. This campaign uses social engineering tactics and fake software downloads to trick users into executing malicious code, enabling attackers to infect systems and avoid detection.

The attack begins with a user executing a malicious batch file, which is often disguised as legitimate security features or malicious software downloads. Once executed, the malware establishes itself by creating scheduled tasks and modifying the Windows Registry to operate even after the system reboots.

The malware then uses a user-mode rootkit to hide its presence on the system, making it difficult for users and security tools to detect. The rootkit can hide files, registry entries, and running processes, allowing the malware to embed further into legitimate system processes and services.

****Fake Captchas and Malicious Software Downloads****

As seen in recent similar campaigns, hackers have been leveraging typosquatting and social engineering tactics to present fake products as legitimate within their supply chains. This includes:

**Masquerading Software:** Attackers also disguise their malicious files as trustworthy applications, such as Tor Browser, SIP (VoIP) software or Adobe products, increasing the chances that users will execute them.

**Fake Captchas:** Users may encounter a fake captcha, especially the Cloudflare captcha feature, that tricks them into executing malicious code. These captchas often originate from typosquatted domains, resembling legitimate sites. When users attempt to pass the captcha, they are prompted to execute code that has been copied to their clipboard.

Fake captcha used in the attack (Screenshot Securonix)

****Evasion Techniques****

The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques. These include:

**API Hooking:** By using user-mode API hooking, the malware can hide files, registry entries, and running processes. This means that common tools like Windows Task Manager and command-line commands cannot see certain files or processes, particularly those that fit a specific naming scheme (e.g., those starting with “$nya-“).

**Registry Manipulation:** It registers a fake driver (ACPIx86.sys) in the registry to ensure further persistence. This driver is linked to a Windows service, allowing it to execute malicious code without raising suspicion.

**Stealthy Logging:** The malware monitors user interactions, such as clipboard activity, and regularly writes this data to encrypted files, further complicating detection and analysis.

****Countries Targeted in the OBSCURE#BAT Attack****

According to Securonix’s detailed technical report, shared with Hackread.com before its official release on Thursday, the malware appears to be financially motivated or aimed at espionage, targeting users primarily in the following countries:

*   Canada
*   Germany
*   United States
*   United Kingdom

****How to Protect Yourself from the OBSCURE#BAT Attack****

While common sense is a must when downloading software or clicking on unknown links, users and organizations should also follow these key security measures to protect their systems from OBSCURE#BAT and similar threats:

*   **Clean downloads**: Only download software from legitimate websites, and be wary of fake captchas and other social engineering tactics.

*   **Use endpoint logging**: For organizations, deploy endpoint logging tools, such as Sysmon and PowerShell logging, to enhance detection and response capabilities.

*   **Monitor for suspicious activity**: Regularly monitor systems for suspicious activity, such as unusual network connections or process behaviour.

*   **Use threat detection tools**: Consider using threat detection tools, such as behavioural analysis and machine learning-based systems, to detect and respond to threats like OBSCURE#BAT.

New OBSCURE#BAT Malware Targets Users with Fake Captchas

Cary, North Carolina, 13th March 2025, CyberNewsWire

**Cary, North Carolina, March 13th, 2025, CyberNewsWire**

As Artificial Intelligence (AI)-powered cyber threats surge, INE Security, a global leader in cybersecurity training and certification, is launching a new initiative to help organizations rethink cybersecurity training and workforce development. The company warns that AI is reshaping both the threat landscape and the skills required for cybersecurity professionals. While AI offers significant advantages in cyber defense, organizations must ensure their teams are properly trained to leverage it effectively without becoming overly reliant on automation.

> “The rise of AI in cybersecurity isn’t just a challenge—it’s an opportunity,” said Dara Warn, CEO of INE Security. “By training cybersecurity professionals properly, AI can be leveraged to filter noise, reduce burnout, and increase efficiency. However, if we don’t train people to understand the ‘why’ behind AI-driven decisions, we risk a future where cybersecurity professionals are blindly following AI without the expertise to think critically beyond it.”

**AI as a Force Multiplier: Improving SOC Efficiency and Threat Detection**

AI-driven security tools are improving the signal-to-noise ratio, making Security Operations Centers (SOCs) more efficient by reducing false positive alerts—an area cybersecurity tools have been refining for over a decade. AI can prioritize critical threats, allowing analysts to focus on real dangers rather than wasting time investigating false alarms.

> “AI is making threat detection smarter, but it’s not foolproof,” said Tracy Wallace, Director of Content at INE Security. “Security professionals need to be trained to work alongside AI, not just follow its outputs. AI is great at reducing alert fatigue, but analysts still need the expertise to investigate, interpret, and respond to threats accurately.”

**Generative AI: A Double-Edged Sword for Cybersecurity Talent**

One of the most promising yet complex aspects of AI’s rise is its impact on the cybersecurity workforce. On one hand, generative AI will lower the barrier to entry, allowing more professionals to enter the cybersecurity field and reducing the global labor shortage. 

> However, this shift also presents risks. “The concern isn’t that AI is making cybersecurity easier,” said Wallace. “The concern is that if professionals become too dependent on AI outputs, they won’t develop the critical-thinking skills necessary to work beyond what the AI gives them. Organizations must ensure that cybersecurity training teaches professionals not just how to use AI but how to work independently of it when needed.”

**The Data Privacy Dilemma: AI and LLM Security Risks**

Another concern in AI-driven cybersecurity is data privacy and security risks with large language models (LLMs). While concerns over data leakage with cloud-based AI models are growing, this isn’t a new challenge—it’s an evolution of longstanding security principles. Organizations must ensure AI-powered security solutions do not require external data sharing.

> “As AI becomes more deeply integrated into cybersecurity operations, privacy-first security architectures are crucial,” said Wallace. “Organizations need AI models that can operate securely without exposing sensitive data to external systems.”

**The Future of AI Security Training: Agentic Architectures and AI-Driven Automation**

Looking ahead, Agentic AI architectures are becoming a hot topic in cybersecurity. While some view it as buzzword hype, there is real potential for AI-driven security agents that autonomously investigate threats, adjust defenses in real-time, and improve security workflows with minimal human intervention.

> However, automation must be carefully balanced. “Agentic AI might be the future, but we can’t let it replace hands-on expertise and human decision-making,” said Warn. “Security professionals must be trained to interpret AI-driven insights, make judgment calls, and recognize when AI is wrong.”

**Training as the Solution: INE Security’s AI-Powered Cybersecurity Curriculum**

To close the cybersecurity skills gap and help professionals work effectively with AI, INE Security is working to expand its AI-driven training programs. These programs will focus on:

*   **AI-Driven Threat Analysis** – Training security teams to interpret AI-generated threat intelligence and reduce false positives.
*   **Machine Learning for Cyber Defense** – Teaching professionals how AI-powered security models work and how attackers exploit AI vulnerabilities.
*   **Generative AI in Cybersecurity** – Helping cybersecurity teams understand the risks and benefits of AI-generated attacks and defenses.
*   **Hands-On AI Security Labs** – Simulating real-world AI-powered attacks and training professionals on how to counter them manually and with AI assistance.

> “Our end goal is not just to train security professionals how to use AI but to train them how to think critically in an AI-driven world,” said Wallace. 

**The Call to Action: Prepare for AI-Driven Threats Now**

With AI transforming cybersecurity threats at an unprecedented pace, INE Security urges companies to:

*   Train their cybersecurity teams on AI-driven tools, while ensuring they develop critical problem-solving skills.
*   Prioritize AI-powered security solutions that enhance, not replace, human expertise.
*   Implement privacy-first AI models that reduce data exposure risks**.**

> “The AI revolution in cybersecurity is here,” concluded Warn. “Organizations that act now—by investing in security training, developing cybersecurity talent, and understanding how AI truly impacts the field—will be the ones leading the industry forward. The future of cybersecurity belongs to those who train for it.”

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers, offering both Red Team training and Blue Team training. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Alert: Using AI-Driven Cybersecurity Training to Counter Emerging Threats

The Hague, the Netherlands, 13th March 2025, CyberNewsWire

**The Hague, the Netherlands, March 13th, 2025, CyberNewsWire**

Founded in 2024, **Modat** – the European-crafted, research-driven, AI-powered cybersecurity company, has announced the launch of its premier product, **Modat Magnify**.   

Designed by and for cybersecurity professionals, the team behind the product aims to speed up the lives of these individuals easier by giving them access to the largest Internet ‘Device DNA’ dataset available. The ‘Device DNA’ catalogues the essential attributes of each internet-connected device to create a unique profile.

*   **FAST.** AI-powered for unparalleled speed. Continuously scanning the entire internet and identify adversary infrastructure in real-time. 
*   **SMART**. Research enhances the development of the platform and offers contextualized data, historical context, and predictive insights. 
*   **EASY**. User-centric UI designed from firsthand experience as cybersecurity professionals From the initial query to the findings result pages, easy-to-filter, read and use.  

> “It starts with research to gain insight and build,” says Soufian El Yadmani, CEO & Founder of Modat. “Offensive and defensive professionals shared what solutions they need to be faster and to focus on what they do best. Scanning the internet is just a beginning. Speed, contextual data, and insight is vital to our products and services. Our ‘Device DNA’ gives value in the results to increase proactive efforts and build cyber resilience.” 

> “Protecting your country takes clear insight into internet connected devices. Modat helps you to protect your country’s infrastructure with this insight,” emphasized Vincent Thiele, COO & Co-Founder of Modat. “We support communities to improve the health of the Internet and deliver products to help make the internet a safer place.”

Recent research covered by 35+ media outlets **Global Impact:** https://rb.gy/59kfce  

**Users can learn more:**

*   https://www.modat.io/modat-magnify
*   modat.io/enterprise 
*   https://www.modat.io/device-dna 

**Pricing & Access:**  

https://magnify.modat.io/pricing    

*   **FREE:**  covers most basic use cases. Solid start for many security professionals 
*   **Practitioner:** €20/m  
*   **Professional:** €60/m 
*   **Business:** €400/m 
*   **Enterprise:** tailored solutions for more complex needs of organisations and governments 

****About Modat****

Modat, founded in 2024 is the European-crafted, AI-powered, research-driven cybersecurity company dedicated to helping security professionals outpace adversaries and stay ahead of evolving threats. Their flagship product, **Modat Magnify**, provides access to the world’s largest Internet “Device DNA” dataset.  

Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Their products enable the security community by giving access to unparalleled speed, contextualized data, and predictive insights.  

By design, the **Modat Magnify** platform helps offensive and defensive professionals by giving them a fast, smart, easy way to stop searching and start finding. Our ‘Device DNA’ catalogues the essential attributes of each internet-connected device to create a unique profile to support proactive cybersecurity. 

Modat empowers individuals, companies, and governments to strengthen their security posture and increase cyber resiliency. The team actively joining the fight to get ahead of cyber-attacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast.

**Contact:**

modat.io

LIn: https://www.linkedin.com/company/modat-io/

Bluesky: https://bsky.app/profile/modat-io.bsky.social

For quotes/to schedule an interview, users can reach: 

**Soufian El Yadmani – CEO & Founder** 

Email: \[email protected\]  

LinkedIn: https://www.linkedin.com/in/soufianelyadmani/  

**Vincent Thiele – COO & Co-Founder** 

Email: \[email protected\]  

LinkedIn: https://www.linkedin.com/in/thielev/  

**Contact**

**Head of Marketing**  
**Bessie Schenk**  
**Modat**  
**\[email protected\]**

Modat launches premier product, Modat Magnify for Cybersecurity Professionals

Dragos reveals Volt Typhoon hackers infiltrated a US electric utility for 300 days, collecting sensitive data. Learn how this cyberattack threatens infrastructure.

Cybersecurity firm Dragos has revealed a prolonged cyber attack by the Chinese threat actor **Volt Typhoon** into the United States electric grid, specifically targeting the Littleton Electric Light and Water Departments (LELWD) in Massachusetts. This breach lasted over 300 days from February to November 2023.

The incident came to light just before Thanksgiving in 2023 when the FBI alerted LELWD to a potential compromise. Following investigations, with assistance from Dragos, revealed that the Volt Typhoon had infiltrated the utility’s systems as early as February 2023.

According to Dragos’s **report**, during this extensive period, the threat actors collected sensitive **operational technology (OT)** data, including information on energy grid operations, which could facilitate future disruptive attacks on critical infrastructure.

****Volt Typhoon’s Modus Operandi****

Volt Typhoon, also known as VOLTZITE, is a Chinese state-sponsored advanced persistent threat group active since at least mid-2021. The group focuses on cyber espionage, primarily targeting US critical infrastructure sectors **such as telecommunications** and energy. They employ sophisticated techniques to maintain persistent, long-term access to networks while evading detection.

**Tim Mackey**, Head of Software Supply Chain Risk Strategy at Black Duck, emphasizes the challenges posed by the long lifespan of devices in critical infrastructure. He notes that devices designed and tested to best practices available at their release can become vulnerable to more sophisticated attacks later in their lifecycle. Attackers, aware of the emphasis on uptime and service availability in critical infrastructure, may exploit these vulnerabilities to plan targeted attacks rather than opportunistic ones.

****Implications and Recommendations****

The LELWD incident shows the increasing cyber threats to essential services and why the energy sector needs proper cybersecurity measures. Organizations responsible for critical infrastructure must prioritize regular assessments and updates of their cybersecurity protocols to address evolving threats.

Additionally, implementing strong monitoring systems, conducting security audits, and collaborating with cybersecurity experts are essential to securing your infrastructure from threat actors like the Volt Typhoon.

1.  Hackers Have Reportedly Infiltrated The US Power Grids
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Critical Solar Power Grid Vulnerabilities Risk Global Blackouts
4.  Hacking Power Grids: TETRA Radio Hacking Risks Infrastructure
5.  Controller-level flaws let hackers physically damage moving bridges

Chinese Volt Typhoon Hackers Infiltrated US Electric Utility for Nearly a Year

Sonatype researchers uncover critical vulnerabilities in picklescan. Learn how these flaws impact AI model security, Hugging Face, and…

Sonatype researchers uncover critical vulnerabilities in picklescan. Learn how these flaws impact AI model security, Hugging Face, and best practices for developers.

Cybersecurity researchers at Sonatype have identified several vulnerabilities within picklescan, a tool used for examining Python pickle files for malicious code. These files, commonly used for storing and retrieving machine learning models, pose a security risk due to their ability to execute arbitrary code during the process of retrieving the stored data.

According to Sonatype’s analysis, shared with Hackread.com, in total four vulnerabilities were found:

*   **CVE-2025-1716**– allows attackers to bypass the tool’s checks and execute harmful code;

*   **CVE-2025-1889**– failure to detect hidden malicious files due to its reliance on file extensions;

*   **CVE-2025-1944**– can be exploited by manipulating ZIP archive filenames to cause the tool to malfunction;

*   **CVE-2025-1945**– failure to detect malicious files when certain bits within ZIP archives are altered.

It is worth noting that platforms such as Hugging Face utilize picklescan as part of their security measures to identify malicious AI models. The discovered vulnerabilities could allow malicious actors to bypass these security checks, thereby posing a threat to developers who rely on open-source AI models, as they can lead to “arbitrary code execution,” researchers noted. This means, an attacker could possibly take complete control of a system.

“Given the role of picklescan within the wider AI/ML hygiene posture (e.g. when used with PyTorch), the vulnerabilities discovered by Sonatype could be leveraged by threat actors to bypass malware scanning (at least in part) and target devs leveraging open source AI,” researchers explained in the blog post.

Good news is that picklescan maintainer showed a strong commitment to security by promptly addressing vulnerabilities, releasing version 0.0.23, which patched flaws, minimizing the opportunity for malicious actors to exploit them.

Sonatype’s chief product officer, Mitchell Johnson, urges developers to avoid using pickle files from untrusted sources whenever possible, and instead utilize safer file formats. If pickle files must be used, they should only be loaded in secure, controlled environments. Moreover, it is important to verify the integrity of AI models through cryptographic signatures and checksums, and implementing multi-layered security scanning.

The findings highlight the growing need for advanced, reliable security measures in AI/ML pipelines. To mitigate the risks, organizations should adopt practices such as utilizing safer file formats, employing multiple security scanning tools, and monitoring for suspicious behaviour when loading pickle files.

Picklescan Vulnerabilities Could Let Hackers Bypass AI Security Checks

UNC3886 hackers target Juniper routers with custom backdoor malware, exploiting outdated systems for stealthy access and espionage. Learn how to stay protected.

Cybersecurity researchers at Google’s Mandiant have exposed a series of attacks which took place in mid-2024 targeting Juniper routers running the Junos OS operating system. These attacks, linked to a Chinese hacking group known as UNC3886, involved planting custom-built malware designed to secretly control the devices while evading detection.

****What Happened?****

Mandiant’s investigation revealed that UNC3886 deployed backdoors disguised as legitimate system processes on Juniper MX routers running outdated hardware and software. These routers, using end-of-life (EOL) configurations, were easier targets due to vulnerabilities in their security systems. The malware leveraged Junos OS’s Veriexec, a file integrity monitor, to avoid detection. Instead of disabling Veriexec, the attackers injected malicious code into legitimate processes

According to the company’s blog post shared with Hackread.com ahead of publishing on Wednesday, these backdoors were built on the foundation of a publicly available hacking tool called TINYSHELL.

What makes these attacks particularly alarming is how the hackers customized their malware to integrate into the Juniper environment. The malicious programs were disguised as legitimate system processes, mimicking names like “appid” (a play on a real Juniper process) to avoid raising suspicion. Beyond stealth, the malware included features to disable logging on the routers, effectively erasing traces of the attackers’ activities and making it harder for security teams to spot the intrusion.

To carry out their attacks, the hackers exploited the inner workings of Junos OS, the operating system powering Juniper’s routers and other networking gear. Junos OS is built on a modified version of FreeBSD, a Unix-like system, and offers two ways to interact with it: a command-line interface (CLI) for standard operations and a shell mode that provides deeper access to the underlying system. The attackers used this shell mode to execute their malicious commands.

****How Did the Hackers Make This Happen?****

The attackers gained access by using stolen credentials to infiltrate router management interfaces. Once inside, they injected malware into legitimate processes, such as the cat command, leveraging named pipes and memory manipulation to **evade detection**.

To cover their tracks, some backdoors disabled logging functions, effectively erasing evidence of their presence. For instance, the lmpad backdoor altered system logs and disabled SNMP alerts, making it significantly harder for defenders to spot unauthorized access.

****The Malware Toolkit****

UNC3886 deployed six customized backdoors, all derived from the open-source TINYSHELL framework but specifically adapted for Junos OS. Each variant had unique functionalities:

*   **appid** and **to**: These were active backdoors with hardcoded command-and-control (C2) servers, allowing attackers to upload/download files, execute shell commands, and route traffic through proxies.

*   **irad**: A passive backdoor that remained dormant until triggered by specific “magic strings” in network traffic. Once activated, it could launch remote shells or relay connections.

*   **lmpad**: This hybrid backdoor acted as both a backdoor and a stealth tool. It disabled logging, modified system files, and patched memory to prevent audit logs from recording malicious activity.

*   **jdosd** and **oemd**: These passive backdoors used encrypted **UDP/TCP channels** for covert file transfers and remote command execution, making detection even more challenging.

****About UNC3886****

UNC3886 is a well-known hacking group with a track record of targeting network devices and virtualization technologies, often using previously unknown vulnerabilities (known as **zero-day exploits**). The group’s main focus is on espionage against industries like defence, technology, and telecommunications, particularly in the US and Asia.

While other Chinese hacking campaigns, such as those attributed to groups like **Volt Typhoon** or **Salt Typhoon**, have made headlines, Mandiant found no direct technical connections between UNC3886’s activities and those operations. This suggests that UNC3886 is a distinct threat, operating with its own tools and strategies.

****Why Does This Matter?****

Routers and other network devices are the backbone of modern IT infrastructure, directing traffic and connecting systems across organizations. But unlike laptops or servers, these devices often lack proper security monitoring tools, making them attractive targets for attackers. Once compromised, a router can provide a gateway to an entire network, allowing hackers to spy on communications, steal data, or launch further attacks.

The fact that UNC3886 targeted older, unsupported Juniper devices highlights another issue such as how many organizations continue to rely on outdated equipment, either due to budget restrictions or oversight. These systems are **sitting ducks** for skilled attackers, as they no longer receive patches for newly discovered vulnerabilities.

****What Should Organizations Do?****

Mandiant and Juniper Networks have worked together to address the issue, and they’ve outlined steps organizations can take to protect themselves:

*   **Upgrade Devices**: Replace end-of-life Juniper hardware and software with supported versions. Juniper has released updated software images that include fixes and improved detection capabilities.

*   **Run Security Scans**: Use Juniper’s Malware Removal Tool (JMRT) to perform a Quick Scan and Integrity Check on your devices after upgrading. This can help identify and remove any malicious programs.

*   **Monitor and Harden Networks**: Strengthen security around network devices by limiting access, using strong authentication, and regularly reviewing logs for unusual activity, even though attackers may try to disable logging.

*   **Stay Informed**: Keep up with security advisories from vendors like Juniper and reports from cybersecurity firms like Mandiant to stay ahead of emerging threats.

Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers

Tel Aviv, Israel, 12th March 2025, CyberNewsWire

**Tel Aviv, Israel, March 12th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR) solution, announced today that it won Silver in the category of Security Operations Center (SOC) solutions at the annual 2025 Globee Awards. The program aims to raise awareness about cybersecurity issues and honor those who have made significant contributions in protecting organizations and individuals from cyber threats.

This award comes on the heels of significant advancements for CYREBRO, solidifying its position as a future-proof cybersecurity leader. The company has recently launched its proprietary security data lake, enabling unparalleled threat analysis and faster, more precise detection. This innovation, coupled with a strategic partnership with Google Cloud, enhances CYREBRO’s ability to scale and deliver cutting-edge security solutions across diverse environments.

CYREBRO’s commitment to global expansion is evident in its rapidly growing customer base across new markets, demonstrating the universal need for proactive threat detection and response across companies of all sizes.

CYREBRO remains steadfast in its 100% channel-based strategy, empowering its partners to deliver exceptional MDR services to their clients. This approach ensures seamless integration and personalized service, maximizing the value of CYREBRO’s MDR capabilities.

> “We are honored to receive this prestigious award,” said Ori Arbel, CYREBRO CTO. “This recognition validates our relentless pursuit of innovation and our dedication to empowering businesses with robust cybersecurity defenses. We’re particularly proud of the strides we’ve made in enhancing our platform, directly translating to superior security outcomes for our partners and customers.”

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

Source

HackRead