Cybersecurity threats continue to evolve, and last week was no exception. From high-profile data breaches to emerging vulnerabilities that put millions at risk, the digital landscape saw a wave of security incidents that demand attention. Whether it was a massive ransomware attack crippling critical infrastructure or newly discovered exploits shaking up the tech world, staying informed is the first line of defense. Here’s a roundup of the six biggest cybersecurity news stories from last week, highlighting the key takeaways and their potential impact on businesses and individuals.

Microsoft Warns of Attackers Exploiting Exposed ASP.NET Machine Keys to Deploy Malware

Attackers are exploiting exposed ASP.NET machine keys to hijack user sessions, escalate privileges, and deploy malware on compromised servers, Microsoft has warned. These machine keys, critical for securing authentication tokens and cryptographic operations in ASP.NET applications, are being abused to bypass security controls and execute malicious code remotely.

How Attackers Exploit Exposed Keys

Cybercriminals leverage misconfigured or publicly accessible machine keys to:
Forge authentication tokens and impersonate users.
Gain unauthorized access and escalate privileges.
Deploy malware and web shells to maintain persistence.
Move laterally across networks, exfiltrating sensitive data.

Who’s at Risk?

Organizations running ASP.NET applications with weak security configurations, including:

• Web applications on IIS servers
• Cloud-hosted ASP.NET platforms
• Enterprise systems using authentication mechanisms

Microsoft’s Security Recommendations

Rotate machine keys regularly.
Restrict access to sensitive configuration files.
Enforce strict permissions on web directories.
Use Web Application Firewalls (WAFs) to detect forgery attempts.
Enable monitoring & logging to track suspicious activity.

Final Thoughts

This growing attack vector poses a serious risk to ASP.NET applications, allowing attackers to bypass authentication, plant malware, and establish persistence. Securing machine keys and implementing Microsoft’s security measures is crucial to preventing unauthorized access and system compromise.

Critical Cisco ISE Bug Allows Attackers to Execute Commands as Root

A high-severity vulnerability (CVE-2024-20248) has been discovered in Cisco Identity Services Engine (ISE), potentially allowing attackers to execute commands as root.

Organizations using Cisco ISE versions 3.1, 3.2, and 3.3 are at risk. This command injection flaw could let attackers bypass security controls and gain full system access.

What’s at Stake?

• Unauthorized root access
• Network-wide compromise
• Data manipulation and security breaches

What to Do Now?

• Update immediately to the latest Cisco ISE patch.
• Restrict admin access to prevent exploitation.
• Monitor logs for suspicious activity.

Although no active exploits have been reported yet, security experts warn that delayed patching could lead to severe breaches. Take action now to protect your network infrastructure.

Ransomware Payments Drop 35% in 2024, Totaling $813.55 Million

Ransomware payments took a significant hit in 2024, dropping 35% compared to 2023. Reports indicate that victims collectively paid $813.55 million in ransom, marking a notable shift in how businesses respond to cyber extortion.

Why Are Payments Declining?

• Stronger Cybersecurity Measures → Organizations are investing in advanced security solutions.
• Improved Incident Response → Businesses are better prepared to contain and recover from attacks.
• Better Backup Strategies → Reliable data backups reduce the urgency to pay ransoms.
• Law Enforcement Crackdowns → Authorities are taking stronger action against ransomware groups.
• Legal & Compliance Risks → Governments discourage ransom payments to prevent funding cybercrime.

Ransomware Still a Threat

Despite the drop in payments, ransomware remains a critical cybersecurity issue. Attackers are constantly adapting, using new techniques to pressure victims into paying. Organizations must stay vigilant, prioritize cybersecurity training, and implement proactive defense strategies to mitigate risks.

 Hackers Exploit Microsoft ADFS Login Pages to Steal Credentials

A new phishing campaign is targeting Microsoft Active Directory Federation Services (ADFS), using fake login pages to steal credentials and bypass multi-factor authentication (MFA).

• Hackers send phishing emails pretending to be from IT departments.
• Victims are tricked into clicking links leading to fraudulent ADFS login pages.
• Once entered, credentials and MFA codes are captured, allowing attackers to access corporate accounts.

Targeted Sectors and Attack Impact

The attack has already affected at least 150 organizations, with education, healthcare, and government sectors being the primary targets.

• Stolen credentials can be used for further phishing or business email compromise (BEC) schemes.
• Financial fraud, unauthorized email access, and internal phishing attacks are common consequences.

How to Protect Your Organization

To mitigate the threat, security experts recommend:

Switching to Microsoft Entra – a more secure authentication alternative.
Strengthening email security – filtering and anomaly detection help spot phishing attempts.
User education – continuous training on recognizing phishing scams.
Verifying login requests – employees should confirm security-related emails before clicking links.

This phishing campaign highlights the risks of social engineering, even when attacks appear to come from internal departments. Organizations must adopt advanced security measures and educate employees to reduce vulnerability.

Hackers Spoof Microsoft ADFS Login Pages to Steal Credentials

A new phishing attack is targeting organizations using Microsoft Active Directory Federation Services (ADFS). Hackers create fake login pages to steal credentials and bypass multi-factor authentication (MFA).

How the Attack Works

Phishing Emails: Fake IT department emails urge users to update security settings.
Spoofed Login Pages: Links redirect victims to realistic-looking but fraudulent ADFS login pages.
Credential Theft: Users enter their login details and MFA codes, handing them over to attackers.
Unauthorized Access: Stolen credentials are used for further attacks, including business email compromise (BEC).

Who is at Risk?

Government agencies
Healthcare institutions
Educational organizations

How to Stay Safe

Educate Employees – Train staff to spot phishing attempts and suspicious emails.
Filter Emails – Use advanced spam filters to detect and block phishing attacks.
Monitor Logins – Set up alerts for unusual login activities, especially MFA approvals.
Strengthen MFA – Consider additional layers of security beyond standard MFA.

Act Now: Organizations must reinforce authentication security to prevent unauthorized access.

 Hackers Exploit Cityworks RCE Bug to Breach Microsoft IIS Servers

Critical Threat:

Attackers are actively exploiting a deserialization vulnerability in Trimble’s Cityworks software (CVE-2025-0994) to gain remote access and execute commands on Microsoft IIS servers.

What’s Happening?

• This high-severity Remote Code Execution (RCE) vulnerability (CVSS 8.6) allows authenticated users to execute malicious commands remotely.
• Threat actors are using this flaw to deploy Cobalt Strike beacons, a known tool for deeper network infiltration.

Who’s Affected?

• Cityworks versions prior to 15.8.9
• Cityworks Office Companion versions before 23.10
• Microsoft IIS servers running vulnerable Cityworks instances

How Does It Work?

• Attackers exploit a deserialization flaw in Cityworks.
• They execute arbitrary code on compromised IIS servers.
• Once inside, they escalate privileges and move laterally across networks.

What You Should Do Now

Immediate Patch:

• Upgrade to Cityworks 15.8.9 (or later).
• Cloud users (CWOL) will receive automatic updates.

Secure IIS Servers:

• Review permissions—IIS should not run with administrative privileges.
• Restrict attachment root directories to prevent file execution.

Monitor for Breaches:

• Check for unauthorized access logs.
• Scan for Cobalt Strike indicators on your network.

Stay Secure. Stay Updated.

Apply security updates immediately to prevent exploitation. Attackers are actively leveraging this vulnerability—don’t wait to act!