Attackers exploit critical PHP flaw patched last June.

Summary

By the CyberWire staff

At a glance.

Attackers exploit critical PHP flaw patched last June.
North Korea's Moonstone Sleet deploys the Qilin ransomware.
Texas city declares state of emergency following cyberattack.

Attackers exploit critical PHP flaw patched last June.

Researchers at GreyNoise are tracking mass exploitation of a critical remote code execution flaw affecting PHP, SecurityWeek reports. The vulnerability (CVE-2024-4577) was patched last June, and dozens of exploits are available. The flaw, which received a CVSS score of 9.8, can be exploited to compromise Windows servers that are using Apache and PHP-CGI.

Cisco Talos said in a report last week that a threat actor was exploiting the vulnerability to target organizations in Japan since at least January 2025. GreyNoise observed additional exploitation during the same timeframe targeting entities in the US, the UK, India, Singapore, Taiwan, Indonesia, Malaysia, Hong Kong, and Spain.

Stop Identity-Based Cybercrime with SpyCloud’s Holistic Identity Threat Protection

Stolen identity data is the hot commodity for cybercriminals. With the full scope of your users’ digital footprints at risk for exposure, traditional account-centric security is no longer enough to protect your business from cyberattacks. SpyCloud helps security teams correlate and automatically remediate individuals' hidden identity exposures from breaches, malware, and phishing across their many online personas. Eliminate identity-based cyber threats and proactively defend against account takeover, fraud, and ransomware with SpyCloud.

North Korea's Moonstone Sleet deploys the Qilin ransomware.

Microsoft warns that the North Korean threat actor tracked as "Moonstone Sleet" has begun deploying the Qilin ransomware, marking the first time the group has used a ransomware-as-a-service offering, BleepingComputer reports. The group has previously deployed its own custom strains of ransomware. Microsoft published a report on Moonstone Sleet last year, assessing that the threat actor performs cyberespionage alongside financially motivated attacks on behalf of the North Korean government.

Many Voices. One Community.

Join Us at the RSAC 2025 Conference. Join us at RSAC, April 28 - May 1 in San Francisco and gain access to cybersecurity innovators, expert-led sessions, and hands-on workshops. Leave with new strategies, insights, and connections to elevate your cybersecurity journey.

Texas city declares state of emergency following cyberattack.

The border city of Mission, Texas, has declared a state of emergency following a cyberattack that potentially exposed all of the city government's data, the Record reports. Mission's mayor sent a letter to Texas Governor Greg Abbott requesting a state-level emergency declaration, saying, "The City of Mission, Texas, has suffered a cybersecurity incident such that the entire City computer server is at severe risk of a cyberattack that could release protected personal information, protected health information, civil and criminal records, and/or any and all other data held by the City of Mission and all departments within the City. I have determined that this incident is of such severity and magnitude that extraordinary measures must be taken to alleviate the immeasurable and imminent cybersecurity incident."

Notes.

Today's issue includes events affecting Hong Kong, India, Indonesia, Japan, the Democratic People's Republic of Korea, Singapore, Spain, Taiwan, the United Kingdom, and the United States.

Attacks, Threats, and Vulnerabilities

Feds Link $150M Cyberheist to 2022 LastPass Hacks (KrebsOnSecurity) In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing…

Undocumented commands found in Bluetooth chip used by a billion devices (BleepingComputer) The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

Trends

Ransomware roundup: February 2025 (Comparitech) February may be the shortest month of the year, but as Clop mass-released the remainder of its Cleo vulnerability victims and RansomHub continued its onslaught of claims, it turned into one of the busiest months for ransomware attacks over the last year or so.

Legislation, Policy, and Regulation

White House cyber director’s office set for more power under Trump, experts say (The Record) The Trump administration appears to be positioning the Office of the National Cyber Director to operate as the executive branch cybersecurity policy lead that Congress envisioned when establishing it in 2021, experts say.

Switzerland Mandates Cyber Reporting for Critical Infrastructure (Infosecurity Magazine) Starting April 2025, Swiss critical infrastructure organizations will have to report cyber-attacks to the country’s authorities within 24 hours of discovery

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

GovMilSpace (Washington, DC, USA, Mar 10 - 13, 2025) Demystify the future of space technology. In alignment with the SATELLITE Conference & Exhibition, GovMilSpace brings together government and military agencies, the intelligence community, and satellite and space industry partners to explore how private industry can enhance critical missions for the U.S. and its global allies.

Satellite 2025 (Washington, DC, USA, Mar 10 - 13, 2025) For 40+ years SATELLITE has gathered the global space and satellite communities for four immersive days of enterprise, insights, and innovation. This year, with the debut of GovMilSpace, SATELLITE expands its reach to address the needs and priorities of the defense sector.

WICYS 2025 (Dallas and Virtual, Texas, USA, Apr 2 - 5, 2025) WiCyS 2025 is the go-to event for cybersecurity professionals, students, and organizations. The conference is the flagship event to recruit, retain and advance women in cybersecurity.

40th Space Symposium (Denver and Virtual, Colorado, USA, Apr 7 - 10, 2025) Bringing together leaders from commercial, government and military space from around the world, the Space Symposium provides a forum to discuss, address and plan for future achievements in space. The Space Symposium program delivers exclusive networking and engagement opportunities with influential participants in one convenient and extraordinary venue. Space Symposium luncheons and dinners provide additional contact with influential participants.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 03.10.25

At a glance.

Attackers exploit critical PHP flaw patched last June.

North Korea's Moonstone Sleet deploys the Qilin ransomware.

Texas city declares state of emergency following cyberattack.

Notes.

Attacks, Threats, and Vulnerabilities

Trends

Legislation, Policy, and Regulation

Events