Dragon Sight
WEEK OF MAY 12, 2025 | ISSUE 09 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"
This Week in Issue
A critical remote code execution (RCE) vulnerability in ASUS's DriverHub utility is actively being exploited by threat actors to gain administrator-level access through malicious websites, underscoring the need for robust endpoint protection, patch management, and strict application control policies. Simultaneously, a massive 7,000-device proxy botnet built from compromised IoT devices and home routers was dismantled, exposing how cybercriminals abuse residential proxies for phishing, spam distribution, and command-and-control (C2) operations, often bypassing traditional firewalls and network segmentation strategies.
Meanwhile, the Lumma Stealer malware has evolved with advanced PowerShell-based modules, increasing its ability to evade detection, conduct credential theft, and exfiltrate sensitive data in Windows-based enterprise environments; this highlights the importance of behavioral analytics, identity and access management (IAM) controls, and anomaly detection.
In the aviation sector, GlobalX Airlines, a charter contractor supporting U.S. Immigration and Customs Enforcement (ICE), confirmed a cyberattack that potentially exposed sensitive logistics and operational data, raising urgent concerns around third-party risk management, supply chain security, and national infrastructure protection.
Lastly, cybercriminals are actively selling stolen U.S. Social Security numbers (SSNs) and driver’s licenses on dark web marketplaces, fueling an increase in identity theft, synthetic identity fraud, and violations of data privacy laws such as HIPAA and GDPR. These incidents underscore the strategic need for ongoing security awareness training, incident response planning, risk management frameworks, and alignment with compliance standards such as NIST, ISO 27001, and CMMC to stay ahead of increasingly complex and cross-sector cyber threats.

CYBER NEWS ROUNDUP
1. SANS Internet Storm Center Diary – Proxy Abuse via DNS
Threat actors are increasingly abusing DNS-over-HTTPS (DoH) and anonymizing proxy networks to conduct covert command-and-control (C2) communications, bypassing traditional DNS security controls. Organizations without deep packet inspection or encrypted traffic analytics are especially vulnerable to these stealthy tactics. This increases the risk of data exfiltration, malware persistence, and lateral movement across internal networks. Security operations centers (SOCs) should implement SSL/TLS inspection, deploy DNS monitoring tools, and enhance visibility into encrypted traffic behavior.
Read more: https://isc.sans.edu/diary/rss/31940
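To make the DoH monitoring recommendation concrete, here is an added example (not code from the newsletter or from SANS ISC) that scans constructed proxy/firewall log lines for the RFC 8484 DoH indicators (the /dns-query path and the application/dns-message media type) and for TLS sessions to well-known public DoH resolvers; the key=value log format is an assumption.

```python
"""Flag likely DNS-over-HTTPS (DoH) use in constructed proxy/firewall log lines.

Added example, not code from the Dragon Sight newsletter or from SANS ISC. The
key=value log format is an assumption; the DoH indicators come from RFC 8484
(the /dns-query path and the application/dns-message media type) plus a short
list of well-known public DoH resolvers.
"""
import re
from collections import defaultdict

# Well-known public DoH resolver hostnames (real services); extend per environment.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample log lines in the assumed key=value format.
SAMPLE_LOGS = """\
ts=2025-05-12T09:01:02Z src=10.0.4.21 dst=8.8.8.8 sni=dns.google method=POST path=/dns-query ctype=application/dns-message
ts=2025-05-12T09:01:05Z src=10.0.4.21 dst=104.16.248.249 sni=cloudflare-dns.com method=GET path=/dns-query?dns=AAAB ctype=-
ts=2025-05-12T09:02:10Z src=10.0.4.33 dst=93.184.216.34 sni=example.com method=GET path=/index.html ctype=text/html
ts=2025-05-12T09:03:44Z src=10.0.4.50 dst=198.51.100.7 sni=updates.example.net method=POST path=/api/resolve ctype=application/dns-message
ts=2025-05-12T09:04:00Z src=10.0.4.33 dst=203.0.113.9 sni=cdn.example.org method=GET path=/dns-query ctype=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def doh_indicators(rec):
    """Return the list of DoH indicators present in one parsed record."""
    hits = []
    if rec.get("sni", "").lower() in KNOWN_DOH_HOSTS:
        hits.append("known-doh-resolver")
    if rec.get("path", "").split("?", 1)[0] == "/dns-query":
        hits.append("rfc8484-path")
    if rec.get("ctype", "").lower() == "application/dns-message":
        hits.append("dns-message-content-type")
    return hits


def detect_doh(log_text):
    """Map each source IP to the sorted set of DoH indicators seen in its traffic.

    Lines with no indicator are ignored. A host that is not a public resolver
    but still carries the RFC 8484 path or media type is the case worth an
    analyst's attention, since it may be a private DoH endpoint used for C2.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = doh_indicators(rec)
        if hits:
            findings[rec["src"]].update(hits)
    return {src: sorted(hits) for src, hits in findings.items()}
```

In the sample, 10.0.4.50 talks application/dns-message to a host that is not a known resolver, which is the pattern the diary warns about; the two other sources show the path-only and full-resolver cases.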
2. ASUS DriverHub Vulnerability
A critical local privilege escalation vulnerability in ASUS’s DriverHub utility allows malicious websites to execute system-level commands via drive-by downloads. This remote code execution (RCE) risk is amplified in unmanaged or bring-your-own-device (BYOD) environments lacking proper endpoint security controls. Attackers can deploy malware, create persistence mechanisms, and compromise entire systems without user awareness. Organizations should immediately uninstall the utility or deploy available security patches and enforce application control policies.
Read more: https://www.bleepingcomputer.com/news/security/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights/
3. Understanding Email Protocols – Dark Web Informer
Email protocols like SMTP, IMAP, and POP3 remain prime vectors for cyberattacks when left misconfigured or unencrypted. Threat actors exploit these weaknesses for phishing, spoofing, and man-in-the-middle attacks—often bypassing traditional spam filters. Organizations must strengthen their email security posture through proper configuration, strong encryption, and enforcement of DMARC, SPF, and DKIM authentication protocols. Strengthening email gateways and running regular phishing simulation training are essential for reducing human risk factors.
Read more: https://darkwebinformer.com/how-email-protocols-work/
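The SPF and DMARC checks that make the "proper configuration" advice above testable, as an added example that is not code from the newsletter or from Dark Web Informer: it grades constructed TXT records for the settings that leave a domain spoofable (neutral or softfail SPF, too many lookups, DMARC p=none, no aggregate reporting), following RFC 7208 and RFC 7489.

```python
"""Grade SPF and DMARC TXT records for the weaknesses that enable spoofing.

Added example, not code from the Dragon Sight newsletter or Dark Web Informer.
The records are constructed samples passed in directly so the check runs
offline; in practice they come from TXT lookups of the domain and of
_dmarc.<domain>. Checks follow RFC 7208 (SPF) and RFC 7489 (DMARC).
"""
import re

# Constructed sample records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    # Strip the qualifier and any argument: '+include:x' -> 'include'.
    return re.split(r"[:=/]", term.lower().lstrip("+-~?"), 1)[0]


def evaluate_spf(record):
    """Return a list of findings for an SPF record; empty means nothing to flag."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: missing or malformed record (no v=spf1)"]
    findings = []
    all_term = next((t.lower() for t in terms[1:] if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("spf: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("spf: '+all' authorizes every sender, equivalent to no SPF")
    elif all_term == "?all":
        findings.append("spf: '?all' is neutral, receivers will not reject spoofed mail")
    elif all_term == "~all":
        findings.append("spf: '~all' softfails only, move to '-all' once senders are verified")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS lookups exceed the limit of 10, SPF will permerror")
    return findings


def evaluate_dmarc(record):
    """Return a list of findings for a DMARC record; empty means nothing to flag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc: missing or malformed record (no v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("dmarc: required p tag is missing or invalid")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, aggregate reports are not collected")
    return findings
```

DKIM is not graded here because its selector records can only be checked once the selectors in use are known; DMARC p=reject is what turns a DKIM or SPF failure into a rejected message.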
4. Dark Web Sale of U.S. SSNs and Licenses
Cybercriminals are trafficking U.S. Social Security numbers and driver’s licenses on dark web marketplaces, fueling identity theft, financial fraud, and criminal impersonation schemes. These stolen records, often harvested from previous data breaches, are used in synthetic identity fraud and account takeover attacks. Victims include both individuals and businesses affected through fraudulent transactions or reputational damage. Continuous monitoring of dark web exposure, credit activity, and deployment of identity protection services are strongly advised.
Read more: https://darkwebinformer.com/alleged-sale-of-social-security-numbers-with-drivers-licenses-from-usa/
5. LevelBlue – April 2025 Ransomware and Consulting Trends
Ransomware operators are evolving their tactics, now exploiting third-party vendors, unmanaged devices, and poorly secured networks in sectors like healthcare and manufacturing. April 2025 saw a 17% spike in ransomware-related incident response and consulting engagements, reflecting growing demand for resilience. Key defensive strategies include implementing zero trust architectures, enhancing patch management, and running regular tabletop exercises to test incident response readiness. Organizations must treat ransomware not just as a malware issue—but as a full-blown operational threat.
Read more: https://levelblue.com/blogs/security-essentials/april-2025-cybersecurity-consulting-updates-and-ransomware-activity
6. The Hacker News – Weekly Recap on Zero-Day Exploits
Several new zero-day vulnerabilities have been discovered across Windows, iOS, and Android platforms, with some under active exploitation by advanced threat actors. These flaws may enable remote code execution, full system compromise, and unauthorized access to sensitive data. While vendors have issued emergency patches, delayed user-side updates leave many systems vulnerable. Continuous vulnerability scanning, automated patch deployment, and integration of threat intelligence feeds into your SIEM are key mitigation strategies.
Read more: https://thehackernews.com/2025/05/weekly-recap-zero-day-exploits.html
7. 7,000-Device Proxy Botnet Disrupted
A residential proxy botnet of over 7,000 hijacked routers and IoT devices has been dismantled after enabling spam, phishing, and obfuscated traffic operations for cybercriminals. Devices were exploited via outdated firmware and default credentials, allowing attackers to weaponize them as proxy relays. This highlights the growing threat of unmanaged IoT and the critical importance of firmware patching and network segmentation. Organizations and home users alike should enforce strong password policies and conduct routine asset audits.
Read more: https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
8. GlobalX Airlines Confirms Cyberattack
GlobalX Airlines, a charter provider supporting U.S. ICE deportation flights, confirmed a data breach involving potentially sensitive operational and logistics information. The incident raises major concerns around aviation cybersecurity, third-party vendor risk, and data sovereignty within critical infrastructure. As attackers increasingly target supply chains and public-private entities, robust vendor assessments and segmentation of sensitive systems are vital. CISA-aligned audits and proactive threat modeling are strongly recommended to mitigate cascading impacts.
Read more: https://www.securityweek.com/us-deportation-airline-globalx-confirms-hack/
9. Lumma Stealer Upgrades with PowerShell Toolkit
The Lumma Stealer malware now includes advanced PowerShell-based modules, giving it greater stealth and expanded capabilities for credential harvesting, cookie theft, and remote access. Its malware-as-a-service (MaaS) model makes it widely accessible to low-skill cybercriminals, increasing enterprise risk across sectors. This strain targets Windows environments and often enters via phishing emails or cracked software downloads. Defenders should enable PowerShell logging, implement endpoint behavior monitoring, and block known C2 domains via DNS-layer defense.
Read more: https://cybersecuritynews.com/lumma-stealer-evolves-with-new-powershell-tools/
Why This Matters
This week’s developments highlight a dangerous escalation in both the scale and sophistication of cyber threats. From the abuse of ASUS software vulnerabilities enabling remote code execution to the evolution of Lumma Stealer with stealthy PowerShell capabilities, attackers are exploiting trusted tools and everyday platforms to bypass defenses. The takedown of a 7,000-device proxy botnet and the breach of GlobalX Airlines, which affected sensitive government operations, underscore that no sector is immune, especially those relying on unmanaged or third-party infrastructure. Meanwhile, dark web markets continue to thrive with stolen U.S. identity data, fueling a surge in fraud and identity-based attacks.
CISA’s latest ICS advisories and updates on how it shares alerts point to a critical need for faster, broader threat dissemination and action, especially for industries managing operational technology. With ransomware rising, zero-day exploits actively circulating, and national infrastructure being targeted, organizations must go beyond compliance and adopt proactive defense strategies. Regular patching, behavior-based threat detection, and cross-sector threat intelligence sharing are no longer optional; they are survival essentials in an increasingly hostile cyber landscape.
Cyber Hygiene Tips – Week of May 12, 2025
Remove or Update ASUS DriverHub Now
There's a problem with a program called DriverHub that could let hackers into your computer just by visiting a bad website. If you have it, it should be removed or updated right away.
*Dragon Armor Advisors can check your systems and safely remove risky software for you.
Watch for Hidden Hacker Scripts
Hackers are using sneaky tools that run silently in the background. These can steal your information without you knowing.
*Dragon Armor Advisors can set up alerts to catch this kind of silent threat before it causes damage.
Keep Equipment Networks Separate
Office equipment or factory machines should not be connected to the same network as your regular computers—it makes them easier to hack.
*Dragon Armor Advisors will separate and secure these systems so hackers can’t use one to get to the other.
Check Encrypted Web Traffic for Suspicious Activity
Hackers are hiding inside secure internet traffic to sneak around. This is hard to see without special tools.
*Dragon Armor Advisors can monitor your network and catch anything out of the ordinary.
Be Careful with Remote Access Software
Some scams trick people into downloading programs that let hackers control your computer.
*Dragon Armor Advisors can manage and monitor what remote tools are allowed in your business.
Look Out for Stolen Identity Info Online
Criminals are selling Social Security numbers and driver’s licenses on shady websites.
*Dragon Armor Advisors can help monitor the dark web and alert you if your information appears.
Update Wi-Fi Routers and Smart Devices
Thousands of internet-connected devices like routers, cameras, or smart assistants were recently hacked and used in a cyberattack.
*Dragon Armor Advisors can update your devices and change factory passwords to keep you safe.
Limit Who Has Full Access
The more people with full system access, the more ways hackers can get in. Only trusted people should have that kind of access.
*Dragon Armor Advisors will review your team’s access and help set safer limits.
Protect Your Business Email
Hackers can fake emails that look like they’re from you or your company. You need special settings in place to stop that.
*Dragon Armor Advisors can check your email setup and lock it down to prevent impersonation.
Government advisories
CISA is refining how it shares time-sensitive cyber alerts, especially for ICS. Subscribe to their alert feeds and integrate notifications into your incident response workflow for faster action.
Update on How CISA Shares Cyber-Related Alerts and Notifications
https://www.cisa.gov/news-events/alerts/2025/05/12/update-how-cisa-shares-cyber-related-alerts-and-notifications
CISA Releases Five Industrial Control Systems Advisories
https://www.cisa.gov/news-events/alerts/2025/05/08/cisa-releases-five-industrial-control-systems-advisories
THREAT FOCUS INFORMATION
Overview
The Noodlophile Stealer campaign is actively leveraging fake AI video generation websites to trick users into downloading malware-laden tools disguised as advanced creative apps. By masquerading as popular services like "VideoDream" and "CapCutLoader," attackers exploit the booming AI content trend to infect systems with XWorm, a feature-rich remote access tool and infostealer. Victims range from freelance creators to corporate users experimenting with generative AI. The goal is to exfiltrate browser credentials, social media session cookies, and open remote control pathways into victim systems.
Malware Used:
Noodlophile Stealer (Loader)
XWorm (Modular RAT/Infostealer)
MITRE ATT&CK Techniques:
T1036 – Masquerading
T1204 – User Execution
T1041 – Exfiltration Over C2 Channel
T1503 – Credentials from Web Browsers
T1539 – Steal Web Session Cookie
T1055 – Process Injection
Defensive Recommendations:
Block access to unverified AI sites using DNS filtering.
Deploy behavioral EDR tools that detect process injection and credential access.
Train users to identify fake platforms mimicking AI services.
Enforce MFA to reduce impact of stolen cookies or credentials.
Restrict PowerShell usage on non-admin workstations.
Why This Matters
This attack reflects how cybercriminals exploit the hype around emerging tech like AI to create believable social engineering lures. With highly modular malware like XWorm involved, threat actors can pivot quickly from infostealing to full network infiltration. The blurred line between personal and business device use raises the stakes for security teams across all industries.
SAP NetWeaver Exploitation via CVE-2025-31324
Overview
A critical vulnerability in SAP NetWeaver Application Server Java’s Visual Composer component (CVE-2025-31324) is being actively exploited in the wild. The flaw allows attackers to remotely execute commands on exposed systems via malformed HTTP requests, even though the vulnerable VCFRAMEWORK module isn't installed by default. Analysts observed payload delivery attempts shortly after disclosure, targeting enterprises using low-code development tools within SAP deployments. Given SAP's widespread use in finance, logistics, and supply chains, successful exploitation could lead to operational disruption or full system compromise.
MITRE ATT&CK Techniques:
T1505 – Server Software Component
T1059 – Command and Scripting Interpreter
Defensive Recommendations:
Patch all SAP systems to mitigate CVE-2025-31324 immediately.
Restrict external access to SAP development and administrative interfaces.
Monitor for abnormal HTTP GET requests targeting Visual Composer URLs.
Enable logging and alerting on command-line execution from SAP components.
Apply web application firewall (WAF) rules to detect known exploit patterns.
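One way to implement the monitoring recommendations above, as an added example that is not code from the newsletter or from SAP: it reads constructed combined-format access-log lines and reports requests to Visual Composer paths that come from outside the trusted networks or use a method other than GET/HEAD. The path prefix and the trusted ranges are placeholder assumptions to be replaced with the deployment's real values.

```python
"""Flag abnormal requests to SAP NetWeaver Visual Composer paths in access logs.

Added example, not code from the Dragon Sight newsletter or from SAP. The path
prefix is a placeholder assumption (replace it with the Visual Composer URLs
your deployment exposes); the trusted networks and the combined-format log
lines are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Assumption: placeholder prefix, matched case-insensitively against the request path.
VC_PATH_PREFIX = "/visualcomposer/"
# Assumption: internal ranges from which legitimate developer traffic arrives.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample access-log lines (combined log format).
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [12/May/2025:10:15:01 +0000] "POST /visualcomposer/upload HTTP/1.1" 200 512
203.0.113.45 - - [12/May/2025:10:15:03 +0000] "GET /visualcomposer/upload?x=1 HTTP/1.1" 200 128
10.20.1.15 - - [12/May/2025:10:16:00 +0000] "GET /visualcomposer/app/main HTTP/1.1" 200 4096
10.20.1.15 - - [12/May/2025:10:16:02 +0000] "GET /irj/portal HTTP/1.1" 200 8192
198.51.100.9 - - [12/May/2025:10:17:30 +0000] "GET /irj/portal HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def is_external(src):
    """True when the source address is outside every trusted network."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in TRUSTED_NETS)


def analyze(log_text):
    """Return one alert per abnormal Visual Composer request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if not path.lower().startswith(VC_PATH_PREFIX):
            continue
        reasons = []
        if is_external(m["src"]):
            reasons.append("external-source")
        if m["method"] not in ("GET", "HEAD"):
            reasons.append("non-get-method")
        if reasons:
            alerts.append({"src": m["src"], "method": m["method"], "path": path, "reasons": reasons})
    return alerts


def hits_per_source(log_text):
    """Count Visual Composer requests per source, to spot scanning or upload bursts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"].split("?", 1)[0].lower().startswith(VC_PATH_PREFIX):
            counts[m["src"]] += 1
    return counts
```

The internal GET on the third line is deliberately not alerted, so the rule stays quiet for developers while any external or non-GET access to the component is surfaced for review and for WAF rule tuning.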
Why This Matters
CVE-2025-31324 represents a strategic risk to enterprise operations, especially if exploited by nation-state actors or ransomware groups. Organizations must treat SAP environments as high-value targets and ensure proper segmentation, monitoring, and patch hygiene.
Discover the Nexus-Dragon Ecosystem
Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection
Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com
Included in CLS:
Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications
Access to interactive cloud security labs, recorded workshops, and scheduled mentorship
Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency
Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response
Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:
AI-driven threat detection, endpoint security, and real-time response
Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001
Guided onboarding and a full cybersecurity risk assessment to identify gaps
Multi-year price lock and flexible plans that grow with your organization’s needs
Stay Ahead of Cyber Threats with Curated Threat Intelligence
In today’s fast-moving cyber landscape, raw data isn’t enough; you need actionable intelligence tailored to your business. Our Curated Threat Intelligence Service delivers real-time insights, customized threat profiles, and prioritized alerts focused on your industry, your risks, and your critical assets.
We filter the noise, track evolving threat actors, and highlight only what matters most, so you can act faster, defend smarter, and stay resilient. Every report includes high-confidence indicators of compromise (IOCs), mapped MITRE ATT&CK techniques, and strategic recommendations designed to strengthen your defenses.
Protect your business with intelligence built for action, not overwhelm.
Contact us today to start receiving tailored threat intelligence you can trust.
Whether you’re focused on penetration testing, compliance, data privacy, or building out your security operations, Nexus-Dragon equips you with the tools, knowledge, and strategies to lead from the front.
NEW SERVICE NOW ONLINE!
Dragon Armor Advisors (DAA): We Handle the Hiring, You Get the Cyber Experts
Hiring skilled cybersecurity professionals is expensive, time-consuming, and often leads to mismatches. Dragon Armor Advisors (DAA) changes the game by doing the hard part for you. We recruit, vet, train, and manage elite cybersecurity talent so you don’t have to.
Whether you need a security analyst, compliance expert, or incident response lead, Nexus-Dragon handles the full talent pipeline. Our advisors come from top-tier backgrounds, including NSA, DoD, and CISA, and are ready to integrate seamlessly into your team. You gain immediate access to professionals who are already mission-ready, without the cost, delays, or risks of full-time hiring.
Let DAA fill your cybersecurity gaps while you stay focused on growth. Keep them as long as you need, and if you want to bring them on permanently, we’ll make it happen.
This Week's Sponsor:
Nessus by Tenable is a leading vulnerability assessment tool trusted across the cybersecurity industry for its accuracy, speed, and depth of coverage. It identifies misconfigurations, missing patches, and known vulnerabilities across networks, servers, and cloud environments with both credentialed and uncredentialed scans. Nessus supports compliance audits for standards like PCI-DSS, HIPAA, and NIST, and offers robust integration capabilities for security teams seeking automation and efficiency. Its continually updated vulnerability database and clear, actionable reports make it an essential resource for reducing organizational risk and strengthening overall security posture. Learn more or get started here:
Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
[email protected]
Or explore our solutions directly at:
TELL US HOW WE’RE DOING!
We value your feedback! Let us know how we can improve future issues.
Legal Disclaimer
The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you.
All trademarks belong to their respective owners.
CONTACT US
📞 850-684-0278