🤐 The Ransomware Gateway No One's Talking About
Fines, leaks, and hacks—key cyber updates
Welcome to your essential briefing on threats at the intersection of cybersecurity and critical infrastructure, brought to you by Neeve, the edge cloud security platform for smart buildings, making built spaces secure, intelligent, and sustainable.
This Week’s Cyber Insights
AI assistants that can autonomously perform web tasks are no longer science fiction—they're here, and so are the security risks. OpenAI's Operator and similar AI agents designed to streamline productivity are opening up new attack vectors for cybercriminals.
AI agents like OpenAI's Operator are designed to automate web-based tasks but could be repurposed for malicious activities.
When prompted to send unsolicited emails, AI agents may initially refuse, citing privacy concerns, but can be manipulated through prompt adjustments.
These agents can identify target information, create scripts to gather system information, and draft convincing phishing emails.
As these technologies become more sophisticated, the potential for abuse grows, blurring the line between legitimate automation and malicious intent.
🤔 The Bigger Picture:
As AI agents become more capable and widely available, the barrier to entry for executing sophisticated cyberattacks is dropping dramatically. Security teams need to implement robust safeguards against this new class of threats, focusing on unusual patterns of automation rather than just the content of communications.
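The recommendation above is to look for the rhythm of automation rather than the wording of each message. As an added example (not code from Neeve or from any of the products mentioned), the script below scores outbound mail senders by the regularity of their send intervals over a constructed sample; the event layout, sender names and thresholds are assumptions for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound mail send events (sender, UTC timestamp); the
# field layout is an assumption for this example, not a real mail-log format.
SAMPLE_SENDS = [
    ("bob@corp.example", "2025-03-10T10:01:00Z"),
    ("bob@corp.example", "2025-03-10T10:07:32Z"),
    ("bob@corp.example", "2025-03-10T11:15:05Z"),
    ("bob@corp.example", "2025-03-10T13:40:44Z"),
    ("agent@corp.example", "2025-03-10T14:00:00Z"),
    ("agent@corp.example", "2025-03-10T14:00:12Z"),
    ("agent@corp.example", "2025-03-10T14:00:23Z"),
    ("agent@corp.example", "2025-03-10T14:00:35Z"),
    ("agent@corp.example", "2025-03-10T14:00:48Z"),
    ("agent@corp.example", "2025-03-10T14:01:00Z"),
    ("agent@corp.example", "2025-03-10T14:01:12Z"),
    ("agent@corp.example", "2025-03-10T14:01:23Z"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def gap_regularity(timestamps):
    """Coefficient of variation of inter-send gaps: near 0 means metronomic,
    machine-like sending; human sending is far more irregular. None if too few."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def flag_automated_senders(sends, min_messages=6, window_seconds=600, max_cv=0.15):
    """Return {sender: cv} for senders with at least min_messages inside
    window_seconds whose gaps are regular enough (cv <= max_cv) to look scripted.
    The whole batch is treated as one window; a production detector would slide."""
    by_sender = {}
    for sender, ts in sends:
        by_sender.setdefault(sender, []).append(parse_ts(ts))
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        if len(times) < min_messages:
            continue
        span = (times[-1] - times[0]).total_seconds()
        cv = gap_regularity(times)
        if span <= window_seconds and cv is not None and cv <= max_cv:
            flagged[sender] = round(cv, 3)
    return flagged
```

Tune min_messages and max_cv against your own baseline; legitimate bulk senders (ticketing systems, newsletters) will score as automated and belong on an allowlist.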
A vicious trio of VMware vulnerabilities is giving attackers the keys to your virtual kingdom. These critical flaws in ESXi, Workstation, and Fusion products are being actively exploited to paralyze enterprise infrastructures and deploy ransomware across entire virtualized environments.
CVE-2025-22224 (CVSS 9.3) is a heap overflow flaw in VMware's VMCI driver that lets attackers execute code in the VMX process on the host.
CVE-2025-22225 (CVSS 8.2) enables privilege escalation to gain kernel-level control of ESXi hosts.
CVE-2025-22226 (CVSS 7.1) facilitates credential theft via hypervisor memory leaks for lateral movement.
Attackers are encrypting VM disk files (VMDKs) and deleting backups stored in vSphere datastores within 47 minutes of initial access.
Ransom demands average $2–5 million, with double extortion tactics threatening data leaks on dark web forums.
🤔 The Bigger Picture:
Your virtualization infrastructure—the technology that's supposed to isolate workloads—has become the attack vector. With only 38% of organizations properly monitoring ESXi host logs for VM management anomalies, most security teams are flying blind. Patch these vulnerabilities immediately and implement micro-segmentation between management interfaces and production networks.
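The log-monitoring gap above is the part defenders can close quickly: the attack pattern described (mass power-offs, snapshot removal and datastore file deletion within 47 minutes) stands out as a burst of destructive management operations from one account. As an added example (not code from Neeve or from VMware), the script below runs a sliding-window burst detector over constructed sample lines; the simplified "timestamp user action target" layout is an assumption, not the real hostd/vpxa syntax, so map your own log fields into it.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp user action target" layout
# (assumption for this example; not the real ESXi hostd/vpxa log format).
SAMPLE_LOG = """\
2025-03-10T09:00:12Z alice PowerOnVM web-01
2025-03-10T09:05:40Z alice CreateSnapshot web-01
2025-03-10T13:02:01Z svc-backup DeleteFile [ds1] backups/web-01-2025-03-09.vbk
2025-03-10T13:02:09Z svc-backup DeleteFile [ds1] backups/db-01-2025-03-09.vbk
2025-03-10T13:02:15Z svc-backup PowerOffVM db-01
2025-03-10T13:02:20Z svc-backup PowerOffVM web-01
2025-03-10T13:02:31Z svc-backup RemoveSnapshot db-01
2025-03-10T13:03:02Z svc-backup DeleteFile [ds1] db-01/db-01-flat.vmdk
"""

# Operations that, in bulk, match the encrypt-and-delete-backups pattern.
DESTRUCTIVE = {"PowerOffVM", "RemoveSnapshot", "DeleteFile", "RemoveDatastore"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse(line):
    """Return (timestamp, user, action, target) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def find_bursts(log_text, window=timedelta(minutes=47), threshold=5):
    """Return {user: (first_ts, last_ts, count)} for each user whose destructive
    operations inside any sliding window of `window` length reach `threshold`."""
    events = [e for e in map(parse, log_text.splitlines()) if e and e[2] in DESTRUCTIVE]
    events.sort()
    per_user, alerts = {}, {}
    for ts, user, action, target in events:
        q = per_user.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = (q[0], ts, len(q))
    return alerts
```

A service account that never deletes backups during business hours is the kind of per-user baseline that makes the threshold meaningful; the 47-minute window from the report is only a starting point.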
In what experts are calling "one of history's largest exposures of vulnerability to cyber attacks," over 150 US government database servers normally hidden behind multiple security layers are now directly accessible from the internet. This massive security failure affects Azure Government Cloud, used by at least 15 major federal agencies including the Departments of Agriculture, Education, Energy, Health and Human Services, and Veterans Affairs.
Database ports (1433 for SQL Server, 3306 for MySQL, 5432 for PostgreSQL) have been directly exposed to the internet for months.
Server administrators deliberately weakened default security settings that normally protect these systems.
57 newly created or previously internal endpoints have been responding to connection attempts for 48 consecutive days.
PostgreSQL servers responding to external connections have increased fourfold over previous maximums.
A potential Department of Defense supply chain compromise through Kruko.io, a Polish software company with DoD connections, was also uncovered.
🤔 The Bigger Picture:
The exposed databases potentially contain Americans' most sensitive information, from Social Security numbers and tax records to medical histories and whistleblower identities. Foreign intelligence agencies likely already know about these vulnerabilities, given they were discovered using publicly available scanning tools.
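The exposure described above starts with a database listener bound to every interface instead of loopback or a private address. As an added example (not code from Neeve or from the agencies involved), the check below parses listening-socket output for the three ports the report names and reports any that are not bound to loopback; the sample follows the column layout of `ss -ltn` but is constructed, so verify it against your own output before relying on it.

```python
# Ports called out in the report and the service each normally carries.
DB_PORTS = {1433: "SQL Server", 3306: "MySQL", 5432: "PostgreSQL"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the column layout of `ss -ltn` (an assumption for this
# example; column order may differ on your system, so check the header line).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    0.0.0.0:1433        0.0.0.0:*
LISTEN 0      70     *:3306              *:*
LISTEN 0      128    [::1]:3306          [::]:*
LISTEN 0      128    [::]:22             [::]:*
"""

def split_addr(local):
    """Split 'addr:port' into (addr, port); works for IPv6 brackets and wildcards."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)

def exposed_db_listeners(ss_text):
    """Return [(port, service, bind_addr)] for database ports listening on
    anything other than loopback. A non-loopback bind is not proof of internet
    exposure (a firewall or cloud NSG may still block it), but it is the
    precondition the report describes and the first thing to fix."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = split_addr(cols[3])
        if port in DB_PORTS and addr not in LOOPBACK:
            findings.append((port, DB_PORTS[port], addr))
    return findings
```

Run it against live output with `ss -ltn` piped into the function on each database host, and pair the result with a review of the cloud-side network rules, since the report notes that defaults were deliberately weakened on both layers.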
Further Alerts & Insights
📰 Medusa Ransomware Using Fake CrowdStrike Driver to Kill EDR
Medusa ransomware is deploying a malicious driver dubbed "ABYSSWORKER" that imitates legitimate CrowdStrike Falcon software. The driver can manipulate files and processes to terminate or permanently delete endpoint detection and response (EDR) products.
📰 CISA Releases Five Industrial Control Systems Advisories
CISA has issued five Industrial Control Systems advisories highlighting critical vulnerabilities in products from Schneider Electric, Siemens, SMA, and Santesoft. The vulnerabilities affect systems across multiple critical infrastructure sectors with CVSS scores ranging from 6.9 to 8.5.
📰 Trend Micro Open-Sources Model for Autonomous Cybersecurity
Trend Micro has open-sourced Trend Cybertron, an AI model and agent framework for autonomous cybersecurity agents. The specialized 8-billion-parameter model is fine-tuned using Llama 3.1 and leverages threat intelligence from over 250 million sensors worldwide.
📰 AI-Powered Malware-as-a-Service Dominates Cyberattacks
Malware-as-a-service now constitutes 57% of all cyberattacks according to Darktrace's latest research. Password-related attacks have skyrocketed from 567 per second three years ago to 7,000 per second today, while adversaries are getting 10-14 minutes faster every year.