Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) narrowly avoided a shutdown of the Common Vulnerabilities and Exposures (CVE) program by extending its contract with MITRE for 11 months. The program, which assigns identifiers to publicly disclosed cybersecurity vulnerabilities, had faced an abrupt end because the Department of Homeland Security (DHS) had not renewed its funding contract, which was set to expire on April 16, 2025. A lapse would have disrupted global cybersecurity coordination, since organizations worldwide rely on the CVE system to track and address software vulnerabilities.
In response to the funding uncertainty, members of the CVE Board announced plans to establish the CVE Foundation, aiming to transition the program into an independent nonprofit. This move seeks to ensure the program's sustainability and neutrality, reducing reliance on a single government sponsor.
This month, cybersecurity researchers reported a major shift in tactics by the China-based “Smishing Triad,” a cybercrime group known for SMS phishing campaigns. Previously focused on impersonating postal services, the group is now targeting global banks and financial institutions.
Using iMessage and RCS, they send phishing messages that direct victims to fake banking websites, where card details and one-time passcodes are stolen. The stolen details are then used to add the cards to mobile wallets on devices controlled by the scammers, and those wallets are sold in bulk for fraudulent use.
The group operates at scale, leveraging phishing kits that spoof major financial brands like Visa, PayPal, and Citi. These tools are distributed via Telegram, fueling a cybercrime-as-a-service model. Analysts estimate the group maintains around 25,000 active phishing domains at any time, many hosted by Chinese firms.
The campaign highlights the evolving threat of phishing and the increasing professionalism behind global cybercrime operations.
Morphisec has published a report on "ResolverRAT," a new Trojan "that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques." The malware is targeting multiple countries, delivered via phishing emails with region-specific themes. Notably, the researchers have observed a wave of attacks against entities in the healthcare and pharmaceutical sectors.
The researchers dubbed the RAT "Resolver" due to its "heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static and behavioral analysis significantly more difficult."
This month, Fortinet reported that over 14,000 Fortinet FortiGate devices worldwide were compromised through a novel post-exploitation technique. Attackers exploited known vulnerabilities, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, to gain initial access. They then planted a symbolic link (symlink) that preserved read-only access to the device even after the original vulnerabilities were patched.
This symlink-based persistence allowed unauthorized access to sensitive data, such as device configurations, credentials, and cryptographic keys. The Shadowserver Foundation identified nearly 7,000 compromised devices in Asia, with significant numbers also in Europe and North America.
Fortinet released updates to detect and remove malicious symlinks. However, cybersecurity agencies, including CERT-NZ and CERT-FR, advised that patching alone is insufficient. They recommend isolating affected devices, conducting thorough forensic analyses, and resetting all associated credentials and certificates to mitigate the threat.
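The persistence pattern above relies on a symlink inside a client-reachable directory pointing at a location outside it, which routine patching leaves untouched. The following is an added example (not Fortinet's tooling, and the directory names are constructed for illustration) of the kind of check a defender can run over a served tree to flag symlinks that escape it, including the case of a link to the filesystem root:

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link, raw target, resolved target) for every symlink under
    served_root whose resolved target lies outside served_root.

    Links that stay inside the tree are ignored; dangling or looping links
    are reported as "dangling" because they are still unexpected in a
    directory that should only hold static content.
    """
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False so a symlinked directory is listed but not descended
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(link), os.readlink(link), "dangling"))
                continue
            if target == root or root in target.parents:
                continue  # stays within the served tree, nothing to report
            findings.append((str(link), os.readlink(link), str(target)))
    return findings


def build_sample_tree():
    """Constructed sample (hypothetical layout): one benign in-tree link and
    one link that exposes the root filesystem through the served directory."""
    served = Path(tempfile.mkdtemp()) / "served"
    (served / "lang").mkdir(parents=True)
    (served / "lang" / "en.json").write_text("{}")
    os.symlink(served / "lang" / "en.json", served / "lang" / "default.json")
    os.symlink("/", served / "lang" / "fs")  # the escaping link
    return served


def demo():
    """Run the check over the constructed tree; only the escaping link is hit."""
    hits = find_escaping_symlinks(build_sample_tree())
    return [(Path(link).name, target) for link, _raw, target in hits]
```

Run against a real appliance export, any hit that resolves outside the served tree is a candidate for the forensic review and credential reset the advisories recommend.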
Attackers are exploiting an authentication bypass vulnerability (CVE-2025-3102) in the OttoKit WordPress plugin (formerly known as "SureTriggers"), BleepingComputer reports. Exploitation began just hours after the flaw was disclosed on Wednesday, according to researchers at Patchstack.
Wordfence notes that OttoKit/SureTriggers is installed on more than a hundred thousand websites, though only a small subset of these are vulnerable to exploitation. The vulnerability can allow "unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key."