
ECHO Cyber Threat Panorama: Weekly Threat Intelligence Bulletin (31.03.2025)

Introduction

The weekly Cybersecurity Bulletin is prepared by the ECHO team to summarize and report on the cybersecurity incidents that occurred in the past week.


Executive Summary

In this bulletin:

  • Current information is provided regarding attacks, data leaks, malware, ransomware, and critical security vulnerabilities.
  • Our security team prepares this weekly bulletin by analyzing these threats to minimize potential risks.

Ransomware of the Week: VanHelsing RaaS: The Rise of a New Ransomware-as-a-Service Platform

 


General Overview

VanHelsing RaaS is a new platform that started operating on March 7, 2025, offering ransomware attacks as a service. This service targets a wide range of participants, from experienced hackers to beginners, requiring a $5,000 deposit for participation. Participants receive 80% of the ransom payments, while the main operators take 20%. The only rule is that Commonwealth of Independent States (CIS) countries cannot be targeted.
This service:

  • Accepts membership for a $5,000 deposit
  • Revenue share: 80% to participants, 20% to operators
  • Restriction: CIS countries cannot be targeted

Within the first two weeks after the launch, three victims were identified, and ransom demands up to $500,000 were recorded.


Malware Details

  • Name: VanHelsing
  • Type: Ransomware-as-a-Service (RaaS)
  • Programming Language: C++
  • Detection Date: March 7, 2025
  • Target Platforms: Windows, Linux, BSD, ARM, ESXi
  • Target Sectors: Government, manufacturing, pharmaceuticals
  • Detected Countries: France, USA



Technical Details

Impact of the Malware

VanHelsing ransomware:

  • Encrypts files on systems, changing the file extension to .vanhelsing
  • Changes the desktop background, displaying a ransom note
  • Requests payment in Bitcoin
  • Uses a double extortion method:
    • Data is stolen before encryption
    • Threats of data leaks if payment is not made

Malware Code and Functions

Written in C++, VanHelsing ransomware performs the following functions:

  • Deletes Shadow Copies: Removes system restore points, reducing the chance of file recovery.
  • Scans Drives: Scans local and network drives to identify files for encryption.
  • File Encryption: Encrypts files and adds the .vanhelsing extension.
  • Changes Desktop Background: Alters the victim’s desktop background to display the ransom note.
  • Command Line Arguments: Supports various command line arguments to determine encryption mode, targeted locations, and other behaviors.

VanHelsing provides flexibility with command-line arguments:

  • Delete Shadow Copies – Prevent restore
  • Network and Local Drive Scanning – Find target files
  • File Encryption – With .vanhelsing extension
  • Change Desktop Image – Display ransom note
  • Mode Selection and Propagation – Spread via SMB across the network
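The behaviours listed above (shadow-copy deletion, then mass renaming to the .vanhelsing extension) are the ones a host-monitoring rule can key on. The following JavaScript is an added example, not code from the bulletin or from the ransomware itself: it triages constructed host telemetry for those two behaviours. The event field names (ts, host, type, cmd, path), the command-line patterns and the burst thresholds are assumptions made for this example.

```javascript
// Added example (not from the bulletin): triage of constructed host telemetry
// for two behaviours attributed to VanHelsing above. Event field names,
// detection patterns and thresholds are assumptions made for this example.

const VANHELSING_EXT = ".vanhelsing";

// Command-line patterns for shadow-copy deletion (ATT&CK T1490 style checks).
const SHADOW_DELETE_PATTERNS = [
  /\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b/i,
  /\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b/i,
];

// Helper that builds a run of rename events for the constructed sample.
function makeRenames(host, start, count, stepSec) {
  const events = [];
  for (let i = 0; i < count; i++) {
    events.push({
      ts: start + i * stepSec,
      host,
      type: "file_rename",
      path: `C:\\Users\\demo\\Documents\\doc${i}.docx${VANHELSING_EXT}`,
    });
  }
  return events;
}

// Constructed telemetry: ws-12 shows both behaviours, ws-07 is benign noise.
const SAMPLE_EVENTS = [
  { ts: 1711843200, host: "ws-12", type: "process", cmd: "vssadmin.exe delete shadows /all /quiet" },
  ...makeRenames("ws-12", 1711843205, 12, 2),
  { ts: 1711843300, host: "ws-07", type: "process", cmd: "notepad.exe report.txt" },
  ...makeRenames("ws-07", 1711843310, 2, 5),
];

// Returns one finding per matched rule and host.
function triageEvents(events, opts = {}) {
  const renameThreshold = opts.renameThreshold ?? 10; // renames within one window
  const windowSec = opts.windowSec ?? 60;
  const findings = [];
  const renamesByHost = new Map();

  for (const ev of events) {
    if (ev.type === "process" && SHADOW_DELETE_PATTERNS.some((re) => re.test(ev.cmd))) {
      findings.push({ host: ev.host, rule: "shadow_copy_deletion", detail: ev.cmd });
    } else if (ev.type === "file_rename" && ev.path.toLowerCase().endsWith(VANHELSING_EXT)) {
      if (!renamesByHost.has(ev.host)) renamesByHost.set(ev.host, []);
      renamesByHost.get(ev.host).push(ev.ts);
    }
  }

  // Sliding window over each host's rename timestamps.
  for (const [host, stamps] of renamesByHost) {
    const ts = [...stamps].sort((a, b) => a - b);
    let j = 0;
    for (let i = 0; i < ts.length; i++) {
      while (ts[i] - ts[j] > windowSec) j++;
      if (i - j + 1 >= renameThreshold) {
        findings.push({ host, rule: "vanhelsing_rename_burst", detail: `${i - j + 1} renames within ${windowSec}s` });
        break;
      }
    }
  }
  return findings;
}

// Usage: one line per finding.
for (const f of triageEvents(SAMPLE_EVENTS)) {
  console.log(`${f.host}\t${f.rule}\t${f.detail}`);
}
```

The shadow-copy rule fires on a single event because there is no benign reason for it on a workstation; the rename rule needs a burst so that a user renaming one file by hand does not page anyone.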

MITRE ATT&CK Techniques

  • T1486: Data encryption and ransom demand
  • T1078: Abuse of valid accounts
  • T1569.002: Command execution via system services

Malware of the Week: Atlantis AIO: An Automated Credential Stuffing Tool Targeting Over 140 Platforms


Description

Hackers are using the Atlantis AIO e-crime tool for credential stuffing attacks targeting over 140 platforms. Credential stuffing is a type of cyber attack in which the attacker gathers stolen account credentials, typically usernames or email addresses and passwords, and uses them for large-scale automated login attempts to gain unauthorized access to user accounts on systems.

Atlantis AIO is an advanced cybercrime tool that allows cybercriminals to perform automated credential stuffing attacks on over 140 platforms using stolen credentials.
The tool aims to gain unauthorized access by quickly testing millions of username and password combinations.
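The pattern described above, one source replaying a stolen list against many distinct accounts with mostly failed logins, is what a login-log detector should look for. The following JavaScript is an added example, not code from the bulletin or from Atlantis AIO: it parses constructed authentication log lines and flags sources matching that pattern. The log format and the thresholds are assumptions for this example.

```javascript
// Added example (not from the bulletin): flags the credential-stuffing pattern
// described above in constructed authentication log lines. Log format and
// thresholds are assumptions for this example.

// Builds a burst of logins from one source against many distinct accounts.
function makeStuffingBurst(ip, count, successIndexes) {
  const lines = [];
  for (let i = 0; i < count; i++) {
    const sec = String(i).padStart(2, "0");
    const user = `user${sec}@example.test`;
    const result = successIndexes.includes(i) ? "SUCCESS" : "FAIL";
    lines.push(`2025-03-28T09:00:${sec}Z ${ip} ${user} ${result}`);
  }
  return lines;
}

// Constructed log: "<ISO time> <source ip> <username> <result>" per line.
const SAMPLE_AUTH_LOG = [
  "2025-03-28T08:59:50Z 198.51.100.4 bob@example.test FAIL",
  "2025-03-28T08:59:55Z 198.51.100.4 bob@example.test FAIL",
  "2025-03-28T08:59:58Z 198.51.100.4 bob@example.test SUCCESS",
  ...makeStuffingBurst("203.0.113.9", 40, [7, 23]),
  "2025-03-28T09:01:00Z 198.51.100.7 carol@example.test SUCCESS",
  "garbage line that should be ignored",
];

function parseAuthLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 4) return null;
  const [ts, ip, user, result] = parts;
  if (!/^\d{4}-\d{2}-\d{2}T/.test(ts)) return null;
  return { ts, ip, user, result: result.toUpperCase() };
}

// A source is flagged when it makes many attempts, against many distinct
// accounts, with mostly failures: the signature of an automated list replay.
function detectCredentialStuffing(lines, opts = {}) {
  const minAttempts = opts.minAttempts ?? 20;
  const minDistinctUsers = opts.minDistinctUsers ?? 15;
  const minFailRatio = opts.minFailRatio ?? 0.8;
  const bySource = new Map();

  for (const line of lines) {
    const rec = parseAuthLine(line);
    if (!rec) continue;
    if (!bySource.has(rec.ip)) bySource.set(rec.ip, { attempts: 0, fails: 0, users: new Set(), successes: [] });
    const s = bySource.get(rec.ip);
    s.attempts++;
    s.users.add(rec.user);
    if (rec.result === "SUCCESS") s.successes.push(rec.user);
    else s.fails++;
  }

  const alerts = [];
  for (const [ip, s] of bySource) {
    const failRatio = s.fails / s.attempts;
    if (s.attempts >= minAttempts && s.users.size >= minDistinctUsers && failRatio >= minFailRatio) {
      // Accounts that succeeded from a flagged source are takeover candidates:
      // reset their credentials and notify the owners.
      alerts.push({ ip, attempts: s.attempts, distinctUsers: s.users.size, failRatio, successes: [...s.successes].sort() });
    }
  }
  return alerts.sort((a, b) => b.attempts - a.attempts);
}

for (const a of detectCredentialStuffing(SAMPLE_AUTH_LOG)) {
  console.log(`${a.ip}: ${a.attempts} attempts against ${a.distinctUsers} accounts, fail ratio ${a.failRatio.toFixed(2)}, takeover candidates: ${a.successes.join(", ")}`);
}
```

The distinct-account threshold is what separates stuffing from an ordinary brute force on one account (bob above, three failures then success, is not flagged); tools that rotate source addresses need the same counting keyed on the target account instead.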


Malware Details

  • Name: Atlantis AIO
  • Type: Credential Stuffing Tool
  • Targeted Platforms:
    • Email services: Hotmail, Yahoo, AOL, GMX, Web.de
    • E-commerce websites
    • Streaming services
    • VPN services
    • Financial services
    • Food delivery platforms

Technical Details

Impact

Atlantis AIO provides cybercriminals with the following capabilities:

  • Access to multiple platforms using stolen credentials
  • Account takeover
  • Fraud and identity theft
  • Performing unauthorized transactions

Code and Functions

  • Automation:
    Automates platform-specific attacks via pre-configured modules.
  • Brute-Force Capability:
    Can perform brute-force attacks on specific email platforms.
    Even automates account recovery processes for services like eBay and Yahoo.

Phishing Campaign of the Week: Morphing Meerkat: An Advanced Phishing Kit Impersonating Over 114 Brands


Description

A new Phishing-as-a-Service (PhaaS) platform has been discovered, offering fake login pages for 114 different brands by using DNS MX records.

Morphing Meerkat is a new Phishing-as-a-Service (PhaaS) platform that uses Domain Name System (DNS) Mail Exchange (MX) records to create fake login pages for 114 different brands. This platform facilitates phishing attacks, enabling attackers to capture users’ sensitive information.


Malware Details and MITRE ATT&CK Correlation

  • Name: Morphing Meerkat
  • Type: Phishing-as-a-Service (PhaaS) platform
  • Targets: Users’ email service login credentials
  • Detection Date: March 2025

Morphing Meerkat automates phishing attacks, spreading them on a large scale.
It identifies the targeted victim’s email service provider via DNS MX record queries and creates dynamic fake login pages accordingly.

MITRE ATT&CK Techniques

  • T1566.002 – Phishing: Spear Phishing Links
  • T1071.001 – Command and Control over Web Protocols
  • T1557.001 – Man-in-the-Middle attack over DNS

Technical Details

Impact of the Malware

Through the Morphing Meerkat platform:

  • Fake login pages for 114+ brands can be presented
  • User credentials can be captured
  • Sensitive data can be exposed, leading to unauthorized access risks

Functions

  • Use of Open Redirects:
    Attackers use open redirects from ad platforms like Google’s DoubleClick or compromised WordPress sites to redirect users to phishing pages.
  • Dynamic Language Support:
    The platform dynamically supports over a dozen languages, including Turkish, English, Korean, Spanish, Russian, German, Chinese, and Japanese, targeting global users.
  • Code Obfuscation and Bloating:
    Phishing pages use obfuscation and bloating techniques to make the code difficult to read. They also disable right-clicking and certain keyboard shortcuts (Ctrl + S, Ctrl + U) to block analysis and reverse engineering efforts.

Developer-Targeted Phishing Campaign of the Week: API Key Leaks via Hijacked 9-Year-Old npm Packages


Description

Several cryptocurrency-focused npm packages have been hijacked and updated with malicious code. This incident shows that even long-established, trusted packages can be compromised.


Vulnerability Details

Affected Packages and Versions:

  • country-currency-map (2.1.8)
  • bnb-javascript-sdk-nobroadcast (2.16.16)
  • @bithighlander/bitcoin-cash-js-lib (5.2.2)
  • eslint-config-travix (6.3.1)
  • @crosswise-finance1/sdk-v2 (0.1.21)
  • @keepkey/device-protocol (7.13.3)
  • @veniceswap/uikit (0.65.34)
  • @veniceswap/eslint-config-pancake (1.6.2)
  • babel-preset-travix (1.2.1)
  • @travix/ui-themes (1.1.5)
  • @coinmasters/types (4.8.16)

Malicious Code Path:

  • package/scripts/launch.js
  • package/scripts/diagnostic-report.js

These files contain obfuscated malicious JavaScript code.


Technical Details

Impact of the Vulnerability

Malicious code:

  • Executes automatically during installation
  • Collects sensitive data such as environment variables, API keys, SSH keys, access tokens, etc.
  • Sends the data to the following remote server:
    https://eoi2ectd5a5tn1h.m.pipedream[.]net
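A practical response to the package list and indicators above is to check dependency lock files for the exact affected versions and to inspect installed packages for the named script paths and exfiltration host. The following JavaScript is an added example, not code from the bulletin or from any of the packages listed: it runs both checks over a constructed package-lock.json object and a constructed file listing. The exfiltration host is the indicator given (defanged) in the bulletin; everything else in the sample data is constructed.

```javascript
// Added example (not from the bulletin nor from any of the packages named):
// checks a parsed package-lock.json (lockfileVersion 2/3 "packages" map) for
// the package@version pairs listed above, and inspects one installed package
// for the two script paths and the exfiltration host the bulletin names.
// The lock object and the package file listing are constructed.

const AFFECTED_VERSIONS = {
  "country-currency-map": "2.1.8",
  "bnb-javascript-sdk-nobroadcast": "2.16.16",
  "@bithighlander/bitcoin-cash-js-lib": "5.2.2",
  "eslint-config-travix": "6.3.1",
  "@crosswise-finance1/sdk-v2": "0.1.21",
  "@keepkey/device-protocol": "7.13.3",
  "@veniceswap/uikit": "0.65.34",
  "@veniceswap/eslint-config-pancake": "1.6.2",
  "babel-preset-travix": "1.2.1",
  "@travix/ui-themes": "1.1.5",
  "@coinmasters/types": "4.8.16",
};
const MALICIOUS_SCRIPT_PATHS = ["scripts/launch.js", "scripts/diagnostic-report.js"];
const EXFIL_HOST = "eoi2ectd5a5tn1h.m.pipedream.net"; // written defanged in the bulletin
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed lock file: two affected pins, one safe version of an affected
// package, and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/country-currency-map": { version: "2.1.8" },
    "node_modules/eslint-config-travix": { version: "6.3.0" },
    "node_modules/some-lib/node_modules/@keepkey/device-protocol": { version: "7.13.3" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed stand-in for an installed package directory: path -> contents.
const SAMPLE_PACKAGE_FILES = {
  "package.json": JSON.stringify({ name: "country-currency-map", version: "2.1.8", scripts: { postinstall: "node scripts/launch.js" } }),
  "scripts/launch.js": "// constructed placeholder; the real file is obfuscated and contacts " + EXFIL_HOST,
  "index.js": "module.exports = {};",
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

function findAffectedInLock(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = packageNameFromLockKey(key);
    if (AFFECTED_VERSIONS[name] === meta.version) hits.push({ path: key, name, version: meta.version });
  }
  return hits;
}

function scanPackageFiles(files) {
  const findings = [];
  for (const [rel, content] of Object.entries(files)) {
    if (MALICIOUS_SCRIPT_PATHS.includes(rel)) findings.push({ file: rel, reason: "known malicious script path" });
    if (content.includes(EXFIL_HOST)) findings.push({ file: rel, reason: "references exfiltration host" });
  }
  if (files["package.json"]) {
    // Install-time execution comes from lifecycle hooks in package.json.
    const scripts = JSON.parse(files["package.json"]).scripts || {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (cmd && MALICIOUS_SCRIPT_PATHS.some((p) => cmd.includes(p))) {
        findings.push({ file: "package.json", reason: `${hook} hook runs "${cmd}"` });
      }
    }
  }
  return findings;
}

console.log(findAffectedInLock(SAMPLE_LOCK));
console.log(scanPackageFiles(SAMPLE_PACKAGE_FILES));
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findAffectedInLock; lockfileVersion 1 files use a nested "dependencies" tree instead of the flat "packages" map and are not covered by this example.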

MITRE ATT&CK Mapping

  • T1552.001: Exposed Sensitive Information – Credentials
  • T1071.001: Application Layer Protocols – Web Protocols

Source of the Vulnerability

While this malicious code was not found in the packages' GitHub repositories, it appeared in the versions published on npm. This suggests that:

  • npm accounts may have been compromised through credential stuffing attacks
  • Expired domains may have been re-registered and hijacked

Vulnerabilities of the Week

Critical Security Vulnerabilities in Ingress NGINX Controller: Unauthorized Remote Code Execution Risk


Description, General Overview

Ingress NGINX Controller is a widely used component for managing HTTP/HTTPS traffic in Kubernetes environments. Five recently discovered critical security vulnerabilities, collectively named IngressNightmare, allow attackers to execute code remotely and potentially compromise Kubernetes clusters.

Over 6,500 clusters worldwide are affected by these vulnerabilities.


Vulnerability Details

CVE-2025-24513 – Directory Traversal Vulnerability

  • Description: Directory traversal is possible due to insufficient input validation.
  • Impact: DoS attack and limited exposure of certain sensitive objects.
  • CVSS Score: 4.8

CVE-2025-24514 – Configuration Injection via auth-url

  • Description: Injection into NGINX configuration via the auth-url parameter.
  • Impact: Arbitrary code execution and access to sensitive information.
  • CVSS Score: 8.8

CVE-2025-1097 – Configuration Injection via auth-tls-match-cn

  • Description: Injection into NGINX configuration via a similar parameter.
  • Impact: Arbitrary code execution, access to sensitive data.
  • CVSS Score: 8.8

CVE-2025-1098 – Injection via mirror-target and mirror-host

  • Description: Malicious content can be added to the configuration file.
  • Impact: Code execution, information leakage.
  • CVSS Score: 8.8

CVE-2025-1974 – Unauthorized Remote Code Execution

  • Description: Attackers with access to the pod network can execute arbitrary code.
  • Impact: Complete compromise of the cluster.
  • CVSS Score: 9.8

Technical Details

The vulnerabilities are triggered by malicious configurations sent via Ingress annotations, which are directly injected into the NGINX configuration.
Due to the insufficient validation of these annotations by the admission controller, serious security breaches such as code execution occur.


Solution Recommendations

1. Update

  • The security vulnerabilities are fixed in the following versions:
    • v1.12.1
    • v1.11.5
    • v1.10.7

2. Network Access Controls

  • The admission controller component should only be accessible by the Kubernetes API Server.
  • External access should be strictly blocked.

3. Temporary Measures

If updating is not possible:

In the case of using Helm:

helm upgrade --set controller.admissionWebhooks.enabled=false ingress-nginx ...

For Manual Installation:

  • The ingress-nginx-admission ValidatingWebhookConfiguration should be deleted.
  • The --validating-webhook argument should be removed from the Deployment.
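Two checks follow directly from the sections above: whether the running controller is at or past the fixed release of its line, and whether any Ingress object carries one of the four named annotations with characters that would break out of an NGINX directive (the injection mechanism described under Technical Details). The following JavaScript is an added example, not code from the bulletin or from the ingress-nginx project. The Ingress objects are constructed; the annotation keys use the controller's nginx.ingress.kubernetes.io/ prefix; treating minor lines newer than 1.12 as fixed and older than 1.10 as unfixed is an assumption of this example.

```javascript
// Added example (not from the bulletin or the ingress-nginx project): checks a
// controller version against the fixed releases listed above and audits
// Ingress objects for the four annotations named in the CVEs carrying
// characters that would end or open an NGINX directive. Ingress objects are
// constructed.

const FIXED_VERSIONS = ["1.12.1", "1.11.5", "1.10.7"]; // from the bulletin
const ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/";
const INJECTION_PRONE = ["auth-url", "auth-tls-match-cn", "mirror-target", "mirror-host"];
// Newlines, ';', '{', '}' and '#' delimit nginx.conf directives, blocks and
// comments; none belongs in a URL, a CN pattern or a mirror target.
const SUSPICIOUS_CHARS = /[\r\n;{}#]/;

function parseVersion(v) {
  return String(v).replace(/^v/, "").split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the controller is at or above the fixed release of its minor
// line. Minor lines older than any fixed release count as unpatched, newer
// ones as carrying the fix (assumption of this example).
function isControllerPatched(version) {
  const v = parseVersion(version);
  const sameLine = FIXED_VERSIONS.map(parseVersion).find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameLine) return compareVersions(v, sameLine) >= 0;
  return compareVersions(v, parseVersion(FIXED_VERSIONS[0])) > 0;
}

function auditIngress(ingress) {
  const findings = [];
  const meta = ingress.metadata || {};
  const annotations = meta.annotations || {};
  for (const short of INJECTION_PRONE) {
    const key = ANNOTATION_PREFIX + short;
    const value = annotations[key];
    if (typeof value === "string" && SUSPICIOUS_CHARS.test(value)) {
      findings.push({ ingress: `${meta.namespace}/${meta.name}`, annotation: key, reason: "directive delimiter characters in value" });
    }
  }
  return findings;
}

function auditCluster(controllerVersion, ingresses) {
  return {
    patched: isControllerPatched(controllerVersion),
    findings: ingresses.flatMap(auditIngress),
  };
}

// Constructed objects: a normal auth-url and one carrying a line break and ';'.
const SAMPLE_INGRESSES = [
  { metadata: { namespace: "shop", name: "web", annotations: { [ANNOTATION_PREFIX + "auth-url"]: "https://auth.example.test/check" } } },
  { metadata: { namespace: "shop", name: "api", annotations: { [ANNOTATION_PREFIX + "auth-url"]: "https://auth.example.test/check;\n# constructed: text after the delimiter" } } },
];

const REPORT = auditCluster("v1.12.0", SAMPLE_INGRESSES);
console.log(JSON.stringify(REPORT, null, 2));
```

In a live cluster the objects come from `kubectl get ingress -A -o json` (the `items` array) and the controller version from the controller pod's image tag; an annotation finding on an unpatched controller is the case to treat as a possible compromise rather than a misconfiguration.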

Critical Zero-Day Vulnerability in Google Chrome (CVE-2025-2783): Actively Exploited in Russia-Based Espionage Attacks


Description, General Overview

Google has released an emergency update for a critical security vulnerability, CVE-2025-2783, discovered in the Chrome browser for Windows, which is being actively exploited.
The vulnerability exists in Chrome’s Mojo IPC (Inter-Process Communication) mechanism and allows attackers to bypass sandbox protections.


Vulnerability Details

  • CVE ID: CVE-2025-2783
  • Type: Remote Code Execution
  • CVSS Score: 9.8 / 10 (Critical)
  • Description:
    The vulnerability arises from the incorrect handle usage in the Mojo component, leading to a security breach.
  • Affected Systems:
    All versions of Chrome for Windows
  • Fixed Versions:
    • Chrome 134.0.6998.177 / 134.0.6998.178 (Windows)

Technical Impact and Attack Scenario

Vulnerability Impact

  • Chrome sandbox bypass allows arbitrary code execution on the system.
  • Confidentiality, integrity, and availability of the system are severely at risk.
  • The attack requires no user interaction beyond clicking a link.

Attack Method

  • Attackers send phishing emails with fake academic/forum invitations to targets.
  • When the victim clicks the link, the malicious website triggers the exploit.
  • Attacks have specifically targeted media organizations, educational institutions, and government organizations.
  • The attacks are part of Russia-based espionage activities.

Solution and Recommendations

CVE-2025-2783 is a critical zero-day vulnerability targeting Chrome’s security structure. This vulnerability allows attackers to bypass Chrome’s security mechanisms and perform unauthorized operations on the target systems. Users should update their browsers as soon as possible and increase their security measures.

  • Chrome Update:
    All users should update to Chrome 134.0.6998.177/.178.
  • Email Security:
    Always verify the source of suspicious emails before clicking links.
  • Security Software:
    Use up-to-date antivirus/anti-malware software to protect the system.

Critical Authorization Bypass Vulnerability in Next.js (CVE-2025-29927)


Description

Next.js, a popular React framework, is widely used in web applications. Recently, a critical vulnerability has been discovered that allows attackers to bypass middleware authorization controls.
This vulnerability, identified as CVE-2025-29927, is rated with a CVSS score of 9.1 and could result in unauthorized access to sensitive data.


Vulnerability Details

This vulnerability arises from insufficient validation of the x-middleware-subrequest header.
By manipulating this header, attackers can bypass middleware controls and gain access to protected resources.


Technical Details

Vulnerability Impact

In the case of a successful exploit:

  • Unauthorized users can access protected pages.
  • The application’s authorization logic can be bypassed.
  • User data can be stolen, and unauthorized actions can be triggered.

Code and Functions

Next.js uses the x-middleware-subrequest header for internal routing operations.
However, this header is not validated for incoming HTTP requests.
Attackers:

  • Can trick the middleware by adding this header.
  • Can bypass authorization and break through security boundaries of the application.

Solution Recommendations

  • Update:
    The security issue has been fixed in the following versions:
    • v12.3.5
    • v13.5.9
    • v14.2.25
    • v15.2.3
    Developers are strongly encouraged to upgrade to one of these versions as soon as possible.
  • Header Filtering (Temporary Solution):
    • The x-middleware-subrequest header should be filtered for external requests in the server or reverse proxy configuration.
    • Example: strip or reject the header in Nginx or Apache, or in any layer that runs before the Next.js middleware.
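The temporary measure above comes down to one rule: no request arriving from outside may carry x-middleware-subrequest, in any letter case, when it reaches the Next.js middleware. The following JavaScript is an added example, not code from the bulletin or from Next.js: a header sanitiser that a reverse proxy or Node front layer can apply, plus a detector over constructed access-log records. The request shapes and the header value in the sample are constructed.

```javascript
// Added example (not from the bulletin or from Next.js): a header sanitiser a
// reverse proxy or Node front layer can apply before a request reaches the
// Next.js middleware, plus a detector over constructed access-log records.
// Request shapes and log records are constructed for this example.

const BLOCKED_HEADER = "x-middleware-subrequest";

// Removes every case variant of the header from an incoming (external) request
// and reports what was removed so the event can be logged.
function stripMiddlewareSubrequest(headers) {
  const cleaned = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      stripped.push(name);
      continue;
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Constructed access-log records with the raw request headers captured.
const SAMPLE_REQUESTS = [
  { ip: "198.51.100.4", path: "/dashboard", headers: { host: "app.example.test", cookie: "session=abc" } },
  { ip: "203.0.113.9", path: "/admin", headers: { host: "app.example.test", "X-Middleware-Subrequest": "constructed-value" } },
  { ip: "203.0.113.9", path: "/admin/users", headers: { host: "app.example.test", "x-middleware-subrequest": "constructed-value" } },
];

// Any external request carrying the header is worth an alert: browsers and
// legitimate clients never set it.
function findHeaderAbuse(requests) {
  return requests
    .filter((r) => Object.keys(r.headers).some((h) => h.toLowerCase() === BLOCKED_HEADER))
    .map((r) => ({ ip: r.ip, path: r.path }));
}

for (const r of SAMPLE_REQUESTS) {
  const { headers, stripped } = stripMiddlewareSubrequest(r.headers);
  if (stripped.length) console.log(`${r.ip} ${r.path}: stripped ${stripped.join(", ")}`);
  // `headers` is what would be forwarded to the application.
}
console.log(findHeaderAbuse(SAMPLE_REQUESTS));
```

On an nginx reverse proxy the same effect is obtained with `proxy_set_header x-middleware-subrequest "";` (an empty value clears the header before forwarding). Stripping is the stop-gap; the fix is the upgrade to one of the versions listed above.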

Conclusion

The CVE-2025-29927 vulnerability in Next.js can allow attackers to bypass authorization controls in the middleware.
It is crucial for application developers to:

  • Update as soon as possible
  • Check security headers
  • Regularly follow framework updates

What’s Happening in the Hacker Forum World

Bnsgroup.co.uk EMPLOYEE DATA LEAK – Database, Leaked!

  • Date: March 24, 2025
  • Threat Actor: DarkSat
  • Forum: BreachForums
  • Leak Details:

In March 2025, a data breach on the Bnsgroup.co.uk platform resulted in the leak of personal and work information of employees.

Breach Details:

  • Data Types: Email, Phone Number, Job Type, Address, and more
  • Years: 2021 – 2022
  • Total Records: Over 3,000

Galaxia Software Sac 400M – Database, Leaked!

  • Date: March 22, 2025
  • Threat Actor: W1ndStre4m
  • Forum: BreachForums
  • Leak Details:


In March 2025, a data breach on the Galaxia Software Sac platform resulted in a large amount of data being leaked.

Breach Details:

  • Rows: 40,499,7589
  • Tables: 14,949
  • Databases: 132

Jeevan Scientific Technology Limited – Data Breach

In March 2025, Jeevan Scientific Technology Limited (JSTL) was added to the list of organizations that experienced a data breach, following a release by the threat actor “saTaoz” on BreachForums. The leaked database, claimed to belong to JSTL, was published on the forum.

Leaked Data

The leaked data includes:

  • Databases:
    js_committees, js_investors, js_reports, tbl_admin_users, tbl_clients, tbl_policy, tbl_project, tbl_service, tbl_testimonials, zsp_services, and others, for a total of 132 databases.
  • Tables:
    The leak includes data from 14,949 tables.
  • Sensitive User Data:
    From the tbl_kullanicilar table, some leaked fields include:
    inc_id, email, lname, phone, terms, name, phone1, file_no, status, password, time_zone, dt_created, date_modified, temp_password.
  • Total Rows:
    40,499,7589

Ransomware Attacks on Companies

AutoCanada

  • Group Name: Medusa
  • Attacked Company: AutoCanada
  • Industry: Automotive / Retail
  • Impact: 455.90 GB of data leaked


AutoCanada, founded in 2006, is headquartered in Edmonton, Alberta, Canada. The company sells new and used vehicles, and also provides spare parts and service. The company’s headquarters is located at 200-15511 123 Ave NW, Edmonton, Alberta, T5V 0C3, Canada, and it employs 4,041 people. The company has an annual revenue of approximately $4.6 billion.

Leaked Data Types:

  • Unknown

RFM Seating

  • Group Name: Akira
  • Attacked Company: RFM Seating
  • Industry: Furniture / Manufacturing
  • Impact: 58 GB of corporate documents leaked


RFM Seating specializes in custom, durable, and ergonomic seating solutions suitable for all body types. The company aims to provide chairs tailored to the specific needs of its customers.

Leaked Data Types:

  • Corporate licenses
  • Agreements and contracts
  • Corporate Non-Disclosure Agreements (NDAs)
  • Seating charts (Resident Cards)
  • Driver’s licenses
  • Personal Social Security Numbers (SSNs)
  • Employee and customer contact numbers and email addresses
  • HR documents
  • Family member details

Wildeck, Inc.

  • Group Name: Qilin
  • Attacked Company: Wildeck, Inc.
  • Industry: Manufacturing / Industry
  • Impact: Over 500 GB of data leaked

Wildeck, Inc., headquartered in Waukesha, WI, is a subsidiary of Holden Industries, which is entirely employee-owned.

This leak shows that Ontario government employees’ sensitive information was compromised, making them potential targets.
