News from Italy
NoName057(16) strikes Italy again
The wave of cyberattacks by the Russian group NoName057(16) continues, with Distributed Denial of Service (DDoS) operations targeting critical infrastructure and institutional websites. Among the targets were Intesa Sanpaolo bank, Milan Malpensa and Linate airports, the ports of Trieste and Taranto, as well as the Ministry of Enterprises and Made in Italy, the Guardia di Finanza (Financial Police), the High Council of the Judiciary (CSM), and the Lombardy Region.
The attacks were reportedly triggered by statements made by President Sergio Mattarella, who compared Russia’s invasion of Ukraine to the conquest wars of the Third Reich.
Although the attacks caused temporary service disruptions, the National Cybersecurity Agency (ACN) and the Postal Police implemented effective defense measures, minimizing the damage.
This episode highlights Italy’s growing exposure to cyber threats, with the country accounting for approximately 10% of global cyberattacks in 2024—particularly affecting the media, manufacturing, and transportation sectors.
World News
Malware on Github steals cryptocurrency and sensitive data
A malicious campaign known as GitVenom has recently been uncovered, in which cybercriminals exploited the GitHub platform to distribute malware disguised as legitimate open-source projects. These fake tools—advertised as offering features such as Instagram automation, Bitcoin wallet management bots via Telegram, and cheats for the game Valorant—infected users’ devices, stealing personal and financial information.
The malware was capable of replacing cryptocurrency wallet addresses copied to the clipboard with those of the attackers, leading to the theft of at least 5 Bitcoins (approximately $456,600 at the time of discovery).
The primary victims were identified in Russia, Brazil, and Turkey.
The malicious code, written in various languages including Python, JavaScript, C, and C++, downloaded and executed additional payloads from attacker-controlled GitHub repositories. These included Node.js-based infostealers and remote administration tools such as AsyncRAT and Quasar RAT.
XSS attack on Krpano targets government sites and Fortune 500 companies
A Cross-Site Scripting (XSS) vulnerability in the Krpano framework—used to create 360° virtual tours—was exploited to inject malicious scripts into hundreds of websites, including government portals, universities, hotels, car dealerships, and major Fortune 500 companies.
Named 360XSS, the campaign aimed to manipulate search engine results and distribute advertising spam. Attackers leveraged an XML parameter to load external configurations containing Base64-encoded malicious code, which redirected users to ad pages.
Despite a patch released in 2020 for vulnerability CVE-2020-24901, attackers were still able to exploit the flaw on sites where the XML parameter had been explicitly included in the exception list of query parameters passed through to the viewer.
In response, the Krpano developers released update 1.22.4, which completely disables support for external XML configurations, and advised administrators to update the framework and disable the passQueryParameters feature.
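As an added defensive example (not code from this page or from the krpano project), the following JavaScript audits an embedpano() settings object for a passQueryParameters value that would forward the xml parameter, and flags tour request URLs whose xml parameter resolves outside the site's own origin. It assumes passQueryParameters takes either a boolean or a comma-separated allow-list of parameter names (krpano's documented form); the sample settings and URLs are constructed.

```javascript
// Added audit helper, not krpano's own code. Covers the two configuration
// points named above: an embedpano() settings object whose passQueryParameters
// lets the "xml" parameter through, and request URLs whose xml parameter loads
// configuration from outside the site. Assumption: passQueryParameters is a
// boolean or a comma-separated allow-list of parameter names.

function auditEmbedSettings(settings) {
  const findings = [];
  const pqp = settings.passQueryParameters;
  if (pqp === true || String(pqp).toLowerCase() === "true") {
    findings.push("passQueryParameters=true forwards every URL parameter, including xml");
  } else if (typeof pqp === "string") {
    const allowed = pqp.split(",").map((p) => p.trim().toLowerCase());
    if (allowed.includes("xml")) {
      findings.push("passQueryParameters allow-list explicitly includes xml");
    }
  }
  return findings;
}

// Returns a reason string if the xml query parameter would load a file from
// outside siteOrigin (a foreign host, or a data: URL whose origin is "null");
// returns null when there is no xml parameter or it stays on the site's origin.
function externalXmlReason(requestUrl, siteOrigin) {
  const xml = new URL(requestUrl).searchParams.get("xml");
  if (xml === null) return null;
  let target;
  try {
    target = new URL(xml, siteOrigin); // relative paths resolve against the site
  } catch {
    return "xml parameter is not a valid URL";
  }
  return target.origin === siteOrigin ? null : `xml parameter resolves to ${target.origin}`;
}

// Scans a list of request URLs and keeps only the suspicious ones with reasons.
function scanRequests(urls, siteOrigin) {
  return urls
    .map((u) => ({ url: u, reason: externalXmlReason(u, siteOrigin) }))
    .filter((r) => r.reason !== null);
}

// Constructed sample data: a risky embed config and a few tour requests.
const sampleSettings = { xml: "tour.xml", target: "pano", passQueryParameters: "startscene,xml" };
const sampleRequests = [
  "https://tours.example.org/tour.html?startscene=lobby",
  "https://tours.example.org/tour.html?xml=tour2.xml",
  "https://tours.example.org/tour.html?xml=https://evil.example.net/x.xml",
];
```

Running `scanRequests(sampleRequests, "https://tours.example.org")` flags only the third URL; the same-origin relative xml path in the second is left alone.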
Cyber attacks and vulnerabilities
In February 2025, several significant cybersecurity vulnerabilities were identified, revealing critical weaknesses in enterprise software, IT infrastructure, and network devices. Targeted attacks were observed against the Public Administration, Critical Infrastructure, and Cybersecurity sectors.
A total of 24 vulnerabilities were reported, 16 of which were classified as high or critical risk. Notably, Microsoft confirmed active exploitation of a flaw in .NET and a critical vulnerability in Power Pages, while Zyxel experienced in-the-wild exploitation of CVE-2024-40891, endangering enterprise network security.
At the same time, critical vulnerabilities were identified—and subsequently patched—in MongoDB, OpenSSL, and Cisco Nexus, with potential impacts on IT systems and digital infrastructure.
The device security sector also faced challenges, prompting security updates from Mozilla (for Firefox and Thunderbird), Juniper Networks, and SonicWall to mitigate potential exploits.
Additionally, a surge in smishing campaigns was reported, with a wave of targeted attacks aimed at Hype platform users, seeking to steal banking credentials.
Overall, February saw an uptick in actively exploited vulnerabilities, emphasizing the urgent need for timely interventions to protect IT systems.
The situation is summarized in the following chart:

The current cybersecurity landscape has revealed a combination of active exploitation of critical flaws, targeted attacks on IT infrastructure, and sophisticated social engineering campaigns. The vulnerabilities identified can be broadly divided into two main categories:
(1) software and network device flaws, and
(2) targeted cyberattacks.
Among the first category, major issues were reported in Zyxel, MongoDB, OpenSSL, SonicWall, and Cisco Nexus. These required urgent patches to mitigate potential attacks involving privilege escalation, remote code execution, and corporate network compromise.
Particularly noteworthy was the active exploitation of CVE-2024-40891, a vulnerability in Zyxel DSL CPE devices, which exposed numerous infrastructures to potential unauthorized access. Microsoft also reported active exploitation of vulnerabilities in .NET and Power Pages, while open-source software such as Moodle, Apache OFBiz, and Apache Fineract received high-risk security updates.
In parallel, the IT identity and authentication sector saw urgent updates released for IBM Security Verify Directory Server, Mozilla Firefox and Thunderbird, as well as critical patches for Oracle and Ivanti—highlighting increased attention on corporate data protection and digital identity security.
On the attack front, February saw a rise in threats leveraging zero-day vulnerabilities—flaws unknown to developers at the time of exploitation—making timely mitigation measures difficult. One of the most notable incidents was a smishing campaign targeting users of the Hype platform, aimed at stealing banking credentials.
Simultaneously, Advanced Persistent Threats (APTs) continued to target critical infrastructure, exploiting known vulnerabilities in 7-Zip, Rsync, and Linux systems, with the goal of maintaining persistent access within corporate and government networks for espionage or sabotage activities.
Mobile devices also came under scrutiny, with critical vulnerabilities resolved in Android and Google Pixel systems, while Xerox Versalink multifunction printers were found to have security flaws that could allow unauthorized access to sensitive data.
Additionally, ransomware attack techniques have evolved, with new methods designed to bypass corporate defenses and encrypt sensitive data more quickly and effectively. The use of advanced botnets has enabled large-scale attacks, with compromised devices acting as vectors for further intrusions.
DDoS attacks, on the other hand, targeted businesses and essential services, causing temporary disruptions and straining network infrastructure.
Finally, a rise in spear phishing attacks was observed, with messages specifically targeting company executives and IT managers. These attacks often leveraged cybersecurity or compliance themes to harvest privileged access credentials.
Among the attack methods described, zero-day exploitation is by far the most dangerous. Attackers can leverage these vulnerabilities to gain unauthorized access to systems, execute arbitrary code, and move laterally within corporate or government networks—all without being detected by traditional security systems.
We present some examples of recently identified high and critical risk vulnerabilities:
High Risk
Code Name: CVE-2025-27364
Description: The vulnerability lies in the dynamic compilation functionality of Caldera server agents (known as “implants”). An attacker can send a specially crafted web request to the Caldera server API, which is used to compile and download Sandcat or Manx agents. This request can inject subcommands through the linker flag, allowing arbitrary code execution on the server. Fortunately, the issue has been patched.
Source: https://www.cve.org/CVERecord?id=CVE-2025-27364
Critical Risk
Code Name: CVE-2025-24989
Description: The vulnerability stems from inadequate access control in Power Pages, allowing malicious actors to bypass registration mechanisms and gain elevated privileges without authorization. This could lead to unauthorized access to sensitive data and administrative functions of the site. Microsoft has already mitigated the issue.

