Tag: vulnerability

57 Attack Reports | 0 Vulnerabilities

Attack reports

Webrat, disguised as exploits, is spreading via GitHub repositories

A new malware campaign targeting security professionals and students has been uncovered. The threat actor behind Webrat is now disguising the backdoor as exploits and proof-of-concept code for high-profile vulnerabilities, distributing it through GitHub repositories. The malware, which previously s…
malware
backdoor
exploit
vulnerability
trojan
information-stealing
social-engineering
cybersecurity
github
webrat
CVE-2025-59230
CVE-2025-59295
CVE-2025-10294
2025-12-23
Published: December 23, 2025
Linked vulnerabilities : CVE-2025-59230 (CVSS 7.8), CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), CVE-2025-11833 (CVSS 9.8), CVE-2025-11499 (CVSS 9.8), CVE-2025-12595 (CVSS 7.4), CVE-2025-12596 (CVSS 7.4), CVE-2025-55234, CVE-2025-54106, CVE-2025-54897
Downloadable IOCs: 5

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP re…
vulnerability
remote code execution
vshell
snowlight
CVE-2025-55182
react2shell
2025-12-15
etherrat
Published: December 15, 2025
Linked vulnerabilities : CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 50

Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability

A critical vulnerability in Gladinet's CentreStack and Triofox products has been discovered, involving hardcoded cryptographic keys in their AES implementation. This flaw allows potential access to the web.config file, enabling deserialization and remote code execution. Attackers are actively targe…
vulnerability
cryptography
remote code execution
centrestack
triofox
deserialization
aes
CVE-2025-11371
2025-12-11
access ticket
Published: December 11, 2025
Linked vulnerabilities : CVE-2025-11371 (CVSS 6.2)
Downloadable IOCs: 1

It didn’t take long: CVE-2025-55182 is now under active exploitation

A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a su…
xmrig
vulnerability
botnet
mirai
exploitation
gafgyt
honeypot
rondodox
CVE-2025-55182
2025-12-11
react server components
crypto miner
react4shell
Published: December 11, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 46

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, le…
vulnerability
zero-day
cloud security
supershell
rce
CVE-2024-55947
2025-12-10
CVE-2025-8110
git service
gogs
symlink bypass
Published: December 10, 2025
Linked vulnerabilities : CVE-2024-54148 (CVSS 9.8), CVE-2024-55947, CVE-2023-46747, CVE-2024-56731 (CVSS 10.0), CVE-2025-55182 (CVSS 10.0), CVE-2025-8110 (CVSS 8.7)
Downloadable IOCs: 0

Bootstrap script exposes PyPI to domain takeover attacks

A vulnerability in legacy Python packages could enable an attack on PyPI through a domain compromise. The issue stems from bootstrap files for a build tool that installs the 'distribute' package, which fetch and execute an installation script from a now-available domain. Affected packages include t…
supply chain
vulnerability
open-source
pypi
domain takeover
bootstrap script
2025-12-03
python packaging
Published: December 3, 2025
Linked vulnerabilities : CVE-2023-45311
Downloadable IOCs: 2

ShadowV2 Casts a Shadow Over IoT Devices

A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 …
vulnerability
ddos
iot
botnet
mirai
c2
aws
CVE-2024-10914
CVE-2024-10915
CVE-2024-53375
CVE-2023-52163
CVE-2024-3721
shadowv2
CVE-2020-25506
2025-11-27
CVE-2009-2765
CVE-2022-37055
Published: November 27, 2025
Linked vulnerabilities : CVE-2024-10914 (CVSS 8.1), CVE-2024-10915 (CVSS 8.1), CVE-2024-53375 (CVSS 8.0), CVE-2023-52163 (CVSS 5.9), CVE-2024-3721, CVE-2020-25506, CVE-2009-2765, CVE-2022-37055
Downloadable IOCs: 15

Build script exposes PyPI to domain takeover attacks

ReversingLabs researchers discovered vulnerable code in legacy Python packages that could enable an attack on the Python Package Index (PyPI) via a domain compromise. The vulnerability lies in bootstrap files for a build tool that installs the Python package 'distribute' and performs other tasks. W…
python
supply chain
vulnerability
pypi
2025-11-24
packaging
legacy code
domain takeover
CVE-2023-45311
bootstrap script
Published: November 24, 2025
Linked vulnerabilities : CVE-2023-45311
Downloadable IOCs: 0

Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin

On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible…
exploit
vulnerability
wordpress
authentication bypass
2025-10-09
wordfence
service finder bookings
service finder
Published: October 9, 2025
Downloadable IOCs: 5

Silent Smishing: The Hidden Abuse of Cellular Router APIs

This report analyzes a smishing campaign exploiting vulnerabilities in Milesight Industrial Cellular Routers to send malicious SMS messages. The attackers targeted primarily Belgian users by impersonating government services like CSAM and eBox. Over 18,000 vulnerable routers were identified globall…
phishing
vulnerability
smishing
api exploitation
2025-10-01
belgium
csam
cellular routers
ebox
CVE-2023-43261
Published: October 1, 2025
Linked vulnerabilities : CVE-2023-43261
Downloadable IOCs: 245

August Vulnerabilities of Note

In August 2025, eighteen high-impact vulnerabilities were identified for prioritized remediation, down from 22 in July. The month saw a focus on Citrix and D-Link flaws, with active exploitation of Citrix NetScaler products and D-Link routers. OS Command Injection was the most common weakness. One …
vulnerability
command injection
exploitation
remote code execution
snipbot
rustyclaw
patch management
deserialization
CVE-2025-8088
CVE-2025-25256
CVE-2025-8875
CVE-2025-8876
CVE-2025-20265
CVE-2025-7775
2025-09-15
mythic c2 agent
Published: September 15, 2025
Linked vulnerabilities : CVE-2024-8068, CVE-2024-8069 (CVSS 8.8), CVE-2025-54948 (CVSS 9.4), CVE-2025-8088, CVE-2024-26009 (CVSS 8.1), CVE-2025-25256 (CVSS 9.8), CVE-2025-8875 (CVSS 9.4), CVE-2025-8876 (CVSS 9.4), CVE-2025-20265 (CVSS 10.0), CVE-2025-43300 (CVSS 8.8), CVE-2025-7775 (CVSS 9.2), CVE-2025-7776 (CVSS 8.8), CVE-2025-8424 (CVSS 8.7), CVE-2025-57819, CVE-2007-0671, CVE-2013-3893, CVE-2020-25079, CVE-2020-25078, CVE-2025-48384, CVE-2022-40799
Downloadable IOCs: 11

CVE-2025-31324: Critical SAP Vulnerability & How to Protect Your Enterprise

A critical remote code execution vulnerability (CVE-2025-31324) affects SAP NetWeaver Development Server, allowing attackers to upload malicious files through the metadatauploader endpoint. This vulnerability enables unauthenticated remote code execution, potentially leading to enterprise network c…
exploit
vulnerability
remote code execution
auto-color
CVE-2025-31324
2025-09-10
netweaver
metadatauploader
sap
Published: September 10, 2025
Downloadable IOCs: 4

Loophole allows threat actors to claim VS Code extension names

A loophole in VS Code Marketplace allows malicious actors to reuse names of removed extensions. ReversingLabs discovered this vulnerability after finding a malicious extension with the same name as one previously identified. The platform's documentation states that extension names must be unique, b…
vulnerability
open-source
cybersecurity
extension
vs code
software supply chain
2025-08-29
loophole
package names
Published: August 29, 2025
Downloadable IOCs: 0

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Coordinated Brute Force Campaign Targets Fortinet SSL VPN

A significant spike in brute-force traffic targeting Fortinet SSL VPNs was observed on August 3, with over 780 unique IPs triggering the Fortinet SSL VPN Bruteforcer tag. The activity was deliberate and precise, focusing on FortiOS. Two distinct waves of attacks were identified: a long-running set …
vulnerability
fortimanager
fortinet
brute-force
ssl vpn
2025-08-13
fortios
ip blocking
fgfm
Published: August 13, 2025
Downloadable IOCs: 3

ToolShell: An all-you-can-eat buffet for threat actors

A set of zero-day vulnerabilities in SharePoint Server, dubbed ToolShell, has been exploited in the wild since July 17, 2025. The vulnerabilities, CVE-2025-53770 and CVE-2025-53771, allow remote code execution and server spoofing, affecting on-premises SharePoint servers. Attackers have been chaini…
backdoor
apt
vulnerability
zero-day
exploitation
webshell
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-08-12
msil/webshell.js
china-aligned
Published: August 12, 2025
Linked vulnerabilities : CVE-2025-49704
Downloadable IOCs: 20

Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

A zero-day vulnerability in WinRAR, CVE-2025-8088, has been discovered being exploited in the wild by the Russia-aligned group RomCom. The vulnerability allows attackers to hide malicious files in archives, which are silently deployed when extracted. The exploit was used in spearphishing campaigns …
backdoor
exploit
spearphishing
vulnerability
zero-day
mythic
winrar
snipbot
rustyclaw
russia-aligned
2025-08-11
CVE-2025-8088
Published: August 11, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2025-8088
Downloadable IOCs: 9

Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

A critical vulnerability (CVE-2025-32433) in Erlang/OTP's SSH daemon allows unauthenticated remote code execution, affecting critical infrastructure and operational technology networks. With a CVSS score of 10.0, it enables command execution by sending SSH connection protocol messages to open ports…
exploit
vulnerability
ssh
remote code execution
critical infrastructure
CVE-2025-32433
2025-08-11
erlang/otp
operational technology
Published: August 11, 2025
Linked vulnerabilities : CVE-2025-32433 (CVSS 10.0)
Downloadable IOCs: 2

Active Exploitation of CVE-2025-5394 in Alone WordPress Theme

A critical arbitrary file-upload vulnerability (CVE-2025-5394) in the Alone - Charity Multipurpose Non-profit WordPress theme versions 7.8.3 and earlier is being actively exploited. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to upload malicious ZIP archives containing PHP …
vulnerability
wordpress
remote code execution
web shells
CVE-2025-5394
2025-08-01
theme
alone theme
arbitrary file upload
Published: August 1, 2025
Downloadable IOCs: 0

Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief

Several critical vulnerabilities in Microsoft SharePoint are being actively exploited, targeting on-premises servers in government, education, healthcare, and large enterprises. The vulnerabilities allow unauthenticated attackers to bypass security controls and gain privileged access, leading to da…
vulnerability
exploitation
web shell
sharepoint
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
on-premises
2025-07-23
unauthenticated access
Published: July 23, 2025
Downloadable IOCs: 0

Defending Against ToolShell: SharePoint's Latest Critical Vulnerability

A critical zero-day vulnerability named ToolShell (CVE-2025-53770) has been discovered in on-premises SharePoint Server deployments. This vulnerability allows unauthenticated remote code execution, posing a significant threat to organizations worldwide. SentinelOne has detected active exploitation …
vulnerability
zero-day
cybersecurity
remote code execution
threat detection
sharepoint
patch
CVE-2025-53770
toolshell
2025-07-23
Published: July 23, 2025
Downloadable IOCs: 2

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

A zero-day vulnerability dubbed 'ToolShell' targeting on-premises Microsoft SharePoint Servers has been actively exploited. The flaw, identified as CVE-2025-53770 with an accompanying bypass CVE-2025-53771, allows unauthenticated remote code execution. Three distinct attack clusters have been obser…
vulnerability
zero-day
webshell
remote code execution
sharepoint
CVE-2025-53770
CVE-2025-53771
toolshell
2025-07-22
CVE-2025-49704
CVE-2025-49706
Published: July 22, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-49704
Downloadable IOCs: 3

Active Exploitation of Microsoft SharePoint Vulnerabilities

Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to ac…
vulnerability
government
healthcare
exploitation
education
cve
CVE-2025-53770
CVE-2025-53771
2025-07-22
CVE-2025-49704
CVE-2025-49706
microsoft sharepoint
on-premises
Published: July 22, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-31324 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 24

Large-scale exploitation of new SharePoint RCE vulnerability chain identified

A new SharePoint remote code execution vulnerability chain, later named CVE-2025-53770 and CVE-2025-53771 by Microsoft, was discovered being exploited in the wild. The exploitation affected on-premise SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18…
exploit
vulnerability
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
Published: July 21, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1)
Downloadable IOCs: 4

Toolshell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified

This pulse highlights an ongoing mass exploitation campaign targeting on-premises Microsoft SharePoint servers using a newly disclosed remote code execution (RCE) chain dubbed ToolShell. Discovered on July 18, 2025, by Eye Security, the attack chain is now tracked as CVE-2025-53770 and CVE-2025-537…
exploit
vulnerability
webshell
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
toolshell
Published: July 21, 2025
Downloadable IOCs: 0

Apache Under the Lens: Tomcat's Partial PUT and Camel's Header Hijack

In March 2025, Apache disclosed three critical vulnerabilities: CVE-2025-24813 in Apache Tomcat and CVE-2025-27636 and CVE-2025-29891 in Apache Camel. These flaws allow remote code execution, affecting millions of developers. The Tomcat vulnerability exploits partial PUT requests and session persis…
exploit
vulnerability
apache
remote code execution
CVE-2025-27636
CVE-2025-24813
CVE-2025-29891
2025-07-03
tomcat
Published: July 3, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-27636 (CVSS 5.6), CVE-2025-24813 (CVSS 9.8), CVE-2025-29891 (CVSS 4.2), CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 23

Decrement by one to rule them all: AsIO3.sys driver exploitation

The article details the discovery and exploitation of two critical vulnerabilities in the AsIO3.sys driver, used by ASUS Armory Crate and AI Suite applications. The vulnerabilities, a stack-based buffer overflow and an authorization bypass, were found in the IRP_MJ_CREATE handler. The author demons…
windows
vulnerability
privilege escalation
asus
driver exploitation
CVE-2025-1533
CVE-2025-3464
2025-06-26
kernel exploitation
asio3.sys
Published: June 26, 2025
Linked vulnerabilities : CVE-2025-1533 (CVSS 8.2), CVE-2025-3464 (CVSS 8.4)
Downloadable IOCs: 0

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infecte…
backdoor
evasion
vulnerability
persistence
c2
supply chain attack
2025-06-13
pickai
comfyui
ai data theft
Published: June 13, 2025
Downloadable IOCs: 9

DanaBot C2 Server Memory Leak Bug

A critical vulnerability named DanaBleed was discovered in DanaBot's C2 server, causing memory leaks from June 2022 to early 2025. This bug, introduced in version 2380, exposed sensitive information including threat actor details, server data, and victim credentials. The leak resulted from uninitia…
vulnerability
cybercrime
danabot
malware-as-a-service
c2 server
smokeloader
operation endgame
information theft
2025-06-10
danableed
banking fraud
memory leak
Published: June 10, 2025
Downloadable IOCs: 2

Web Scanning SonicWall for CVE-2021-20016 - Update

There has been a significant increase in scanning activity targeting SonicWall devices, specifically looking for CVE-2021-20016 vulnerability. The activity has grown tenfold over the past 14 days, with multiple sources reporting probes related to two specific URLs. The most active IP addresses orig…
vulnerability
exploitation
scanning
sonicwall
network security
2025-05-15
CVE-2021-20016
Published: May 15, 2025
Linked vulnerabilities : CVE-2021-20016
Downloadable IOCs: 6

Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw

A vulnerability in Samsung MagicINFO 9 Server, a content management system for digital signage displays, has been exploited in limited incidents. Three separate attacks were observed, with two showing organized, identical commands and one appearing to be in a research phase. The attackers attempted…
vulnerability
exploitation
reconnaissance
post-exploitation
2025-05-10
digital signage
samsung
magicinfo
service installation
Published: May 10, 2025
Downloadable IOCs: 0

Apache Tomcat: CVE-2025-24813: Active Exploitation

A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certai…
vulnerability
exploitation
remote code execution
CVE-2025-24813
patching
2025-03-28
path equivalence
apache tomcat
Published: March 28, 2025
Downloadable IOCs: 0

CVE-2025-29927: Next.js Middleware Authorization Bypass Flaw

A critical vulnerability, CVE-2025-29927, with a CVSS score of 9.1 was disclosed on March 21, 2025. This flaw allows attackers to bypass authorization checks in Next.js Middleware, potentially granting unauthorized access to protected resources. The vulnerability affects applications using Middlewa…
vulnerability
CVE-2025-29927
2025-03-27
next.js
authorization bypass
javascript framework
Published: March 27, 2025
Linked vulnerabilities : CVE-2025-29927 (CVSS 9.1)
Downloadable IOCs: 0

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…
apt
espionage
windows
vulnerability
data theft
zero-day
lnk
raspberry robin
command execution
2025-03-18
shortcut
Published: March 18, 2025
Downloadable IOCs: 851

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits

A report details the incorporation of exploits targeting DrayTek Vigor routers into the Mirai botnet. Previously disclosed vulnerabilities affecting approximately 700,000 devices are being exploited, with attacks focusing on the 'keyPath' and 'cvmcfgupload' parameters. A curious spike in malformed …
exploit
vulnerability
iot
botnet
router
mirai
firmware
2025-03-17
vigor
draytek
Published: March 17, 2025
Downloadable IOCs: 3

Further insights into Ivanti CSA 4.6 vulnerabilities exploitation

This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activiti…
vulnerability
ivanti
exploitation
webshell
infrastructure
remote code execution
CVE-2024-8190
CVE-2024-8963
CVE-2024-9379
CVE-2024-9381
2025-02-11
reversessh
nhas reverse_ssh
csa
Published: February 11, 2025
Linked vulnerabilities : CVE-2024-8190 (CVSS 7.2), CVE-2024-8963 (CVSS 9.1), CVE-2024-9379 (CVSS 7.2), CVE-2024-9381 (CVSS 7.2), CVE-2020-1472, CVE-2022-1388, CVE-2023-3519, CVE-2021-4034, CVE-2021-44529
Downloadable IOCs: 19

NGC4020 Attacks: DameWare Mini Remote Control Vulnerability

The Solar 4RAYS team investigated a cyberattack on an industrial company, uncovering that attackers exploited a vulnerability in DameWare Mini Remote Control to deliver malware and disable security protections. The NGC4020 group initially compromised systems in December 2022 using CVE-2019-3980. Th…
vulnerability
quasarrat
reverse shell
antivirus bypass
2025-01-31
dameware
Published: January 31, 2025
Downloadable IOCs: 0

Zyxel vulnerability exploited by 'Helldown' ransomware group

The article details a cybersecurity incident where the "Helldown" ransomware group exploited a vulnerability in Zyxel firewall devices. The attackers gained administrator access to the firewall console, collected domain credentials, and compromised the infrastructure. They used VPN services to mask…
ransomware
vulnerability
2025-01-22
zyxel
Published: January 22, 2025
Downloadable IOCs: 0

Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

The AIRASHI botnet, an evolved version of AISURU, has been observed conducting large-scale DDoS attacks and exploiting vulnerabilities in various devices. It utilizes a 0DAY vulnerability in cnPilot routers for propagation and employs sophisticated encryption techniques for communication. The botne…
vulnerability
rc4
encryption
ddos
botnet
proxy
chacha20
hellokitty
2025-01-16
hmac-sha256
airashi
CVE-2022-3573
cnpilot
aisuru
Published: January 16, 2025
Linked vulnerabilities : CVE-2021-36260, CVE-2022-3573
Downloadable IOCs: 9

Threat actors attempt to exploit a flaw in Four-Faith routers

A high-severity vulnerability (CVE-2024-12856) affecting Four-Faith router models F3x24 and F3x36 is being actively exploited. The flaw allows OS command injection if default credentials are used, potentially leading to unauthenticated remote code execution. Attackers have been observed leveraging …
vulnerability
router
reverse shell
CVE-2024-12856
2024-12-28
four-faith
Published: December 28, 2024
Downloadable IOCs: 0

Cleo Software Actively Being Exploited in the Wild

A critical vulnerability in Cleo's LexiCom, VLTransfer, and Harmony software, used for file transfer management, is being actively exploited. The flaw allows unauthenticated remote code execution, affecting all versions up to and including 5.8.0.21. Attackers are exploiting this vulnerability to dr…
vulnerability
CVE-2024-50623
2024-12-10
cleo
file transfer software
lexicom
vltransfer
harmony
Published: December 10, 2024
Downloadable IOCs: 4

Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)

A new threat cluster, UNC5820, has been observed exploiting a zero-day vulnerability in FortiManager appliances across multiple industries. The vulnerability allows unauthorized execution of arbitrary code or commands on vulnerable devices. The attackers staged and exfiltrated configuration data fr…
vulnerability
zero-day
exploitation
fortigate
CVE-2024-47575
2024-10-24
fortimanager
cyber-espionage
configuration-exfiltration
network-security
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 4

FortiManager fgfmd vulnerability indicators

A critical vulnerability in FortiManager's fgfmd daemon allows remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. This vulnerability, classified as CWE-306 (Missing Authentication for Critical Function), has been exploited in the wild. The attack …
vulnerability
exfiltration
authentication
remote code execution
2024-10-23
CVE-2024-47575
fortimanager
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 3

New macOS vulnerability, "HM Surf", could lead to unauthorized data access

A new macOS vulnerability called 'HM Surf' has been discovered that could allow attackers to bypass the Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data. The exploit involves removing TCC protection for the Safari browser directory and modifyin…
vulnerability
macos
adload
CVE-2024-44133
2024-10-18
privacy
safari
tcc bypass
hm surf
browser security
Published: October 18, 2024
Downloadable IOCs: 0

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets.…
windows
vulnerability
zero-day
rokrat
remote code execution
CVE-2024-38178
2024-10-17
apt37
CVE-2022-41128
type confusion
jscript9.dll
Published: October 17, 2024
Downloadable IOCs: 0

Analysis of two arbitrary code execution vulnerabilities affecting WPS Office

ESET researchers discovered two code execution vulnerabilities in WPS Office for Windows. CVE-2024-7262 was exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. The vulnerability allowed arbitrary code execution via a malicious hyperlink in a spreadshee…
windows
vulnerability
plugin
CVE-2024-7262
CVE-2024-7263
2024-08-30
wps office
taskcontroler.dll
hyperlink
spyglace
spreadsheet
code execution
Published: August 30, 2024
Linked vulnerabilities : CVE-2024-7262, CVE-2024-7263, CVE-2024-7672 (CVSS 7.8), CVE-2924-7263, CVE-2022-24934
Downloadable IOCs: 5

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics …
ransomware
vulnerability
india
banking
2024-08-20
jenkins
ransomexx
CVE-2024-23897
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 18

Increased Activity Against Apache OFBiz CVE-2024-32113

Recently, there has been a surge in malicious activity targeting a critical vulnerability (CVE-2024-32113) in the Apache OFBiz framework, a Java-based platform for developing Enterprise Resource Planning (ERP) applications. This vulnerability, a path traversal issue that can lead to remote code exe…
vulnerability
CVE-2024-32113
apache
erp
2024-08-01
remote code execution
ofbiz
Published: August 1, 2024
Linked vulnerabilities : CVE-2024-32113
Downloadable IOCs: 5

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47

Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

ESET researchers discovered a vulnerability named EvilVideo that allows attackers to share malicious Android payloads disguised as video files through Telegram for Android. The exploit makes the malicious files appear as multimedia content, tricking users into installing malware. The vulnerability …
malware
exploit
android
vulnerability
telegram
2024-07-23
android/spy.spymax.t
Published: July 23, 2024
Downloadable IOCs: 1

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Increase In The Exploitation Of Microsoft SmartScreen Vulnerability CVE-2024-21412

Cyble analyzes an ongoing campaign exploiting a Microsoft SmartScreen vulnerability to deliver stealers through spam emails. The campaign employs lures related to healthcare, transportation, and tax notices to trick users into downloading malicious payloads. It utilizes techniques like DLL sideload…
phishing
vulnerability
stealer
CVE-2024-21412
spam
malicious
2024-07-11
lumma
meduza stealer
Published: July 11, 2024
Downloadable IOCs: 12

Ransomware: Activity Levels Remain High Despite Disruption

While overall activity levels dipped slightly in the first quarter of 2024, the number of claimed attacks remained high, with LockBit accounting for over 20%. The report explores the changing tactics employed by ransomware actors, including the exploitation of vulnerabilities, the use of Bring-Your…
ransomware
lockbit
vulnerability
blackcat
alphv
encryption
phobos
cyclops blink
CVE-2024-4577
noberus
tellyouthepass
blacksuit
2024-07-11
akira
warp av killer
qilin
disruption
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 27

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

Exploiting CVE-2021-40444 to Infiltrate Systems

A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered the exploitation of CVE-2021-40444, allowing arbitrary code execution. This downloaded an HTM…
vulnerability
spyware
keylogger
2024-07-02
information theft
CVE-2021-40444
merkspy
Published: July 2, 2024
Linked vulnerabilities : CVE-2021-40444
Downloadable IOCs: 6

Malware Targets Message Queuing Services Applications

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
evasion
cryptocurrency
vulnerability
persistence
apache
2024-06-06
irc
rocketmq
lateral
muhstik
CVE-2023-33246
Published: June 6, 2024
Linked vulnerabilities : CVE-2023-33246
Downloadable IOCs: 21

Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

A recent surge of malicious JavaScript code has been observed targeting websites using vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database, creating unauthorized admin users like 'wpsupp-user.' It exploits the vulne…
vulnerability
javascript
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
wordpress
litespeed
plugin
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports