Security Community

Who: • Hertz (car rental company) • Cleo Communications (file transfer vendor) • Possible link to Clop ransomware gang (Russia-affiliated) What: A cyberattack exploiting zero-day vulnerabilities in Cleo’s platform led to unauthorized access to Hertz customer data between October–December 2024. Exposed data includes: • Names, contact details, and dates of birth • Credit card and driver’s license information • Some Social Security and passport numbers • Workers' compensation claim data Impact: • Global exposure: Breach notices issued in the U.S., Canada, EU, UK, and Australia • Unknown scope: Number of affected customers not yet confirmed • No current evidence of fraudulent use, but sensitive data is at risk • Cleo vulnerabilities have been patched, and authorities have been notified Action Needed: • Monitor for fraud and identity theft • Review vendor security practices • Implement stronger third-party risk management policies Read the full article HERE

Security Brief: Phishing Campaigns Use Real-Time Validation for Credential Theft Who: Threat actors employing advanced phishing techniques, tracked by Cofense and Ontinue. Related activity linked to clusters Storm-1811 and STAC5777. What: A new tactic dubbed “precision-validating phishing” uses real-time email validation to display fake login pages only to verified, high-value email accounts. This approach improves success rates and evades detection by security tools. Additional phishing lures use file deletion notices to deliver malware or direct users to bogus Microsoft login pages. In a separate campaign, attackers used Microsoft Teams messages and Quick Assist for remote access and multi-stage compromise. Impact: • Credential theft from real, active accounts with higher resale/exploitation value. • Malware delivery via fake OneDrive installers using ScreenConnect remote access. • Extended phishing campaign lifespans due to evasion of automated analysis. • Persistence and remote access achieved using legitimate tools (e.g., TeamViewer, Node.js). Action Needed: • Educate users on new phishing tactics and suspicious file deletion lures. • Disable unused collaboration tools like Quick Assist. • Monitor for abnormal remote access activity and unauthorized use of tools like TeamViewer. Read the full article HERE

Who: A threat actor tracked as Storm-2460 exploited a Windows zero-day (CVE-2025-29824) using the PipeMagic trojan to deploy ransomware. Victims include IT, real estate, financial, software, and retail sectors across the U.S., Venezuela, Spain, and Saudi Arabia. What: The vulnerability, a privilege escalation flaw in Windows Common Log File System (CLFS), was used to gain SYSTEM privileges. Attackers delivered encrypted ransomware payloads via a malicious MSBuild file and certutil, leveraging compromised third-party sites. Impact: Systems were compromised to steal credentials (via LSASS dump) and encrypt files with ransomware linked to the RansomEXX family. Windows 11 version 24H2 is not affected. Microsoft has patched the flaw and urges immediate updates. Action Needed: • Apply April 2025 Patch Tuesday updates. • Monitor for PipeMagic and related activity. • Restrict certutil use and implement credential protection strategies. Read the full article HERE