Threat Intel Brief for March 3 - 9, 2025
In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Wave of unpaid parking and toll phishing texts
VMware ESXi servers vulnerable to CVE-2025-22224
'Malvertising' campaign impacts 1 million PCs
CISA KEV updates
Wave of unpaid parking and toll phishing texts
Cities across the US are reporting a surge in mobile phishing scams posing as parking violation and toll notices, threatening extra fines for unpaid tickets. In New York City, for example, victims are directed to a fake "NYC Department of Finance" site, where they are asked to provide personal details. The scam attempts to steal sensitive information by convincing users they have unresolved parking fines.
According to the FTC, there are 3 ways to report a phishing text from your mobile device:
1. Copy the message and forward it to 7726 (SPAM). This helps your wireless provider spot and block similar messages in the future.
2. Apple - Tap **Report Junk**, then tap **Delete** and **Report Junk**. Messages will forward the sender's information and the message to Apple, as well as delete the message.
3. Android - Touch and hold the conversation you want to report, tap **Block**, then **Report spam**, then **OK**.
Source: Bleepingcomputer
VMware ESXi servers vulnerable to CVE-2025-22224
A critical out-of-bounds write flaw (CVE-2025-22224) in internet-exposed VMware ESXi instances is being actively exploited, allowing local attackers with admin privileges to escape the VM sandbox and execute code on the host. CISA has directed federal and state agencies to apply patches or stop using the product by March 25, 2025. VMware has also released a FAQ page with further guidance and mitigation steps. To remediate CVE-2025-22224, apply the patches listed in the 'Fixed Version' column of the matrix below; no workarounds are available:
According to Shadowserver, as of 3-9-25, over 40k internet-facing VMware ESXi instances are vulnerable worldwide.
Source: Broadcom
'Malvertising' campaign impacts 1 million PCs
Microsoft has detected a large-scale 'malvertising' campaign (tracked as **Storm-0408**) targeting nearly one million devices globally to steal information. The attack leverages illegal streaming sites to redirect victims to GitHub, Discord, and Dropbox, where malicious payloads are hosted. Once installed, the malware uses a multi-stage approach to gather system data, deploy additional payloads, and exfiltrate sensitive information.
After gaining an initial foothold via GitHub, the malware acted as a dropper to deploy info-stealers like Lumma and Doenerium, along with NetSupport for remote access. The attack used PowerShell, JavaScript, and LOLBAS techniques to collect system data, steal credentials, and maintain persistence through registry modifications and startup shortcuts.
The following graphic from Microsoft depicts the attack chain:
Recommendations to combat this threat include deploying an EDR solution, such as Microsoft Defender for Endpoint, and applying the appropriate configurations. Raising user awareness of the 'malvertising' threat is also recommended. **Please see the source article for specific EDR configuration recommendations.**
Source: Microsoft
CISA KEV updates
CISA has added 9 new CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week:
Don't know where to begin with vulnerability management?
Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the CISA KEV catalog.
Source: Known Exploited Vulnerabilities Catalog | CISA
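As an added illustration of the KEV-driven prioritization described above (example code written for this brief, not a CISA or Coretek tool), the script below ranks scanner findings so that KEV-listed CVEs come first, ordered by CISA's remediation due date, ahead of everything else regardless of CVSS score. The KEV feed sample and the scan findings are constructed inline using the public feed's field names; CVE-2025-22224 and its March 25, 2025 deadline are taken from this brief, while the CVE-0000-000x identifiers are placeholders, not real catalog entries.

```python
import json
from datetime import date

# Constructed sample of CISA KEV catalog entries using the public feed's field
# names (cveID, dueDate, knownRansomwareCampaignUse). CVE-2025-22224 and its
# March 25, 2025 due date come from the brief; CVE-0000-000x are placeholders.
KEV_SAMPLE_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
   "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0001", "vendorProject": "PlaceholderVendor",
   "product": "PlaceholderApp", "dateAdded": "2025-03-06",
   "dueDate": "2025-03-27", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed scanner findings: (asset, CVE ID, CVSS base score).
SCAN_FINDINGS = [
    ("esxi-host-01", "CVE-2025-22224", 8.2),
    ("web-01", "CVE-0000-0001", 7.5),
    ("web-01", "CVE-0000-0002", 9.8),  # high CVSS but not in KEV
    ("db-01", "CVE-0000-0003", 5.3),
]


def load_kev(feed_json):
    """Index the KEV feed by CVE ID (the real feed has the same top-level shape)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Rank findings: KEV-listed first (earliest due date first, so overdue items
    lead), then everything else by CVSS score descending."""
    ranked = []
    for asset, cve, cvss in findings:
        entry = kev.get(cve)
        row = {"asset": asset, "cve": cve, "cvss": cvss, "kev": entry is not None}
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            row["due"] = entry["dueDate"]
            row["days_left"] = (due - today).days  # negative means overdue
            row["ransomware"] = entry["knownRansomwareCampaignUse"]
        ranked.append(row)
    # Sort key: KEV rows (0) before non-KEV (1); KEV by due date, others by -CVSS.
    ranked.sort(key=lambda r: (0, r["due"], -r["cvss"]) if r["kev"] else (1, "", -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, load_kev(KEV_SAMPLE_JSON), date(2025, 3, 26)):
        print(r)
```

In practice the feed would be fetched from CISA's published KEV JSON and the findings exported from your scanner; the ranking logic stays the same.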
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact