Cyber Briefing: 2025.04.17
This briefing highlights Oracle cloud risks, Windows Task Scheduler flaws, Chinese malware campaigns, a $5M crypto exploit, insider breaches, CVE program updates, and hospital data lawsuits.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
👉 What's going on in the cyber world today?
🚨 Cyber Alerts
1. CISA Warns of Oracle Cloud Access Risks
The Cybersecurity and Infrastructure Security Agency (CISA) warned of possible unauthorized access to a legacy Oracle Cloud environment and the resulting exposure of credential material such as usernames, passwords, and encryption keys. Because such material is often reused or embedded in scripts, automation, and infrastructure templates, attackers who obtain it can escalate privileges, move into connected cloud platforms, or run phishing campaigns under stolen identities, long after the original environment has been retired. CISA urges organizations to audit systems and code for affected credentials, reset any that may have been exposed, and enforce phishing-resistant multi-factor authentication.
2. Windows Task Scheduler Flaws Enable Attacks
Researchers have identified vulnerabilities in Windows Task Scheduler, specifically in the schtasks.exe binary that creates and manages scheduled tasks on local and remote computers, that let an attacker escalate privileges and cover their tracks. Registering a task with a stored account password (a batch logon rather than an interactive token) bypasses User Account Control (UAC) prompts, so the task's commands run with the account's highest privileges, up to SYSTEM, without the user ever consenting to elevation; the attacker must already know that account's password, so this is a post-credential-theft technique rather than a remote break-in. Crafted task metadata can also overwrite the Security log and the Task Scheduler event log, destroying the entries that would show the task's creation and making the activity hard for defenders to detect.
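A defender's check for the pattern described above, added here as an example and not taken from the newsletter or from the researchers' own tooling: it enumerates registered tasks that combine an elevated run level with a stored-password (batch) logon, then pulls recent task-creation events so the embedded task XML can be reviewed. It assumes an elevated PowerShell 5.1 or later session on the host being examined; the 7-day window and the 256-character Author threshold are arbitrary choices, not documented limits.

```powershell
# Added example: hunt for elevated batch-logon tasks and their creation events.
# Assumes an elevated session; thresholds below are arbitrary starting points.

function Get-ElevatedBatchLogonTask {
    Get-ScheduledTask | Where-Object {
        $_.Principal.RunLevel  -eq 'Highest' -and   # elevated token
        $_.Principal.LogonType -eq 'Password'       # batch logon, no UAC prompt
    } | ForEach-Object {
        # The registration XML carries the Author field and the full action list.
        $xml    = [xml](Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath)
        $author = [string]$xml.Task.RegistrationInfo.Author
        [pscustomobject]@{
            Task       = "$($_.TaskPath)$($_.TaskName)"
            RunAs      = $_.Principal.UserId
            Author     = $author
            LongAuthor = $author.Length -gt 256     # oversized metadata deserves a look
            Actions    = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

function Get-TaskCreationEvent {
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    # Security 4698 = "A scheduled task was created"; it embeds the task XML and
    # requires "Audit Other Object Access Events" to be enabled.
    # TaskScheduler/Operational 106 = "Task registered"; that log is off by default.
    $filters = @(
        @{ LogName = 'Security'; Id = 4698; StartTime = $start },
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $start }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $user = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            if (-not $user) { $user = ($data | Where-Object Name -eq 'UserContext').'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = $f.LogName
                Id       = $_.Id
                Subject  = $user
                TaskName = ($data | Where-Object Name -eq 'TaskName').'#text'
                TaskXml  = ($data | Where-Object Name -eq 'TaskContent').'#text'   # 4698 only
            }
        }
    }
}

Get-ElevatedBatchLogonTask | Format-Table -AutoSize
# Creation events whose embedded XML requests a password (batch) logon.
Get-TaskCreationEvent | Where-Object TaskXml -match 'LogonType>Password<' |
    Format-Table Time, Subject, TaskName -AutoSize
```

If both logs come back empty, treat that as a finding in itself: either auditing was never enabled or the logs have been overwritten, and the task list above is then the only local evidence you have. Forward 4698 and 106 to a collector so a local overwrite cannot erase the record.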
3. ToneShell Used in Mustang Panda Attacks
Mustang Panda, a China-sponsored espionage group, continues to target government entities and military organizations in East Asia and Europe with evolving malware. Security researchers have found that the group delivers ToneShell through weaponized RAR archives that pair a legitimate, signed executable with a malicious DLL. When the victim runs the executable, it loads the attacker's DLL from the same directory (DLL sideloading), so the payload executes inside a process that security tools are inclined to trust because of its valid signature. Recent investigations have identified several ToneShell variants, each with subtle modifications to evade detection, showing that the group keeps refining its tooling.
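A hunt for the sideloading setup described above, added here as an example and not code from the newsletter or from the researchers: it walks user-writable locations and reports every folder where a validly signed EXE sits next to a DLL that is unsigned or signed by a different publisher than the EXE. The default roots (Downloads and TEMP) are an assumption to adjust for your environment.

```powershell
# Added example: list DLL-sideloading candidates (signed EXE + untrusted DLL
# in the same folder). Roots are an assumption; hits are leads, not verdicts.

function Find-SideloadCandidate {
    param([string[]]$Root = @("$env:USERPROFILE\Downloads", "$env:TEMP"))

    $files = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue
    foreach ($dir in ($files | Group-Object DirectoryName)) {
        $exes = $dir.Group | Where-Object Extension -eq '.exe'
        $dlls = $dir.Group | Where-Object Extension -eq '.dll'
        if (-not $exes -or -not $dlls) { continue }   # need both halves of the pair

        foreach ($exe in $exes) {
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($exeSig.Status -ne 'Valid') { continue }   # only trusted-looking hosts matter here
            $exeSigner = $exeSig.SignerCertificate.Subject

            foreach ($dll in $dlls) {
                $dllSig   = Get-AuthenticodeSignature -FilePath $dll.FullName
                $unsigned = $dllSig.Status -ne 'Valid'
                $mismatch = (-not $unsigned) -and ($dllSig.SignerCertificate.Subject -ne $exeSigner)
                if ($unsigned -or $mismatch) {
                    [pscustomobject]@{
                        Folder    = $dir.Name
                        SignedExe = $exe.Name
                        ExeSigner = $exeSigner
                        Dll       = $dll.Name
                        DllStatus = $dllSig.Status
                        DllSigner = $dllSig.SignerCertificate.Subject
                        DllSha256 = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                    }
                }
            }
        }
    }
}

Find-SideloadCandidate | Sort-Object Folder | Format-Table -AutoSize
```

Expect noise: many legitimate installs ship a vendor-signed EXE beside Microsoft-signed runtime DLLs, so the signer-mismatch rows need a second look, while an unsigned DLL in a Downloads or TEMP folder next to a signed EXE is the combination worth pulling for analysis. Compare the DLL name against the EXE's import table and the hash against your threat intelligence before drawing conclusions.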
Click here for more alerts!
💥 Cyber Incidents
4. Hacker Exploits ZKsync Admin Account for $5M
On April 15, an attacker compromised an admin account for ZKsync's airdrop distribution contracts and used an administrative function to mint roughly 111 million unclaimed ZK tokens, worth about $5 million and increasing the total supply by 0.45%. The incident illustrates the risk of leaving a mint-capable privileged function under the control of a single account. ZKsync confirmed that no user funds were affected and worked with the Security Alliance (SEAL) on recovery. The ZK token fell about 7% over the following 24 hours as the market reacted.
5. Ameriprise Ex-Employee Exposes Customer Data
Ameriprise Financial, a Fortune 500 financial services company, disclosed that a former employee exposed the personal information of more than 4,600 customers. The exposure occurred between 2018 and 2020, when the former financial advisor moved to LPL Financial and took and shared more client data than was permitted. Ameriprise has not fully specified the data involved, but names, addresses, phone numbers, and email addresses were likely included. In response, the company says it has strengthened its controls and is offering affected customers free credit monitoring.
6. Alain Afflelou Breach Exposes Customer Info
Alain Afflelou, a French eyewear and hearing-aid retailer, suffered a cyberattack through one of its service providers. Attackers exploited a vulnerability in the provider's systems to gain unauthorized access to the company's customer relationship management (CRM) tool. Exposed personal data included names, addresses, phone numbers, and purchase details; the company says no banking details, social security numbers, or medical information were accessed. It is investigating the incident and implementing measures to prevent a recurrence. The case is a reminder that a supplier's access path into your CRM is part of your own attack surface.
Click here for more incidents!
📢 Cyber News
7. CVE Foundation Launches to Preserve CVE Program
The CVE Foundation has formally launched to secure the long-term stability and independence of the CVE Program, which has tracked publicly disclosed software vulnerabilities for 25 years and underpins vulnerability management worldwide. The launch came as MITRE's U.S. government contract to operate the program was about to lapse, raising fears that CVE assignment could stall and leave defenders without a common identifier for emerging threats. CISA subsequently extended the contract, but the Foundation was created as an independent non-profit so that the program no longer depends on a single funding source. Its stakeholders aim to safeguard the program's future so that security professionals worldwide can keep relying on CVE identifiers for vulnerability tracking and response.
8. DPP Law Fined After Ransomware Exposes Data
DPP Law, a law firm based in Bootle, UK, was fined £60,000 by the Information Commissioner's Office after attackers breached its systems and published confidential client data on the dark web. The breach involved more than 32GB of sensitive material, including court bundles, police body-camera footage, and details of 791 clients in criminal, family, and police-related matters. The attackers brute-forced an infrequently used administrator account that lacked multi-factor authentication, then moved laterally across the network to exfiltrate the data. The root cause is a familiar one: a privileged account with a guessable password and no second factor.
9. Kansas Hospitals Sued Over Data Breach
The University of Kansas Hospital Authority and Lawrence Memorial Hospital face a class action lawsuit over a breach by a physical therapist employed by KU Health, who accessed the private medical records of more than 400 patients. The suit alleges the therapist targeted women who had undergone breast augmentation surgery and viewed sensitive files, including nude photos and personal information. It also alleges that KU Health delayed notifying patients and law enforcement after discovering the access, and brings claims of negligence, privacy violations, and emotional distress. Insider access to records of patients the employee had no treatment relationship with is exactly the pattern that record-access auditing exists to flag.
Click here for more news!
📈 Cyber Stocks
💡 Cyber Tip
Beware of Legacy Cloud Misconfigurations in Oracle Environments
CISA warns that outdated Oracle Cloud setups may expose credentials like passwords and encryption keys, enabling unauthorized access and phishing attacks.
✅ Actions You Should Take:
Audit cloud environments – Review all legacy Oracle configurations and decommission unused services.
Reset exposed credentials – Immediately rotate keys, passwords, and tokens that may have been exposed.
Implement phishing-resistant MFA – Require FIDO2/WebAuthn security keys or certificate-based authentication rather than SMS or push codes, so a stolen password alone cannot grant access.
Why it matters: Legacy cloud systems often go unmonitored, creating silent entry points for attackers to escalate privileges and compromise sensitive systems.
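The audit step in this tip, and the CISA alert above that prompted it, both come down to finding where credential material from a retired environment still lives. The script below is an added example, not from the newsletter or from CISA's guidance: a first-pass scan of scripts, automation, and infrastructure templates for embedded private keys, Oracle-style key_file entries, password or API-key assignments, and credentials baked into URLs. The roots, file types, and patterns are assumptions to tune for your environment, and each hit is a lead to verify, not proof of exposure.

```powershell
# Added example: scan code and config trees for embedded credential material.
# Roots, include list and patterns are assumptions; every hit needs human review.

function Find-EmbeddedCredential {
    param(
        [string[]]$Root = @('.'),
        [string[]]$Include = @('*.ps1', '*.psm1', '*.sh', '*.py', '*.yml', '*.yaml', '*.json',
                               '*.tf', '*.tfvars', '*.env', '*.ini', '*.cfg', '*.config',
                               '*.properties', '*.txt')
    )
    $patterns = [ordered]@{
        PrivateKey   = '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'
        OciKeyFile   = '^\s*key_file\s*=\s*\S+'                 # ~/.oci/config style entry
        Assignment   = '(?i)\b(password|passwd|secret|api[_-]?key|auth[_-]?token)\b\s*[:=]\s*["'']?([^\s"'']{6,})'
        BasicAuthUrl = '(?i)://[^/\s:]+:[^@\s]+@'               # user:pass@host inside a URL
    }

    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($name in $patterns.Keys) {
                Select-String -Path $file.FullName -Pattern $patterns[$name] -AllMatches |
                    ForEach-Object {
                        $m = $_.Matches[0].Value
                        [pscustomobject]@{
                            File    = $file.FullName
                            Line    = $_.LineNumber
                            Pattern = $name
                            # Show only a prefix so the report itself does not leak the secret.
                            Match   = if ($m.Length -gt 12) { $m.Substring(0, 12) + '...' } else { $m }
                        }
                    }
            }
        }
}

# Assumed starting points: a local source tree and the OCI CLI config folder.
Find-EmbeddedCredential -Root "$env:USERPROFILE\source", "$env:USERPROFILE\.oci" |
    Sort-Object File, Line | Format-Table -AutoSize
```

Every confirmed hit should drive a rotation of that credential at its source (the cloud tenancy, not just the file), followed by a check of whether the old value was ever committed to version control, where it survives in history after being removed from the working tree.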
📚 Cyber Book
Networking All-in-One For Dummies by Doug Lowe
📊 Cyber Poll
Copyright © 2025 CyberMaterial. All Rights Reserved.