Dragon Sight
WEEK OF APRIL 21–26, 2025 | ISSUE 06 | STAY CYBER AWARE THIS APRIL!
"Stay informed. Stay prepared. Stay secure—with Dragon Sight"
This Week in Dragon Sight
Political pressure on the NSA raises red flags about cybersecurity leadership.
Accounting firms face rising cyber risks amid poor cloud hygiene.
New stealth malware exploits DNS resolvers and scripting languages.
Critical CVE-2025-24054 is under active exploitation; patch now.
Chinese APTs and credential theft tactics target Linux and web logs.
CYBER NEWS ROUNDUP
NSA Director Faces Political Pressure
NSA Director Timothy Haugh became the subject of political controversy after being contacted by allies of Donald Trump and far-right activist Laura Loomer. The outreach has raised alarms over potential political interference in national security operations. Intelligence officials are now navigating how to maintain apolitical integrity amid external pressure.
Read more: NYTimes

Cybersecurity Shortfalls in Accounting Firms
As accounting firms move to cloud environments, many continue to underinvest in cybersecurity—making them prime targets for data breaches. A recent report stresses the urgent need for zero-trust models, encryption, and proactive monitoring. Firms that fail to act could face severe regulatory and reputational damage.
Read more: Dark Reading
IT-RAT Malware Hides in Microsoft DNS Tools
A new stealthy malware known as IT-RAT is abusing Microsoft’s DNS Resolver libraries to fly under the radar. This fileless malware blends into normal system operations, making it difficult to detect with traditional tools. Security teams are urged to enhance behavioral monitoring and adopt stronger endpoint defenses.
Read more: Dark Reading
Multi-Stage Malware Chain Leverages JSE & VBS Scripts
Researchers uncovered a layered malware campaign using JSE, VBS, and BAT scripts to avoid detection and maintain persistence. The campaign highlights the threat posed by legitimate scripting environments being weaponized. Organizations should review script execution policies and monitor for unusual script behaviors.
Read more: The Hacker News
Critical Web Vulnerability Under Active Attack (CVE-2025-24054)
A severe vulnerability identified as CVE-2025-24054 is being exploited in live environments, allowing attackers to execute arbitrary code. Thousands of systems remain unpatched and at risk. Admins are urged to apply security updates immediately and verify exposure.
Read more: The Hacker News
Chinese APT Targets Linux in New Campaign
A Chinese-linked advanced persistent threat group has begun targeting Linux-based systems using stealthy custom malware. The group’s tools are designed to mimic legitimate processes, making detection difficult. Enterprises running hybrid infrastructure are especially vulnerable.
Read more: NYTimes
4chan Knocked Offline by Rival Hacker
The controversial message board 4chan was temporarily taken down in a cyberattack allegedly carried out by a hacker from a competing online community. The takedown appears to be part of an escalating cyber feud between online factions. This highlights the increasing weaponization of DDoS and site takedown tactics.
Read more: PCWorld
How to Track Credential Theft Through Logs
Security researchers are emphasizing the value of correlating web logs and network activity to detect stolen credentials. The technique involves matching anomalies in access logs with suspicious IP behavior. It’s a low-cost but highly effective method to spot account compromise.
Read more: Cybersecurity News
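The correlation the article describes, as an added worked example that is not code from the article or from Cybersecurity News: a Python script parses constructed web access log lines (Apache/Nginx combined format, with the authenticated user in the third field), tracks failed and successful logins per source IP, and flags three patterns that point to stolen credentials being used: a success from an IP that has just produced a burst of failures, one IP logging in as many distinct accounts, and one account logging in from two different IPs within minutes. The log lines, the `/login` path, and the 302-on-success / 401-on-failure convention are constructed assumptions, and the thresholds are starting points to tune against your own traffic.

```python
"""Correlate web access logs with per-IP behaviour to surface credential theft.

Added illustration, not code from the article. The log lines are constructed
(Apache/Nginx combined format; the third field carries the authenticated user).
Assumptions: a login attempt is POST /login, answered 302 on success, 401 on failure.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 fails three times, then logs in as three
# different users; alice then appears again from a second IP 85 seconds later.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:09:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2025:09:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [21/Apr/2025:09:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - alice [21/Apr/2025:09:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - bob [21/Apr/2025:09:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - carol [21/Apr/2025:09:00:14 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - alice [21/Apr/2025:09:01:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.20 - alice [21/Apr/2025:09:01:31 +0000] "GET /dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.55 - dave [21/Apr/2025:10:15:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_log(text):
    """Parse combined-format lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        events.append(ev)
    return events


def is_login(ev):
    return ev["method"] == "POST" and ev["path"] == "/login"


def correlate(events, fail_threshold=3, min_users=3, window_seconds=600):
    """Return findings that tie access-log anomalies to the source IP's behaviour."""
    failures = defaultdict(int)            # ip -> failed logins seen so far
    burst_then_success = defaultdict(set)  # ip -> users who logged in right after a failure burst
    users_by_ip = defaultdict(set)         # ip -> distinct users it logged in as
    logins_by_user = defaultdict(list)     # user -> [(ts, ip)] successful logins
    for ev in events:                      # log order is time order
        if not is_login(ev):
            continue
        ip, user = ev["ip"], ev["user"]
        if ev["status"] == 401:
            failures[ip] += 1
        elif ev["status"] == 302 and user != "-":
            users_by_ip[ip].add(user)
            logins_by_user[user].append((ev["ts"], ip))
            if failures[ip] >= fail_threshold:   # failures counted only up to this point
                burst_then_success[ip].add(user)

    findings = []
    for ip, users in burst_then_success.items():
        findings.append({"rule": "success_after_failure_burst", "ip": ip,
                         "users": sorted(users), "failures": failures[ip]})
    for ip, users in users_by_ip.items():
        if len(users) >= min_users:
            findings.append({"rule": "one_ip_many_accounts", "ip": ip, "users": sorted(users)})
    for user, logins in logins_by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            gap = int((t2 - t1).total_seconds())
            if ip1 != ip2 and gap <= window_seconds:
                findings.append({"rule": "rapid_ip_change", "user": user,
                                 "ips": [ip1, ip2], "seconds_apart": gap})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding)
```

Feed it your real access log and replace the status convention with whatever your application emits; the per-IP failure counter is the piece that stands in for the "suspicious IP behavior" side of the correlation, and it can be swapped for firewall or IDS observations keyed on the same IP.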
Why This Matters
This week’s headlines and advisories paint a clear picture: cyber threats are accelerating in both complexity and impact. From stealthy fileless malware like IT-RAT and advanced multi-stage scripting attacks, to nation-state actors targeting Linux systems, attackers are evolving faster than ever. Meanwhile, vulnerable sectors like accounting and legacy cloud environments remain dangerously underprepared, putting sensitive data and operations at risk. CISA’s alerts on newly exploited vulnerabilities and critical ICS flaws underscore how urgent it is for security teams to act decisively. Whether you're defending infrastructure, securing credentials, or hunting for credential theft, the message is clear—proactive cyber defense isn’t just strategic, it’s survival.
Actionable Security Tips
Patch all newly listed CISA vulnerabilities immediately to block active threats.
Monitor DNS resolver activity for hidden malware like IT-RAT.
Audit and rotate cloud credentials, especially in legacy Oracle environments.
Apply vendor patches for ICS systems like Schneider Electric and Mitsubishi smartRTU.
Correlate web and network logs to detect signs of credential theft.
Stay alert for politically driven cyber risks targeting government and infrastructure.
Disable or restrict JSE, VBS, and BAT scripts to stop script-based malware attacks.
Cyber Hygiene Tips (Based on This Week’s Threats)
Patch early, patch often.
CISA added several actively exploited CVEs; apply updates as soon as they're released to reduce your exposure. (CISA Known Exploited Vulnerabilities Catalog)
Use MFA for cloud and remote services.
With warnings about legacy Oracle Cloud credential risks, multi-factor authentication adds a critical layer of protection. (CISA Oracle Cloud alert)
Restrict script execution on endpoints.
Malware campaigns are chaining JSE, VBS, and BAT scripts to evade detection. Block unnecessary scripts using endpoint policies. (The Hacker News – Multi-Stage Malware Attack)
Audit and remove unused user accounts.
Credential theft and misuse can go undetected in stale accounts; regular audits are essential. (Cybersecurity News – Tracking Credential Theft)
Monitor DNS resolver and system process activity.
IT-RAT malware hides in legitimate DNS components. Behavioral monitoring helps catch suspicious activity that traditional tools miss. (Dark Reading – IT-RAT Malware)
Back up your systems and test restores.
ICS environments are being actively targeted; ensure backups are recent, isolated, and can be restored under pressure. (CISA ICS Advisories – Schneider Electric, Mitsubishi Electric)
Use network segmentation.
Contain malware spread in both IT and OT environments by isolating critical assets. (CISA ICS advisories + Chinese APTs targeting Linux systems)
Train employees to spot phishing and social engineering.
Credential theft often begins with phishing; user awareness is your first line of defense. (Cybersecurity News – Credential Theft Tracking)
Disable legacy protocols and unused services.
Legacy systems like Oracle and unpatched ICS gear are prime targets; eliminate what you don't need. (CISA alerts + ICS advisories)
Practice your incident response plan.
With threats coming from nation-states and hacktivists alike, being prepared to respond is critical. (NSA political pressure article + 4chan cyberattack)
THREAT FOCUS INFORMATION
Threat Intelligence Spotlight: Shuckworm Targets Western Military Operations in Ukraine

In a newly observed campaign with serious geopolitical implications, the Russian-linked cyber-espionage group Shuckworm (also tracked as Gamaredon or Armageddon) has set its sights on a Western military mission operating within Ukraine. This operation was uncovered by researchers at Symantec, in collaboration with a UK-based security firm, and is the latest in a long string of attacks attributed to this persistent threat actor.
Shuckworm is a known cyber-espionage group believed to have strong affiliations with Russia’s FSB (Federal Security Service). It has actively conducted operations against Ukrainian interests for nearly a decade. However, this new report shows a marked escalation—not only in targeting foreign assets on Ukrainian soil, but also in its tradecraft and intent.
Key Findings
Target Profile: A Western military mission supporting Ukraine—possibly involving intelligence sharing, defense training, or logistical support.
Toolset Used: The attack leverages the GammaSteel malware family, which is known for its info-stealing capabilities and modular structure.
Persistence & Evasion: Shuckworm’s malware gains persistence by installing itself in the user’s Desktop folder and abusing PowerShell scripts for execution and command-and-control (C2).
Tactics and Techniques (Mapped to MITRE ATT&CK):
T1091 – Replication Through Removable Media: Suggests USB-based spread, possibly to reach air-gapped or semi-isolated systems.
T1054 – Indicator Blocking: Designed to block or evade security tools and event logging.
T1547 – Boot or Logon Autostart Execution: Ensures long-term persistence on infected endpoints by manipulating startup settings.
Strategic Implications
This campaign reinforces how deeply entangled cyber operations have become in modern warfare. By targeting foreign military missions, Shuckworm is signaling that any external support to Ukraine—whether advisory, humanitarian, or strategic—may now fall within its digital crosshairs.
It also highlights the continued evolution of Russian APTs, especially their reliance on low-cost, high-impact malware tailored for espionage rather than disruption. GammaSteel, for instance, is lightweight and modular, allowing operators to download new capabilities on demand based on the victim’s role and system access.
Defensive Recommendations
Restrict the use of removable media in sensitive military or diplomatic environments.
Log and monitor PowerShell execution using enhanced security baselining tools (e.g., AMSI logging, Defender for Endpoint).
Enforce strict application whitelisting and startup control policies to prevent unauthorized autostart configurations.
Ensure all remote mission systems are regularly audited for unauthorized persistence mechanisms, especially in user-accessible directories.
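To illustrate the last two recommendations (startup control and auditing user-accessible directories for persistence), here is an added Python example that is not from the Symantec report or this newsletter. It parses constructed text in the shape of `reg query` output for the HKCU Run key, works out what each entry ultimately executes (the executable itself, or the script handed to PowerShell or another script host), and flags entries whose target sits in a user-writable location such as Desktop or Downloads, the kind of placement described for this campaign. The sample entries, the list of user-writable locations, and the Startup-folder shortcut targets are all constructed assumptions.

```python
"""Flag autostart entries whose target lives in a user-writable directory.

Added illustration, not part of the Symantec report or this newsletter.
Input is constructed text in the shape of `reg query HKCU\\...\\Run` output plus
constructed targets resolved from Startup-folder shortcuts. The set of
user-writable locations below is an assumption to adapt to your environment.
"""
import re
from pathlib import PureWindowsPath

# Locations an ordinary user can write to; legitimate autostart entries rarely
# point here, whereas the campaign above installs itself under Desktop.
USER_WRITABLE_HINTS = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Script hosts: for these, the interesting target is the script they are told to run.
HOST_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".jse", ".bat", ".cmd", ".hta")

# `reg query` prints the key on its own line, then "    Name    REG_TYPE    Data".
REG_LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Constructed sample output for the per-user Run key.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    powershell.exe -NoProfile -File "C:\Users\jdoe\Desktop\update.ps1"
    Helper    REG_SZ    C:\Users\jdoe\Downloads\helper.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Constructed: command lines resolved from .lnk files in the user's Startup folder.
SAMPLE_STARTUP = [
    {"source": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", "name": "sync.lnk",
     "command": r'wscript.exe //B "C:\Users\jdoe\Desktop\sync.vbs"'},
]


def parse_reg_query(text):
    """Turn `reg query` style output into {source, name, command} entries."""
    key, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):   # unindented line names the key
            key = line.strip()
            continue
        m = REG_LINE_RE.match(line)
        if m:
            entries.append({"source": key, "name": m["name"], "command": m["data"]})
    return entries


def tokenize(command):
    """Split a command line, keeping quoted paths together (quotes removed)."""
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|\S+', command)]


def target_of(command):
    """Return the file an autostart command ultimately runs: the executable,
    or the script passed to a script host such as powershell.exe."""
    tokens = tokenize(command)
    if not tokens:
        return None
    if PureWindowsPath(tokens[0]).name.lower() in HOST_INTERPRETERS:
        for tok in tokens[1:]:
            if tok.lower().endswith(SCRIPT_EXTS):
                return tok
    return tokens[0]


def is_user_writable(path):
    """Substring check on the normalised path; %VAR% values are not expanded here."""
    return any(hint in path.lower().replace("/", "\\") for hint in USER_WRITABLE_HINTS)


def audit(entries):
    """Return the entries whose resolved target sits in a user-writable location."""
    findings = []
    for entry in entries:
        target = target_of(entry["command"])
        if target and is_user_writable(target):
            findings.append({**entry, "target": target})
    return findings


if __name__ == "__main__":
    for hit in audit(parse_reg_query(SAMPLE_REG) + SAMPLE_STARTUP):
        print(f'{hit["source"]} :: {hit["name"]} -> {hit["target"]}')
```

On a live host the same functions take the real `reg query` output for the HKCU and HKLM Run/RunOnce keys and the resolved targets of Startup-folder shortcuts; anything flagged should be compared against a known-good baseline rather than removed blindly, since some legitimate installers do drop launchers into user profiles.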
Why This Matters
The Shuckworm campaign is a textbook case of politically motivated cyber-espionage. It blends simple but effective techniques with focused targeting to extract high-value intelligence. In an era where information dominance shapes battlefield outcomes, defending against persistent APT activity is not just a cybersecurity mandate; it's a matter of national and allied security.
Discover the Nexus-Dragon
Explore Everything at Nexus-Dragon.com — Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection
Whether you're elevating your personal cybersecurity skillset or fortifying your organization's digital defenses, Nexus-Dragon offers a comprehensive ecosystem of solutions. From hands-on cybersecurity training to enterprise-grade endpoint security, we prepare you to stay resilient, compliant, and threat-ready in an evolving digital world.
Inside the Nexus-Dragon Ecosystem:
Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep; it's a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com
Included in CLS:
Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications
Access to interactive cloud security labs, recorded workshops, and scheduled mentorship
Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency
Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response
Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It's everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:
AI-driven threat detection, endpoint security, and real-time response
Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001
Guided onboarding and a full cybersecurity risk assessment to identify gaps
Multi-year price lock and flexible plans that grow with your organization’s needs
Whether you’re focused on penetration testing, compliance, data privacy, or building out your security operations, Nexus-Dragon equips you with the tools, knowledge, and strategies to lead from the front.
Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
[email protected]
Or explore our solutions directly at:
TELL US HOW WE’RE DOING!
We value your feedback! Let us know how we can improve future issues.
Legal Disclaimer
The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. All trademarks belong to their respective owners.
CONTACT US
📞 850-684-0278