Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Exploits. Show all posts
Data Theft
CISA CISA advisory CVE CVE exploits CVEs Cyber Attacks Cyber Exploits Cyber flaws Cyber Vulnerabilities Data protection data security Data Theft

CISA Urges Immediate Patching of Critical SysAid Vulnerabilities Amid Active Exploits

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about two high-risk vulnerabilities in SysAid’s IT service management (ITSM) platform that are being actively exploited by attackers. These security flaws, identified as CVE-2025-2775 and CVE-2025-2776, can enable unauthorized actors to hijack administrator accounts without requiring credentials. 

Discovered in December 2024 by researchers at watchTowr Labs, the two vulnerabilities stem from XML External Entity (XXE) injection issues. SysAid addressed these weaknesses in March 2025 through version 24.4.60 of its On-Premises software. However, the urgency escalated when proof-of-concept code demonstrating how to exploit the flaws was published just a month later, highlighting how easily bad actors could access sensitive files on affected systems. 

Although CISA has not provided technical specifics about the ongoing attacks, it added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12. CISA also strongly recommends that organizations in the private sector act swiftly to apply the necessary updates, regardless of the directive’s federal scope. 

“These vulnerabilities are commonly exploited by malicious cyber actors and present serious threats to government systems,” CISA stated in its warning. SysAid’s On-Prem solution is deployed on an organization’s internal infrastructure, allowing IT departments to manage help desk tickets, assets, and other services. According to monitoring from Shadowserver, several dozen SysAid installations remain accessible online, particularly in North America and Europe, potentially increasing exposure to these attacks. 

Although CISA has not linked these specific flaws to ransomware campaigns, the SysAid platform was previously exploited in 2023 by the FIN11 cybercrime group, which used another vulnerability (CVE-2023-47246) to distribute Clop ransomware in zero-day attacks. Responding to the alert, SysAid reaffirmed its commitment to cybersecurity. “We’ve taken swift action to resolve these vulnerabilities through security patches and shared the relevant information with CISA,” a company spokesperson said. “We urge all customers to ensure their systems are fully up to date.” 

SysAid serves a global clientele of over 5,000 organizations and 10 million users across 140 countries. Its user base spans from startups to major enterprises, including recognized brands like Coca-Cola, IKEA, Honda, Xerox, Michelin, and Motorola.
Read more »
Zero Day Vulnerabilities
CIS CISA Cyber Exploits Cyber Security CyberCrime DNA Global Attacks Malicious Software Microsoft 365 SharePoint Storm 2603 Zero Day Vulnerabilities

SharePoint Exploit Emerges as Root of Global Cyber Threat

 


A global cybersecurity crisis has been triggered by a newly discovered and unpatched vulnerability in Microsoft SharePoint Server, prompting the Governments of the United States, Canada, and Australia to conduct urgent investigations. In what experts are calling a coordinated and large-scale zero-day attack, which is a breach that takes advantage of a previously unknown security vulnerability, an exploit that enables remote code execution without the user's input, a critical flaw has been exploited to exploit a critical flaw that enables remote code execution without user interaction. 

A widely used enterprise platform called SharePoint, which facilitates the sharing and collaboration of documents and ideas, has been identified as one of the latest attack vectors by threat actors looking to gain access to high-value systems. Thousands of servers are said to be vulnerable to the attack, with organisations across the public and private sectors scrambling to protect their systems since there has been no official security patch available from Microsoft for some time. 

After this incident, concerns over Microsoft's security posture continue to grow, coming after a Chinese spying campaign in 2023 compromised email accounts belonging to U.S. government officials, including those belonging to the highest levels of the executive branch. As a result of the review, both the U.S. government and industry experts heavily criticised the company's security practices. 

The latest breach highlights persistent vulnerabilities in widely-used platforms, as well as raising serious concerns about whether the global infrastructure is sufficiently prepared for sophisticated, evolving cyber threats that are rapidly evolving in complexity. There has been an increase in threats surrounding the SharePoint vulnerability following the emergence of a ransomware attack by the threat actor referred to as Storm-2603. 

The group has changed its strategy from initially focusing on cyber-espionage operations to one focused on more destructive tactics, which is a troubling development in its campaign strategy. It appears that Storm-2603 is currently exploiting a vulnerable SharePoint flaw in order to infiltrate vulnerable systems and spread ransomware payloads. This is a worrying shift in the group's strategy. 

By encrypting entire networks with malicious software, this malicious software demands cryptocurrency payments to restore access, effectively paralysing the operations of the targeted businesses. As a result of this strategic pivot, Microsoft announced this in a blog post released late Wednesday. During its extended analysis, it found that the transition from silent data theft to overt disruption and extortion had occurred over the past couple of years. 

A ransomware campaign using this same zero-day vulnerability not only amplifies the threat posed by the campaign but also demonstrates that cybercriminal groups are blurring the line between espionage and financially motivated attacks as they become more prevalent in the world. As analysts warn, this dual-purpose exploitation could result in a greater financial and operational impact, especially for organisations that have not yet implemented compensating control or detection measures, which will lead to greater operational damage. 

Moreover, this incident underscores the urgency of timely patching, comprehensive threat monitoring, as well as cross-border cybersecurity collaboration, which are all imperative to preventing any future attacks on SharePoint. Microsoft has attributed the ongoing exploitation of the SharePoint vulnerability to a threat group known as Storm-263, which is rated as based in China with moderate confidence. 

Storm-2603 has not been directly connected to any other known Chinese threat actors, but has been linked to the attempted exfiltration of sensitive data, including MachineKeys, via on-premises SharePoint flaws. As of July 18, 2025, Microsoft has been observing the group actively deploying ransomware using the exploited vulnerability, despite not being directly linked to any Chinese threat actors. 

An attack chain for this attack starts when a malicious payload (spinstall0.aspx) is executed on internet-exposed SharePoint servers in order to enable the execution of commands through the w3wp.exe process. In addition to conducting reconnaissance through tools such as whoami, cmd.exe, and batch scripts, Storm-2603 disables Microsoft Defender by altering the system registry. 

An actor maintains persistence by installing web shells, creating scheduled tasks, and manipulating IIS components in a way that allows malicious .NET assemblies to be loaded and to maintain persistence. In order to move around and steal credentials, tools such as Mimikatz, PsExec, Impacket, and WMI are employed. 

Ultimately, the operation results in the installation of the Warlock ransomware using modified Group Policy Objects (GPOs). Moreover, Microsoft warns that other threat actors may exploit the same vulnerability, which emphasises the necessity of organisations to implement security mitigations and apply patches without delay to prevent further damage from occurring. 

According to the CVSS scale, CVE-2025-53770 is the critical zero-day vulnerability at the centre of the ongoing exploitation campaign. It has been assigned a severity score of 9.8 on the CVSS scale, meaning it is a critical zero-day flaw. There has been a classification given by security researchers for this vulnerability that which is a variation of the CVE-2025-49704 vulnerability that has been patched in the past, with a slightly less severe rating of 8.8. This vulnerability entailed code injection and remote code execution within Microsoft SharePoint Server. 

Although Microsoft's Patch Tuesday release of July 2025 addressed the earlier flaw, the newly discovered variant has not been patched, which leaves many SharePoint environments running on-premises at risk. A Microsoft advisory issued on July 19 says that the core problem stems from the derivation of untrusted data, which could lead to attackers remotely executing arbitrary code over a network without authenticating themselves. 

According to the company, the exploit is a serious one, and a comprehensive fix is in the process of being developed and undergoing extensive testing at the moment. Viettel Cyber Security has been credited with discovering the vulnerability via Trend Micro Zero Day Initiative (ZDI). The issue was reported to Trend Micro via the Zero Day Initiative (ZDI) and has been credited with the discovery. 

As outlined in a separate security bulletin released by Microsoft on the following weekend, Microsoft has confirmed that an active exploit of the vulnerability is still in progress, specifically targeting on-premise deployments. However, according to the company, SharePoint Online services within Microsoft 365 are not affected by the threat. 

A zero-day vulnerability known as CVE-2025-53770 has become a growing threat to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as a result of its increasing threats. Earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the Known Exploited Vulnerabilities (KEV) catalogue. 

Federal agencies have a limited timeframe—until Monday—to implement immediate mitigations. As a consequence of the active exploitation, according to Chris Butera, Acting Executive Assistant Director for Cybersecurity, the agency was alerted to the issue by a trusted partner, who promptly coordinated with Microsoft to resolve it. 

Researchers have attributed this vulnerability to the broader version of CVE-2025-49706, a vulnerability that was previously patched by Microsoft for spoofing. This vulnerability has been referred to as "ToolShell" by researchers. As the first cybersecurity firm to notice the attacks in action, Eye Security, a Dutch cybersecurity firm, reported that several high-profile targets, including multinational corporations, government institutions, and major banks, have already been compromised across several countries, including the United States, Germany, France, and Australia. 

It has been stated by Eye Security CTO Piet Kerkhofs that attackers are executing large numbers of exploit waves to gain unauthorised control through the use of the remote code execution (RCE) flaw. As a result of a technical analysis, it has been discovered that attackers are using the exploit to install web shells on compromised SharePoint servers and then to retrieve cryptographic keys from those servers. 

Through these keys, adversaries can forge authentication tokens and retain privileged access even after patches have been applied. Microsoft has advised organisations to make sure that all SharePoint servers have Defender Antivirus installed and that the Antimalware Scan Interface (AMSI) is integrated into SharePoint.

In case AMSI implementation is not possible, Microsoft recommends that vulnerable SharePoint instances be temporarily disconnected from the internet until a full security update is made available. Note that this vulnerability does not affect users of SharePoint Online within Microsoft 365, which is the cloud-based version of SharePoint. 

It has been reported that the CISA was first notified by a private cyber research firm on Friday of an active exploit of the SharePoint vulnerability, and Microsoft has been immediately notified, according to a spokesperson for the agency. A number of critical questions have been raised once again regarding Microsoft’s vulnerability management procedures as a result of this incident. 

There has previously been controversy surrounding the company due to its narrowly focused patches that do not often address similar attack paths, leaving organisations vulnerable to follow-up attacks that target similar exploits. It has been reported that Microsoft, one of the largest technology providers to global governments, has experienced a number of cybersecurity failures over the past two years, including attacks on its corporate infrastructure and executive email accounts, among other high-profile incidents. 

The Chinese government-backed threat actors were able to access federal official emails by exploiting a programming flaw in Microsoft's cloud services in one major incident. In addition, controversy was sparked after investigative outlet ProPublica reported Microsoft had hired engineers based in China to work on Department of Defence cloud projects. In response to the report, Defence Secretary Pete Hegseth immediately inspected the Pentagon cloud contracts and a formal review was initiated. 

Additionally, the nonprofit Centre for Internet Security (CIS) warned more than 100 vulnerable organisations, including public schools and universities, that they were at risk of being compromised by the threat. While Randy Rose, Vice President of CIS, indicated that incident response efforts had been significantly delayed as a result of a 65% cut to funding, CISA has had to significantly reduce its threat intelligence staffing.

In the future, this incident should serve as a crucial turning point for enterprises as they attempt to develop a comprehensive cybersecurity strategy beyond immediate containment. Organisations will need to adopt a mindset of continuous vigilance, integrating secure architecture with timely intelligence sharing, and automating threat detection into their operational DNA. 

When threat actors are constantly adapting and repurposing vulnerabilities, it is no longer sufficient to rely on vendor assurances without independent validation, especially in an environment where threat actors are constantly adapting and repurposing vulnerabilities. To minimise the blast radius in the event of a breach, organisations should prioritise scenario-based resilience planning, routine red teams, and strict access governance. 

Additionally, a close alignment between cybersecurity, legal, and executive leadership is essential in order to make informed decisions at the speed of modern threats. There is more to security than patchwork responses, as the threat matrix is evolving; it requires a security-first culture that is backed by investment, accountability, and strategic planning.
Read more »
Vulnerabilities and Exploits
Cyber Bug Cyber Exploits Cyberattacks CyberCrime Cybersecurity MySQL database zero day vulnerability Vulnerabilities and Exploits

Exploit PoC Validates MiCollab Zero-Day Flaw Risks

 


A zero-day arbitrary file read vulnerability found in Mitel MiCollab has raised significant concerns about data security. Attackers can exploit this flaw and chain it with a critical bug (CVE-2024-35286) to access sensitive data stored on vulnerable instances of the platform. Mitel MiCollab is a cross-platform collaboration tool offering services such as instant messaging, SMS, voice and video calls, file sharing, and remote desktop sharing, designed to enhance workplace collaboration without verbal communication.

The Risks of Collaboration Platform Vulnerabilities

Data storage and handling of sensitive information are integral to modern organizations' operations. According to WatchTower researchers, the Mitel MiCollab platform has a zero-day vulnerability that allows attackers to perform arbitrary file reads. However, to exploit this issue, attackers require access to the server's filesystem. The vulnerability impacts a range of businesses, from large corporations to SMEs and remote or hybrid workforce setups, all relying on MiCollab for unified communication.

WatchTower reported the issue to Mitel on August 26, 2024, but after 90 days without a fix, the vulnerability remains unresolved. A report by WatchTower revealed that more than 16,000 MiCollab instances accessible via the internet are affected. Despite the lack of a CVE number assigned to the flaw, attackers can inject path traversals via the 'ReconcileWizard' servlet, exploiting the 'reportName' parameter in API requests. This facilitates unauthorized access to restricted files, posing a critical security threat.

Combining Vulnerabilities for Exploitation

The vulnerability gains heightened severity when paired with CVE-2024-35286 (CVSS score 9.8), a critical path traversal flaw that enables authentication bypass. Additionally, CVE-2024-41713, another zero-day issue identified by researchers, allows arbitrary file reading. Together, these flaws enable attackers to gain system visibility, perform malicious operations, and propagate file access across systems. Proof-of-concept (PoC) exploit code for this chain has been published by WatchTower on GitHub.

While the newer vulnerability is technically less critical than the others, it still poses a significant threat by granting unauthorized access to sensitive files. Recent incidents show that threat actors have targeted MiCollab, underlining the urgent need for mitigation measures. Organizations using MiCollab must act promptly to address this risk.

Mitigating the Threat

Until Mitel releases a patch for this zero-day flaw, organizations are advised to:

  1. Update MiCollab to the Latest Version
    Install version 9.8 service pack 2 (9.8.2.12) or later, which addresses other known vulnerabilities such as CVE-2024-41713.
  2. Restrict Server Access
    Limit access to trusted IP ranges and internal networks, and implement firewall rules to block unauthorized access.
  3. Monitor Log Files
    Check for path traversal patterns that might indicate exploitation attempts.
  4. Disable the Vulnerable Servlet
    If feasible, disable the 'ReconcileWizard' servlet to prevent exploitation of the flaw.

The Broader Impact

As security risks related to MiCollab persist, reports indicate that the collaboration platform has been targeted by a group of threat actors, allegedly linked to "Salt Typhoon," a Chinese intelligence operation. These attacks have affected US telecommunications firms, including Verizon, AT&T, and T-Mobile, exposing sensitive customer data.

Organizations must adopt robust security practices to mitigate risks while waiting for Mitel to address these vulnerabilities. Proactively safeguarding sensitive systems and implementing strict access controls are essential for minimizing exposure. By combining organizational vigilance with updated software practices, businesses can navigate these challenges and protect critical infrastructure from exploitation.

Read more »
GeoServer
APAC Cyber Exploits Cyber Security Cyberattacks CyberCrime Cyberthreats Earth Baxia GeoServer

Earth Baxia Exploits GeoServer to Launch APAC Spear-Phishing Attacks


 

An analysis by Trend Micro indicates that the cyber espionage group Earth Baxia has been attempting to target government agencies in Taiwan, as well as potentially other countries in the Asia-Pacific (APAC) region, through spear-phishing campaigns and exploitation of a critical GeoServer vulnerability known as CVE-2024-36401, a critical security vulnerability. 

It is part of an ongoing campaign intended to infiltrate key sectors of society, including one of the most vital sectors of the economy: telecommunications, energy, and government. There are several vulnerabilities within GeoServer, an open-source platform for sharing geospatial data, which may allow hackers to execute remote code through an exploit known as CVE-2024-36401. 

Earth Baxia could exploit this vulnerability by downloading malicious components directly into the victim environment, using tools such as "curl" and "scp" to cast harmful files, including customized Cobalt Strike beacons, and other payloads directly into the victim's environment. By deploying these payloads, attackers were able to execute arbitrary commands inside compromised systems, which gave them a foothold within those compromised environments. 

The Earth Baxia threat actor used a wide range of technologies to break into several countries in the Asia-Pacific region, targeting government organizations, telecommunications companies, and the energy industry. During the attack, the group employed sophisticated techniques, like spear-phishing emails and exploiting a GeoServer vulnerability (CVE-2024-36401) to achieve their goal. 

The attackers deployed custom Cobalt Strike components as well as a new backdoor, called EAGLEDOOR, on computers that were compromised. Multiple communication protocols can be used to gather information and deliver payloads for EAGLEDOOR. To be able to track these attackers, they utilized public cloud services to host the malicious files. 

It was also possible to deploy additional payloads via methods such as GrimResource injection and AppDomainManager injection, which were utilized by them. Among the countries that were affected by this campaign are Taiwan, the Philippines, South Korea, Vietnam, Thailand, and possibly China as well. The subject lines in most of the emails are meticulously tailored with varying content, and the attachment ZIP file contains a decoy MSC file called RIPCOY which is used as a decoy file in the email subject lines. 

By double-clicking this file, the embedded obfuscated VBScript will attempt to download multiple files from a public cloud service, typically Amazon Web Services via a mechanism called GrimResource, which extracts the data from the cloud service in the best way possible. In addition to the decoy PDF document, there are also .NET applications and a configuration file included in this pack. 

As a result of being dropped by the MSC file, .NET applications and configuration files became vulnerable to malicious injection as a result of using a technique known as AppDomainManager injection. This allows the injection of a custom application domain within the target application process so that it can run arbitrary code. 

It's a mechanism that provides the ability for any .NET application to load an arbitrarily managed DLL on its own, either locally or remotely, without directly invoking any Windows API calls, and it can be used in any scenario. The next-stage downloader is downloaded by legit .NET applications based on a URL specified in the application configuration file (.config), which points to a file that includes a .NET DLL. 

To encrypt the URL of this download, it has been encrypted in Base64 with AES obfuscation. During this stage, most of the download sites available for downloading through public cloud services, usually Aliyun were considered to be hosting websites. After retrieving the shellcode from the DLL, it executes it using the CreateThread API, with all processes being executed in the DLL being run entirely in memory at the same time. Vision One Threat Intelligence from Trend Micro provides the following features:  

Keeping pace with emerging threats is Trend Micro customers' number one priority, which is why Trend Micro Vision One users have access to a range of Intelligence Reports and Threat Insights. With Threat Insights, customers will be able to stay on top of cyber threats long before they happen and be more prepared when new cyber threats emerge. This report contains comprehensive information about threat actors, their malicious activities, and the techniques that they employ to harm users. 

Using this intelligence as a basis for proactive measures, customers can reduce their risks and ensure that they respond effectively to threats by taking proactive steps to protect their environment. In the context of various countries in the Asian Pacific region, Earth Baxia is likely to be based in China and carry out sophisticated campaigns targeting the government and energy sectors. 

To infiltrate and exfiltrate data, they employ advanced tactics such as GeoServer exploitation, spear-phishing, customized malware (Cobalt Strike and EAGLEDOOR), and a combination of these. Even though EAGLEDOOR uses public cloud services for hosting malicious files and supports a wide range of protocols, their operations are complex and highly adaptable as a result. 

Continuous vigilance and sophisticated threat detection measures are essential for such threats to be dealt with effectively. To mitigate the risks associated with such threats, security teams are advised to implement several best practices. One critical measure is the implementation of continuous phishing awareness training for all employees. This ensures that staff remain informed about evolving phishing techniques and are better equipped to identify and respond to malicious attempts. 

Additionally, employees should be encouraged to thoroughly verify the sender and subject of any emails, especially those originating from unfamiliar sources or containing ambiguous subject lines. This practice helps in identifying potentially harmful communications before they lead to further complications. It is equally important to deploy multi-layered protection solutions, which serve to detect and block threats early in the malware infection chain. Such solutions enhance the organization’s overall security posture by providing multiple defences, significantly reducing the likelihood of a successful attack.
Read more »
Vulnerablities and Exploits
Cyber Exploits CyberCrime Document Document Scam Ms Words MSHTML Scam Alert skype Visual Studio Vulnerablities and Exploits

Word Document Scam Alert: Windows Users Vulnerable to Cyber Exploits

 


As a result of a recently discovered bug, hackers are able to execute remote code in all versions of Microsoft's proprietary MSHTML browser engine without having to install the application. There is a zero-day vulnerability in Microsoft Word that attackers are taking advantage of by crafting specially crafted documents. 

Microsoft's products such as Skype, Visual Studio, and Microsoft Outlook, as well as several others, also use MSHTML, so the problem really is widespread, since MSHTML is also used by several Microsoft products. A zero-day vulnerability in a Windows tool has been exploited by hackers via malicious Word documents to be able to compromise networks that have been protected by Microsoft's workaround for administrators. 

The Google-owned antivirus service VirusTotal detected a malicious Word document uploaded on 25 May from a Belarusian IP address on its website that was uploaded on the weekend.  As a result of Kevin Beaumont's analysis, he discovered that despite macros being disabled, the malicious document - or "malloc" - was able to generate code through the legitimate Microsoft Support Diagnostic Tool (msdt.exe) despite the fact that macros were enabled. 

MSDT is accessed through the ms-msdt URL protocol in Windows from the malicious Word document in order to execute the malware. There is now a "troubleshooter pack" available for download from the MSDT website.  Using malicious Microsoft Word documents, North Koreans are attempting to steal sensitive information from Russian targets by exploiting the weaknesses in the security software. 

A Fortinet researcher named Cara Lin made the following observation about how a group called Konni (although there are so many similarities between it and Kimsuky aka APT43 that it is also possible that it could be this group) attempted to deliver a malicious Russian-language Microsoft document in the form of an attachment. This malware has the appearance of a macro, which is typical of malware that is downloaded as a file. 

According to the document that is being distributed, there is an article in the Russian language, which apparently describes Western assessments on the progress of the Special Military Operation. It is noted in the piece that The Hacker News commented that Konni is a "notable" application for its anti-Russian values.  

A majority of the time, the group would engage in spear-phishing emails and malicious documents in an attempt to gain access to targets' endpoints, which was done by spear-phishing. It has been reported that earlier attacks taken advantage of a vulnerability in WinRAR (CVE-2023-38831) were spotted by cybersecurity researchers Knowsec and ThreatMon, it has been reported. 

A major objective of Konni is to smuggle data and conduct espionage activities around the world, as reported by ThreatMon. During this process, the group uses a wide array of malware and tools in order to accomplish its objectives, frequently adapting its tactics in order to avoid detection by the authorities. The sabotage of Russian firms by North Korean hackers is not the first instance on which we have seen similar attacks.
Read more »
Subscribe to: Posts (Atom)