Microsoft Patch Tuesday for April 2025 addresses 134 vulnerabilities
Microsoft's April 2025 Patch Tuesday brings security updates addressing 134 vulnerabilities, including one actively exploited zero-day. Among these, eleven are rated as "Critical," all related to remote code execution.
The breakdown includes 49 elevation of privilege flaws, 9 security feature bypasses, 31 remote code execution bugs, 17 information disclosure issues, 14 denial of service flaws and 3 spoofing vulnerabilities. These figures exclude previously patched Mariner issues and 13 Microsoft Edge vulnerabilities fixed earlier in April.
The highlight of this update is CVE-2025-29824, a zero-day in the Windows Common Log File System Driver that allows local attackers to gain SYSTEM privileges. Researchers confirmed this flaw was exploited by the RansomEXX ransomware gang. While most patches are available now, updates for some Windows 10 versions, including LTSB 2015, are still pending and will be released later.
Four companies hit by HellCat ransomware group, including Asseco Poland
The HellCat ransomware group has struck again, targeting four companies across the U.S. and Europe by exploiting Jira credentials previously stolen via infostealer malware. Among the victims are Asseco Poland, HighWire Press, Racami and LeoVegas Group — firms spanning IT services, publishing, communications technology and online gaming. Asseco Poland, the largest software producer on the Warsaw Stock Exchange and a leader in advanced IT solutions for over 30 years, now heads the multinational Asseco Group — Europe’s sixth-largest software vendor, operating in 62 countries with 34,000 employees.
The breach trail leads back to infostealers such as StealC (used in the Asseco case), Raccoon, Redline and Lumma Stealer, which had silently harvested credentials from infected machines months in advance. Once inside Jira — a platform often linked to development pipelines and internal systems — HellCat moved laterally to exfiltrate sensitive data and deploy ransomware. This attack vector is especially concerning for managed service providers (MSPs), whose access to client systems makes them high-value targets if their credentials are compromised.
Researchers report that thousands of Jira credentials are already circulating in infostealer logs, many of which belong to employees of critical infrastructure providers. The HellCat ransomware group has claimed responsibility for 14 attacks from the beginning of 2025.
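The defender-side counterpart to the Jira credential problem described above is to triage infostealer log dumps for accounts on the hosts you own. The script below is an added example, not code from the article or from any of the vendors it cites: it parses a constructed URL/USER/PASS log layout (stealer logs vary, so treat the format as an assumption), keeps only entries whose host matches a monitored Jira host pattern, collapses duplicates, and records a short hash of the password so exposures can be correlated without storing the secret itself. All hostnames and credentials in it are placeholders.

```python
"""Triage infostealer-log entries for exposed Jira credentials.

Added example: the log layout below is a constructed approximation of the
URL/USER/PASS triples stealer logs commonly contain; hosts are placeholders.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample log (placeholder hosts, fake credentials, one duplicate).
SAMPLE_LOG = """\
URL: https://jira.example-corp.test/login.jsp
USER: a.kowalski@example-corp.test
PASS: Winter2024!
URL: https://example-corp.atlassian.net/login
USER: j.smith
PASS: hunter2
URL: https://mail.unrelated.test/
USER: someone
PASS: whatever
URL: https://jira.example-corp.test/login.jsp
USER: a.kowalski@example-corp.test
PASS: Winter2024!
"""

# Hosts we care about (placeholders). A leading "*." matches any subdomain,
# which covers Atlassian cloud tenants of the form <tenant>.atlassian.net.
MONITORED_HOSTS = ("jira.example-corp.test", "*.atlassian.net")

_ENTRY = re.compile(
    r"URL:\s*(?P<url>\S+)\s*\n\s*USER:\s*(?P<user>.*?)\s*\n\s*PASS:\s*(?P<pw>.*?)\s*(?:\n|$)"
)


def host_matches(host, patterns=MONITORED_HOSTS):
    """True if host is one of the monitored hosts or under a "*." wildcard."""
    host = host.lower()
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            suffix = p[1:]  # e.g. ".atlassian.net"
            if host.endswith(suffix) and host != suffix[1:]:
                return True
        elif host == p:
            return True
    return False


def parse_entries(text):
    """Yield (url, user, password) triples from the stealer-log text."""
    for m in _ENTRY.finditer(text):
        yield m.group("url"), m.group("user"), m.group("pw")


def fingerprint(secret):
    """Short SHA-256 prefix so repeats can be correlated without keeping the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_exposed(text, patterns=MONITORED_HOSTS):
    """Return {(host, user): fingerprint} for credentials on monitored hosts."""
    exposed = {}
    for url, user, pw in parse_entries(text):
        host = urlsplit(url).hostname or ""
        if host_matches(host, patterns):
            exposed[(host, user)] = fingerprint(pw)
    return exposed


if __name__ == "__main__":
    for (host, user), fp in sorted(find_exposed(SAMPLE_LOG).items()):
        print(f"{user} @ {host}: fingerprint {fp} -> rotate password, revoke sessions, require MFA")
```

Running it on the sample reports the two monitored-host accounts once each and ignores the unrelated mail host; the printed action list is the minimum response for a credential that has already left the organisation, since the stealer capture may predate the report by months.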
Cybercrime group Scattered Spider using fresh version of Spectre Rat malware for data thefts
Scattered Spider, an advanced cybercrime group active since 2022, continues its attacks in 2025, with recent victims including Klaviyo, HubSpot, Pure Storage, T-Mobile, Vodafone and others. Despite several arrests in 2024, the group has adapted quickly: researchers have tracked five distinct phishing kits and updated tooling, including a fresh version of the Spectre RAT malware used for persistent access and data theft.
Scattered Spider targets large organizations by creating fake web domains that impersonate trusted brands and software vendors used by their victims. The attacks often begin with SMS phishing to harvest employee login credentials and MFA tokens. With this access, the group infiltrates systems, exfiltrates sensitive data, encrypts files and pressures organizations into paying ransom through extortion.
In their latest campaigns, Scattered Spider has begun leveraging publicly rentable subdomains — such as klv1.it[.]com — to host phishing pages, a move that makes their infrastructure more agile and harder to detect. Some of these domains impersonate multiple brands simultaneously, including Nike, T-Mobile and Tinder, reflecting a more aggressive and wide-reaching approach. Meanwhile, the updated Spectre RAT malware discovered in these operations shows signs of ongoing development, with enhanced obfuscation techniques, expanded C2 capabilities and flexible architecture designed to maintain long-term access within compromised environments.
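Brand-impersonation domains and rentable subdomains such as the klv1.it[.]com example above are something a defender can screen for in certificate-transparency feeds, DNS logs or SMS-link reports. The script below is an added example, not code from the article or from the researchers it cites. It undoes the defanged "[.]" notation, treats a short list of rentable suffixes (it.com from the page, plus ordinary public suffixes) as the boundary so that the label an attacker actually controls is compared, folds common digit-for-letter substitutions, and matches the result against protected brand aliases by substring and by similarity ratio. The brand list, aliases, allowlisted legitimate domains, thresholds and sample domains are all constructed assumptions; a production version would use the full public-suffix list and a curated alias set.

```python
"""Flag domains that impersonate protected brands, including names rented
under public subdomain services. Added example; all lists are constructed."""
import re
from difflib import SequenceMatcher

# Protected brands and short aliases (constructed; "klv" covers abbreviations
# like the klv1 label quoted in the article).
BRANDS = {
    "klaviyo": ["klaviyo", "klv"],
    "t-mobile": ["tmobile", "t-mobile"],
    "nike": ["nike"],
}
# Domains the brands really own (placeholders), so they are never reported.
LEGITIMATE = {"klaviyo.com", "t-mobile.com", "nike.com"}
# Suffixes under which anyone can rent a name; it.com is from the article,
# the rest are ordinary public suffixes. Longest suffix wins.
RENTABLE_SUFFIXES = ("it.com",)
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "io")

# Digit/symbol substitutions commonly used to dodge naive string matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def clean(domain):
    """Lower-case and undo the defanged '[.]' notation used in reports."""
    return domain.lower().replace("[.]", ".").strip(".")


def split_suffix(domain):
    """Return (label, suffix, rentable): label is the part the registrant controls."""
    d = clean(domain)
    for suf in sorted(RENTABLE_SUFFIXES + PUBLIC_SUFFIXES, key=len, reverse=True):
        if d == suf:
            return "", suf, suf in RENTABLE_SUFFIXES
        if d.endswith("." + suf):
            label = d[: -len(suf) - 1].split(".")[-1]
            return label, suf, suf in RENTABLE_SUFFIXES
    parts = d.split(".")  # unknown suffix: assume a plain two-level name
    if len(parts) >= 2:
        return parts[-2], parts[-1], False
    return parts[-1], "", False


def normalise(label):
    """Fold homoglyph digits to letters and drop everything but a-z."""
    return re.sub(r"[^a-z]", "", label.translate(HOMOGLYPHS))


def check_domain(domain, brands=BRANDS):
    """Return a dict describing the suspected impersonation, or None if benign."""
    d = clean(domain)
    if d in LEGITIMATE or any(d.endswith("." + ok) for ok in LEGITIMATE):
        return None
    label, suffix, rentable = split_suffix(d)
    norm = normalise(label)
    if not norm:
        return None
    for brand, aliases in brands.items():
        for alias in aliases:
            a = normalise(alias)
            if a in norm:
                reason = f"label '{label}' contains '{alias}'"
            elif SequenceMatcher(None, a, norm).ratio() >= 0.8:
                reason = f"label '{label}' is close to '{alias}'"
            else:
                continue
            return {"domain": d, "brand": brand, "reason": reason,
                    "suffix": suffix, "rentable_subdomain": rentable}
    return None


# Constructed samples; the first is the defanged name quoted in the article.
SAMPLES = ["klv1.it[.]com", "tm0bile-login.com", "klaviyyo.net",
           "klaviyo.com", "sso.klaviyo.com", "weather.example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_domain(s))
```

The rentable_subdomain flag is the useful extra signal here: blocking or sinkholing it.com outright would collateral-damage every other tenant, so the hit is scoped to the klv1 label, and the flag tells the analyst that WHOIS and registrar takedown paths apply to the subdomain provider rather than a registry.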
Ransomware attack hits Sensata Technologies, impacting its core operations
Sensata Technologies, with a reported annual revenue of $4 billion in 2023, was hit by a ransomware attack, which encrypted parts of its network and disrupted core operations like manufacturing, shipping and support services.
Sensata Technologies, headquartered in the U.S., is a global industrial technology leader, delivering sensor-rich solutions that generate valuable insights for customers across operations in 13 countries. The company confirmed in an SEC filing that data was also stolen during the incident. While immediate recovery efforts are underway, Sensata has not provided a timeline for full restoration. External cybersecurity experts are assisting with the investigation, which has so far verified that data exfiltration occurred.
Although no threat actor has claimed responsibility yet, Sensata acknowledges that the situation may evolve and has committed to notifying affected individuals and regulators. For now, the company does not anticipate a significant financial impact for the current quarter, though that assessment may change.
Precision-validated phishing now being used by threat actors to steal victims’ credentials
Phishing actors are now using a tactic called precision-validated phishing, which only displays fake login pages to email addresses on a preverified target list.
This method relies on real-time email validation — via third-party APIs or custom JavaScript — to block anyone not on the list, including researchers and automated security tools. As a result, phishing sites now reject fake or test addresses, redirecting users to harmless pages and significantly reducing detection rates.
Researchers report that even when using real targets' addresses, some phishing kits send verification codes to the victim’s inbox, making further analysis nearly impossible. This new technique extends the lifespan of phishing operations and renders traditional analysis methods largely ineffective.