Dragon Sight: Emerging Threats & Security Strategies
WEEK OF MAY 19, 2025 | ISSUE 10 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

In This Issue
In this week's issue: cybercriminals are exploiting an old SonicWall CVE and abusing legitimate RMM tools in targeted spam campaigns, while separate phishing campaigns impersonate HR and payroll platforms to steal credentials and divert funds. Nation-state actors and APTs are hitting Windows systems with multi-stage loaders and software packages seeded with the XRed backdoor. At Pwn2Own Berlin 2025, competitors earned $435,000 for zero-day exploits against products that many small businesses depend on. OT security continues to lag in critical infrastructure, leaving industrial systems exposed to evolving threats. Finally, adversarial machine learning and phishing remain high-impact tactics, so security leaders must double down on awareness and layered defenses.
CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB
1. SonicWall Scanning for CVE-2021-20016
Attackers are actively scanning for SonicWall SMA 100 series SSL-VPN appliances still vulnerable to CVE-2021-20016, a critical unauthenticated SQL injection. Successful exploitation lets a remote attacker pull stored usernames, passwords and session data from the appliance, which can then be replayed for VPN access and lateral movement. SMBs still running unpatched firmware must update immediately, and should treat any credentials that lived on the appliance as compromised: rotate them and review VPN logs for logins from unfamiliar addresses.
2. Cyber Risk Quantification Still Guesswork
Many organizations continue to rely on vague or outdated methods to measure cyber risk, leading to poor investment and prioritization decisions. Without a defensible risk calculation, SMBs routinely overlook critical gaps in protection. We see this as a strategic blind spot that attackers can exploit.
3. ICS/OT Security Still Lags in Critical Infrastructure
Industrial and operational technology environments remain under-protected, especially in the manufacturing and energy sectors. Slow patch cycles and weak segmentation between IT and OT networks leave critical systems exposed to major disruptions.
4. VMware and SharePoint Zero-Days Exploited at Pwn2Own
Researchers successfully exploited zero-day vulnerabilities in VMware ESXi and Microsoft SharePoint at Pwn2Own Berlin 2025, highlighting serious flaws in core enterprise systems. Both platforms are widely used by SMBs and MSPs, so the findings are directly relevant. Because these are zero-days disclosed to the vendors at the contest, fixes follow later: apply the vendor updates as soon as they ship, and in the meantime segment these systems and restrict their management interfaces to admin networks.
5. Cybercriminals Impersonate Payroll & HR Platforms
A new phishing campaign is using spoofed HR and payroll portals to trick employees into surrendering credentials and payment details. Small businesses are prime targets because of less mature HR technology and fewer verification layers. Staff training, phishing-resistant MFA, and out-of-band confirmation of any bank-detail change are the key defenses.
6. Spam Campaign Abuses Remote Monitoring Tools (RMM)
Threat actors are using spam emails to deploy legitimate RMM software, giving them covert remote access to victim systems. Because the tool is signed, commercial software, the activity mimics insider or IT-support behavior and is harder to detect. If you use RMM tools, restrict installation to your licensed product and your deployment tooling, enforce strong access controls on the RMM console, and alert on any RMM binary that first appears on a host outside that path.
7. Help Desks Targeted as Weak Entry Points
Cisco Talos reports that IT help desks are increasingly targeted for credential theft and social engineering. These teams often hold elevated access and can be talked into resetting passwords or MFA devices. SMBs should reinforce caller-verification procedures, require a second factor or callback for account resets, and limit what can be reset over the phone.
8. Phishing Prevention Best Practices
Phishing remains one of the most effective and damaging attack vectors. This article outlines key prevention strategies, from email filtering to awareness training. SMBs should simulate attacks internally to gauge readiness and close gaps.
9. Adversarial Machine Learning on the Rise
Threat actors are testing ways to trick or poison AI/ML-based security systems. As SMBs increasingly adopt AI-driven defenses, understanding their limitations is critical. This growing trend requires human oversight and layered analytics.
10. Malicious Drivers Spread XRed Malware
Malware campaigns are seeding vendor driver and software packages with the XRed backdoor, giving attackers persistent remote access under the cover of software users installed deliberately. This delivery path is hard to catch without a capable EDR, so verify the hashes and signatures of vendor downloads against the vendor's published values before rollout, and block unexpected driver installs.
11. Group123 Launches Stealthy Windows Attacks
Group123 (also tracked as APT37) is targeting Windows environments with stealthy malware and advanced evasion techniques. Their goal is long-term access and data exfiltration, which puts SMB intellectual property at risk. Early detection and endpoint visibility are essential.
12. New .NET Multi-Stage Loader Discovered
A newly discovered .NET-based loader is enabling multi-stage attacks that bypass common defenses. SMBs without a dedicated SOC are especially exposed. Monitoring script execution, command-line activity and .NET assembly loads from unusual directories can improve detection.
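As an added example for roundup item 6 (not code from the newsletter or from any vendor): one way to alert on RMM tools that arrive outside the sanctioned deployment path. It classifies process-creation events by parent lineage: an RMM binary whose parent is a mail client, browser or archiver matches the spam-delivery pattern, one installed by management tooling is ignored, and anything else unapproved is flagged at a lower severity. The log records are constructed in a Sysmon-like key=value shape; the tool list, approved parents, delivery parents and allowlist are assumptions to tune for your environment.

```python
"""Alert on remote-monitoring (RMM) tools that show up outside the sanctioned
deployment path. The process-creation records below are constructed, in a
Sysmon-like key=value shape; the tool list, approved parents, delivery parents
and allowlist are assumptions to tune for your environment."""
import re
from dataclasses import dataclass

# Executable names of commonly abused RMM / remote-access tools (assumption: extend).
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientsetup.exe",
    "ateraagent.exe", "splashtopstreamer.exe", "ltsvc.exe", "rustdesk.exe",
}
# Parents that mean "installed by our management tooling" (assumption: SCCM/Intune/MSI).
APPROVED_INSTALL_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe", "msiexec.exe"}
# Parents that mean a user ran something that arrived by mail, browser or archive.
USER_DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                         "7zfm.exe", "winrar.exe"}
# (host, binary) pairs where an RMM tool is expected (assumption).
ALLOWLIST = {("helpdesk-01", "anydesk.exe")}

@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    parent: str
    cmdline: str

LINE_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]*)" '
    r'parent="(?P<parent>[^"]*)" cmdline="(?P<cmdline>[^"]*)"'
)

def parse(line):
    """Return a ProcessEvent, or None for lines that do not match the expected shape."""
    m = LINE_RE.search(line)
    return ProcessEvent(**m.groupdict()) if m else None

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev):
    """Return an alert string, or None when the event is benign or sanctioned."""
    image, parent = basename(ev.image), basename(ev.parent)
    if image not in RMM_BINARIES:
        return None
    if (ev.host.lower(), image) in ALLOWLIST:
        return None
    if parent in APPROVED_INSTALL_PARENTS:
        return None  # arrived through the sanctioned channel
    if parent in USER_DELIVERY_PARENTS:
        return (f"HIGH: {image} on {ev.host} launched from {parent} by {ev.user} "
                f"(mail/download delivery pattern)")
    return f"MEDIUM: unapproved RMM {image} on {ev.host} (parent {parent})"

def scan(lines):
    """Run every record through classify() and keep the alerts, in log order."""
    events = (parse(line) for line in lines)
    return [a for a in (classify(ev) for ev in events if ev) if a]

# Constructed sample telemetry (not from any real incident).
SAMPLE_LOG = [
    r'host=FIN-PC07 user=acme\jdoe image="C:\Users\jdoe\Downloads\Invoice_May\AnyDesk.exe" '
    r'parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="AnyDesk.exe --silent"',
    r'host=HELPDESK-01 user=acme\svc_hd image="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" '
    r'parent="C:\Windows\explorer.exe" cmdline="AnyDesk.exe"',
    r'host=ENG-PC12 user=acme\deploy image="C:\Windows\Temp\ScreenConnect.ClientSetup.exe" '
    r'parent="C:\Windows\CCM\CcmExec.exe" cmdline="ScreenConnect.ClientSetup.exe /quiet"',
    r'host=ENG-PC12 user=acme\mlee image="C:\Windows\System32\notepad.exe" '
    r'parent="C:\Windows\explorer.exe" cmdline="notepad.exe"',
    r'host=OPS-PC03 user=acme\rkhan image="C:\ProgramData\RustDesk\rustdesk.exe" '
    r'parent="C:\Windows\System32\services.exe" cmdline="rustdesk.exe --service"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the Outlook-spawned AnyDesk on FIN-PC07 is the HIGH alert and the RustDesk service on OPS-PC03 is the MEDIUM one; the help-desk AnyDesk (allowlisted) and the ScreenConnect install pushed by CcmExec produce nothing. Parent lineage is the discriminator because a legitimate RMM rollout never starts from a user's mail client.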
Why This Matters
This week's news shows attackers getting smarter and more patient. They get in by posing as trusted tools, such as remote IT software or HR platforms, and then stay hidden while they do damage. Even well-protected companies are being breached. Government alerts also warn that industries like healthcare and finance are especially at risk. The takeaway: every business needs to stay patched, train staff, and be deliberate about which people and which software it trusts.
Cyber Hygiene Tips – Week of May 19, 2025

Patch SonicWall Appliances Immediately
Threat actors continue scanning for CVE-2021-20016 on unpatched SonicWall SMA 100 series appliances. If you are still exposed, update the firmware without delay, then treat any credentials stored on the appliance as compromised: rotate them and review VPN access logs for logins from unfamiliar addresses.
Apply SharePoint and VMware ESXi Security Updates
Apply the vendor fixes for the Pwn2Own findings as soon as they ship. Until then, segment these systems from core infrastructure and restrict their management interfaces to admin networks.
Block Unauthorized Remote Monitoring Tools
Recent spam campaigns in Brazil are abusing legitimate RMM tools for remote access. Use application allowlists and endpoint controls to restrict installation and execution of these utilities to the one product you actually license, and alert on any RMM binary that first appears outside your deployment tooling.
Be Wary of Fake HR and Payroll Communications
Cybercriminals are impersonating benefits platforms to phish employees and steal sensitive data. Train staff to verify emails requesting login or financial information, flag unusual domains, and confirm payroll or bank-detail changes through a second channel.
Harden Windows Defenses Against Multi-Stage Malware
APTs are deploying custom loaders and XRed-infected driver packages to compromise Windows systems. Use behavior-based endpoint detection, block unsigned or unexpected driver installs, and verify the hashes and signatures of vendor downloads before rollout.
Monitor DNS-over-HTTPS (DoH) Traffic
DoH wraps DNS lookups inside ordinary HTTPS, so a network tap sees only a TLS session to port 443 and your internal resolver sees nothing. To regain visibility: enable TLS (SSL) inspection on the firewall or secure web gateway so DoH requests (GET or POST to /dns-query with content type application/dns-message) can be identified; alert on connections to known public DoH resolvers and on any port-53 traffic that bypasses your internal DNS servers; log queries where they are still visible, on the endpoint or on your own resolver, and watch for spikes in lookups of unknown domains or use of rare DoH services; and use endpoint protection that flags unexpected DoH clients or browser DoH settings. Where inspection is not possible, block the known public resolvers outright and point clients only at internal DNS.
Limit Privileges for Service Accounts and Admins
Regularly audit accounts and enforce least-privilege policies.
Update Detection Rules for Advanced Phishing Tactics
As phishing grows more targeted and realistic, refresh your detection signatures and simulate recent attack patterns to keep your team alert.
Strengthen AI Defenses with Human Oversight
Emerging adversarial machine learning techniques can fool security AI. Don't rely solely on automation: pair ML tools with skilled analysts to validate alerts and investigate anomalies.
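As an added example for the DoH tip above (not code from the newsletter or any vendor): detection logic run over connection records of the kind a firewall or TLS-inspecting proxy emits. It layers three checks in order of confidence: request-level evidence (the /dns-query path or a DNS content type, visible only with inspection, which also catches private resolvers no blocklist knows), TLS to a well-known public DoH endpoint by SNI or destination IP (works without inspection), and plain port-53 DNS that skips the internal resolver. The records are constructed; the internal-resolver set is an assumption, and the public resolver lists are starting points to extend.

```python
"""Find DNS-over-HTTPS (DoH) sessions and plain DNS that bypass the internal
resolver, using connection records of the kind a firewall or TLS-inspecting
proxy emits. Records below are constructed; the internal-resolver set and the
public DoH lists are assumptions to adapt."""
import re
from collections import Counter
from dataclasses import dataclass

INTERNAL_RESOLVERS = {"10.0.0.53"}   # assumption: the only DNS servers clients should use
# Well-known public DoH endpoints and the addresses that answer DoH on tcp/443.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                   "dns.quad9.net", "doh.opendns.com", "dns.nextdns.io"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}

@dataclass
class Finding:
    src: str
    dst: str
    reason: str

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn 'key=value ...' into a dict; None when the record lacks the core fields."""
    fields = dict(KV_RE.findall(line))
    return fields if {"src", "dst", "dport"}.issubset(fields) else None

def classify(rec):
    """Return the most specific reason a record is suspicious, or None."""
    dport = int(rec["dport"])
    sni, path, ctype = rec.get("sni", "-"), rec.get("path", "-"), rec.get("ctype", "-")
    endpoint = sni if sni != "-" else rec["dst"]
    # 1. Request-level evidence exists only when TLS is inspected, but it catches
    #    private or unlisted DoH resolvers that no blocklist knows about.
    if path == "/dns-query" or ctype in DOH_CONTENT_TYPES:
        return f"DoH request shape to {endpoint} (inspected HTTP)"
    # 2. TLS to a known public DoH endpoint; works without inspection via SNI or IP.
    if dport == 443 and (sni in KNOWN_DOH_HOSTS or rec["dst"] in KNOWN_DOH_IPS):
        return f"TLS to public DoH resolver {endpoint}"
    # 3. Plain DNS that skips the internal resolver entirely.
    if dport == 53 and rec["dst"] not in INTERNAL_RESOLVERS:
        return f"direct external DNS to {rec['dst']} bypasses internal resolver"
    return None

def detect(lines):
    """Parse every record and keep the suspicious ones, in log order."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["src"], rec["dst"], reason))
    return findings

def by_source(findings):
    """Count findings per client so repeat offenders surface first."""
    return Counter(f.src for f in findings)

# Constructed records; '-' marks fields the sensor could not see (no TLS inspection).
SAMPLE_LOG = [
    "2025-05-20T09:12:03Z src=10.0.5.23 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com path=/dns-query ctype=application/dns-message",
    "2025-05-20T09:12:05Z src=10.0.5.23 dst=10.0.0.53 dport=53 sni=- path=- ctype=-",
    "2025-05-20T09:13:11Z src=10.0.7.8 dst=8.8.8.8 dport=53 sni=- path=- ctype=-",
    "2025-05-20T09:14:40Z src=10.0.9.14 dst=203.0.113.10 dport=443 sni=doh.example.net path=/dns-query ctype=application/dns-message",
    "2025-05-20T09:14:41Z src=10.0.9.14 dst=93.184.216.34 dport=443 sni=www.example.com path=/ ctype=text/html",
    "2025-05-20T09:15:02Z src=10.0.5.23 dst=9.9.9.9 dport=443 sni=- path=- ctype=-",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h.src} -> {h.dst}: {h.reason}")
    print(by_source(hits).most_common())
```

On the sample, four of six records fire: the inspected Cloudflare session, the direct query to 8.8.8.8, the unlisted resolver doh.example.net (caught only because inspection exposed the /dns-query path), and the uninspected session to 9.9.9.9 (caught by IP alone). The ordinary HTTPS to www.example.com and the query to the internal resolver stay quiet, and 10.0.5.23 surfaces as the repeat offender.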
Government advisories
CISA is refining how it shares time-sensitive cyber alerts, especially for ICS. Subscribe to its alert feeds and route the notifications into your incident response workflow so they are triaged rather than read after the fact.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
This alert covers vulnerabilities with evidence of active exploitation in the wild. Organizations are urged to prioritize patching these issues ahead of other backlog items to prevent compromise.
CISA Releases Twenty-Two Industrial Control Systems Advisories
These advisories provide critical updates on vulnerabilities in widely used ICS products. Asset owners in manufacturing, energy, and infrastructure should review and implement mitigation steps immediately.
THREAT FOCUS INFORMATION
Threat Intelligence Brief: DPRK’s Remote IT Worker Espionage Campaign
Source: Dtex Systems – Inside the DPRK
Overview
A new advisory exposes how the Democratic People’s Republic of Korea (DPRK) is evolving its tactics by embedding state-affiliated operatives in remote IT roles across the U.S., U.K., and Europe. These individuals, using false identities, gain legitimate employment and long-term access to sensitive systems, where they gather proprietary data and potentially conduct espionage. This marks a strategic shift from traditional “laptop farms” to deeply embedded, virtual insider threats.
Threat Actor
This campaign is attributed to DPRK-aligned groups acting under state directive to evade sanctions and fund weapons development. These operatives are skilled IT professionals with deep knowledge of blockchain, AI, and enterprise software, and are adept at navigating Western hiring practices.
Targets
Private-sector firms in software development, IT services and finance, particularly those built around remote teams. Weak identity-verification processes make SMBs especially vulnerable to infiltration.
Tools and Techniques
DPRK operatives use deceptive tactics to secure employment, including:
Fake documents and resumes
Proxy identities via freelance platforms
Borrowed identities and professional referrals
VPNs and anonymized communication channels
While malware is not central to their initial operations, the risk of credential abuse, lateral movement, and data exfiltration remains high.
Mapped MITRE ATT&CK Techniques:
T1199 – Trusted Relationship
T1059 – Command and Scripting Interpreter
T1078 – Valid Accounts
T1027 – Obfuscated Files or Information
T1003 – Credential Dumping
T1021 – Remote Services
T1567 – Exfiltration Over Web Service
Strategic Implications
This campaign illustrates how state actors are shifting from overt cyberattacks to subtle, long-term infiltration through economic channels. DPRK's ability to bypass global sanctions by embedding operatives within foreign companies directly supports its weapons program. It blurs the line between workforce risk and cyber risk, especially for businesses with minimal vetting processes.
Defensive Recommendations
Vet Remote Hires Thoroughly: Use multifactor identity verification and third-party background checks, and confirm that the shipping address for company hardware matches the candidate's stated residence.
Watch for Insider Anomalies: Deploy user behavior analytics (UBA) to flag unusual access, off-hours activity, or bulk file movement.
Enforce Role-Based Access: Limit contractor access strictly to what the role requires, and review it when the role changes.
Audit and Rotate Credentials: Rotate credentials when contractors change roles or leave, apply geo-restrictions, and monitor VPN access in real time for logins from unexpected regions or shared exit points.
Adopt CISA's Insider Threat Guidelines: Formalize an insider threat program with clear escalation paths and training.
Why This Matters
This is not a traditional breach; it is state-sponsored employment fraud with espionage intent. DPRK is inserting operatives into trusted roles inside Western businesses to quietly siphon data and fund hostile operations. For SMBs, especially those embracing remote work, this reinforces the urgent need to apply the same rigor to workforce security as to perimeter defense.
Deep Dive: CVE-2023-5074 Exploitation and IP Scanning Activity
Disclaimer: This report includes raw threat intelligence such as IP addresses and IOCs. These indicators may not be confirmed as malicious by all sources. Use caution and validate against your internal telemetry before taking action.
Overview
The libcue bug described in this brief is an out-of-bounds write in the cue sheet parser, not a command injection: the INDEX number read from a .cue file was used as an array position without a range check. libcue is used by GNOME's tracker-miners indexer, so on a vulnerable desktop a crafted .cue file reaches the parser as soon as it lands in an indexed location such as ~/Downloads; the only user interaction is the click that downloads it, and the file is never opened by hand. That libcue issue is tracked as CVE-2023-43641; the identifier and advisory number cited here (CVE-2023-5074, Tenable TRA-2023-32) should be checked against your vulnerability feed before you build tickets or detections on them. The flaw affects systems running unpatched libcue versions.
Scanning Activity
Suspicious scanning linked to this vulnerability has been observed from the following IPs:
• 139.59.223[.]9
• 204.216.147[.]144
• 52.200.100[.]203
• 146.70.200[.]39
These addresses appear to be probing systems for exploitation paths. Organizations should log and investigate related traffic, and block the sources once validated against their own telemetry.
Why This Matters
This vulnerability is stealthy and easy to trigger, which makes it well suited to phishing-style delivery (a link that starts a download is enough), lateral movement, or silent compromise in multi-user environments. The scanning activity suggests threat actors are actively seeking exposed systems. SMBs using Linux workstations or shared environments must act swiftly.
Defensive Recommendations
Patch libcue immediately on all Linux desktops and shared systems.
Monitor for .cue file activity, especially from untrusted sources.
Block or flag traffic from the observed IPs.
Use endpoint behavior monitoring to detect unauthorized command execution.
Educate users about risks related to unknown multimedia files.
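As an added example for the "monitor for .cue file activity" recommendation (not code from the newsletter, Tenable or the libcue project): a triage heuristic for cue sheets that fit the libcue trigger pattern. The format numbers tracks 01-99 and index points 00-99, while the vulnerable parser accepted any integer as an INDEX number and used it as an array position, so an INDEX number outside that range is the tell-tale line. The sample sheets are constructed, and this is a heuristic for prioritising files to look at, not a signature for every malformed sheet.

```python
"""Heuristic scanner for cue sheets that fit the libcue trigger pattern.
libcue stored each track's INDEX points in a fixed-size array and used the INDEX
number from the file as the array position without a range check, so an INDEX
number outside the two-digit range the format allows (00-99) is the red flag.
Sample sheets are constructed; this is a triage heuristic, not a signature for
every possible malformed sheet."""
import re

MAX_TRACK = 99   # cue sheets number tracks 01-99
MAX_INDEX = 99   # and index points 00-99
TRACK_RE = re.compile(r"^\s*TRACK\s+(-?\d+)\s+\S+", re.IGNORECASE)
INDEX_RE = re.compile(r"^\s*INDEX\s+(-?\d+)\s+\d{1,3}:\d{2}:\d{2}\s*$", re.IGNORECASE)

def scan_cue(text):
    """Return (line_number, reason) for each line that should not appear in a sane sheet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        keyword = parts[0].upper() if parts else ""
        if keyword == "TRACK":
            m = TRACK_RE.match(line)
            n = int(m.group(1)) if m else None
            if n is None or not 1 <= n <= MAX_TRACK:
                findings.append((lineno, f"TRACK number {n} outside 1-{MAX_TRACK}"))
        elif keyword == "INDEX":
            m = INDEX_RE.match(line)
            if not m:
                findings.append((lineno, "malformed INDEX line"))
                continue
            n = int(m.group(1))
            if not 0 <= n <= MAX_INDEX:
                findings.append((lineno, f"INDEX number {n} outside 0-{MAX_INDEX} "
                                         "(unchecked array position in vulnerable libcue)"))
    return findings

def is_suspicious(text):
    return bool(scan_cue(text))

# Constructed samples: a normal two-track sheet and one shaped like a trigger file.
BENIGN = """REM GENRE Rock
FILE "album.wav" WAVE
  TRACK 01 AUDIO
    TITLE "One"
    INDEX 01 00:00:00
  TRACK 02 AUDIO
    INDEX 00 03:58:70
    INDEX 01 04:00:00
"""

MALICIOUS = """FILE "x.wav" WAVE
  TRACK 01 AUDIO
    INDEX 4294567296 00:00:00
    INDEX -5 00:00:00
"""

if __name__ == "__main__":
    for name, sheet in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, scan_cue(sheet))
```

Pointed at a directory such as ~/Downloads (for example with pathlib.Path.rglob("*.cue")), this separates ordinary ripper output from sheets nobody would write by hand: the benign sample yields no findings, while the malicious one reports both the oversized INDEX number on line 3 and the negative one on line 4. A hit is a reason to quarantine the file and check whether the host's libcue is patched, not proof of exploitation.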
Discover the Nexus-Dragon Ecosystem
Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection
Comprehensive Learning Subscription (CLS)
The CLS program is more than certification prep: it is a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and building long-term expertise in the field.

www.nexus-dragon.com
Included in CLS:
Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications
Access to interactive cloud security labs, recorded workshops, and scheduled mentorship
Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency
Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response
Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It is everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:
AI-driven threat detection, endpoint security, and real-time response
Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001
Guided onboarding and a full cybersecurity risk assessment to identify gaps
Multi-year price lock and flexible plans that grow with your organization’s needs
Stay Ahead of Cyber Threats with Curated Threat Intelligence
In today's fast-moving cyber landscape, raw data isn't enough; you need actionable intelligence tailored to your business. Our Curated Threat Intelligence Service delivers real-time insights, customized threat profiles, and prioritized alerts focused on your industry, your risks, and your critical assets.
We filter the noise, track evolving threat actors, and highlight only what matters most, so you can act faster, defend smarter, and stay resilient. Every report includes high-confidence indicators of compromise (IOCs), mapped MITRE ATT&CK techniques, and strategic recommendations designed to strengthen your defenses.
Protect your business with intelligence built for action, not overwhelm.
Contact us today to start receiving tailored threat intelligence you can trust.
Whether you’re focused on penetration testing, compliance, data privacy, or building out your security operations, Nexus-Dragon equips you with the tools, knowledge, and strategies to lead from the front.
NEW SERVICE NOW ONLINE!
Dragon Armor Advisors (DAA): We Handle the Hiring, You Get the Cyber Experts
Hiring skilled cybersecurity professionals is expensive, time-consuming, and often leads to mismatches. Dragon Armor Advisors (DAA) changes the game by doing the hard part for you. We recruit, vet, train, and manage elite cybersecurity talent so you don’t have to.
Whether you need a security analyst, compliance expert, or incident response lead, Nexus-Dragon handles the full talent pipeline. Our advisors come from top-tier backgrounds, including NSA, DoD, and CISA, and are ready to integrate seamlessly into your team. You gain immediate access to professionals who are already mission-ready without the cost, delays, or risks of full-time hiring.
Let DAA fill your cybersecurity gaps while you stay focused on growth. Keep them as long as you need, and if you want to bring them on permanently, we'll make it happen.
Sponsor Spotlight: Tenable
Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.
Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
[email protected]
Or explore our solutions directly at:
TELL US HOW WE’RE DOING!
Your feedback is VERY valuable! Let us know how we can improve future issues.
Legal Disclaimer
The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!
All trademarks belong to their respective owners.
CONTACT US
📞 850-684-0278