Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

THREAT INTELLIGENCE:
Google indicates limited, targeted exploitation of CVE-2024-43093 & CVE-2024-50302. 

SYSTEMS AFFECTED:

  • Android OS patch levels prior to 2025-03-05

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Following the MITRE ATT&CK framework, exploitation of these vulnerabilities can be classified as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

  • Multiple vulnerabilities in System that could allow for remote code execution. (CVE-2025-0074, CVE-2025-0075, CVE-2025-0084, CVE-2025-22403, CVE-2025-22408, CVE-2025-22410, CVE-2025-22411, CVE-2025-22412)

Tactic: Privilege Escalation (TA0004):

Technique: Exploitation for Privilege Escalation (T1068):

  • Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2024-0032, CVE-2024-43093, CVE-2025-0078, CVE-2025-0080, CVE-2025-0087)
  • Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2025-22409, CVE-2023-21125, CVE-2025-0079, CVE-2025-22404, CVE-2025-22405, CVE-2025-22406)
  • A vulnerability in Kernel that could allow for elevation of privilege. (CVE-2024-46852)

Details of lower-severity vulnerabilities are as follows:

  • Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2024-43090, CVE-2025-0083, CVE-2025-0086)
  • A vulnerability in Framework that could allow for denial of service. (CVE-2024-49740)
  • A vulnerability in System that could allow for denial of service. (CVE-2025-0081)
  • Multiple vulnerabilities in System that could allow for information disclosure. (CVE-2024-49728, CVE-2025-0082, CVE-2025-0092, CVE-2025-0093, CVE-2025-22407, CVE-2025-26417)
  • Multiple vulnerabilities in Kernel that could allow for information disclosure. (CVE-2024-50302, CVE-2025-22413)
  • A vulnerability in Google Play system updates. (CVE-2024-43093)
  • Multiple vulnerabilities in MediaTek components. (CVE-2025-20645, CVE-2025-20644)
  • Multiple vulnerabilities in Qualcomm components. (CVE-2024-49836, CVE-2024-49838, CVE-2024-53014, CVE-2024-53024, CVE-2024-53027)
  • Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2024-43051, CVE-2024-53011, CVE-2024-53025)

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
    • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
    • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
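The practical question behind "Android OS patch levels prior to 2025-03-05" is which devices in an inventory still report an older level. The following is an added example (not code from the advisory or from Google) that parses the `ro.build.version.security_patch` property as printed by `adb shell getprop` and classifies each device against the bulletin's patch level. The serials and property values are constructed; the property names are Android's real ones. A device that does not report a patch level at all is classified as unknown rather than silently passed.

```python
"""Fleet check for this advisory: flag Android devices whose security patch
level predates 2025-03-05. Added example, not code from the advisory or Google."""
import re
from datetime import date

# Patch level that closes the vulnerabilities listed in the advisory.
FIXED_PATCH_LEVEL = date(2025, 3, 5)

# Constructed sample: the output of `adb -s <serial> shell getprop` trimmed to
# three real property names; the serials and values are made up.
SAMPLE_GETPROP = {
    "emulator-5554": "[ro.product.model]: [Pixel 8]\n"
                     "[ro.build.version.release]: [15]\n"
                     "[ro.build.version.security_patch]: [2025-03-05]",
    "R58M1234ABC": "[ro.product.model]: [SM-A546B]\n"
                   "[ro.build.version.release]: [14]\n"
                   "[ro.build.version.security_patch]: [2025-02-01]",
    "ZY22ABCDEF": "[ro.product.model]: [moto g]\n"
                  "[ro.build.version.release]: [13]\n"
                  "[ro.build.version.security_patch]: [2024-11-05]",
    "UNKNOWN001": "[ro.product.model]: [Tablet]\n"
                  "[ro.build.version.release]: [12]",
}

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[name]: [value]` lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """ro.build.version.security_patch is YYYY-MM-DD; None if absent or garbled."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess_device(serial, getprop_text, fixed=FIXED_PATCH_LEVEL):
    """Classify one device as patched, vulnerable or unknown."""
    props = parse_getprop(getprop_text)
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    if level is None:
        status = "unknown"        # treat as vulnerable until verified by hand
    elif level < fixed:
        status = "vulnerable"
    else:
        status = "patched"
    return {
        "serial": serial,
        "model": props.get("ro.product.model", "?"),
        "android": props.get("ro.build.version.release", "?"),
        "patch_level": level.isoformat() if level else None,
        "status": status,
    }


def assess_fleet(samples=SAMPLE_GETPROP, fixed=FIXED_PATCH_LEVEL):
    """Assess every device and return the results, worst first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    results = [assess_device(s, t, fixed) for s, t in samples.items()]
    return sorted(results, key=lambda r: (order[r["status"]], r["serial"]))


if __name__ == "__main__":
    for r in assess_fleet():
        print(f"{r['status']:<10} {r['serial']:<14} {r['model']:<10} "
              f"Android {r['android']:<3} patch {r['patch_level']}")
```

In a real deployment the `SAMPLE_GETPROP` dict would be filled from an MDM export or from `adb devices -l` followed by one `getprop` call per serial; the classification logic does not change. Note that a level of 2025-03-01 is still below 2025-03-05 and is therefore reported as vulnerable, which matches the advisory's wording.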

REFERENCES:

Android:
https://source.android.com/docs/security/bulletin/2025-03-01
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22413
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26417

Uptick in Facebook Scams

Threat actors compromise accounts using social engineering tactics to convince their targets to take action, divulge sensitive information, or install malware to gain unauthorized access to legitimate user accounts. Once an account is compromised, they impersonate the victim to conduct further malicious activity. Threat actors can change account information, such as name, date of birth, email address, and phone number, and lock the victim out of their account by updating the password and multi-factor authentication (MFA) method. They can also post information and/or images that violate Facebook’s terms and conditions or acceptable use policies. Additionally, they can communicate with the contacts in the victim’s address book to conduct social engineering attacks, send harassing messages, threaten extortion, steal funds, or install malware. Scams can also result in exfiltrated data, identity theft, and financial loss.
The NJCCIC received an uptick in reports of compromised Facebook accounts impacting New Jersey residents and businesses. In the past month, some victims reported that their own Facebook account was compromised, while others reported that a contact’s account was compromised. Once compromised, the threat actors communicated with the victims’ contacts to lure and defraud them. The threat actors initially monitored Facebook activity to build trust and solicit the victims’ contacts in cryptocurrency investment schemes. However, they later changed their tactics to create posts playing on emotion and claiming to sell expensive items, such as used cars, on behalf of their sick or deceased relative, typically an uncle. The victims’ contacts believed the sale lure was authentic and thought they were communicating directly with legitimate users through Facebook Messenger. In reality, they made $500 to $2,000 payments, typically through Zelle, to the threat actors under false pretenses.
In another example, threat actors messaged the victims’ contacts through Facebook Messenger. The message instructed them to vote to win a prize by clicking the link. If clicked, the Facebook account was compromised. Then, the victims’ contact received an email purportedly from Meta, claiming an issue with their account. To regain access to their account, they needed to verify their identity by submitting the MFA code, the front and back of their official identification, and a one-minute video of themselves.
Threat actors recently reintroduced Facebook page deletion scams from several years ago. They target businesses with phishing emails, claiming to be from Meta and falsely accusing them of violating Facebook’s trademark rights. The urgent messages threaten to permanently delete their Facebook page if they do not respond by clicking the link, which is intended to steal account credentials. Meta does send notifications for rule violations; however, they include a “disagree with decision” or appeal icon directly on the suspended page.
Other Facebook scams include potential victims buying gift cards and sending gift card numbers through Facebook Messenger, non-payment of goods sold on Facebook Marketplace, and requests to purchase Facebook Marketplace goods with pre-paid credit card links to accept the requests and enter financial information. Additionally, scam Facebook groups steal photos, videos, and posts from legitimate groups to promote as their own, engage users, and conduct fraudulent schemes, such as links for fake merchandise intended to collect information from unsuspecting victims.

Eleven11bot Botnet Grows to Over 86,000 Devices, Thousands Geolocate to New Jersey

A new botnet known as Eleven11bot has quickly become one of the largest seen in the last several years, infecting over 86,000 Internet of Things (IoT) devices. The botnet, composed mainly of security cameras and network video recorders, has been used to launch distributed denial-of-service (DDoS) attacks against telecommunications service providers and online gaming servers. Of the approximately 86,000 infected devices, over 2,300 device IP addresses geolocate to New Jersey.
These devices were likely compromised by brute-forcing weak or common administrator account credentials, using known default credentials, and actively scanning networks for devices exposing Telnet and SSH. Details of this botnet and associated malicious activity serve as a reminder to ensure IoT devices are configured following cybersecurity best practices.
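The compromise path described above, credential brute-forcing against exposed SSH, leaves a recognizable trace in authentication logs: a burst of failed logins for a handful of administrator-style usernames from one source, sometimes followed by a success. The following is an added detection example (not from the article or from any analysis of Eleven11bot) that parses OpenSSH-style `sshd` log lines, alerts on a source that exceeds a failure threshold inside a time window, and escalates when that same source later authenticates successfully. The log lines are constructed and use RFC 5737 test addresses; the year is assumed because syslog timestamps do not carry one.

```python
"""Detect credential brute-forcing against SSH from auth log lines.
Added example; not from the article or the Eleven11bot analysis."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH's syslog format (RFC 5737 test addresses).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 nvr01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:02 nvr01 sshd[813]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar  3 02:14:03 nvr01 sshd[814]: Failed password for invalid user support from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:05 nvr01 sshd[815]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar  3 02:14:06 nvr01 sshd[816]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 02:14:08 nvr01 sshd[817]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Mar  3 02:14:09 nvr01 sshd[818]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
Mar  3 02:20:11 nvr01 sshd[901]: Failed password for operator from 198.51.100.22 port 40011 ssh2
Mar  3 02:31:40 nvr01 sshd[902]: Failed password for operator from 198.51.100.22 port 40012 ssh2
Mar  3 02:32:02 nvr01 sshd[903]: Accepted publickey for operator from 192.0.2.9 port 60001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)
LOG_YEAR = 2025  # syslog timestamps carry no year; the constructed sample is from 2025


def parse_line(line):
    """Return the fields of one sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field
    return {
        "ts": datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
        "result": m["result"], "user": m["user"], "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert on sources with >= threshold failures inside window_s seconds;
    escalate to 'critical' if that source later authenticates successfully."""
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    total = Counter()             # src -> all failures seen
    users = defaultdict(set)      # src -> usernames tried
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            total[src] += 1
            users[src].add(ev["user"])
            q = recent[src]
            q.append(ev["ts"])
            while (q[-1] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"severity": "high", "first_seen": q[0],
                               "success_after": False, "successful_user": None}
        elif src in alerts:
            # A success after a burst of failures is the signature of a guessed credential.
            alerts[src]["severity"] = "critical"
            alerts[src]["success_after"] = True
            alerts[src]["successful_user"] = ev["user"]
    for src, a in alerts.items():
        a["failures"] = total[src]
        a["usernames"] = sorted(users[src])
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{a['severity']:<8} {src:<15} failures={a['failures']} "
              f"users={a['usernames']} success_after={a['success_after']}")
```

The slow source (two failures eleven minutes apart) stays below the threshold on purpose; tuning `threshold` and `window_s` to the device population is the real work. For the camera and recorder class of device the article describes, the stronger control is still to keep Telnet and SSH off the internet and to replace default credentials, so that there is nothing for this detector to catch.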

NIST Finalizes Guidelines for Evaluating ‘Differential Privacy’ Guarantees to De-Identify Data

How can we glean useful insights from databases containing confidential information while protecting the privacy of the individuals whose data is contained within? Differential privacy, a way of defining privacy in a mathematically rigorous manner, can help strike this balance. Newly updated guidelines from the National Institute of Standards and Technology (NIST) are intended to assist organizations with making the most of differential privacy’s capabilities. Differential privacy, or DP, is a privacy-enhancing technology used in data analytics. In recent years, it has been successfully deployed by large technology corporations and the U.S. Census Bureau. While it is a relatively mature technology, a lack of standards can create challenges for its effective use and adoption. For example, a DP software vendor may offer guarantees that if its software is used, it will be impossible to re-identify an individual whose data appears in the database. NIST’s new guidelines aim to help organizations understand and think more consistently about such claims.
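What "mathematically rigorous" means in practice is easiest to see on the simplest DP mechanism. The following is an added example (not code from NIST or from the guidelines) that releases a count over constructed records through the Laplace mechanism and then checks the epsilon guarantee numerically: for two datasets that differ in one person, the log-ratio of the probability of any released value never exceeds epsilon, whereas datasets differing in three people exceed the bound. The record set and the choice of epsilon are constructed for illustration.

```python
"""Laplace mechanism for a counting query, with the privacy-loss bound checked
numerically. Added example; not code from NIST or the guidelines."""
import math
import random

# Constructed records: did each (fictional) person test positive?
RECORDS = [{"id": i, "positive": i % 7 == 0} for i in range(200)]


def true_count(records, predicate):
    return sum(1 for r in records if predicate(r))


def laplace_mechanism(value, epsilon, sensitivity=1.0, rng=random):
    """Release value + Laplace(0, sensitivity/epsilon) noise.
    For a count, adding or removing one person changes the value by at most 1,
    so sensitivity = 1. A Laplace variate is the difference of two exponentials."""
    scale = sensitivity / epsilon
    noise = rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)
    return value + noise


def laplace_pdf(x, mu, scale):
    return math.exp(-abs(x - mu) / scale) / (2 * scale)


def privacy_loss(output, count_a, count_b, epsilon, sensitivity=1.0):
    """ln of the ratio of output densities under two datasets.
    Epsilon-DP means this stays within [-epsilon, epsilon] for neighbours."""
    scale = sensitivity / epsilon
    return math.log(laplace_pdf(output, count_a, scale) /
                    laplace_pdf(output, count_b, scale))


def max_privacy_loss(count_a, count_b, epsilon, sensitivity=1.0, steps=2000):
    """Scan a wide range of possible outputs and return the largest |privacy loss|."""
    lo = min(count_a, count_b) - 50
    hi = max(count_a, count_b) + 50
    return max(abs(privacy_loss(lo + (hi - lo) * k / steps, count_a, count_b,
                                epsilon, sensitivity))
               for k in range(steps + 1))


def release_count(records, predicate, epsilon, rng=random):
    """The analyst sees only this noisy value, never the exact count."""
    return laplace_mechanism(true_count(records, predicate), epsilon, 1.0, rng)


if __name__ == "__main__":
    eps = 0.5
    exact = true_count(RECORDS, lambda r: r["positive"])
    noisy = release_count(RECORDS, lambda r: r["positive"], eps, random.Random(7))
    print(f"exact={exact} released={noisy:.2f} (epsilon={eps})")
    print(f"neighbours (differ by 1): max loss {max_privacy_loss(100, 101, eps):.3f} <= {eps}")
    print(f"differ by 3 people:       max loss {max_privacy_loss(100, 103, eps):.3f}")
```

The bound holds for every output value, not on average, which is what distinguishes a DP guarantee from the informal "cannot be re-identified" claim the passage warns about; a vendor's claim should name the epsilon and the sensitivity, since the guarantee is meaningless without both.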

Read More

Microsoft 365 Copilot Training for IT

Join us at Microsoft 365 Copilot Training for IT to learn how to use Microsoft Copilot to simplify your everyday tasks. During this free event, discover how Copilot can help you enhance efficiency, simplify complex tasks, and optimize technical workflows. You’ll be able to:

  • Use Copilot to summarize the information in a product spec document for a network security product and create a project plan to implement the product.
  • Use Copilot in PowerPoint to create and customize a business presentation based on the product plan that you created for the new network security product.
  • Use Copilot in Word to modify a technical implementation report for a customer who is planning to install your new network security product.
  • Use Copilot in Outlook to draft an email that provides highlights from the technical implementation report that you created for the customer who is installing your new network security product.

Join us at an upcoming event:

Delivery Language: English
Closed Captioning Language: English
Event Delivery: Digital

  • Tuesday, March 11, 2025, 4:00 – 5:00 PM (GMT-05:00)
  • Tuesday, March 25, 2025, 4:00 – 5:00 PM (GMT-05:00)
  • Monday, April 07, 2025, 12:00 – 1:00 PM (GMT-05:00)
  • Tuesday, April 22, 2025, 10:00 – 11:00 AM (GMT-05:00)

Space is limited. Register for free today.

CSF 2.0 Webinar Series: Implementing CSF 2.0—The Why, What, and How

Register Today! Take a Deep-Dive into Implementing CSF 2.0—The Why, What, and How

To address the ever-evolving cybersecurity landscape and equip organizations with information and resources to more quickly and effectively manage cybersecurity risk and improve their cybersecurity posture, NIST published a significant update to the NIST Cybersecurity Framework in 2024—CSF 2.0—the first major update to the framework in 10 years. Throughout the last year, organizations of all sizes and sectors have spent time familiarizing themselves with the CSF 2.0 and many are in the process of upgrading their cybersecurity posture informed by CSF 2.0.

In the first event in NIST’s new, multi-part CSF 2.0 webinar series we will highlight:

  • Why organizations would want to upgrade and how to foster bidirectional cybersecurity risk communications between leadership and practitioners.
  • Practical actions organizations can take to implement the CSF 2.0.
  • What resources are available to assist with implementation.

Time will be reserved at the end for audience questions.

Speakers:

  • Amy Mahn, International Policy Specialist, Applied Cybersecurity Division, NIST
  • Daniel Eliot, Lead for Small Business Engagement, Applied Cybersecurity Division, NIST
  • Stephen Quinn, Senior Computer Scientist and CSF Project Lead, Computer Security Division, NIST
Register Here

Multiple Vulnerabilities in VMware ESXi, Workstation, and Fusion Which Could Allow For Local Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Multiple vulnerabilities discovered in VMware ESXi, Workstation, and Fusion could allow for local code execution. VMware ESXi, Workstation, and Fusion are all virtualization products that allow users to run virtual machines (VMs) on their computers. Successful exploitation of these vulnerabilities could allow for local code execution in the context of the administrator account. Threat actors could install programs; view, change, or delete data; or create new accounts with full user rights.
Threat Intelligence
VMware by Broadcom has information to suggest that exploitation of the vulnerabilities has occurred in the wild.
Systems Affected

  • VMware ESXi 8.0, 7.0
  • VMware Workstation 17.x
  • VMware Fusion 13.x
  • VMware Cloud Foundation 5.x, 4.5x
  • VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x
  • VMware Telco Cloud Infrastructure 3.x, 2.x

Risk
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low
Recommendations

  • Apply appropriate patches provided by VMware to vulnerable systems immediately after appropriate testing.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Block execution of code on a system through application control and/or script blocking.
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
References
Broadcom:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22226

Considerations for Achieving Crypto Agility: NIST Releases CSWP 39 for Public Comment

Advances in computing capabilities, cryptographic research, and cryptanalytic techniques periodically create the need to replace algorithms that no longer provide adequate security for their use cases. For example, the threats posed by future cryptographically relevant quantum computers (CRQCs) to public-key cryptography are addressed by NIST post-quantum cryptography (PQC) standards. Migrating to PQC in protocols, applications, software, hardware, and infrastructures presents an opportunity to explore capabilities that could make this algorithm migration, and future ones, easier to achieve by adopting a cryptographic (crypto) agility approach.

Crypto agility describes the capabilities needed to replace and adapt cryptographic algorithms for protocols, applications, software, hardware, and infrastructures without interrupting the flow of a running system to achieve resiliency. NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, provides an in-depth survey of current approaches and considerations to achieving crypto agility. It discusses challenges, trade-offs, and some approaches to providing operational mechanisms for achieving crypto agility while maintaining interoperability. It also highlights some critical working areas that require additional discussion.
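The operational mechanism behind "replace and adapt cryptographic algorithms ... without interrupting the flow of a running system" is easiest to see in code. The following is an added illustrative pattern, not CSWP 39's own design and not a NIST reference implementation: every protected record carries an algorithm identifier, an algorithm registry maps identifiers to implementations, a policy object (data, not code) says which algorithm is preferred and which are still accepted, and a migration routine re-protects records that verify under a legacy algorithm. The two algorithms, the key and the records are constructed; HMAC with SHA-256 and SHA3-256 stand in for whatever pair a real migration (for example to a PQC signature) would involve.

```python
"""Algorithm-agile message authentication: records carry an algorithm
identifier, policy decides what is preferred/accepted/retired, and migration
re-protects old records. Added illustrative pattern, not CSWP 39's own design."""
import base64
import hashlib
import hmac

# Registry: introducing an algorithm is a one-line change here (assumed design).
ALGORITHMS = {
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA3-256": hashlib.sha3_256,
}

# Policy is data, not code: rotate by editing it, without touching callers.
POLICY_LEGACY = {"preferred": "HMAC-SHA256", "accepted": {"HMAC-SHA256"}}
POLICY_TRANSITION = {"preferred": "HMAC-SHA3-256",
                     "accepted": {"HMAC-SHA256", "HMAC-SHA3-256"}}
POLICY_RETIRED = {"preferred": "HMAC-SHA3-256", "accepted": {"HMAC-SHA3-256"}}


def _tag(alg, key, payload):
    return hmac.new(key, payload, ALGORITHMS[alg]).hexdigest()


def protect(payload: bytes, key: bytes, policy=POLICY_TRANSITION) -> dict:
    """Authenticate payload with the policy's preferred algorithm and label it."""
    alg = policy["preferred"]
    return {"alg": alg,
            "payload": base64.b64encode(payload).decode(),
            "tag": _tag(alg, key, payload)}


def verify(record: dict, key: bytes, policy=POLICY_TRANSITION) -> bool:
    """Accept only algorithms the policy still allows; never fall back silently."""
    alg = record.get("alg")
    if alg not in policy["accepted"] or alg not in ALGORITHMS:
        return False  # unknown or retired algorithm: refuse, do not guess
    payload = base64.b64decode(record["payload"])
    return hmac.compare_digest(_tag(alg, key, payload), record["tag"])


def migrate(record: dict, key: bytes, policy=POLICY_TRANSITION) -> dict:
    """Re-protect a record that still verifies under an accepted legacy algorithm."""
    if not verify(record, key, policy):
        raise ValueError("record does not verify; refusing to migrate it")
    if record["alg"] == policy["preferred"]:
        return record  # already current, nothing to do
    return protect(base64.b64decode(record["payload"]), key, policy)


def migrate_store(records, key, policy=POLICY_TRANSITION):
    """Batch form used during the transition window."""
    return [migrate(r, key, policy) for r in records]


if __name__ == "__main__":
    key = b"constructed-demo-key"          # illustration only
    old = [protect(b"invoice-42", key, POLICY_LEGACY),
           protect(b"invoice-43", key, POLICY_LEGACY)]
    new = migrate_store(old, key)
    print([r["alg"] for r in old], "->", [r["alg"] for r in new])
    print("legacy record under retired policy:", verify(old[0], key, POLICY_RETIRED))
    print("migrated record under retired policy:", verify(new[0], key, POLICY_RETIRED))
```

Two design choices carry the agility: the identifier travels with the data, so a verifier never has to infer the algorithm, and the transition is a policy change with a migration pass rather than a code change, so the legacy algorithm can be retired (moved out of `accepted`) once no record depends on it. A record that fails to verify is never migrated, which stops a migration pass from laundering tampered data into the new algorithm.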

The public comment period is open through April 30, 2025. See the publication details for a copy of the draft and instructions for submitting comments.

NIST also invites discussions among stakeholders to develop sector- and environment-specific strategies for pursuing crypto agility at a future NIST virtual workshop.

Read More

North Korea Responsible for $1.5 Billion Bybit Hack

The Federal Bureau of Investigation (FBI) is releasing this PSA to advise that the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from the cryptocurrency exchange Bybit on or about February 21, 2025. The FBI refers to this specific North Korean malicious cyber activity as “TraderTraitor.”

TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency.

Read full details HERE

Threat Actors Exploit Trusted Accounting Software

Individuals and businesses may use trusted accounting software to keep track of finances, generate invoices, and run payroll. Accounting software can also automate bookkeeping, create reports, analyze financial trends, and organize and manage data, making tax season easier. The software is linked to a designated bank account to securely pull transactions automatically and update them regularly. Although accounting software can be convenient, there are potential risks to the security of financial information, such as accounts vulnerable to data breaches, unauthorized access to accounts, and data modification. Threat actors may also phish for credentials or sensitive information, steal funds, and install malware, including ransomware. Since the beginning of 2025 and continuing into tax season, the NJCCIC observed an uptick in threat actors exploiting trusted accounting software through impersonation, phishing emails, account compromises, fraudulent invoices or transactions, and fake manual software patches.
The NJCCIC’s email security solution identified multiple phishing and malware campaigns impersonating legitimate businesses related to accounting, tax filing, and payments. Threat actors can sign up for free accounts for legitimate services and target victims from within those services, utilizing email addresses from domains not flagged by typical security tools. In one phishing campaign, threat actors impersonated Intuit QuickBooks, using their branding and the legitimate sender’s domain name. However, the emails are suspicious because they contain phishing links to non-Intuit domain names, unlike official emails that always include links to “intuit.com” addresses. The phishing links prompt a fraudulent Intuit authentication page to harvest user credentials that can be used in account compromises.
Additionally, the NJCCIC received multiple reports of unauthorized users logging into QuickBooks Online accounts using the victim’s compromised account credentials. The unauthorized users updated existing and added new vendor accounts with their own Automated Clearing House (ACH) information. They then made payments to these vendor accounts, with some successfully deducted from the victim organization’s bank account and some failing due to insufficient funds to cover the transactions.
Threat actors targeted accounting firm employees and impersonated UltraTax CS, Thomson Reuters’ professional tax preparation software. The username in the sender’s email address was misspelled as “subcriptions.” Although UltraTax CS is configured to automatically download and install updates by default, the email recommended manually downloading and installing the supposed software patch. If clicked, potential victims were directed to a malicious link in which threat actors weaponized the legitimate ConnectWise ScreenConnect remote access software to connect to computers and send malicious commands remotely.
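Two of the tells described above are mechanical enough to check automatically: Intuit-branded mail that links anywhere other than an intuit.com address, and a sender local part that is a near-miss of a word a real notification would use (the "subcriptions" misspelling). The following is an added triage example, not the NJCCIC's email security solution and not Intuit's or Thomson Reuters' guidance: it parses a raw message, extracts links, and flags links whose host is outside the claimed brand's domains, plus lookalike sender local parts. The three messages are constructed, the non-brand hosts use reserved example domains, and the brand-to-domain table and expected local-part list are assumptions an operator would maintain.

```python
"""Triage for brand-impersonation mail: every link in a message that presents
itself as a brand must land on that brand's domains. Added example, not the
NJCCIC's email security solution."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand -> registrable domains its legitimate mail links to. intuit.com comes
# from the article; the table itself is an assumption to maintain per brand.
BRAND_DOMAINS = {"intuit": {"intuit.com"}}
# Local parts that lookalike senders tend to misspell (assumed list).
EXPECTED_LOCAL_PARTS = {"subscriptions", "notifications", "billing", "support"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed samples (reserved example domains; no real sender is implied).
PHISH_SAMPLE = """\
From: Intuit QuickBooks <notifications@intuit.com>
Subject: Action required: verify your QuickBooks account

Your QuickBooks account needs verification. Sign in here:
https://intuit-verify.example.net/login?u=12345
"""
LEGIT_SAMPLE = """\
From: Intuit QuickBooks <notifications@intuit.com>
Subject: Your QuickBooks invoice is ready

View it at https://accounts.intuit.com/app/invoice/8831
"""
PATCH_LURE_SAMPLE = """\
From: UltraTax CS <subcriptions@example.com>
Subject: Manual update required for UltraTax CS

Download and install the patch: https://updates.example.org/ultratax/patch
"""


def host_under(host, domain):
    """True for the domain itself and any subdomain, false for lookalikes."""
    return host == domain or host.endswith("." + domain)


def brands_claimed(text):
    text = text.lower()
    return {b for b in BRAND_DOMAINS if b in text}


def lookalike_local_part(sender):
    """Return the expected word a sender local part nearly (but not exactly) spells."""
    local = sender.split("@", 1)[0].lower()
    if local in EXPECTED_LOCAL_PARTS:
        return None
    close = difflib.get_close_matches(local, EXPECTED_LOCAL_PARTS, n=1, cutoff=0.85)
    return close[0] if close else None


def triage(raw_email):
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # samples are single-part text
    links = URL_RE.findall(body)
    findings = []
    for brand in sorted(brands_claimed(f"{sender} {subject} {body}")):
        for url in links:
            host = (urlparse(url).hostname or "").lower()
            if not any(host_under(host, d) for d in BRAND_DOMAINS[brand]):
                findings.append(f"{brand}-branded mail links to {host}")
    near = lookalike_local_part(sender)
    if near:
        findings.append(f"sender local part looks like a misspelling of '{near}'")
    return {"sender": sender, "links": links, "findings": findings}


if __name__ == "__main__":
    for name, sample in [("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE),
                         ("patch lure", PATCH_LURE_SAMPLE)]:
        r = triage(sample)
        print(f"{name:<10} {r['sender']:<28} findings={r['findings'] or 'none'}")
```

The link check is deliberately about the host, not the display text, and `host_under` only accepts true subdomains, so a host that merely begins with a brand name is treated as foreign. A message that claims a brand and links only to that brand's domains produces no finding, which is the behaviour the passage attributes to official Intuit mail.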
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.

Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources.

Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages.

Safeguard your information and accounts, including account credentials and other sensitive information.

Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Restrict access based on assigned user roles to ensure only authorized users can view or modify financial information. Keep systems up to date and apply patches after appropriate testing.

Monitor accounts, set up alerts, review account transactions and activity, and report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the FTC, or the credit reporting bureaus.

Report phishing emails and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.