Critical Cyber Threats This Week: AI Vulnerabilities, Ransomware Surges, and Supply Chain Risks
Executive Summary
In the past week, global cybersecurity developments have underscored new vulnerabilities and rapidly evolving threats that demand urgent attention. Notably, a surge of malicious packages on platforms like PyPI has targeted AI practitioners with infostealers, emphasising the need for vigilance in software supply chains. The North Korean hacking groups Kimsuky and Lazarus continue to adapt and deploy sophisticated malware campaigns, with Kimsuky using custom RDP Wrappers for stealthy access and Lazarus employing cross-platform JavaScript stealers to target cryptocurrency wallets.
Concerns about Taiwan and Australia's bans on the AI model DeepSeek highlight rising national security fears related to AI tools developed abroad, while vulnerabilities in high-profile infrastructure components such as Schneider Electric's industrial systems and AMD's SEV technology pose serious security risks if not swiftly mitigated. Moreover, ransomware actors are increasingly enticing insiders to betray their organisations through financial incentives, hinting at a shift in extortion tactics.
The Australian energy sector, represented by EnergyAustralia, is actively bolstering its cybersecurity leadership, reflecting heightened industry demand for robust security frameworks amidst escalating threats. Malware loaders like Coyote continue penetrating financial platforms predominantly in Brazil, raising concerns about their potential export to other regions, including Australia. Additionally, the exploitation of legacy authentication systems to bypass multifactor authentication, as seen in ADFS attacks on educational institutions, underscores vulnerabilities in outdated security technologies.
Concurrently, the rise of infrastructure laundering through legitimate cloud services like AWS and Azure by entities such as the Funnull CDN indicates advanced evasion techniques in play. As ransomware incidents surged in 2024, with over 6,000 logged attacks impacting organisations globally, including significant targets in Australia, the increasing sophistication of phishing attacks involving zero-click exploits and insider recruitment schemes highlights the relentless dynamism of cyber threats.
The addition of several new vulnerabilities to CISA’s KEV catalog, including critical flaws affecting Microsoft products and the Android OS, demands immediate risk mitigation strategies. These trends illustrate the compounded risks that Australian businesses face from both sophisticated international cyber actors and vulnerabilities within widely used technologies. Overall, these developments stress the urgent need for improved security protocols across sectors, enhanced collaboration between cybersecurity agencies, and the prioritisation of a proactive defence approach in mitigating these threats.
Vulnerability List
Vulnerability and Threat Report
- Trimble Cityworks Deserialization Vulnerability (CVE-2025-0994)
  This vulnerability in Trimble Cityworks involves deserialization of untrusted data, allowing remote code execution on Microsoft IIS web servers. It affects versions prior to 15.8.9 and is being actively exploited, with attackers potentially deploying tools like Cobalt Strike.
  Sources: CISA Warning, BleepingComputer
- ASP.NET Machine Keys Vulnerability
  Microsoft warns about exposed ASP.NET machine keys used in ViewState code injection attacks, allowing remote code execution on IIS web servers. Over 3,000 publicly available keys have increased the risk of exploitation.
  Sources: DarkReading, The Hacker News
- Malicious Machine Learning Models on Hugging Face
  Malicious models on Hugging Face exploit the unsafe Python pickle serialization format to execute arbitrary code upon deserialization. Users are advised to switch to safer serialization formats like JSON or XML.
  Sources: The Hacker News
- Brute Force Attacks on VPN Devices
  A massive brute force attack is targeting VPN devices from Palo Alto Networks, Ivanti, and SonicWall using 2.8 million IPs. The IPs are mainly sourced from Brazil, with compromised routers forming part of malware botnets.
  Sources: BleepingComputer
- Canadian Man Charged in $65M Cryptocurrency Fraud
  Andean Medjedovic has been indicted for a $65 million cryptocurrency fraud leveraging weaknesses in DeFi protocols KyberSwap and Indexed Finance, reflecting vulnerabilities in DeFi platforms.
  Sources: DarkReading
- CVE-2025-32123 in Microsoft Outlook
  This vulnerability involves improper input validation allowing remote code execution in Microsoft Outlook. CVE-2025-32123 impacts various Office products and threatens credential theft.
  Sources: BleepingComputer
- Ransomware Attack Trends in 2024
  Ransomware incidents hit a record high in 2024, with groups like LockBit leading attacks. Industrial sectors were heavily targeted, driving the need for advanced defensive measures.
  Sources: DarkReading
- Cryptomining Exploits in Luka's PyPI Packages
  The PyPI repository was hit by malicious packages mimicking DeepSeek AI, leading to credential theft.
  Sources: DarkReading
- DeepSeek App Data Transmission Vulnerability
  The DeepSeek app inadequately encrypts transmitted user and device data, exposing sensitive information to interception and exploitation.
  Sources: The Hacker News
- SolarWinds Supply Chain Attack Legacy
  Following the 2020 Sunburst cyberattack via SolarWinds, its implications continue to affect cybersecurity regulations and company policies, emphasizing scrutiny of software supply chains.
  Sources: DarkReading
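The Hugging Face item above turns on the fact that a pickle stream can name any importable callable and have it invoked during loading. The sketch below is an added example, not part of the original report or any vendor's tooling: it walks the opcodes with pickletools and lists what a file would import, without ever deserializing it. The ALLOWED set and the three sample streams are assumptions constructed for illustration.

```python
import collections
import pickle
import pickletools

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
# Assumption for this example: the only import a trusted file may need.
ALLOWED = {("collections", "OrderedDict")}

def imported_globals(data: bytes):
    """List (module, name) pairs the stream would import, without loading it."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)          # candidate operands for STACK_GLOBAL
        elif op.name in MEMO_OPS:
            continue                    # memo writes leave the stack unchanged
        else:
            if op.name in ("GLOBAL", "INST"):
                module, _, name = arg.partition(" ")
                found.append((module, name))
            elif op.name == "STACK_GLOBAL":
                # Unresolvable operands are reported as ("?", "?") so they fail closed.
                found.append(tuple(recent[-2:]) if len(recent) >= 2 else ("?", "?"))
            recent = []
    return found

def disallowed_imports(data: bytes):
    """Imports outside ALLOWED; a stream that cannot be parsed is rejected too."""
    try:
        return [g for g in imported_globals(data) if g not in ALLOWED]
    except Exception:                   # genops raises on truncated or unknown opcodes
        return [("?", "unparseable pickle")]

class ConstructedSample:
    """Constructed sample: reduces to a harmless callable and is never loaded here."""
    def __reduce__(self):
        return (print, ("constructed sample",))

PLAIN = pickle.dumps({"layer1.weight": [0.1, 0.2], "epoch": 3}, protocol=4)
ORDERED = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
SUSPECT = pickle.dumps(ConstructedSample(), protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("ordered", ORDERED), ("suspect", SUSPECT)):
        print(label, disallowed_imports(blob) or "no disallowed imports")
```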
Categories
- New Malware and Vulnerabilities
- Cyber Attacks and Threat Actors
- Data Breaches and Exploits
- Artificial Intelligence and Security Risks
- Security Policy and Regulatory Updates
Highlights: New Malware and Vulnerabilities
Recent reports have highlighted a surge in new malware activity and freshly identified vulnerabilities. Among them, a critical issue in AMD's Secure Encrypted Virtualization (SEV), CVE-2024-56161, threatens VM security. Microsoft faces a privilege escalation flaw, CVE-2024-53104, in the Azure AI Face Service, capable of bypassing authorisation. Additionally, Linux kernel vulnerabilities and banking Trojans like Coyote continue to affect systems globally. These developments emphasise the need for regular security patches and proactive monitoring.
Cyber Attacks and Threat Actors
The past week has witnessed numerous cyber attacks and campaigns. Key incidents include:
- Russian cybercrime group Crazy Evil targeting social media users.
- Lazarus Group distributing JavaScript stealers through LinkedIn job offers.
- Abandoned AWS S3 buckets being exploited for malware delivery.
These incidents highlight the evolving nature of cyber threats and the need for constant vigilance.
Conclusion
The cybersecurity landscape continues to evolve rapidly, with threats ranging from AI-integrated attacks to critical infrastructure vulnerabilities. Organisations must adopt a multi-layered approach, combining proactive monitoring, timely updates, and collaboration with cybersecurity agencies to stay ahead of the threat curve. Australian businesses, in particular, should prioritise securing legacy systems and monitoring emerging technologies to minimise risks.