CyberMinute - Alberta Cybersecurity Insights

April 7, 2025 issue


Navigating the Risks of Encrypted Messaging

In response to last year’s Chinese state-sponsored attacks that compromised the critical infrastructure of "dozens of countries", U.S. intelligence and cybersecurity agencies have recommended the use of end-to-end encrypted (E2E) messaging platforms such as Signal. In the aftermath of attacks by the threat actor known as Salt Typhoon, who infiltrated telecom networks and gained unauthorized access to sensitive systems including government wiretapping platforms, CISA and the FBI advised users and government officials to avoid SMS (Short Message Service) messaging and switch to encrypted services for sensitive communications.

Despite stronger encryption, the increased use of secure messaging apps has shifted the tactics of threat actors. Recent headlines highlight how attackers have been adapting their methods. A report from Google’s Threat Intelligence Group revealed that Russian actors exploited Signal’s “Linked Devices” feature in phishing campaigns, tricking users into approving unauthorized device connections. This allowed them to observe secure conversations and impersonate trusted contacts to escalate their level of access.  

More recently, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a similar attack using advanced social engineering. A previously compromised Signal account belonging to a Ukrainian official was used to send targeted phishing messages to secondary targets. The attackers leveraged the inherent trust placed in encrypted platforms: recipients believed they were communicating with a trusted contact, which made the subsequent phishing messages far more convincing.

These incidents show that while E2E encryption raises the barrier to entry for cyberespionage, user vigilance, secure configurations, and careful administration of group chat membership remain essential. As threat actors evolve to bypass prior safeguards (such as using Phishing-as-a-Service kits that defeat MFA), staying informed on the latest tactics is critical to preventing compromise. Organizations and individuals can stay current on evolving threats by following updates from CyberAlberta.



New Malware Exploiting Ivanti Products: Alberta Organizations at Risk

On March 28, 2025, CISA released a malware analysis report on a new malware variant identified as Resurge that specifically targets Ivanti Connect Secure appliances. Resurge exploits CVE-2025-0282, a stack-based buffer overflow that allows unauthenticated remote code execution, first identified in January of this year. Ivanti has since released a report on the critical vulnerability CVE-2025-22457, which has also been exploited. A Censys search indicates that several organizations in Alberta use the impacted products, though it is unclear whether they are running the affected versions:

  • Ivanti Connect Secure (version 22.7R2.5 and prior)
  • Pulse Connect Secure (version 9.1R18.9 and prior)
  • Ivanti Policy Secure (version 22.7R1.3 and prior)
  • ZTA gateways (version 22.8R2 and prior)

Assuming some of the identified products are vulnerable, this discovery heightens the risk for Alberta-based organizations that have not applied the latest patches. Threat actors deploying the Resurge variant will use similar methods to identify vulnerable targets, making it likely that Alberta-based organizations will appear on their target lists.

The Resurge variant has been found to share capabilities with SPAWNCHIMERA, a strain of the SPAWN malware family used by Chinese hacker groups targeting Ivanti vulnerabilities. CISA has reported that Resurge is able to create web shells, manipulate integrity checks, harvest credentials, create accounts, reset passwords, and elevate permissions. Since the malware can remove evidence of exploitation, simply applying the new patches is not enough, and extra precautions are advised. A factory reset is recommended in order to have the highest level of confidence that Resurge is not present on your system.

Organizations should review whether any Ivanti products are unpatched and, if so, follow the CISA recommendations and perform a factory reset after updating to ensure Resurge has been removed.
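A small inventory triage script, added here as an illustration and not part of the CISA or Ivanti guidance: it parses Ivanti's "22.7R2.5"-style version strings numerically and flags any appliance at or below the version bounds listed above. The product names and bounds come from the list in this article; the parsing scheme and the sample inventory are assumptions constructed for the example.

```python
import re

# Affected ranges exactly as listed in the article (inclusive upper bounds).
AFFECTED_UPPER_BOUND = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA gateways": "22.8R2",
}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. "22.7R2.5" or "22.8R2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the article's listed bound."""
    bound = AFFECTED_UPPER_BOUND.get(product)
    if bound is None:
        raise KeyError(f"product not in the affected list: {product!r}")
    # Tuple comparison is numeric per component, so "R18.10" is newer than "R18.9".
    return parse_version(version) <= parse_version(bound)


def triage(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the inventory entries that still need patching and a factory reset."""
    return [f"{product} {version}" for product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory; versions are made up for this example.
SAMPLE_INVENTORY = [
    ("Ivanti Connect Secure", "22.7R2.5"),   # exactly at the bound: affected
    ("Ivanti Connect Secure", "22.7R2.6"),   # one patch level newer: not affected
    ("Pulse Connect Secure", "9.1R18.10"),   # string compare would wrongly flag this
    ("Ivanti Policy Secure", "22.7R1.2"),
    ("ZTA gateways", "22.8R2"),
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print("NEEDS PATCH + FACTORY RESET:", entry)
```

Feed it your own (product, version) pairs from an asset inventory; anything returned by `triage` should be patched and factory reset per the CISA guidance rather than merely updated.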



Oracle Finally Admits to Second Breach

On March 21st, 2025, CloudSEK, a threat intelligence firm, disclosed that a threat actor was attempting to sell data purportedly obtained from Oracle Cloud Infrastructure (OCI) login servers. The actor, identified as rose87168, posted on BreachForums offering approximately six million records for sale. These records included encrypted SSO passwords, Java Keystore files, key files, and Enterprise Manager JPS keys, affecting around 140,000 tenants. 

Oracle firmly denied any breach of customer data, maintaining their stance despite industry claims supporting the breach's legitimacy. CloudSEK released a follow-up report after Oracle's denial, presenting further evidence to substantiate the breach. Similarly, SOC Radar corroborated these findings, stating, "Despite Oracle’s denial of the breach, evidence from 'rose87168' suggests a significant compromise."  

On April 2nd, Oracle capitulated and disclosed to affected clients that their system had been breached, resulting in the theft of old client login credentials. Oracle stated that, as some had suspected, the compromised system was a legacy system unused for the past eight years. However, some of the stolen customer login data includes credentials from as recently as 2024. It is advised to rotate credentials used to access OCI, beginning with tenant administrators. Additionally, organizations should enhance monitoring of OCI access and logs for any suspicious activity.

Organizations should also take this opportunity to review their security policies and procedures related to cloud infrastructure. This includes conducting regular security audits, implementing multi-factor authentication, and ensuring that all software and systems are up to date with the latest security patches. By taking these proactive steps, organizations can better protect themselves against potential threats and mitigate the impact of any future incidents. 
