March Security Roundup

In the news this month: 

• Russian actor launches phishing attacks targeting UK Microsoft accounts
• Linux vulnerability allows local users to gain unauthorised system access
• Lazarus Group infiltrates NPM to steal credentials and crypto data
• Apple zero-day exploited in targeted attacks against iOS and macOS users
• Hacktivists disrupt X with large-scale DDoS attack causing service outages

Cozy Bear targets Microsoft accounts in sophisticated phishing campaign

Russian state-sponsored threat actor Cozy Bear (also known as SVR) is behind a newly uncovered spear phishing campaign targeting Microsoft account users. The attackers impersonate officials from trusted entities such as the US State Department, the Ukrainian Ministry of Defence, and the European Parliament to initiate fake Microsoft Teams chats or meeting invites. UK organisations relying heavily on Microsoft 365 for remote or hybrid work are particularly at risk.

Once a user engages, they’re redirected to a malicious Microsoft Device Code authentication page, where any code entered is harvested by the attackers. This grants them long-term account access and the ability to exfiltrate sensitive data.

Risk to UK organisations

• Long-term unauthorised access to Microsoft 365 accounts
• Data breaches involving confidential or strategic information
• Compromised communications within hybrid/remote teams

Recommended mitigation

Action point: Review and apply vendor-specific patches across your Linux environments, including servers, containers, and embedded systems.

Lazarus Group infiltrates NPM ecosystem with malicious packages

Six malicious JavaScript packages have been discovered on NPM, linked to the North Korean Lazarus Group. These packages, designed for credential theft, backdoor access, and cryptocurrency-related data exfiltration, used typosquatting to deceive developers into downloading them.

Lazarus is infamous for employing such tactics to penetrate valuable networks and carry out large-scale attacks. An example of their exploits includes the recent plundering of $1.5 billion in a crypto heist from the Bybit exchange.

Risk to UK organisations

• Potential for credential theft and malware deployment in development environments
• Increased risk to crypto and financial services organisations

Recommended mitigation

Apple WebKit zero-day exploited in targeted attacks (CVE-2025-24201)

Apple has patched a zero-day vulnerability (CVE-2025-24201) in its WebKit browser engine, used across iOS, macOS, and Safari. The flaw allows attackers to perform out-of-bounds writes, enabling them to escape the web content sandbox. This has been exploited in sophisticated attacks targeting specific individuals on iOS versions before 17.2.

Risk to UK organisations

• Targeted attacks on executives, journalists, or political figures using Apple devices
• Potential data exfiltration via compromised web content

Recommended mitigation

Action point: Encourage users to update Apple devices immediately and apply security configurations that limit the use of third-party or unknown websites.

DDoS attack disrupts X (Twitter) services – Dark Storm claims responsibility

The social media platform X (formerly Twitter) experienced outages on 10 March 2025 due to a DDoS attack by pro-Palestinian hacktivist group Dark Storm. The group overwhelmed X’s servers and boasted of the disruption on their Telegram channel.

Risk to UK organisations

• Increased DDoS threat landscape for public-facing services and platforms
• Potential targeting of UK organisations based on political stances or affiliations

Recommended mitigation

Action point: Assess the resilience of external-facing services and consider geo-blocking or rate-limiting where appropriate to reduce DDoS impact.