Malicious actors are exploiting Cascading Style Sheets (CSS), which are used to style and format the layout of web pages, to bypass spam filters and track users' actions.
That's according to new findings from Cisco Talos, which said such malicious activities can compromise a victim's security and privacy.
"The features available in CSS allow attackers and spammers to track users' actions and

Cybercriminals Exploit CSS to Evade Spam Filters and Track Email Users' Actions

Tenable Research reveals that AI chatbot DeepSeek R1 can be manipulated to generate keyloggers and ransomware code. While…

Tenable Research reveals that AI chatbot DeepSeek R1 can be manipulated to generate keyloggers and ransomware code. While not fully autonomous, it provides a playground for cybercriminals to refine and exploit its capabilities for malicious purposes.

A new analysis from cybersecurity firm Tenable Research reveals that the open-source AI chatbot **DeepSeek R1** can be manipulated to generate malicious software, including keyloggers and ransomware.

Tenable’s research team set out to assess DeepSeek’s ability to create harmful code. They focused on two common types of malware: keyloggers, which secretly record keystrokes, and ransomware, which encrypts files and demands payment for their release.

While the AI chatbot isn’t producing fully functional malware “out of the box,” and requires proper guidance and manual code corrections to produce a fully working keylogger; the research suggests that it could lower the barrier to entry for cybercriminals.

Initially, like other large language models (**LLMs**), DeepSeek stood up to its built-in ethical guidelines and refused direct requests to write malware. However, the Tenable researchers employed a “jailbreak” technique tricking the AI by framing the request for “educational purposes” to bypass these restrictions.

The researchers leveraged a key part of DeepSeek’s functionality: its “chain-of-thought” (CoT) capability. This feature allows the AI to explain its reasoning process step-by-step, much like someone thinking aloud while solving a problem. By observing DeepSeek’s CoT, researchers gained insights into how the AI approached malware development and even recognised the need for stealth techniques to avoid detection.

****DeepSeek Building Keylogger****

When tasked with building a keylogger, DeepSeek first outlined a plan and then generated C++ code. This initial code was flawed and contained several errors that the AI itself could not fix. However, with a few manual code adjustments by the researchers, the keylogger became functional, successfully logging keystrokes to a file.

Taking it a step further, the researchers prompted DeepSeek to help enhance the malware by hiding the log file and encrypting its contents, which it managed to provide code for, again requiring minor human correction.

This screenshot displays the keylogger created by DeepSeek running in the Task Manager, alongside the log file it generated. (Credit: Tenable Research)

****DeepSeek Building Ransomware****

The experiment with ransomware followed a similar pattern. DeepSeek laid out its strategy for creating file-encrypting malware. It produced several code samples designed to perform this function, but none of these initial versions would compile without manual editing.

Nevertheless, after some tweaking by the Tenable team, some of the ransomware samples were made operational. These functional samples included features for finding and encrypting files, a method to ensure the malware runs automatically when the system starts, and even a pop-up message informing the victim about the encryption.

****DeepSeek Struggled with Complex Malicious Tasks****

While DeepSeek demonstrated an ability to generate the basic building blocks of malware, Tenable’s findings highlight that it’s far from a push-button solution for cybercriminals. Creating effective malware still requires technical knowledge to guide the AI and debug the resulting code. For instance, DeepSeek struggled with more complex tasks like making the malware process invisible to the system’s task manager.

However, despite these limitations, Tenable researchers believe that access to tools like DeepSeek could accelerate malware development activities. The AI can provide a significant head start, offering code snippets and outlining necessary steps, which could be particularly helpful for individuals with limited coding experience looking to engage in cybercrime.

“DeepSeek can create the basic structure for malware,” explains Tenable’s technical **report** shared with Hackread.com ahead of its publishing on Thursday. “However, it is not capable of doing so without additional prompt engineering as well as manual code editing for more advanced features.” The AI struggled with more complex tasks like completely hiding the malware’s presence from system monitoring tools.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the latest development emphasising that AI can aid both good and bad actors, but security efforts should focus on making cyberattacks more costly by hardening endpoints rather than expecting EDR solutions to prevent all threats.

_“_Criminals are going to be criminals – and they’re going to use every tool and technique available to them. GenAI-assisted development is going to enable a new generation of developers – for altruistic and malicious efforts alike,_“_ said Trey,

_“_As a reminder, the EDR market is explicitly endpoint DETECTION and RESPONSE – they’re not intended to disrupt all attacks. Ultimately, we need to do what we can to drive up the cost of these campaigns by making endpoints harder to exploit – pointedly they need to be hardened to CIS 1 or 2 benchmarks,_“_ he explained.

AI Chatbot DeepSeek R1 Can Be Manipulated to Create Malware

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities.  
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    
For Snort coverage

Thursday, March 13, 2025 14:23

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Miniaudio out-of-bounds write vulnerability **

_Discovered by Emmanuel Tacheau of Cisco Talos._   

TALOS-2024-2063 (CVE-2024-41147) is an out-of-bounds write vulnerability in Miniaudio, a lightweight, single-file audio playback and capture library written in C. A missing allocation size check can cause a buffer overflow, leading to this out-of-bounds write. This vulnerability can be triggered by a specially crafted FLAC file, resulting in a memory corruption when in playback mode. The application sends raw audio data to Miniaudio, which is then played back through the default playback device as defined by the operating system. 

**Adobe Acrobat out-of-bounds write vulnerability **

_Discovered by KPC of Cisco Talos._   

TALOS-2025-2134 (CVE-2025-27163) and TALOS-2025-2136 (CVE-2025-27164) are out-of-bounds read vulnerabilities in the font functionality, which can lead to disclosure of sensitive information. TALOS-2025-2135 (CVE-2025-27158) is a memory corruption vulnerability, stemming from an uninitialized pointer in the font functionality of Adobe Acrobat, which can potentially lead to arbitrary code execution. A specially crafted font file embedded into a PDF can trigger these vulnerabilities. An attacker needs to trick the user into opening a malicious file.

Miniaudio and Adobe Acrobat Reader vulnerabilities

Thorsten picks apart some headlines, highlights Talos’ report on an unknown attacker predominantly targeting Japan, and asks, “Where is the victim, and does it matter?”

Thursday, March 13, 2025 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Let's pick up where we left off in my last newsletter. Please mark your calendars: The free support for Windows 10 will end on October 14, 2025.

When a software loses vendor support, it no longer receives patches or updates. As highlighted in my previous newsletter, the top method for initial access in the last quarter of 2024 was exploiting vulnerabilities in public-facing applications. While Windows 10 isn't typically (or shouldn't be) a public-facing application, unpatched client systems become prime targets for bad actors as they progress through the stages of an attack: Execution, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement.

In last week’s newsletter, my colleague Martin asked, "Who is responsible, and does it matter?" As a thought exercise, let's flip the script and ask, "Where is the victim, and does it matter?" I often field questions about threats specific to countries, regions, or continents, but the reality is that software is largely the same regardless of physical location. Yes, there are different language packs, and yes, spam and phishing campaigns may use local languages. However, when it comes to software, operating systems, libraries, and drivers, we share code globally.

Remember Log4j and NotPetya? These vulnerabilities caused chaos around the globe. Both have CVEs listed in the Known Exploited Vulnerabilities (KEV) catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency (CISA).

While researching the KEVs added in 2024, I discovered CVEs dating back to 2012, 2013, and 2014. This underscores that regardless of location, old vulnerabilities can remain relevant and dangerous years after their discovery.

Fast forward to 2025: CVE-2025-22224 was published on Mar. 4, 2025 and added to CISA's KEV Catalog less than two hours later. A week later, over 40,000 vulnerable instances were still detected globally, as shown on the Shadowserver dashboard:

Rather than solely focusing on geography, the global vulnerability landscape suggests we should ask ourselves:

·       "Am I running this software?"  
·       “Is my software up to date?"  
·       "How quickly can I fix it?"  
·       Or, for the brave, "Am I prepared to take the risk?"

While more attributes for CVEs may be beneficial, I personally believe the absence of a geographic attribute is a good thing. Patching and updating software should be prioritized regardless of nationality or geographic context. When it comes to maintaining robust cybersecurity, the only good vulnerability is no vulnerability.

Remember: In the digital world, we're all neighbors. A vulnerability anywhere is a threat just around the corner.

**The one big thing**

Cisco Talos discovered malicious activities conducted by an unknown attacker as early as January 2025, predominantly targeting organizations in Japan. The attacker exploited a vulnerability, CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

**Why do I care?**

We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response report for Q4 2024, and this intrusion highlights this ongoing activity. In this case, the attacker establishes persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”

**So now what?**

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see the National Vulnerability Database. Here are the Snort SIDs for this threat:

·       Snort 2: 64632, 64633, 64630, 64631  
·       Snort 3: 301157, 301156

**Top security headlines of the week**

· **The Bluetooth “backdoor” that wasn’t.** The original title, “Undocumented backdoor found in Bluetooth chip used by a billion devices,” was updated to a more precise description: “Undocumented commands found in Bluetooth chip used by a billion devices.” (Bleepingcomputer) (Darkmentor)

· **A ransomware gang leveraged a vulnerable IP camera in an attack, effectively circumventing Endpoint Detection and Response (EDR).** The “Mr. Monk” in me wants to point out that while the article title says “webcam” — which, in my definition, is a camera connected internally or via USB to a PC — the article discusses Linux and SMB shares, which suggests it is an IP camera.  (Bleepingcomputer)

· **Massive alleged cyber attack against X (formerly Twitter).** This past Monday, a series of outages left X unavailable for thousands of users for at least one hour. Not all details are currently known to the public. (Securityweek)

**Can’t get enough Talos?**

  
Cascading Style Sheets (CSS) are ever present in modern day web browsing, however it's far from their own use. Read our latest blog on Abusing with style: Leveraging cascading style sheets for evasion and tracking.

Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. Read the full blog here: Unmasking the new persistent attacks on Japan

**Upcoming events where you can find Talos**

· DEVCORE (March 15, 2025) Taipei, Taiwan. Ashley Shen will give a talk on exploit hunting.  
· RSA (April 28-May 1, 2025)  San Francisco, CA  
· PIVOTcon (May 7-May 9, 2025) Malaga, Spain. Ashley Shen and Vitor Ventura will present "Redefining IABs: Impacts of Compartmentalization on Threat Tracking & Modeling."  
· CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
· Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
MD5: 7abf12ab98f4cbed63228bba977cea7e  
VirusTotal:  https://www.virustotal.com/gui/file/9c60480afbbfbdf20520a9e7705f60a54ff2d0a94d72e4c26fc2aee55a158a9f  
Typical Filename: pdfzonepro.msi  
Claimed Product: N/A  
Detection Name: W32.9C60480AFB-95.SBX.TG

 SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

Patch it up: Old vulnerabilities are everyone’s problems

Cascading Style Sheets (CSS) are ever present in modern day web browsing, however its far from their own use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking.

Thursday, March 13, 2025 06:00

*   Cisco Talos has identified actors abusing Cascading Style Sheets (CSS) to 1) evade spam filters and detection engines, and 2) track users’ actions and preferences. 
*   This blog is a follow-up to our previous report on how threat actors could abuse CSS using a technique called “hidden text salting” to evade spam filters, email parsers, and detection engines. This technique introduces several security implications. 
*   Additionally, we have observed the abuse of CSS for tracking, which impacts users’ privacy. This abuse ranges from tracking users’ actions to identifying their preferences. Although email clients restrict the execution of JavaScript, we argue that fingerprinting system and hardware configurations is also possible using CSS properties and rules, depending on the users’ clients and system configurations.

Cascading Style Sheets (CSS) specify how HTML materials are rendered and displayed to recipients. In a legitimate context, CSS is mainly used to adjust an email’s content to fit the screen resolution of the recipient. However, we will discuss how CSS can be abused by threat actors to stay under the radar and track recipients at a minimum. The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers. In what follows, we provide examples of CSS abuse we've identified in the wild for both evading detection and tracking users. These examples have all been observed from the second half of 2024 up until February 2025.

**The abuse of cascading style sheets for evasion**

Features of HTML and CSS can be used together to include comments and irrelevant content that are not visible to the victim (or recipient) when the email is rendered in an email client but can impact the efficacy of parsers and detection engines. We discussed a few examples in our recent blog post, and we will share more throughout the rest of this section. We will not cover cases that are well-known to the security community, such as including zero-sized fonts.

Threat actors can use the _text\_indent_ property of CSS to conceal content in the email’s body. Below is an example of a phishing email that contains text in different places, but the text is not visible when rendered in an email client.

A phishing email with several gibberish characters added in between the original words.

An inspection of the HTML source of the above email reveals that hidden text salting has been used in several places. For example, in the snippet shown below, the _text-indent_ and _font-size_ properties of CSS are used together to conceal the gibberish characters added in between the original words visible to the recipient of this email.

The HTML source snippet of the above phishing email shows how the __text-indent__ property in CSS is used to hide the irrelevant characters inserted between the original words visible to the recipient of email.

The _text-indent_ property is set to –_9999px_, which moves the text far out of the visible area when the email is rendered in the email client. Additionally, the _font-size_ property is set to an extremely small size, making the text virtually invisible to the human eye on most screens. In some cases, the text color is also set to _transparent_ to ensure the text is completely invisible by rendering it in a color that does not display against any background.

Alternatively, threat actors may use the _opacity_ property of CSS to hide the irrelevant content. An example phishing email is shown below that also impersonates the Blue Cross Blue Shield organization.

A phishing email impersonating the Blue Cross Blue Shield organization.

A close inspection of the HTML source of the above email reveals multiple attempts to conceal content, both in the body of the email and in the email’s preheader. Most email templates enable threat actors to add preheader text to their emails. Such text follows the email’s main subject immediately and is a technique that allows attackers to entice readers with additional information. Note that this field is also used in many email marketing and spam campaigns.

In this example, the attacker has set the _opacity_ property of CSS to zero, making the element fully transparent and invisible. Note that this preheader text is kept hidden by relying on multiple CSS properties, including _color_, _height_, _max-height_, and _max-width_. Additionally, the _mso-hide_ property is set to all to make the preheader invisible in Outlook email clients as well. Also, note that the invisible preheader text is completely irrelevant and appears benign (e.g., “FOUR yummy soup recipes just for you!”) to make it appear less suspicious to spam filters.

The HTML source snippet of the above phishing email shows how the __opacity__ property in CSS is used to hide the preheader text in the above email.

In a third example, the HTML smuggling technique is used to redirect the user to the final phishing page. This was a spear phishing email sent to one of our customers in February 2025. Additionally, the HTML attachment contains a series of German words and phrases that do not form coherent or grammatically correct sentences, and these are made invisible to the recipient of the email via hidden text salting.

A spear phishing email with an HTML attachment.

The email contains the phrase “with regard” in two other languages, including Finnish and Estonian. The rendered HTML attachment is also shown below. Note that the attacker tries to convince the recipient to click on the button and view the document by displaying a Microsoft SharePoint logo.

The rendered HTML attachment of the above email.

When the HTML attachment of the above email is inspected, one can notice that CSS properties are employed in various ways to conceal the irrelevant German phrases. First, the paragraphs' positions are set to _absolute_, allowing them to be placed anywhere on the page, which is often a technique used to hide elements by moving them off-screen. Additionally, the _width_ and _height_ of the paragraphs are set to zero, rendering them invisible in terms of space. The _opacity_ is also set to zero, making the content transparent and unseen by the recipient. Furthermore, a clipping method is utilized to ensure that the added salt remains hidden from the victim. Specifically, the first paragraph is clipped using a rectangle with the _clip_ CSS property (which is deprecated as of this writing) that has zero width and height, effectively making it invisible by limiting its visible area. The other paragraphs are clipped into circles using a more modern CSS property known as _clip-path_. Lastly, the _overflow_ property is set to _hidden_, ensuring that any content that exceeds the boundaries of the div element stays concealed.

The HTML source snippet of the above spear phishing email shows how hidden text salting is used to add irrelevant German phrases to the body of the email, while at the same time being invisible to the recipient.

**The abuse of cascading style sheets for tracking**

Email clients use different rendering engines and support different CSS rules and properties. However, CSS properties can be abused to track users' actions and preferences. We will discuss how fingerprinting recipients' systems and hardware is also possible, although some of these fingerprinting approaches may only work in specific email clients and depend on certain configuration assumptions.  

Marketing campaigns may use these CSS properties to track user engagement and optimize future campaigns, while spammers and threat actors may use this approach to enhance their targeted phishing campaigns, collect information, and craft targeted exploits. In what follows, we provide only a few examples of attempts to compromise the privacy of our customers.

Tracking users' (or email recipients') actions and preferences has been one of the most dominant patterns of CSS abuse identified by Talos in the wild in recent months. This abuse can range from identifying recipients' font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails). Below is an example of a spam email with multiple tracking capabilities.  

An example of a spam email.

The HTML source of the above email is shown below, where several tracking approaches are employed. First, the campaign uses a tracking image to record when the recipient opens the email. Second, different tracking URLs log the recipient's color scheme preference (see the _rd_ and _rl_ characters in the URLs). This is achievable via the CSS _media_ at-rule. Third, a tracking URL records when this email is printed (see the _p_ character in the URL). Finally, different tracking URLs are used to record when the email is opened in a specific email client. Also, note that a unique identifier is assigned to each recipient and used in the tracking URL.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked.

A second example email is shown below that tracks even more information, including the recipient's geo-location and device-specific information.

An example of a spam email.

An inspection of the HTML source of the above message, shown below, reveals several tracking clues. First, a tracking image is used to record when the recipient opens the email. Second, the recipient's color scheme preference is tracked via separate URLs. Third, a tracking URL is embedded within this message that records when it is printed. Fourth, different tracking URLs are used to record when the email is opened in a specific email client. Finally, a tracking pixel is appended to the end of the email to collect the recipient’s IP address, the email client used to open the email, and some device-specific information.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked and how their geo-location and device-specific information are collected.

As explained earlier, CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the _media_ at-rule can detect certain attributes of a user’s environment, including screen size, resolution, and color depth. The HTML code snippet below demonstrates how the CSS _media_ at-rule can be used for such purposes. Threat actors can set up different styles or load different resources based on criteria such as the screen width of the recipient’s device.

An example HTML code snippet that shows how the CSS __media__ at-rule can be used to fingerprint the screen width (or screen resolution) of the recipient’s device.

Fingerprinting the operating system of the recipient’s device is also possible and can be done in at least two main ways. In the first approach, the availability of certain fonts on a recipient’s system can indicate which operating system they might be using. Furthermore, threat actors may block the display of certain elements based on the inferred operating system. This can be achieved via the _font-face_ at-rule in CSS.

In the example shown below, the body of the message uses the _Segoe UI_ font, which is commonly available on Windows operating systems by default. Additionally, the _font-face_ at-rule defines a font called _MacFont_, which relies on the local availability of _Helvetica Neue_. This font is typically found on macOS systems. Note that in this example, elements with the class _.mac-style_ are hidden by default (_display: none;_). They are only shown to the recipient (_display: block;_) if the hypothetical media rule detects _MacFont_.

An example HTML code snippet that shows how the CSS __font-face__ at-rule can be used to fingerprint the operating system of the recipient’s device and then show or block specific contents using the availability of certain fonts.

The second method that can be used to fingerprint the operating system of a recipient’s device is to use unique URLs for resources (e.g., images) based on the applicable styles. When the email loads these resources, server logs can provide hints about the recipient's operating system. In the example snippet shown below, different images are loaded depending on the victim's operating system, which can be determined by the availability of certain fonts and styles that were applied.

An example HTML code snippet that shows how CSS can be used to fingerprint the operating system of the recipient’s device by loading different images.

**Mitigations**

As explained with multiple examples, CSS provides functionalities, rules, and properties that could be abused by attackers to evade spam filters and detection engines, as well as to track or fingerprint users and their devices. As such, both the security and privacy of your organization and business are at risk. In what follows, we provide a few mitigation solutions for each domain.

Security mitigations: One security mitigation solution is to rely on advanced filtering mechanisms that can more effectively detect hidden text salting and content concealment. These systems could examine different parts of emails to find and filter out hidden content. Alternatively, relying on features in addition to the text domain, such as the visual characteristics of emails, could be helpful. This approach is particularly beneficial in image-based threats.

Privacy mitigations: One of the most effective solutions in this domain is to use email privacy proxies. This mitigation is designed for email clients and involves rewriting emails to enhance privacy and maintain email integrity across different clients. In particular, the proxy service should be able to perform two main functions: 1) converting top-level CSS rules into style attributes, and 2) rewriting remote resources (e.g., images) to be included directly in the email via data URLs. The former function confines styles to the email itself and prevents conflicts with client-defined styles, while the latter function prevents exfiltration of information and undermines tracking pixels, ensuring the email's integrity over time.

**Protection**

Safeguarding against these complex threats necessitates a comprehensive email security solution that utilizes AI-driven detection. Secure Email Threat Defense employs distinctive deep learning and machine learning models, incorporating Natural Language Processing, within its sophisticated threat detection systems.

Secure Email Threat Defense detects harmful techniques employed in attacks against your organization, extracts unmatched context for particular business risks, offers searchable threat data, and classifies threats to identify which sectors of your organization are most at risk of attack.

Begin strengthening your environment against sophisticated threats. Register now for a free trial of Email Threat Defense.

Abusing with style: Leveraging cascading style sheets for evasion and tracking

Microsoft's March 2025 Patch Tuesday fixes six actively exploited zero-day vulnerabilities, including critical RCE and privilege escalation flaws. Learn how these vulnerabilities impact Windows systems and why immediate patching is essential.

Microsoft has released its March 2025 security updates, addressing a total of 57 vulnerabilities, including six that were actively being exploited before the patch was available as part of the company’s Patch Tuesday. Additionally, one vulnerability was publicly disclosed before a fix was released, bringing the total number of zero-day flaws to seven.

For your information, Patch Tuesday is the second Tuesday of each month when Microsoft releases security updates, bug fixes, and software patches for Windows, Office, and other Microsoft products. It is a scheduled update cycle aimed at improving security and stability.

The March 2025 Patch Tuesday update addresses several security issues, including 23 elevations of privilege vulnerabilities, 3 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 4 information disclosure vulnerabilities, 1 denial of service vulnerability, and 3 spoofing vulnerabilities. These counts do not include vulnerabilities patched in Mariner or Microsoft Edge earlier in the month.

Six of the zero-day vulnerabilities were being actively exploited. One, tracked as CVE-2025-24983, enables local attackers to gain system-level privileges by exploiting a race condition in the Windows Win32 Kernel Subsystem where multiple processes simultaneously access or modify shared resources. This flaw affects various Windows versions.

CVE-2025-24991 and CVE-2025-24984 are information disclosure vulnerabilities found in Windows NTFS that allow an attacker with physical access to a Windows device to read sensitive information from the system’s memory, and access portions of “heap memory,” a dynamic allocation region, by inserting a malicious USB drive, potentially stealing sensitive data or credentials. The publicly disclosed zero-day vulnerability, CVE-2025-26630, is a remote code execution (RCE) flaw in Microsoft Access caused by a use-after-free memory bug.

Other zero-day vulnerabilities include CVE-2025-24985, another RCE flaw in the Windows Fast FAT File System Driver caused by an integer overflow. CVE-2025-24993 is a remote code execution vulnerability in Windows NTFS caused by a heap-based buffer overflow. These vulnerabilities can be exploited by tricking users into mounting a crafted VHD file, allowing attackers to execute their code.

Finally, CVE-2025-26633, a security feature bypass in the Microsoft Management Console. The attacker must convince a user to interact with a malicious link or file, such as a specially crafted MMC (.msc) file. If successful, the attacker can circumvent security measures and gain unauthorized access to administrative tools and system settings,

The six critical vulnerabilities, all RCE flaws with CVSS scores ranging between 7.8 through 8.8, affect various Microsoft products. Two of these impact Windows Remote Desktop Services (CVE-2025-24045 and CVE-2025-24035), while the others relate to Microsoft Office, Windows Domain Name Service (CVE-2025-24064), Remote Desktop Client, and Windows Subsystem for Linux Kernel (CVE-2025-24084).

The NTFS and FAT RCE flaws are highlighted as particularly concerning, as they are part of an exploit chain that includes the NTFS information disclosure vulnerabilities. These vulnerabilities are related to mounting virtual hard disk (VHD) files, which could be used to deliver malware payloads.

In addition to Microsoft, other vendors have also released security updates or advisories in March 2025. These include Broadcom, Cisco, Edimax, Google, Ivanti, Fortinet, Paragon, and SAP.

Experts emphasize the importance of applying these patches promptly, particularly those addressing zero-day vulnerabilities. CVE-2025-24057 and CVE-2025-26630 require Office updates and users of Office 2016 need to install two specific patches.

> Security updates for March 2025 are now available. Details are available here: https://t.co/ItXjYLFR2w #PatchTuesday #SecurityUpdateGuide pic.twitter.com/Wx1JOTwTZ2
> 
> — Security Response (@msftsecresponse) March 11, 2025

****Expert Insights on Key Vulnerabilities****

Cybersecurity experts at Immersive have highlighted several vulnerabilities that warrant immediate attention:

*   **Windows NTFS / FAT Remote Code Execution (CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993)**
    
    These four actively exploited flaws relate to **remote code execution via Virtual Hard Disk (VHD) files**. While not remotely exploitable over a network, attackers can trick users into mounting malicious VHDs, potentially delivering malware. Organizations should monitor for VHD files in emails or downloads and apply security restrictions where possible. _Kev Breen, Senior Director of Threat Research, Immersive_.
    

*   **Microsoft Management Console Security Bypass (CVE-2025-26633)**
    
    Attackers are exploiting this flaw to **bypass security restrictions via social engineering**. Users may receive malicious .msc files through phishing emails or compromised websites. Security teams should monitor for .msc executions from untrusted sources to detect potential exploitation. _Kev Breen, Senior Director of Threat Research, Immersive_.
    

*   **Windows Remote Desktop Services RCE (CVE-2025-24035)**
    
    This critical vulnerability enables **remote attackers to execute arbitrary code** on systems with Remote Desktop Gateway enabled. Successful exploitation could lead to malware deployment, lateral movement, and security tool evasion. _Ben Hopkins, Cybersecurity Engineer, Immersive_.
    

*   **Mark of the Web (MoTW) Bypass (CVE-2025-24061)**
    
    Attackers can exploit this flaw to **bypass Windows’ security warnings** on downloaded files. Malicious .url files or web-based lures can trick users into executing harmful content. As similar vulnerabilities have been actively exploited in the past, this remains a high-risk issue. _Ben Hopkins, Cybersecurity Engineer, Immersive_.
    

*   **Win32 Kernel Subsystem Privilege Escalation (CVE-2025-24983)**
    
    A race condition vulnerability allows attackers to escalate privileges to the SYSTEM level, gaining full control over affected systems. This can enable security evasion and credential theft using tools like Mimikatz. Microsoft has confirmed in-the-wild exploitation, reinforcing the need for immediate patching. _Natalie Silva, Lead Cybersecurity Engineer, Immersive_.
    

Security experts emphasize that organizations should prioritize patching these vulnerabilities, especially those actively exploited, to reduce the risk of compromise.

March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”.

Tuesday, March 11, 2025 17:55

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”. 

There are six vulnerabilities that Microsoft has observed being exploited in the wild. CVE-2025-26633 is a Remoted Code Execution (RCE) vulnerability in Microsoft’s Management Console. Two information disclosure vulnerabilities, CVE-2025-24984 and CVE-2025-24991, and one RCE vulnerability, CVE-2025-24993, in Windows NTFS were observed being exploited in the wild. Microsoft also patched, CVE-2025-24985, another RCE exploited in the wild in the Windows Fast FAT system driver. An Elevation of Privilege (EOP) vulnerability, CVE-2025-24983, was also discovered being exploited in the wild, in Windows’ win32 Kernel Subsystem. 

There are two notable "critical" vulnerabilities. The first is CVE-2025-24035, which is a remote code execution (RCE) vulnerability affecting the Windows Remote Desktop Gateway (RD Gateway) service. This vulnerability is a remote unauthenticated User-after-free (UAF) issue in handling websocket initialization and closing operations which could potentially result in arbitrary code execution in the RD Gateway process. Successful exploitation of this vulnerability requires the attacker to connect to a system with the RD Gateway role. CVE-2025-24035 has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-24045 is another critical remote code execution vulnerability in the RD Gateway service caused by a UAF issue in handling connection and disconnection callbacks. Successful exploitation of this vulnerability requires the attacker to connect to a system with the RD Gateway role. This vulnerability has also been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2024-9157 is an elevation of privilege vulnerability in a Synaptics Audio Effect Component service binaries DLL distributed with Windows Update. This vulnerability is caused by the Synaptics service opening a named pipe without any meaningful ACLs and expecting clients to provide the name of a DLL which is then loaded into the Synaptics process, which may allow even a remote unprivileged user to provide a malicious DLL to be loaded in the context of the service. This vulnerability has been assigned a CVSS 3.1 score of 9.9 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-24064 is an RCE vulnerability in the Windows Domain Name Service flagged as "critical” by Microsoft.  To successfully exploit this vulnerability an attacker needs to send a perfectly timed DNS update message to the vulnerable server which may cause a UAF error and could potentially lead to remote code execution. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered "less likely to be exploited” by Microsoft. 

CVE-2025-24084 is an RCE in the Windows Subsystem for Linux (WSL2) Kernel caused by an untrusted pointer dereference. To exploit this vulnerability an attacker needs to have elevated privileges on the target machine, due to the requirement of manipulating processes, which isn’t usually accessible by regular users. This vulnerability has been assigned a CVSS 3.1 score of 8.4 but was considered "less likely to be exploited” by Microsoft. 

CVE-2025-26645 is a vulnerability in the Remote Desktop (RDP) client caused by a relative path traversal issue. An attacker in control of a Remote Desktop Server could achieve RCE on any vulnerable client machine connecting to the service. This vulnerability has been assigned a CVSS 3.1 score of 8.8 and is considered "less likely to be exploited” by Microsoft. 

Talos would also like to highlight the following vulnerabilities that Microsoft considers to be “important” or "Critical”:     

*   CVE-2025-24057 Microsoft Office Remote Code Execution Vulnerability 
*   CVE-2025-24051 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability 
*   CVE-2025-24056 Windows Telephony Service Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64663, 64662, 64432, 64658, 64659, 64656, 64657, 64660, 64661, 64653, 64652. There are also these Snort 3 rules: 64432, 301166, 301164, 301163, 301165, 301162

Microsoft Patch Tuesday for March 2025 — Snort rules and prominent vulnerabilities

Disgruntled ex-employee sabotages company systems with malicious code, causing major disruptions and financial losses.  Learn about the case…

Disgruntled ex-employee sabotages company systems with malicious code, causing major disruptions and financial losses.  Learn about the case and the legal consequences.

A legal proceeding concluded in a federal court located in Ohio, where a man from Texas was found responsible for introducing harmful software onto the computer system of his previous workplace.

According to the Department of Justice (DoJ) press release, the convict, Houston-based Davis Lu, aged 55, worked as a software developer for a company headquartered in Beachwood, Ohio from Nov 2007 to Oct 2019. In 2018, a shift in the company’s organizational structure occurred, which resulted in a reduction of his work duties and limitations on his access to certain systems. Following this change, he began to engage in actions that disrupted the company’s operational technology.

Specifically, Lu introduced computer code designed to cause system failures and prevent authorized personnel from logging into the network. The code created a cycle of new processes without ending previous ones, resulting in system crashes. He also erased files belonging to his colleagues and set up a mechanism that would deny access to all users if his own access was revoked. This access-denial feature was designed to activate automatically upon the removal of his credentials from the company’s directory.

Furthermore, he assigned names to his destructive code, using terms from different languages, including the Japanese word Hakai (meaning destruction) and the Chinese word HunShui (meaning sleep) which signified concepts of destruction and inactivity. Prior to surrendering his company-issued computer, he attempted to erase data stored on it using encryption.

A review of his online search activity revealed that he had been researching techniques to gain higher-level access to systems, conceal ongoing processes, and quickly delete files. This confirmed his intention to interfere with the efforts of his former colleagues to resolve the problems he had created.

The company suffered hefty monetary losses as a direct result of Lu’s actions. The court found him guilty of intentionally damaging protected computer systems. He now faces a potential prison term of up to ten years. A judge will determine his final sentence, considering federal sentencing guidelines.

The investigation into this case was conducted by the Federal Bureau of Investigation’s Cleveland Field Office. The prosecution was handled by attorneys from the Justice Department’s Criminal Division and the US Attorney’s Office for the Northern District of Ohio.

This incident is not isolated, as there have been cases involving individuals causing significant damage to their former employers through technological means. In 2020, Sudhish Kasaba Ramesh, a former Cisco employee, pleaded guilty to damaging and exploiting the company’s internal networks, resulting in Cisco spending $1.4 million on remedial measures and refunding $1 million to affected customers.

In another incident, Singapore’s court sentenced 39-year-old Kandula Nagaraju to two years and six months in 2024 for hacking into his former employer’s computer system and deleting critical data. Nagaraju was part of a 20-member team at National Computer Systems, and reportedly, was upset after being fired over poor performance.

Ex-Employee Sabotages Company Systems, Faces Up to 10 Years

Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

The social network X suffered intermittent outages on Monday, a situation owner Elon Musk attributed to a “massive cyberattack.” Musk said in an initial X post that the attack was perpetrated by “either a large, coordinated group and/or a country.” In a post on Telegram, a pro-Palestinian group known as Dark Storm Team took credit for the attacks within a few hours. Later on Monday, though, Musk claimed in an interview on Fox Business Network that the attacks had come from Ukrainian IP addresses.

Web traffic analysis experts who tracked the incident on Monday were quick to emphasize that the type of attacks X seemed to face—distributed denial-of-service, or DDoS, attacks—are launched by a coordinated army of computers, or a “botnet,” pummeling a target with junk traffic in an attempt to overwhelm and take down its systems. Botnets are typically dispersed around the world, generating traffic with geographically diverse IP addresses, and they can include mechanisms that make it harder to determine where they are controlled from.

“It’s important to recognize that IP attribution alone is not conclusive. Attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin," says Shawn Edwards, chief security officer of the network connectivity firm Zayo.

X did not return WIRED's requests for comment about the attacks.

Multiple researchers tell WIRED that they observed five distinct attacks of varying length against X's infrastructure, the first beginning early Monday morning with the final burst on Monday afternoon.

The internet intelligence team at Cisco's ThousandEyes tells WIRED in a statement, “During the disruptions, ThousandEyes observed network conditions that are characteristic of a DDoS attack, including significant traffic loss conditions which would have hindered users from reaching the application.”

DDoS attacks are common, and virtually all modern internet services experience them regularly and must proactively defend themselves. As Musk himself put it on Monday, “We get attacked every day.” Why, then, did these DDoS attacks cause outages for X? Musk said it was because “this was done with a lot of resources,” but independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly. X has since secured the servers.

“The botnet was directly attacking the IP and a bunch more on that X subnet yesterday. It's a botnet of cameras and DVRs,” Beaumont says.

A few hours after the final attack concluded, Musk told Fox Business host Larry Kudlow in an interview, “We're not sure exactly what happened, but there was a massive cyberattack to try to bring down the X system with IP addresses originating in the Ukraine area.”

Musk has mocked Ukraine and its president, Volodymyr Zelensky, repeatedly since Russia invaded its neighbor in February 2022. A major campaign donor to President Donald Trump, Musk now heads the so-called Department of Government Efficiency, or DOGE, which has razed the US federal government and its workforce in the weeks since Trump's inauguration. Meanwhile, the Trump administration has recently warmed relations with Russia and moved the US away from its longtime support of Ukraine. Musk has already been involved in these geopolitics in the context of a different company he owns, SpaceX, which operates the satellite internet service Starlink that many Ukrainians rely on.

DDoS traffic analysis can break down the firehose of junk traffic in different ways, including by listing the countries that had the most IP addresses involved in an attack. But one researcher from a prominent firm, who requested anonymity because they are not authorized to speak about X, noted that they did not even see Ukraine in the breakdown of the top 20 IP address origins involved in the X attacks.

If Ukrainian IP addresses did contribute to the attacks, though, numerous researchers say that the fact alone is not noteworthy.

“What we can conclude from the IP data is the geographic distribution of traffic sources, which may provide insights into botnet composition or infrastructure used,” Zayo’s Edwards says. “What we can’t conclude with certainty is the actual perpetrator’s identity or intent.”

_Additional reporting by Zoë Schiffer._

What Really Happened With the DDoS Attacks That Took Down X

Elon Musk has confirmed a massive cyberattack on his social media platform, X (once Twitter), causing widespread technical…

Elon Musk has confirmed a massive cyberattack on his social media platform, X (once Twitter), causing widespread technical problems. Reportedly, it was a well-coordinated effort from a group or country, most likely Ukraine.

A recent disruption to the X platform, formerly known as Twitter, has sparked controversy regarding its cause and origin. The platform experienced extended downtime, prompting its owner, Elon Musk, to claim that a significant cyberattack was responsible.

The attack began on March 10 and continued until 9:30 a.m. ET. Users reported issues accessing X at around 5:30 a.m. ET, followed by another outage at 9:30 a.m. ET and a third significant spike in error complaints around 11 a.m. ET. Some speculate that the X outage may have been caused by a DDOS (Distributed Denial of Service) attack.

In an X post, Musk publicly confirmed that the disruption was the result of a coordinated effort to disable the X system. He further specified that the attack’s originating internet protocol addresses were traced to the region of Ukraine.

“There was (still is) a massive cyberattack against 𝕏,” Musk wrote, adding that “We get attacked every day, but this was done with a lot of resources. Either a large, coordinated group and/or a country is involved. Tracing …”

The service interruptions were not uniform, with users experiencing intermittent outages. These periods of inaccessibility would last for approximately three-quarters of an hour, followed by brief periods of restored service, before the platform would once again become unresponsive. One particularly lengthy outage lasted several hours.

Musk indicated (video) that the scale of the attack suggested a substantial level of organization and resources. He proposed that either a large, coordinated group or potentially a state-sponsored entity was involved.

The claim that the attack originated from Ukraine has drawn scrutiny. Some have suggested that Musk’s political affiliations may have influenced his assessment. Given his alignment with a prominent political figure, and the current political climate surrounding aid to Ukraine, it is believed that the platform could become a target.

Musk also indicated that internal investigations were underway to determine the specifics of the attack. He stated that the platform’s security teams were attempting to trace the attack’s origins and methods.

Musk’s accusations come as President Trump’s administration has been critical of the Ukrainian government and the country’s response to the Russian invasion. This is a developing story, we will update this article as soon as there is any update regarding the investigation.

Determining the true cause of a cyberattack can be a complex and time-consuming process. It may take days, or even weeks, to gather sufficient evidence to identify the source and nature of the disruption definitively.

****DarkStorm Team Claims Responsibility****

While Musk blames Ukraine, the DarkStorm Team has claimed responsibility for the attack on X. ​Dark Storm Team is a group active since 2023, known for its pro-Palestinian stance and alleged ties to Russia. The group has targeted entities in Israel, NATO countries, and Western companies, often employing DDoS attacks to disrupt services.

Musk on Twitter and Dark Storm Team on Telegram

Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the issue stating, “It’s difficult to say with incomplete information, and in the early stages of things, but between the sustained nature of the outage and Dark StormTeam taking credit for it on Telegram, this does appear to be a legitimate cyberattack on X.”

Tag

#cisco