Weekly Security News – 12th May 2025


Microsoft update causing issues, ransomware exploiting Windows logging flaw, smishing kit stealing card details...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.

The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month’s Patch Tuesday.

“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said in April.

Microsoft linked these attacks to the RansomEXX ransomware gang, saying the attackers installed the PipeMagic backdoor malware, which was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and leave ransom notes after encrypting files.

Since then, Symantec’s Threat Hunter Team has also found evidence linking them to the Play ransomware-as-a-service operation, saying the attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a U.S. organization’s network.

“Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation,” Symantec said.

“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.”

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.

“This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user’s authentication credentials,” Wordfence said. “This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible.”

That said, the vulnerability is exploitable only in two possible scenarios –

  • When a site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before
  • When an attacker has authenticated access to a site and can generate a valid application password

Wordfence revealed that it observed the threat actors attempting to exploit the initial connection vulnerability to establish a connection with the site, followed by using it to create an administrative user account via the automation/action endpoint.
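The bug class Wordfence describes, a connection-setup REST endpoint with no capability check, shown beside a hardened version. This is an added, hypothetical WordPress plugin snippet written for this page, not OttoKit’s code; the route names, option name and function names are invented.

```php
<?php
// Hypothetical WordPress plugin REST endpoint (added example, not OttoKit code).
// Shows the bug class described above: a "create connection" route reachable
// without a capability check, next to a hardened version of the same route.

// VULNERABLE: permission_callback lets anyone call the route, and the handler
// trusts a caller-supplied identity without verifying it against WordPress.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/connection', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_connection_vulnerable',
        'permission_callback' => '__return_true', // no capability check at all
    ) );
} );

function example_create_connection_vulnerable( WP_REST_Request $request ) {
    // Stores a site-level connection for whatever user the caller claims to be.
    $claimed_user = sanitize_user( $request->get_param( 'username' ) );
    update_option( 'example_connection_user', $claimed_user );
    return rest_ensure_response( array( 'connected' => true ) );
}

// HARDENED: WordPress core authenticates the request (cookie + nonce, or an
// application password) before permission_callback runs, so the callback only
// has to require an authenticated user holding the right capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/secure-connection', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_connection_hardened',
        'permission_callback' => function () {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            // Only administrators may connect the site to an external service.
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_create_connection_hardened( WP_REST_Request $request ) {
    // Bind the connection to the verified current user, never to a claimed name.
    update_option( 'example_connection_user', wp_get_current_user()->user_login );
    return rest_ensure_response( array( 'connected' => true ) );
}
```

When the permission callback returns false or a WP_Error, core rejects the request before the handler runs, so an unauthenticated caller never reaches the code that creates the connection.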

Cyber Attacks

New Attack Exploiting X/Twitter Advertising Display URL Feature to Trick Users

A sophisticated financial scam has emerged on X/Twitter, exploiting a critical vulnerability in the platform’s advertising display URL feature.

Cybersecurity researchers have uncovered a campaign that tricks users by displaying trusted domain names in advertisements while redirecting victims to malicious cryptocurrency scam websites.

The attack leverages a known loophole in X/Twitter’s URL handling system, allowing attackers to display one domain to X/Twitter’s crawlers while sending actual visitors to entirely different destinations.

The most recent instance of this attack was discovered on May 1, 2025, when advertisements for a fictitious “Apple iToken” cryptocurrency began appearing on X/Twitter.

What made these ads particularly deceptive was that they showed “From CNN.com” as the display URL, creating a false sense of legitimacy. When users clicked the link, however, they were redirected to cryptocurrency scam websites with elaborate Apple-themed interfaces designed to steal funds.

New Chinese Smishing Kit Dubbed ‘Panda Shop’ Steals Google Pay, Apple Pay & Credit Card Details

A sophisticated new smishing kit dubbed “Panda Shop” has emerged from China, enabling cybercriminals to steal financial data including Google Pay, Apple Pay, and credit card details.

This kit leverages advanced social engineering tactics by impersonating trusted organizations like USPS, DHL, and major banking institutions, creating convincing phishing pages that are nearly indistinguishable from authentic sites on mobile devices.

The kit represents a significant evolution in smishing technology, with templates customized for popular mobile platforms and browsers.

When victims open such pages, they believe they’re visiting legitimate websites that sent mobile notifications requesting additional information to receive a parcel or verify account details.

Resecurity researchers identified the kit on March 22, 2025, noting that the actors behind it can send up to 2 million smishing messages daily.

This massive scale enables Chinese cybercriminals to potentially target up to 60 million victims monthly, enough to reach every person in the United States twice per year.

In Other News...

Microsoft: April updates cause Windows Server auth issues

Microsoft says the April 2025 security updates are causing authentication issues on some Windows Server 2025 domain controllers.

The list of impacted platforms includes Windows Server 2016, Windows Server 2019, Windows Server 2022, and the latest version, Windows Server 2025.

However, as the company further explained, home users are unlikely to be affected by this known issue since domain controllers are typically used for business and enterprise authentication.


“After installing the April Windows monthly security update released April 8, 2025 (KB5055523) or later, Active Directory Domain Controllers (DC) might experience issues when processing Kerberos logons or delegations using certificate-based credentials that rely on key trust via the Active Directory msds-KeyCredentialLink field,” Microsoft said in a Windows release health update.

“This can result in authentication issues in Windows Hello for Business (WHfB) Key Trust environments or environments that have deployed Device Public Key Authentication (also known as Machine PKINIT).”

These problems could also impact software relying on these two features for authentication, including but not limited to third-party single sign-on (SSO) solutions, identity management systems, and smart card authentication products.

Affected auth protocols include Kerberos Public Key Cryptography for Initial Authentication (Kerberos PKINIT) and Certificate-based Service-for-User Delegation (S4U) via Kerberos Resource-Based Constrained Delegation (RBKCD or A2DF Delegation) or Kerberos Constrained Delegation (KCD or A2D2 Delegation).

Microsoft pushes fix for Windows 11 24H2 update failures

Microsoft has fixed a known issue preventing Windows 11 24H2 feature updates from being delivered via Windows Server Update Services (WSUS) after installing the April 2025 security updates.

WSUS was introduced as Software Update Services (SUS) almost twenty years ago, and it is designed to help IT admins defer, approve, and schedule updates for Microsoft products on large enterprise networks from a single local update server instead of relying on endpoints to update from Microsoft’s servers on their own.

Redmond confirmed the Windows 11 24H2 upgrade problems in late April following widespread reports across online platforms, including Reddit and its own community website.


As the company said when it acknowledged this issue, affected users see Windows Update Service (wuauserv) errors with 0x80240069 codes when attempting to update systems running Windows 11 23H2 or Windows 11 22H2.

Luckily, home users are unlikely to experience these update problems since WSUS is designed to be used only in business and enterprise environments.

“Devices which have installed the April Windows monthly security update, released April 8, 2025, or later (starting with KB5055528) might be unable to update to Windows 11 24H2 via Windows Server Update Services (WSUS),” Microsoft said last month in a Windows release health update.

“As part of this issue, the download of Windows 11 24H2 does not initiate or complete. Windows updates log can show error code 0x80240069, and further logs might include text similar to ‘Service wuauserv has unexpectedly stopped’.”