Apple AirBorne RCE, Lazarus Watering Attacks, CISA Flags Exploits – Cybersecurity News [April 28, 2025]

by DuoCircle

This week’s updates are packed with real-time threats and adversarial attacks. Nowadays, even Apple devices are open to silent attacks that need no tap from the user. Several software flaws are now confirmed to be under active attack, and there’s a fresh warning about ransomware-as-a-service being marketed with brand-friendly options. And if your developers forget to hide Git files, there’s a growing number of attackers ready to pounce. Here’s what happened recently and the details you should know.

Apple ‘AirBorne’ Vulnerabilities Enable Zero-Click AirPlay RCE Exploits

A set of serious flaws in Apple’s AirPlay technology could let attackers run malicious code or steal data without any user interaction. These bugs affect both Apple and third-party devices using AirPlay.

Researchers at Oligo Security discovered twenty-three new vulnerabilities in the AirPlay protocol and SDK, which can be exploited in several ways, including zero-click and one-click remote code execution, denial of service, man-in-the-middle attacks, and bypassing access controls. Two of the most serious flaws (CVE-2025-24252 and CVE-2025-24132) allow attackers to create wormable zero-click exploits that can spread across devices on the same network. Another flaw, CVE-2025-24206, lets attackers bypass the user’s “Accept” click for AirPlay requests, enabling silent takeovers. These attacks only work if the attacker is on the same network or connected via peer-to-peer, but once in, they can move laterally across other AirPlay-enabled devices.

The flaws have now been patched, and users are strongly advised to update all the Apple and AirPlay-enabled devices in their possession. Also, disabling AirPlay when not in use and limiting access to trusted devices can help reduce risks.

Lazarus Group Targets Six Organizations in Watering Hole Attacks

Lazarus recently targeted organizations in Southeast Asia using a mix of known exploits and website compromises.

The attack was analyzed by Kaspersky and ran from November 2024 to February 2025. It impacted at least six organizations across the software, IT, finance, telecom, and semiconductor sectors. Lazarus started by compromising popular Southeast Asian media sites, inserting scripts to profile visitors, and redirecting selected ones to fake websites imitating legitimate software vendors. These fake sites targeted users of Cross EX, a file transfer client widely used for online banking and government services. Although the exact exploit method remains unclear, the attackers used malicious JavaScript to exploit Cross EX and deliver malware. The malware launched a legitimate process called SyncHost.exe and injected shellcode to load the ThreatNeedle backdoor, which can run 37 commands on infected systems. From there, additional tools like LPEClient, Agamemnon, wAgent, and Innorix Abuser were deployed.

The exploited software has since been patched, and one unexploited zero-day was also fixed. Organizations should update affected software and monitor for signs of compromise. To further strengthen defense measures, integrating advanced email security tools such as DuoCircle can help prevent phishing and malware delivery through email channels, complementing other security measures.

CISA Flags Broadcom Fabric OS and CommVault Vulnerabilities as Actively Exploited

CISA has added three security flaws to its Known Exploited Vulnerabilities list after confirming they are being actively used in real-world attacks.

The first flaw is in Broadcom’s Brocade Fabric OS, which runs on Fibre Channel switches used to manage storage networks. Tracked as CVE-2025-1976, it affects versions 9.1.0 to 9.1.1d6. Although it requires admin-level access, attackers have been using it to run arbitrary commands or modify the OS itself. Broadcom has fixed this issue in version 9.1.1d7, and newer versions like 9.2.0 are not affected. The second flaw, CVE-2025-3928, affects Commvault web servers that are part of a widely used backup and restore solution.

This flaw lets authenticated users drop webshells on servers that are reachable from the internet. It has been fixed in recent software updates for both Windows and Linux. The third issue, CVE-2025-42599, is a buffer overflow in Qualitia’s Active! Mail client. It has caused service disruptions and was confirmed by JPCERT/CC to be under attack. A fix is available in a newer build of the client.

Organizations have until mid-May to apply the updates. Users and admins should patch affected systems as soon as possible to stay protected.

DragonForce Introduces White-Label Ransomware in New Affiliate Strategy

DragonForce, a ransomware group, is changing how ransomware operations work by offering a service model that lets other cybercriminals run their own branded attacks using DragonForce’s tools and infrastructure.

Instead of the usual model where ransomware developers provide malware to affiliates and manage data leak sites themselves, DragonForce has created a system that lets affiliates white-label their attacks. Affiliates can use DragonForce’s malware, negotiation tools, and storage servers under their own chosen brand name while paying 20% of the ransom as a fee. This model removes the need for them to build and manage their own tech. DragonForce calls itself a ransomware cartel and says it aims to host unlimited partner brands targeting ESXi, NAS, BSD, and Windows systems.

They say they follow certain rules, such as avoiding attacks on hospitals treating cancer or heart patients. A representative said they want money, not to harm people. While DragonForce promises flexibility and control, it requires strict adherence to its rules and can remove affiliates who break them. The group claims its service has attracted known threat actors and has already onboarded at least one gang, RansomBay.

The full scale of adoption is unclear, but this setup could attract more low-effort attackers. Organizations should stay alert, patch systems, and back up critical data regularly.

Hackers Intensify Scanning for Exposed GitHub Tokens and Secrets

Hackers are scanning the internet for exposed Git configuration files to steal credentials and access cloud services and private code repositories.

GreyNoise, a threat monitoring enterprise, reported a sharp spike in this activity between April 20 and 21, 2025. During this period, nearly 4,800 unique IP addresses were involved daily, much higher than normal. The scans came from all over the world, but most of the traffic originated from and targeted Singapore, followed by the United States and Germany. Git config files can contain sensitive data like remote repository links, automation scripts, and, most critically, account credentials and access tokens. When developers fail to block public access to the .git/ directory while deploying websites, these files become easy targets. This type of scanning has happened before.

In October 2024, Sysdig exposed an operation called EmeraldWhale that stole 15,000 cloud credentials by scanning for these files. The same method was used to breach the Wayback Machine and maintain access despite efforts to remove the attackers. GreyNoise has recorded four major waves of this activity since late 2024, with the latest being the most intense. The scans are now heavily concentrated on regions with advanced infrastructure and high-value targets.

To mitigate this threat, organizations are advised to block all public access to .git/ directories, monitor web-server logs for probes, and quickly rotate any credentials that may have been exposed.
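The two defensive checks the advice above calls for, as an added example that is not part of the DuoCircle article or any tool it mentions: one function scans web-server access-log lines for requests under /.git/ and records whether the server actually answered them with a 2xx response (which means the metadata was handed out and credential rotation is warranted), and a second function inspects the text of a .git/config file for remote URLs that embed a username:token pair, which is exactly what a successful probe harvests. The log lines, IP addresses, token and repository names are constructed sample data; the log layout assumed is the common Apache/nginx "combined" format.

```python
"""Defender-side checks for exposed .git/ directories (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches the leading fields of an Apache/nginx "combined" log line:
# client IP, bracketed timestamp, request line, then the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_git_probes(lines):
    """Return {ip: {"requests": n, "served": n}} for every client that touched /.git/.

    "served" counts 2xx responses. A non-zero value means repository metadata was
    actually delivered, so any credentials in it must be treated as compromised.
    """
    hits = defaultdict(lambda: {"requests": 0, "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than guess
        path = m.group("path").split("?", 1)[0].lower()
        if "/.git/" not in path and not path.endswith("/.git"):
            continue
        entry = hits[m.group("ip")]
        entry["requests"] += 1
        if m.group("status").startswith("2"):
            entry["served"] += 1
    return dict(hits)


# Matches a "url = ..." key inside a git config section.
URL_KEY_RE = re.compile(r'^\s*url\s*=\s*(?P<url>\S+)', re.IGNORECASE)


def find_embedded_credentials(config_text):
    """Flag remote URLs in a .git/config that carry user[:secret]@host.

    Only the section name, host and whether a password/token is present are
    reported, so the secret itself never ends up in a log or ticket.
    scp-style remotes such as git@host:org/repo.git carry no secret and are skipped.
    """
    findings = []
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = URL_KEY_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.username is not None:  # credential material in the authority part
            findings.append({
                "section": section,
                "host": parts.hostname,
                "has_password": parts.password is not None,
            })
    return findings


# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2025:03:14:07 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [21/Apr/2025:03:14:08 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
198.51.100.7 - - [21/Apr/2025:03:15:01 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "curl/8.5.0"
192.0.2.44 - - [21/Apr/2025:03:16:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2025:03:17:45 +0000] "GET /app/.git/index HTTP/1.1" 404 162 "-" "curl/8.5.0"
"""

# Constructed sample .git/config; the token value is a placeholder, not a real secret.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://ci-bot:ghp_EXAMPLETOKEN@github.com/example-org/webapp.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@github.com:example-org/webapp.git
"""

if __name__ == "__main__":
    for ip, stats in scan_git_probes(SAMPLE_LOG.splitlines()).items():
        verdict = "SERVED - rotate credentials" if stats["served"] else "blocked"
        print(f"{ip}: {stats['requests']} .git/ requests, {verdict}")
    for f in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"[{f['section']}] embeds credentials for {f['host']} (password: {f['has_password']})")
```

Running the script against the constructed data reports the first client as having been served two .git/ files (rotation needed) and the second as blocked, and flags only the "origin" remote, since the scp-style "mirror" URL carries no secret. Pair the log check with a deny rule on the web server itself (for nginx, a `location ~ /\.git { deny all; }` block) so probes return 403 rather than the file.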