Beyond Information Security

Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs

MITRE has released the latest version of its ATT&CK framework, which now also includes a new section (“matrix”) to cover the tactics, techniques and procedures (TTPs) used to target VMware ESXi hypervisors.

MITRE ATT&CK is a regularly updated public knowledge base that charts how real-world threat actors behave. It also lists known/documented threat actor groups, malware, and (some) past high-profile campaigns.

It’s used by cyber defenders and vendors for threat modeling and improving defenses: creating detection rules, building playbooks to simulate attacks, mapping attackers’ actions to ATT&CK tactics, building attack timelines, identifying gaps in detection or response, etc.

ATT&CK’s matrices are divided into three main groups: Enterprise, Mobile, and ICS (industrial control systems).

Source: Help Net Security / MITRE ATT&CK

Link: https://www.helpnetsecurity.com/2025/04/23/released-mitre-attck-v17-0-now-with-esxi-attack-ttps/

Link: https://attack.mitre.org/versions/v17/


159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure

As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024.

“We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure,” VulnCheck said in a report shared with The Hacker News.

This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.

The cybersecurity company said a majority of the exploited vulnerabilities have been identified in content management systems (CMSes), followed by network edge devices, operating systems, open-source software, and server software.

Source: The Hacker News

Link: https://thehackernews.com/2025/04/159-cves-exploited-in-q1-2025-283.html


5 Reasons Device Management Isn’t Device Trust

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture. The solution is more complex. For this article, we’ll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization’s security infrastructure.

Source: The Hacker News

Link: https://thehackernews.com/2025/04/5-reasons-device-management-isnt-device.html


Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks

Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild.

The vulnerabilities in question are listed below –

  • CVE-2025-31200 (CVSS score: 7.5) – A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file
  • CVE-2025-31201 (CVSS score: 6.8) – A vulnerability in the RPAC component that could be used by an attacker with arbitrary read and write capability to bypass Pointer Authentication

The iPhone maker said it addressed CVE-2025-31200 with improved bounds checking and CVE-2025-31201 by removing the vulnerable section of code. Both the vulnerabilities have been credited to Apple, along with Google Threat Analysis Group (TAG) for reporting CVE-2025-31200.

Source: The Hacker News / BleepingComputer / Dark Reading

Link: https://thehackernews.com/2025/04/apple-patches-two-actively-exploited.html

Link: https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/

Link: https://www.darkreading.com/vulnerabilities-threats/apple-zero-days-sophisticated-attacks


Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.

The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.

“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory. “When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”

Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised.

Source: The Hacker News

Link: https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html


Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs

In 2023, Cisco Talos discovered an extensive compromise in a critical infrastructure enterprise consisting of a combination of threat actors.

From initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of various dual-use remote administration, SSH and file transfer tools.

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/


The massive cybersecurity risk you’re overlooking: your office.

You have the latest and greatest spam filters on everyone’s email account. Endpoint detection and response tools on every company-issued device. An intrusion detection and prevention system guards your network gates, shouting “Halt!” at every packet that even looks at it funny. Your systems are totally locked down. No hackers are getting in here.

The front door of your office building—that’s another story. An attacker can probably waltz right in there. Trust me. I know from experience. I’m doing the waltzing.

One of the most fun parts of being IBM’s Chief People Hacker is that I get to do physical security assessments. Basically, I break into clients’ buildings—with permission!—to help identify flaws in their physical defenses.

Source: IBM Security Intelligence

Link: https://www.ibm.com/think/insights/physical-cybersecurity