
17.03.25 Threat Report


This week, critical vulnerabilities in Zoom and Microsoft services, sophisticated phishing campaigns targeting the hospitality sector, and the emergence of a new cybercriminal tactic known as “infrastructure laundering.”

Multiple Zoom Client Vulnerabilities Expose Sensitive Data

Multiple high-severity vulnerabilities have been disclosed in Zoom’s client software, leaving millions of users at risk of data breaches, privilege escalation, and unauthorised access. The flaws, addressed in Zoom’s March 11, 2025 security bulletin, include:

  • CVE-2025-27440 (Heap-Based Buffer Overflow) – Allows attackers to inject malicious code into systems running Zoom Workplace Apps.
  • CVE-2025-27439 (Buffer Underflow) – Can crash Zoom or leak sensitive meeting data.
  • CVE-2025-0151 (Use-After-Free) – Enables attackers to compromise encryption keys and access user credentials.
  • CVE-2025-0150 (Incorrect Behaviour Order in iOS Workplace Apps) – Could expose enterprise authentication tokens and meeting metadata.
  • CVE-2025-0149 (Insufficient Data Verification) – Facilitates Denial-of-Service (DoS) attacks by bypassing authenticity checks.

These vulnerabilities impact Zoom Desktop Clients (Windows, macOS, Linux), Mobile Apps (Android, iOS), and Workplace Applications.

Potential Impact
  • Unauthorised code execution allowing attackers to gain remote control over affected systems.
  • Exposure of sensitive data, including meeting credentials and chat logs.
  • Denial-of-service (DoS) risks, forcing system crashes or disruptions to communication.
Recommendations
  • Update Zoom immediately to versions 6.2.0 or later for Desktop and 5.15.5 or later for Mobile.
  • Monitor access logs for suspicious activities, such as privilege escalations or unauthorised logins.
  • Restrict Zoom usage to verified corporate networks to reduce exposure.
  • Implement third-party encryption tools to enhance security for high-risk environments.


Microsoft Windows RDS Vulnerabilities Allow Remote Code Execution

Microsoft’s March 2025 Patch Tuesday addresses 57 vulnerabilities, including two critical Remote Code Execution (RCE) flaws in Windows Remote Desktop Services (RDS):

  • CVE-2025-24035 – Allows an attacker to execute code remotely by exploiting improperly locked memory in RDS.
  • CVE-2025-24045 – A more complex exploit requiring an attacker to win a race condition, but still deemed “Exploitation More Likely.”

Both vulnerabilities pose a high-severity risk to Windows Servers and Desktop environments, enabling unauthorised attackers to remotely execute malicious code and gain full control over affected systems.

Additional Critical Vulnerabilities Patched
  • CVE-2025-26645 – RCE in Remote Desktop Client, exploitable via malicious RDP servers.
  • CVE-2025-24057 – Heap-based buffer overflow in Microsoft Office, allowing attackers to execute code remotely.
  • CVE-2025-24064 – Use-after-free flaw in Windows DNS Server, which may allow network-based attacks.
  • CVE-2025-24084 – A remote code execution flaw in Windows Subsystem for Linux kernel.
Recommendations
  • Apply Microsoft’s March security patches immediately to mitigate these critical vulnerabilities.
  • Restrict RDP access to essential users and secure it with multi-factor authentication (MFA).
  • Monitor network activity for unusual RDP login attempts or privilege escalations.
  • Disable unnecessary RDP services if not in use.


Cybercriminals Impersonate Booking.com in Phishing Attacks on the Hospitality Industry

A highly targeted phishing campaign is impersonating Booking.com, attempting to steal credentials and financial data from hotel staff across North America, Europe, and Southeast Asia.

The attackers, identified as Storm-1865, employ a social engineering tactic called “ClickFix,” tricking victims into manually executing malicious commands that install credential-stealing malware.

Attack Methods
  • Spoofed Booking.com emails claim to address negative guest reviews or urgent booking issues.
  • Fake CAPTCHA pages trick users into executing malware-laden commands.
  • Payloads include:
    • XWorm – Keylogger and credential stealer.
    • Lumma Stealer – Extracts saved passwords and financial data.
    • VenomRAT & AsyncRAT – Provide remote attacker control over infected systems.
Recommendations
  • Verify email senders—Booking.com will never request password changes via email.
  • Train hospitality staff to recognise social engineering tactics.
  • Implement anti-phishing solutions to detect and block malicious links.
  • Use endpoint detection tools to monitor for RAT malware.


Cloud “Infrastructure Laundering” Enables Cybercriminals to Evade Detection

A new cybercriminal tactic known as “infrastructure laundering” has been identified, wherein attackers exploit reputable cloud providers like AWS and Microsoft Azure to mask malicious operations.

Researchers at Silent Push discovered that the Funnull CDN—a China-based entity linked to malicious activity—has been renting and rapidly cycling through cloud-hosted IP addresses to evade security detection.

How It Works
  • Threat actors rent cloud IP addresses, assign them to fraudulent sites, and discard them before detection.
  • Over 1,200 AWS IPs and 200 Microsoft Azure IPs have been linked to malicious campaigns.
  • Blends malicious traffic with legitimate cloud services, making detection harder.
Challenges & Risks
  • Harder to blacklist malicious IPs without affecting legitimate users.
  • Security tools struggle to differentiate between trusted cloud services and attacker-controlled resources.
Recommendations
  • Monitor cloud activity for unusual IP turnover and rapid asset provisioning.
  • Collaborate with cloud providers to strengthen verification of rented IPs.
  • Enhance behavioural analytics to detect sudden changes in cloud-based infrastructure usage.
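As an added example (not code from the report or from Silent Push), the Python sketch below applies the “unusual IP turnover” recommendation to passive-DNS records: it counts how many distinct cloud-hosted addresses each domain cycles through per observed day and flags rapid churn across providers. The prefixes, domains and records are constructed placeholders, not real allocations or indicators.

```python
# Added example (not from the report): flag domains that cycle rapidly through
# cloud-hosted IPs. Prefixes and passive-DNS records below are constructed;
# real deployments load provider range lists (e.g. AWS ip-ranges.json).
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed placeholder prefixes, not real provider allocations.
CLOUD_PREFIXES = {"aws-ex": ip_network("203.0.113.0/24"),
                  "azure-ex": ip_network("198.51.100.0/24")}

# Constructed passive-DNS observations: (domain, first_seen, resolved ip).
OBSERVATIONS = [
    ("shop-deals.example", "2025-03-10T00:00:00", "203.0.113.10"),
    ("shop-deals.example", "2025-03-10T06:00:00", "203.0.113.44"),
    ("shop-deals.example", "2025-03-10T13:00:00", "198.51.100.7"),
    ("shop-deals.example", "2025-03-11T02:00:00", "203.0.113.91"),
    ("shop-deals.example", "2025-03-11T09:00:00", "198.51.100.120"),
    ("corp-site.example", "2025-03-01T00:00:00", "203.0.113.200"),
    ("corp-site.example", "2025-03-12T00:00:00", "203.0.113.201"),
]

def cloud_provider(ip):
    """Return the label of the cloud prefix containing ip, else None."""
    addr = ip_address(ip)
    return next((label for label, net in CLOUD_PREFIXES.items() if addr in net), None)

def churn_report(observations, max_ips_per_day=2.0):
    """Per domain: distinct cloud IPs per observed day, providers used, and a
    flag when the turnover rate exceeds max_ips_per_day."""
    per_domain = defaultdict(list)
    for domain, seen, ip in observations:
        provider = cloud_provider(ip)
        if provider:  # only cloud-hosted addresses count toward laundering
            per_domain[domain].append((datetime.fromisoformat(seen), ip, provider))
    report = {}
    for domain, rows in per_domain.items():
        times = [t for t, _, _ in rows]
        # Observation window in days, floored at one day to avoid division by zero.
        span_days = max((max(times) - min(times)).total_seconds() / 86400, 1.0)
        rate = len({ip for _, ip, _ in rows}) / span_days
        report[domain] = {"ips_per_day": round(rate, 2),
                          "providers": sorted({p for _, _, p in rows}),
                          "flagged": rate > max_ips_per_day}
    return report

if __name__ == "__main__":
    for domain, info in churn_report(OBSERVATIONS).items():
        print(domain, info)
```

The threshold is a tuning knob: legitimate CDN-fronted sites also rotate addresses, so combine the churn rate with other signals (domain age, registration data, content) before blocking.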
