The CyberWire Daily Podcast 3.19.25
Ep 2268 | 3.19.25

Remote hijacking at your fingertips.

Transcript

A critical vulnerability could let attackers hijack and potentially disable vulnerable servers. Europol warns of a “shadow alliance” between state-backed threat actors and cybercriminals. Sekoia examines ClearFake. A critical PHP vulnerability is under active exploitation. A sophisticated scareware phishing campaign has shifted its focus to macOS users. Phishing as a service attacks are on the rise. A new jailbreak technique bypasses security controls in popular LLMs. Microsoft has uncovered StilachiRAT. CISA confirms active exploitation of a critical Fortinet vulnerability. On our CertByte segment, Chris Hare is joined by Troy McMillan to break down a question targeting the ISACA® Certified Information Security Manager® (CISM®) exam. AI coding assistants get all judgy.

Today is Wednesday March 19th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A critical vulnerability could let attackers hijack and potentially disable vulnerable servers. 

A critical vulnerability (CVE-2024-54085) in American Megatrends International’s (AMI) MegaRAC Baseboard Management Controller (BMC) software could let attackers hijack and potentially disable vulnerable servers. MegaRAC BMC, used by major server vendors like HPE, Asus, and ASRock, enables remote system management. The flaw allows remote attackers to take full control of affected servers, deploy malware, corrupt firmware, or even cause physical damage.

Security firm Eclypsium discovered the flaw while analyzing patches for a previous vulnerability. Over 1,000 exposed servers were found online, and more devices may be affected. While no exploits have been detected in the wild, researchers warn that creating one is easy. Admins are urged to apply patches released on March 11 and monitor for suspicious activity, as patching is complex and requires downtime.

Europol warns of a “shadow alliance” between state-backed threat actors and cybercriminals. 

The latest report from Europol warns of a growing “shadow alliance” between state-backed threat actors and cybercriminals, with AI amplifying their impact. The EU Serious and Organised Crime Threat Assessment 2025 highlights how groups—especially from Russia—use cybercrime to destabilize Europe while maintaining deniability. These hybrid threats involve ransomware, data theft, and AI-driven disinformation campaigns.

AI is making attacks more scalable and harder to detect, enabling deepfake-powered social engineering, automated fraud, and AI-driven cyberattacks. Europol warns that future AI advancements could lead to fully autonomous criminal networks.

Experts stress the need for defensive AI tools to counteract these evolving threats. Criminals don’t need perfect AI to succeed—just good enough to bypass security and deceive users. Europol urges governments and businesses to stay ahead in this digital arms race.

Sekoia examines ClearFake. 

A blog post from Sekoia examines ClearFake, a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. A recent variant has expanded its reach by exploiting Web3 technologies, targeting users involved in cryptocurrency, decentralized finance (DeFi), and NFTs. This campaign employs fake Google Meet pages that prompt users to fix non-existent technical issues, leading them to execute malicious code. Windows users are tricked into running scripts that download infostealers like Stealc and Rhadamanthys, while macOS users receive the AMOS Stealer. The operation is linked to cybercriminal groups “Slavic Nation Empire (SNE)” and “Scamquerteo,” both active in the Russian-speaking cybercrime ecosystem. These groups use sophisticated social engineering tactics and share infrastructure to maximize their reach.

A critical PHP vulnerability is under active exploitation. 

A critical PHP vulnerability (CVE-2024-4577) is being actively exploited to compromise Windows-based systems, according to Bitdefender Labs. The flaw, which affects PHP installations running in CGI mode, allows attackers to execute arbitrary code by manipulating character encoding conversions. Since June 2024, attackers have used it to deploy cryptocurrency miners like XMRig and remote access tools such as Quasar RAT.

Most attacks target systems in Taiwan (54.65%), Hong Kong (27.06%), and Brazil (16.39%), with some in Japan and India. Attackers use “Living Off The Land” techniques to evade detection, sometimes even modifying firewall rules to block competitors in a cryptojacking rivalry.

The PHP team has released patches in versions 8.3.8, 8.2.20, and 8.1.29, urging immediate updates. Organizations should switch to more secure architectures, restrict PowerShell access, and enhance monitoring. With ransomware groups eyeing this vulnerability, proactive threat detection is essential to prevent severe attacks.
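A practical way to act on this segment is to triage a PHP fleet inventory against the conditions it describes: Windows hosts, CGI mode, and a version below the fixed releases named above. The script below is an added example, not code from Bitdefender, the PHP project or the podcast; it assumes an inventory of (host, OS, SAPI, version) records such as a fleet scanner would emit, and the sample records are constructed. Branches with no named fix (8.0 and older) are reported separately rather than silently skipped, since no patch exists for them.

```python
"""Triage a PHP host inventory for CVE-2024-4577 exposure.

Added example, not from the podcast, Bitdefender or the PHP project. It assumes
an inventory of (host, os, sapi, version) records; the sample records below are
constructed.
"""
from dataclasses import dataclass

# Fixed versions named in the advisory, keyed by minor branch.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# SAPIs that run PHP as a CGI handler (the affected mode); values as
# reported by php_sapi_name().
CGI_SAPIS = {"cgi", "cgi-fcgi"}


@dataclass
class PhpHost:
    host: str
    os: str       # e.g. "windows", "linux"
    sapi: str     # e.g. "cgi-fcgi", "fpm-fcgi", "apache2handler"
    version: str  # e.g. "8.2.19"


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '8.2.19' or '8.2.19-dev' into a comparable (major, minor, patch) tuple."""
    parts = v.split("-")[0].split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def assess(h: PhpHost) -> str:
    """Return 'not-affected', 'patched', 'vulnerable' or 'unsupported-branch'."""
    # The flaw is specific to Windows builds running under a CGI SAPI.
    if h.os.lower() != "windows" or h.sapi.lower() not in CGI_SAPIS:
        return "not-affected"
    major, minor, patch = parse_version(h.version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # No fix was released for this branch: every build on it stays exposed,
        # so surface it explicitly instead of treating "no data" as "safe".
        return "unsupported-branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(hosts: list[PhpHost]) -> dict[str, str]:
    """Map each host name to its verdict."""
    return {h.host: assess(h) for h in hosts}


# Constructed sample inventory covering each verdict.
SAMPLE_INVENTORY = [
    PhpHost("web-01", "windows", "cgi-fcgi", "8.2.19"),        # below 8.2.20
    PhpHost("web-02", "windows", "cgi-fcgi", "8.2.20"),        # exactly the fix
    PhpHost("web-03", "windows", "apache2handler", "8.1.10"),  # not CGI mode
    PhpHost("web-04", "linux", "cgi-fcgi", "8.3.7"),           # not Windows
    PhpHost("legacy-01", "windows", "cgi", "7.4.33"),          # branch has no fix
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict}")
```

Feed it real records and the "vulnerable" and "unsupported-branch" rows become the patch or migration list; hosts not on a CGI SAPI are excluded on purpose so the list stays actionable.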

A sophisticated scareware phishing campaign has shifted its focus to macOS users. 

A sophisticated scareware phishing campaign has shifted its focus from Windows to macOS users, according to Israeli cybersecurity firm LayerX. Previously, the attackers tricked Windows users into believing their systems were locked due to a security breach. Victims were lured into entering their credentials on phishing pages hosted on Microsoft’s Windows.net platform, allowing attackers to bypass security checks.

However, new anti-scareware features in Chrome, Firefox, and Edge led to a 90% drop in Windows-targeted attacks. Within two weeks, the attackers adapted, modifying their tactics to target macOS users, particularly those using Safari. The phishing pages remained nearly identical but were adjusted to appear legitimate for Apple users.

By exploiting domain typos and compromised sites, the attackers redirected victims to fake login pages. LayerX warns that this evolving campaign is a significant threat to enterprises, as compromised corporate accounts could lead to widespread data exposure.

Phishing as a service attacks are on the rise. 

Barracuda has detected over a million phishing-as-a-service (PhaaS) attacks in 2025, with platforms like Tycoon 2FA, EvilProxy, and the newly emerging Sneaky 2FA leading the surge. Tycoon 2FA dominates, accounting for 89% of attacks, while EvilProxy holds 8% and Sneaky 2FA 3%.

Sneaky 2FA, operated by the cybercrime group Sneaky Log, bypasses two-factor authentication (2FA) and uses Telegram bots for adversary-in-the-middle (AiTM) attacks, primarily targeting Microsoft 365 users. Attackers leverage Microsoft’s ‘autograb’ function to pre-fill phishing pages with victims’ credentials.

Meanwhile, Tycoon 2FA has upgraded its evasion tactics, using encryption and obfuscation techniques to hide malicious activity. EvilProxy remains a major threat due to its accessibility, allowing less-skilled attackers to run phishing campaigns.

Barracuda warns users to watch for suspicious URLs and unexpected MFA prompts, as these attacks continue to evolve and evade detection.

A new jailbreak technique bypasses security controls in popular LLMs. 

A researcher from Cato CTRL has discovered a new jailbreak technique, Immersive World, that bypasses security controls in ChatGPT, Copilot, and DeepSeek, enabling AI-generated malware creation. This exploit tricked AI models into writing malware to steal Chrome credentials—without requiring prior coding expertise.

The discovery highlights the rise of “zero-knowledge” cybercriminals, where AI lowers the technical barrier for launching attacks. As AI adoption grows in finance, healthcare, and technology, security risks like data breaches, misinformation, and automated malware generation are escalating.

Experts warn that traditional security strategies may no longer be sufficient. The Immersive World jailbreak serves as a stark reminder of AI’s dual-use nature—both as a tool for innovation and a weapon for cybercrime.

Microsoft has uncovered StilachiRAT. 

Microsoft has uncovered StilachiRAT, a stealthy and persistent remote access trojan (RAT) designed to steal sensitive data from compromised systems. First detected in November 2024, the malware is not yet widely distributed, but Microsoft warns it can spread through trojanized software, malicious sites, and phishing emails.

StilachiRAT profiles infected systems, steals credentials from Chrome, monitors cryptocurrency wallets, and tracks clipboard content for valuable data. It can also spy on RDP sessions, allowing lateral movement within networks. To evade detection, it clears event logs, checks for analysis tools, and obfuscates Windows API calls.

The malware maintains persistence through watchdog threads and Windows services, making it difficult to remove. Microsoft has not attributed StilachiRAT to any known threat actor but stresses the need for vigilance as it poses a serious risk to organizations and individuals alike.

CISA confirms active exploitation of a critical Fortinet vulnerability. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical Fortinet vulnerability (CVE-2025-24472) in ransomware attacks. The flaw, affecting FortiOS and FortiProxy, allows attackers to gain super-admin privileges via crafted proxy requests. Linked to the Mora_00 ransomware group, it has been exploited to deploy a new strain called SuperBlack.

Additionally, CISA flagged a supply chain vulnerability (CVE-2025-30066) in the tj-actions/changed-files GitHub Action, which impacted over 23,000 organizations. Attackers modified the code, exposing CI/CD secrets in GitHub Actions logs.

Organizations are urged to patch Fortinet devices (FortiOS 7.0.17, 7.2.13, 7.0.20) and ensure they’re using a secure version of the GitHub Action to prevent further exploitation.
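The tj-actions/changed-files incident turned on a mutable reference: workflows that pulled the action by tag picked up the modified code, while a reference pinned to a full commit SHA cannot change what runs. The scanner below is an added example, not code from CISA, GitHub or the tj-actions project; it assumes workflow YAML under `.github/workflows/` and flags every `uses:` line that resolves through a tag or branch instead of a 40-character commit SHA. The sample workflow, its all-zero placeholder SHA and its tag name are constructed.

```python
"""Scan GitHub Actions workflow files for action references not pinned to a
full commit SHA.

Added example, not from CISA, GitHub or tj-actions. Assumes workflow YAML under
.github/workflows/; local (./) and docker:// references are ignored. The sample
workflow is constructed.
"""
import re
from pathlib import Path

# Matches `uses: owner/repo[/subpath]@ref`, with optional quotes and list dash.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)"
)
# A full 40-hex commit SHA is the only immutable reference form.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow_text(text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per action reference that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: a retagged release cannot swap the code
        findings.append(
            {"file": source, "line": lineno, "action": action, "ref": ref}
        )
    return findings


def scan_repo(root: Path) -> list[dict]:
    """Scan every *.yml / *.yaml workflow under root/.github/workflows."""
    findings = []
    for path in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        findings.extend(scan_workflow_text(path.read_text(), str(path)))
    return findings


# Constructed sample: one SHA-pinned step (placeholder SHA), one tag-pinned
# step (constructed tag name), one local action, one plain run step.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: tj-actions/changed-files@vN  # constructed tag, a mutable reference
      - uses: ./.github/actions/local-step
      - name: build
        run: make
"""

if __name__ == "__main__":
    for f in scan_workflow_text(SAMPLE_WORKFLOW, "ci.yml"):
        print(f"{f['file']}:{f['line']}: {f['action']}@{f['ref']} is not SHA-pinned")
```

Run `scan_repo(Path("."))` from a repository root to list every mutable reference; each finding is a candidate for replacing the tag with the commit SHA it currently resolves to, after checking that commit is the one you expect.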


AI coding assistants get all judgy. 

As companies rush to replace humans with AI, coding assistant Cursor might have just revealed what workplace bots will be like—a little snarky and a lot judgmental.

One user, janswist, learned this the hard way when Cursor flat-out refused to generate code for him. “You should develop the logic yourself,” it scolded, insisting he actually learn to code instead of relying on AI. So, naturally, janswist did what any frustrated dev would do—he filed a bug report, which quickly went viral.

Speculation swirled: Did Cursor hit a hard coding limit, or had it absorbed the grumpy spirit of Stack Overflow? Hacker News users joked that the AI might have trained on the notoriously sarcastic programming forum. If AI agents inherit human snark, maybe the real future of work is just arguing with robots.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.