Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerability. Show all posts
Vulnerability
Breach Cyber Security Data DragonForce MSP Ransomware Retail SimpleHelp Sophos Vulnerability

DragonForce Targets MSPs Using SimpleHelp Exploit, Expands Ransomware Reach

 


The DragonForce ransomware group has breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) tool to exfiltrate data and launch ransomware attacks on downstream clients.

Cybersecurity firm Sophos, which was brought in to assess the situation, believes that attackers exploited a set of older vulnerabilities in SimpleHelp—specifically CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726—to gain unauthorized access.

SimpleHelp is widely adopted by MSPs to deliver remote support and manage software deployment across client networks. According to Sophos, DragonForce initially used the compromised tool to perform system reconnaissance—gathering details such as device configurations, user accounts, and network connections from the MSP's customers.

The attackers then moved to extract sensitive data and execute encryption routines. While Sophos’ endpoint protection successfully blocked the deployment on one customer's network, others were not as fortunate. Multiple systems were encrypted, and data was stolen to support double-extortion tactics.

In response, Sophos has released indicators of compromise (IOCs) to help other organizations defend against similar intrusions.

MSPs have consistently been attractive targets for ransomware groups due to the potential for broad, multi-company impact from a single entry point. Some threat actors have even tailored their tools and exploits around platforms commonly used by MSPs, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya. This trend has previously led to large-scale incidents, such as the REvil ransomware attack on Kaseya that affected over 1,000 businesses.

DragonForce's Expanding Threat Profile

The DragonForce group is gaining prominence following a string of attacks on major UK retailers. Their tactics reportedly resemble those of Scattered Spider, a well-known cybercrime group.

As first reported by BleepingComputer, DragonForce ransomware was used in an attack on Marks & Spencer. Shortly after, the same group targeted another UK retailer, Co-op, where a substantial volume of customer data was compromised.

BleepingComputer had earlier noted that DragonForce is positioning itself as a leader in the ransomware-as-a-service (RaaS) space, offering a white-label version of its encryptor for affiliates.

With a rapidly expanding victim list and a business model that appeals to affiliates, DragonForce is cementing its status as a rising and formidable presence in the global ransomware ecosystem.
Read more »
Vulnerability
AI Cybersecurity Data Encryption Hacking Passwords penetration redteam SharePoint Vulnerabilities and Exploits Vulnerability

Pen Test Partners Uncovers Major Vulnerability in Microsoft Copilot AI for SharePoint

 

Pen Test Partners, a renowned cybersecurity and penetration testing firm, recently exposed a critical vulnerability in Microsoft’s Copilot AI for SharePoint. Known for simulating real-world hacking scenarios, the company’s redteam specialists investigate how systems can be breached just like skilled threatactors would attempt in real-time. With attackers increasingly leveraging AI, ethical hackers are now adopting similar methods—and the outcomes are raising eyebrows.

In a recent test, the Pen Test Partners team explored how Microsoft Copilot AI integrated into SharePoint could be manipulated. They encountered a significant issue when a seemingly secure encrypted spreadsheet was exposed—simply by instructing Copilot to retrieve it. Despite SharePoint’s robust access controls preventing file access through conventional means, the AI assistant was able to bypass those protections.

“The agent then successfully printed the contents,” said Jack Barradell-Johns, a red team security consultant at Pen Test Partners, “including the passwords allowing us to access the encrypted spreadsheet.”

This alarming outcome underlines the dual-nature of AI in informationsecurity—it can enhance defenses, but also inadvertently open doors to attackers if not properly governed.

Barradell-Johns further detailed the engagement, explaining how the red team encountered a file labeled passwords.txt, placed near the encrypted spreadsheet. When traditional methods failed due to browser-based restrictions, the hackers used their red team expertise and simply asked the Copilot AI agent to fetch it.

“Notably,” Barradell-Johns added, “in this case, all methods of opening the file in the browser had been restricted.”

Still, those download limitations were sidestepped. The AI agent output the full contents, including sensitive credentials, and allowed the team to easily copy the chat thread, revealing a potential weak point in AI-assisted collaborationtools.

This case serves as a powerful reminder: as AItools become more embedded in enterprise workflows, their securitytesting must evolve in step. It's not just about protecting the front door—it’s about teaching your digital assistant not to hold it open for strangers.

For those interested in the full technical breakdown, the complete Pen Test Partners report dives into the step-by-step methods used and broader securityimplications of Copilot’s current design.

Davey Winder reached out to Microsoft, and a spokesperson said:

“SharePoint information protection principles ensure that content is secured at the storage level through user-specific permissions and that access is audited. This means that if a user does not have permission to access specific content, they will not be able to view it through Copilot or any other agent. Additionally, any access to content through Copilot or an agent is logged and monitored for compliance and security.”

Further, Davey Winder then contacted Ken Munro, founder of Pen Test Partners, who issued the following statement addressing the points made in the one provided by Microsoft.

“Microsoft are technically correct about user permissions, but that’s not what we are exploiting here. They are also correct about logging, but again it comes down to configuration. In many cases, organisations aren’t typically logging the activities that we’re taking advantage of here. Having more granular user permissions would mitigate this, but in many organisations data on SharePoint isn’t as well managed as it could be. That’s exactly what we’re exploiting. These agents are enabled per user, based on licenses, and organisations we have spoken to do not always understand the implications of adding those licenses to their users.”
Read more »
zero-day
Cyber Security DNS espionage Iraq MarbledDust OutputMessenger threatgroup Turkey Vulnerability zero-day

Türkiye-Linked Hackers Exploit Zero-Day in Messaging App to Target Kurdish Military

 


 
A Türkiye-aligned cyberespionage group, Marbled Dust, has exploited a previously unknown zero-day vulnerability to launch attacks on users of Output Messenger — specifically those associated with the Kurdish military in Iraq, according to a report from Microsoft Threat Intelligence.

The uncovered flaw, now identified as CVE-2025-27920, is a directory traversal vulnerability in the LAN-based Output Messenger application. It enables authenticated users to break out of intended directories, granting access to sensitive system files or allowing the deployment of malicious payloads to the server’s startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, stated in a security advisory released in December.

The vulnerability was patched in Output Messenger V2.0.63, but attackers exploited it before updates were applied. Microsoft attributes the campaign to a group tracked as Sea Turtle, SILICON, and UNC1326, known collectively as Marbled Dust.

After infiltrating the Output Messenger Server Manager, attackers installed malware that allowed them to monitor communications, impersonate users, and disrupt internal systems.

"While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft explained.

Following initial compromise, a backdoor named OMServerService.exe was deployed to establish communication with an attacker-controlled command-and-control server (api.wordinfos[.]com). This enabled the group to gather victim-specific data.

In one example, an Output Messenger client connected to an IP tied to Marbled Dust, likely initiating data exfiltration. Shortly after, the system began collecting files and compressing them into a RAR archive for extraction.

Marbled Dust has a history of targeting Europe and the Middle East, especially telecom, IT firms, and government entities critical of the Turkish regime. The group is known to exploit internet-facing vulnerabilities and compromise DNS registries to carry out man-in-the-middle (MitM) attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft noted. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

In recent years, Marbled Dust has been connected to espionage campaigns in the Netherlands, with a focus on ISPs, telecommunication provi
Read more »
Webshell
Authentication Breach CVE202531324 Cybersecurity malware NetWeaver Patch SAP servers VisualComposer Vulnerability Webshell

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild

 

Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises due to a lack of authentication in the Metadata Uploader, allowing attackers to upload malicious files without needing authorization.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, stated to BleepingComputer:

"It is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.
Read more »
Vulnerability
China Cybersecurity espionage Ivanti malware VPN Vulnerability

Chinese Cyber Espionage Suspected in New Ivanti VPN Malware Attack

 

A newly discovered cyberattack campaign targeting Ivanti VPN devices is suspected to be linked to a Chinese cyberespionage group. Security researchers believe the attackers exploited a critical vulnerability in Ivanti Connect Secure, which was patched by the Utah-based company in February. The attack is yet another example of how state-backed Chinese threat actors are rapidly taking advantage of newly disclosed vulnerabilities and frequently targeting Ivanti’s infrastructure.

On Thursday, researchers from Mandiant revealed that a group tracked as UNC5221 exploited a stack-based buffer overflow vulnerability to deploy malicious code from the Spawn malware ecosystem—an attack technique often associated with Chinese state-sponsored activity. Mandiant also identified two previously unknown malware families, which they've named Trailblaze and Brushfire. As seen in earlier attacks tied to Chinese hackers, this group attempted to manipulate Ivanti’s internal Integrity Checker Tool to avoid detection.

The vulnerability, officially tracked as CVE-2025-22457, was used to compromise multiple Ivanti products, including Connect Secure version 22.7R2.5 and earlier, the legacy Connect Secure 9.x line, Policy Secure (Ivanti’s network access control solution), and Zero Trust Access (ZTA) gateways. Ivanti released a patch for Connect Secure on February 11, emphasizing that Policy Secure should not be exposed to the internet, and that "Neurons for ZTA gateways cannot be exploited when in production."

Ivanti acknowledged the attack in a statement: "We are aware of a limited number of customers whose appliances have been exploited." The incident follows warnings from Western intelligence agencies about China's increasing speed and aggression in leveraging newly disclosed software vulnerabilities—often before security teams have time to deploy patches.

Many of the devices targeted were legacy systems no longer receiving software updates, such as the Connect Secure 9.x appliance, which reached end-of-support on December 31, 2024. Older versions of the Connect Secure product line, which were set to be replaced by version 22.7R2.6 as of February 11, were also compromised.

This marks the second consecutive year Ivanti has had to defend its products from persistent attacks by suspected Chinese state-backed hackers. Thursday’s advisory from Mandiant and Ivanti highlights a vulnerability separate from the one flagged in late March by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which had allowed attackers to install a Trojan variant linked to Spawn malware in Ivanti systems.
Read more »
Vulnerability
CrwodStrike CyberCrime Cyberhacker Cybersecurity CyberThreat Network PowerSchool Social Security SSN Vulnerability

Hackers Infiltrated PowerSchool Network Well Before December Attack

 


It has been announced that the CrowdStrike investigation into PowerSchool's large-scale data breach that took place in December 2024 has been published. It was determined during the investigation that unauthorized access to the company's systems occurred four months prior, beginning in August and continuing in September, with the initial breach taking place in August and September. With more than 60 million students and 18,000 customers worldwide, PowerSchool is the world's leading cloud-based software provider for K-12 education. 

Among the many services PowerSchool offers are enrollment management, communication tools, attendance tracking, staff administration, learning solutions, analytics, and financial management, among others. PowerSchool disclosed in December of an unauthorized access to its customer support portal, PowerSource, which had been compromised by threat actors. It was discovered in this portal that there was a remote maintenance tool that was used by attackers to connect with customer databases. As a result of this vulnerability, sensitive information such as full name, physical address, contact information, Social Security number (SSN), medical records, and academic grades could have been accessed. 

According to CrowdStrike's investigation findings, there was an extensive amount of information about the security incident that gave further insight into the timeline and scope, emphasizing the need for enhanced cybersecurity measures to protect sensitive educational data. CrowdStrike conducted an investigation recently and it revealed that a hacker had stolen the company's support credentials several months ago to access the company's network. 

CrowdStrike's report indicates that PowerSchool's network has been accessed between August 16, 2024, and September 17, 2024 with the same compromised credentials as those used in December. By using these credentials, unauthorized access was granted to PowerSchool's PowerSource, the customer support portal which was later exploited in December to gain access to PowerSchool's network. 

According to CrowdStrike's report, PowerSource is intended to provide support technicians with the necessary privileges to access customer SIS database instances to perform maintenance purposes. CrowdStrike noted that limited data available in PowerSchool's log data prevented further analysis, but the investigation did not find sufficient evidence to conclusively link the August and September activity to the threat actor responsible for the December breach. According to the report, the December security breach could have been avoided had the compromised credentials been updated on time. 

However, it does suggest that if the credentials were updated on time, the December breach could have been avoided. Several cybersecurity measures, including frequent credential updates and enhanced monitoring, can prevent unauthorized access to sensitive data and safeguard sensitive information. PowerSchool released a report recently containing findings from CrowdStrike's investigation on February 28, 2025. This update highlights the importance of proactive cybersecurity measures. 

Using compromised credentials, the cyberattack has been carried out on the PowerSource customer support portal, according to the report. This unauthorized access has been in place since December 19, 2024, when it was notified at 19:43:14 UTC, until December 28, 2024, at 06:31:18 UTC, when it was discovered and mitigated. A cybersecurity firm called CrowdStrike has found that the attackers successfully removed sensitive data belonging to teachers and students from the compromised systems, but has not found any evidence that suggests that other databases were accessed or stolen by these attackers. 

As a result of the investigation, it was found that PowerSchool did not have malware deployed within its infrastructure, nor did the investigation indicate that privileges were escalating, lateral movement occurred, or downstream customer or school systems had been compromised. Based on CrowdStrike's dark web intelligence as of January 2, 2025, it appears that the attackers kept their promise not to publish the stolen data after receiving an extortion payment in return for not publishing it. 

The firm has not identified any instances of the information being sold or leaked online, and further analysis has shown that a breach of the PowerSource portal occurred in August and September of 2024, using the same compromised credentials, suggesting that it could have occurred even earlier than August and September of 2024. However, due to limitations in log data retention, there are insufficient evidence to confirm whether the same threat actor is behind both the earlier breaches as well as the December attack, due to limitations in log data retention. 

Specifically, the report stated that PowerSource logs for August 16, 2024, at 01:27:29 UTC, indicated that an unauthorized attack was performed by an unidentified actor using compromised support credentials on this date. In addition, CrowdStrike pointed out that the available SIS log data did not extend far enough to be able to determine whether the access resulted in the exfiltration of data from PowerSchool's SIS. 

PowerSchool has not publicly disclosed the number of schools, students, and teachers affected by the breach despite its severity, raising questions about transparency. According to the report, the breach affects 6,505 school districts across the United States, Canada, and other countries. The stolen data set contains approximately 62,488,628 student records and 9,506,624 teacher records. 

In light of these findings, stringent cybersecurity measures must be put in place, including timely credential management and enhanced monitoring, to protect sensitive educational data and prevent unauthorized access to it. PowerSchool has assured stakeholders that all necessary precautions have been taken to ensure that no further unauthorized access to the compromised data will take place. The company notified parents and guardians in a communication that the stolen information was not expected to be released to the public and that they could permanently delete it without duplicating or spreading it further. 

According to an in-depth analysis of PowerSchool system logs that began on December 22, 2024, unusual activity was identified by both on-premises and cloud-hosted PowerSchool customers. According to our investigations, two key data tables - Students_export.csv and Teachers_export.csv - were transferred to an IP address which was traced back to Ukraine and then were deleted. There are two IP addresses on the domain, 91.218.50.11, which belong to Virtual Systems, a legitimate hosting provider. This indicates that the attacker is likely to have either rented a service directly or exploited an existing account. 

As soon as PowerSchool discovered the breach on December 28, 2024, it promptly contacted CyberSteward, a cybersecurity incident response company, to negotiate with the attacker and resolve the problem. As the cybersecurity journalist Brian Krebs reported in an internal FAQ, PowerSchool requested assurances concerning the fate of the stolen data based on the internal FAQ. The threat actor subsequently confirmed with PowerSchool that all the data that had been exfiltrated had been erased and that no additional copies were kept of any of the data. 

Additionally, the attacker is alleged to have provided a video that shows how the process of file deletion is conducted. According to the findings, the cyber threat landscape has evolved dramatically over the past decade and there is an increasing trend for organizations to implement robust security measures to limit unauthorized access and exploitation of sensitive information. As a result of CrowdStrike's investigation, it was clear that cyber threats to schools and education institutions have become increasingly sophisticated and that action must be taken to prepare for them. 

It is important to note that the PowerSchool breach, which went undetected for months, illustrates the dangers posed by compromised credentials, as well as the potential risks posed by unauthorized access to students' and faculty's sensitive data. PowerSchool has assured that necessary precautions have been taken to prevent further misuse of the stolen data, yet this incident is considered to be a critical reminder of the vulnerabilities that exist in the digital infrastructure that handles vast amounts of information related to individual students and teachers. 

Given the tardy detection of the breach, as well as the extent of data exfiltration, it is imperative that continuous monitoring is maintained, credential updates are made promptly, and robust access control measures are implemented. To ensure that education institutions and technology providers remain secure moving forward, they must adopt advanced threat detection mechanisms, enforcing multi-factor authentication, and following rigorous incident response protocols. 

As a result of maintaining public trust and making sure that affected stakeholders are informed about data breaches, transparency remains crucial when revealing them. Despite the ever-changing tactics of cybercriminals, organizations remain vigilant and must enhance their security frameworks to mitigate the risk of a future breach and prevent it from happening again in the future. As a result of this event, all institutions that handle sensitive data should take note. It should serve as a strong reminder that cybersecurity is more than just a precaution, but one of the essential responsibilities of modern educational institutions.
Read more »
Windows
BYOVD Attack CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits Vulnerability Windows

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


It has been reported that threat actors have been actively exploiting a security vulnerability within the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks by elevating privileges and executing arbitrary code under the guise of attacks. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year. 

Other flaws have been identified, including arbitrary memory mapping, arbitrary memory write, null pointer dereferences, insecure kernel resource access, and arbitrary memory move vulnerabilities. It is especially concerning that an adversary may be able to exploit this vulnerability. It involves a Microsoft-signed driver, which allows adversaries to take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique. 

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Even though Microsoft researchers have identified all five security flaws, the company can not divulge what ransomware groups have been leveraging CVE-2025-0289 to execute their attacks. They are only aware that it has been weaponized in ransomware operations. A bulletin issued by Microsoft's CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks. 

According to the CVE-2025-0289 vulnerability, further malicious code within compromised environments can be executed by exploiting this vulnerability to escalate privileges to the SYSTEM level. This vulnerability can be exploited to facilitate the exploitation of BYOVD attacks, even on systems where the affected driver is not installed, and this can result in threat actors gaining elevated privileges and executing malicious code without the protection of security systems in place. 

As part of the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 which permits the mapping of kernel memory to arbitrary user inputs by not properly validating the length of the input. By exploiting this vulnerability, the user can escalate their privileges even further. 

There is a CVE-2025-0286 vulnerability that exists in version 7.9.1, resulting from improper validation of input controlled by users, which allows attackers to exploit this flaw to execute malicious code on the target machine. An unprivileged code execution vulnerability has been found in version 7.9.1, caused by an insufficient MasterLrp structure in the input buffer, which can result in a null pointer dereference vulnerability. 

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

Inversion of the CVE-2025-0289 vulnerability, an insecure kernel resource access vulnerability, has been found in version 17 of the Linux kernel due to a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware during the detection process. By exploiting this vulnerability, attackers can compromise the system. 

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should make sure that they enable the Microsoft Vulnerable Driver Blocklist feature as soon as possible. This is because it serves as a critical defense against BYOVD (Bring Your Vulnerable Driver) attacks, where outdated or insecure drivers are leveraged to elicit privileges and compromise a computer system.
Read more »
Vulnerability
CyberCrime Cyberhackers Cybersecurity CyberThreat Internet of Things Password Privacy Security Security Risk Vulnerability

Default Password Creates Major Security Risk for Apartment Complexes

 


Under research conducted by security researchers, it was discovered that a widely used door access control system includes an inherently insecure default password. Thousands of buildings across the country have insecure default passwords that can be accessed easily and remotely by anyone. It was discovered by Eric Daigle that there is still a lot of residential and commercial properties in North America that have not yet modified the default passwords for their access control systems, many of them are not even aware that this is a good idea.   

When security researcher Eric Daigle examined an apartment building’s access control panel, he inadvertently discovered one of the most concerning security issues in recent years while inspecting the access control panel. Initially, a routine observation while waiting for a ferry led to the discovery of a critical security flaw affecting hundreds of residential buildings across the country, which caused a widespread financial loss for thousands of people.

In late last year, Eric Daigle became interested in the system when he noticed an unusual access control panel on his normal daily activities. He conducted a short online search for “MESH by Viscount” and found a sales page for its remote access capability, followed by the discovery of a PDF installation guide available for download. It is typical for access control systems to be configured with a default password, which administrators are supposed to change to match their credentials. 

However, Daigle observed that the installation manual did not provide clear instructions regarding how these credentials were to be modified. It was later revealed, after further investigation into the user interface's login page title, that multiple publicly accessible login portals are available for this product. Alarmingly, as a result of this research, he was able to access the first one with default credentials, which highlights a critical security vulnerability. 

The Enterphone MESH door access system is currently owned by Hirsch, and Hirsch has announced that to address this security vulnerability, a software patch will be released shortly that will require users to change their default password, as soon as possible. An internet-connected device will often have a default password, which is often included in the product manual to facilitate the initial setup process. 

There is, however, a significant security risk in requiring end users to manually update these credentials, since if they fail to do so, their systems can be vulnerable to unauthorized access. Hirsch’s door access solutions are not prompted to customers when they are installed, nor are they required to modify the default passwords, leaving many systems at risk of unauthorized access. This vulnerability had been discovered by security researcher Eric Daigle, based on the findings he made, according to his findings. 

The vulnerability has been designated as CVE-2025-26793 as a result of his findings. Modern building security systems have become increasingly integrated with the Internet of Things (IoT) technology, especially in apartment complexes seeking a more advanced alternative to traditional phone-line-based access control systems. Among these key fob systems, Hirsch Mesh features a web-based portal that enables the use of key fobs throughout a large building to be tracked and logged, as well as allowing remote access to various entry points also within the building to be controlled remotely. 

The accessibility of the system's default login credentials, however, raises a crucial security concern because they are openly published in the installation manual, which is easily accessible via an online search, as the installer provides a list of the default login credentials. While waiting at a bus stop for his bus, Eric Daigle made a quick internet search based on the name of the product displayed on the security terminal of the apartment complex across the street. He located the manual in just a few minutes, which identified a way to circumvent the building's security measures. This highlighted a significant flaw in the system's design, leading to a serious risk of abuse. 

The default password that is set on internet-connected devices has historically posed a significant security threat because unauthorized individuals can gain access under the guise of legitimate users, leading to data breaches or the possibility of malicious actors hijacking these devices to carry out large-scale cyberattacks. In recent years, there have been several governments, including the UK, Germany, the US, and other countries, which have been encouraging technology manufacturers to adopt more robust security measures to avoid the security risks associated with using default credentials that were considered insecure in the first place. 

Having been rated as highly vulnerable by the FBI as a result of its ease of exploit, Hirsch's door entry system has been rated as a high threat as well with a severity rating of 10. Exploiting the flaw involves a minimal amount of effort. There is a public documentation available on Hirsch's website, which contains the installation manual for the system, which can be used to obtain the default password. An affected building is vulnerable to unauthorized access if individuals with these credentials log in to the login window of the building's system through the login portal; this highlights a critical security flaw in the system.
Read more »
Vulnerability
CISA Critical Exploits cyberattacks trending news News Vulnerabilities Vulnerability

CISA Warns of Critical Exploits in ProjectSend, Zyxel, and Proself Systems


Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has discovered and added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, impacting North Grid Proself, ProjectSend, and Zyxel firewalls, are being actively exploited, posing serious risks of data breaches and operational disruptions to unpatched systems. At the time of publishing, Zyxel acknowledged the issue and advised users to update their firmware promptly and strengthen admin credentials.

Vulnerabilities Identified in North Grid Proself, ProjectSend, and Zyxel Firewalls

North Grid Proself Vulnerability (CVE-2023-45727): A severe XML processing vulnerability in North Grid Proself has been identified, allowing attackers to bypass restrictions and access sensitive server data. Systems running versions older than 5.62, 1.65, and 1.08 are vulnerable to exploitation through maliciously crafted XML requests, which can extract sensitive account information.

ProjectSend Vulnerability (CVE-2024-11680): A critical authentication flaw in ProjectSend, an open-source file-sharing platform, has been flagged with a CVSS severity score of 9.8. Versions prior to r1720 are susceptible to attacks where malicious actors manipulate the options.php file using crafted HTTP requests. This enables them to create unauthorized accounts, upload webshells, and inject harmful JavaScript code. Security researchers from VulnCheck report that attackers are leveraging automated tools such as Nuclei and Metasploit to exploit this vulnerability.

Notably, exploitation attempts are marked by altered server configurations, including random strings in landing page titles—a trend observed since September 2024. Despite a patch being released in May 2023, over 4,000 exposed instances remain vulnerable.

Zyxel Firewall Vulnerability (CVE-2024-11667): Zyxel firewalls running firmware versions between V5.00 and V5.38 are vulnerable to a directory traversal attack. This flaw allows attackers to upload or download files via manipulated URLs within the web management interface, potentially compromising system integrity.

Exploitation Attempts and Mitigation Strategies

ProjectSend instances have been the primary focus of attackers. Public-facing systems have seen unauthorized user registrations—a setting not enabled by default—facilitating access for malicious actors. Webshells uploaded during these attacks are often stored in predictable directories, with filenames tied to timestamps and user data. Organizations are urged to review server logs to identify and address suspicious activities.

Under Binding Operational Directive (BOD) 22-01, federal agencies must prioritize these vulnerabilities, while CISA has recommended that private organizations take immediate action to mitigate the risks. Updating software, reviewing server configurations, and enhancing log analysis are critical steps to safeguard systems from exploitation.

Read more »
Vulnerability
AI developers CISA Cyber Security data security Encryption Executive Order 14117 government data National Security U.S. personal data Vulnerability

CISA Proposes New Security Measures to Protect U.S. Personal and Government Data

 

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has proposed a series of stringent security requirements to safeguard American personal data and sensitive government information from potential adversarial states. The initiative aims to prevent foreign entities from exploiting data vulnerabilities and potentially compromising national security.

These new security protocols target organizations involved in restricted transactions that handle large volumes of U.S. sensitive personal data or government-related data, especially when such information could be exposed to "countries of concern" or "covered persons." This proposal is part of the broader implementation of Executive Order 14117, signed by President Biden earlier this year, which seeks to address critical data security risks that could pose threats to national security.

The scope of affected organizations is wide, including technology companies such as AI developers, cloud service providers, telecommunications firms, health and biotech organizations, financial institutions, and defense contractors. These businesses are expected to comply with the new security measures to prevent unauthorized access to sensitive information.

"CISA’s security requirements are split into two main categories: organizational/system-level requirements and data-level requirements," stated the agency. Below is a breakdown of some of the proposed measures:

  • Monthly Asset Inventory: Organizations must maintain and update a comprehensive asset inventory that includes IP addresses and hardware MAC addresses.
  • Vulnerability Remediation: Known exploited vulnerabilities should be addressed within 14 days, while critical vulnerabilities, regardless of known exploitation, must be remediated within 15 days. High-severity vulnerabilities should be resolved within 30 days.
  • Accurate Network Topology: Companies must maintain a precise network topology, which is crucial for identifying and responding to security incidents swiftly.
  • Multi-Factor Authentication (MFA): All critical systems must enforce MFA, and passwords must be at least 16 characters long. Immediate access revocation is required upon employee termination or a change in roles.
  • Unauthorized Hardware Control: Organizations must ensure that unauthorized hardware, such as USB devices, cannot be connected to systems handling sensitive data.
  • Log Collection: Logs of access and security-related events, including intrusion detection/prevention, firewall activity, data loss prevention, VPN usage, and login events, must be systematically collected.
  • Data Reduction and Masking: To prevent unauthorized access, organizations should reduce the volume of data collected or mask it, and encrypt data during restricted transactions.
  • Encryption Key Security: Encryption keys must not be stored alongside the encrypted data, nor in any country of concern.
  • Advanced Privacy Techniques: The use of techniques like homomorphic encryption or differential privacy is encouraged to ensure sensitive data cannot be reconstructed from processed data.
CISA has called for public feedback on the proposed security measures before they are finalized. Interested parties can submit their comments by visiting regulations.gov, entering CISA-2024-0029 in the search bar, and submitting feedback through the available form.
Read more »
Windows
Authentication CVE-2024-8260 Cyber Security NTLM OPA Patch relay Tenable Vulnerability Windows

Critical Flaw in Open Policy Agent Exposed NTLM Credentials, Patch Released

 

A now-resolved security vulnerability in Styra's Open Policy Agent (OPA) could have exposed New Technology LAN Manager (NTLM) hashes, potentially leading to credential leakage. If exploited, the flaw allowed attackers to capture the NTLM credentials of the OPA server’s local user account and send them to a remote server. From there, they could either crack the password or relay the authentication, according to a report by cybersecurity firm Tenable, shared with The Hacker News.

The vulnerability, identified as CVE-2024-8260 and classified as a Server Message Block (SMB) force-authentication flaw, affected both the Command Line Interface (CLI) and the Go software development kit (SDK) on Windows. The issue arose from improper input validation, enabling unauthorized access by leaking the Net-NTLMv2 hash of the logged-in user on the Windows device running OPA.

Exploiting this vulnerability required specific conditions: the victim had to initiate outbound SMB traffic over port 445, gain an initial foothold through social engineering, or run the OPA CLI using a Universal Naming Convention (UNC) path rather than a Rego rule file.

Tenable security researcher Shelly Raban explained that when a Windows machine accesses a remote share, it sends the NTLM hash of the local user to authenticate to the remote server. Attackers can capture these credentials to perform relay attacks or crack the password offline. Following the responsible disclosure in June 2024, the issue was patched in version 0.68.0, released on August 29, 2024.

Tenable emphasized the importance of securing open-source projects to avoid exposing vendors and users to potential threats. The disclosure of this vulnerability coincides with Akamai's revelation of a privilege escalation flaw (CVE-2024-43532) in Microsoft's Remote Registry Service, which also involved NTLM relay attacks.

Microsoft, in response to NTLM vulnerabilities, reiterated its commitment to replace NTLM with Kerberos in Windows 11 to enhance authentication security.
Read more »
Vulnerability
Awareness Cyber Criminals Cyber Fraud Cybersecurity elderly Financial Loss fraud prevention Online Scams Scams vigilance Vulnerability

India's Digital Rise Sees Alarming Surge in Online Scams Targeting the Elderly

 

With India advancing in the digital landscape, the country is also witnessing a concerning rise in online scams. In recent months, thousands of individuals have lost substantial sums to these cyber criminals, either hoping to earn more money or after being threatened. Scammers employ new tricks, targeting people across all age groups, with a notable increase in elderly victims. Cyber criminals use increasingly sophisticated techniques to exploit the vulnerability and trust of senior citizens, causing significant financial and emotional distress.

In one case from Bengaluru, a 77-year-old woman named Lakshmi Shivakumar lost Rs 1.2 crore to a scam. It began with a call from someone posing as a Telecom Department representative, falsely claiming a SIM card in her name was involved in illegal activities in Mumbai. The caller mentioned a complaint with the Mumbai Crime Branch to add credibility.

Within hours, she received another call from individuals impersonating Mumbai Crime Branch officers, accusing her of laundering Rs 60 crore and demanding her bank account details for verification. Using threats of arrest and showing a fabricated FIR and arrest warrant, the scammers coerced her into sharing her bank details, ultimately transferring Rs 1.28 crore from her account, promising the money's return after the investigation.

In another case from Chandigarh, an elderly woman was deceived out of Rs 72 lakh under the pretense of a digital arrest scam. She received a call from someone claiming to be from the Central Bureau of Investigation (CBI) office in Andheri, Mumbai, falsely implicating her in a drug case connected to a man named Naresh Goyal and threatening to freeze her bank accounts.

The scammer linked her ATM card to the suspect and claimed obscene messages from her phone were circulating. Under immense pressure, she complied with the demands, participating in a video call where a fake police ID was shown. Over a week, the scammers defrauded her of Rs 72 lakh, promising to return the money after proving her innocence.

Older people are particularly vulnerable to such scams due to several reasons. They often struggle to keep up with the latest technology and digital security measures, making them easy targets for tech-savvy criminals. Additionally, older adults are more likely to trust authoritative figures and may not recognize the signs of deceit in official-looking communications. Their financial stability and natural inclination to trust and cooperate with law enforcement further increase their susceptibility.

How to stay safe and protect the elderly from scams

To protect the elderly from falling prey to such scams, awareness and vigilance are crucial. Here are some essential tips:

  • Inform elderly family members about common types of scams and the tactics used by fraudsters. Regular discussions can help them recognize and avoid potential threats.
  • Encourage seniors to verify any unsolicited calls or messages by contacting the official organization directly using known contact details, not the ones provided by the caller.
  • Ensure that devices used by the elderly have updated security software to protect against malware.
Read more »
Vulnerability
Cyber Attacks Cyber space Cyberattack Intel CPU Vulnerability

New Intel CPU Vulnerability 'Indirector' Found

Researchers from the University of California, San Diego, have discovered a new vulnerability in modern Intel processors, specifically the Raptor Lake and Alder Lake generations. This vulnerability, named 'Indirector,' can be used to steal sensitive information from the CPU. 

The problem lies in two components of the CPU: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB). These components help the CPU make quick decisions, but they have flaws that attackers can exploit. The researchers identified three main techniques used in Indirector attacks: 

1. iBranch Locator: A tool that helps attackers find specific parts of the CPU's decision-making process by identifying the indices and tags of victim branches. 

2. IBP/BTB Injections: Tricks to manipulate the CPU's predictions, causing it to run unauthorized code through targeted injections. 

3. ASLR Bypass: A method to break security measures that protect the memory layout, making it easier to predict and control the CPU. 

By using these techniques, attackers can trick the CPU into running their own code and accessing sensitive data like passwords or encryption keys. This is accomplished by combining the speculative execution achieved through targeted injections with cache side-channel techniques, such as measuring access times, to infer the accessed data. 

To protect against Indirector attacks, the researchers suggest two main defenses: 

1. Use IBPB More: The Indirect Branch Predictor Barrier (IBPB) can prevent certain types of speculative execution, but it can slow down the CPU by up to 50%. 

2. Improve CPU Design: Making the CPU's prediction systems more complex and secure by adding encryption and randomization, which could involve incorporating more complex tags. 

Intel was informed about the Indirector vulnerability in February 2024 and has shared the information with other affected companies. Intel reviewed the findings and believes that existing protections, such as IBRS, eIBRS, and BHI, are effective against this new attack, so no new mitigations or guidance are required. 

The researchers will present their full findings at the USENIX Security Symposium in August 2024. They have also published more detailed information, proof-of-concept code, and tools related to Indirector on GitHub for further study and understanding. 

These publications provide a deeper dive into the attack methodologies, potential data leak mechanisms, and suggested mitigations. Modern CPUs from Intel are vital for many applications, and discovering such vulnerabilities highlights the importance of continually improving hardware security. 

By addressing these flaws and implementing the recommended defenses, the problem security of these processors can be significantly enhanced, protecting users from potential data leaks and other malicious activities.
Read more »
Vulnerability
ConnectWise ScreenConnect Cyber Security Cybersecurity Mass Exploitation Ransomware remote desktop management Supply Chain Attack Vulnerability

Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect

 

Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.
Read more »
Vulnerability
attacks Flaws Openfire Servers Risk Vulnerabilities and Exploits Vulnerability

Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack

More than 3,000 instances of Openfire servers have not undergone patching to address a recent vulnerability, leaving them susceptible to potential attacks exploiting a newly discovered exploit, according to a report by VulnCheck, a firm specializing in vulnerability intelligence.

Openfire, developed by Ignite Realtime, functions as a cross-platform real-time collaboration server written in Java. Operating on the XMPP protocol, it allows web interface administration.

The vulnerability, identified as CVE-2023-32315, is classified as high-severity and pertains to Openfire's administration console. It is characterized as a path traversal flaw within the setup environment, enabling unauthorized attackers to gain entry to restricted sections of the admin console.

The root of the problem stems from Openfire's inadequate protection against specific non-standard URL encoding for UTF-16 characters. The webserver's lack of support for these characters allowed the inclusion of the new encoding without an accompanying update to the protection measures.

All iterations of Openfire, starting from version 3.10.0 launched in April 2015 up to versions 4.7.5 and 4.6.8 issued in May 2023 for vulnerability remediation, are impacted by this flaw.

Exploitations of this vulnerability have been observed over a span of more than two months. Cyber threat actors have been establishing fresh user accounts in the admin console to introduce a new plugin. This plugin houses a remote web shell, affording the attackers the ability to execute arbitrary commands and infiltrate server data.

Publicly available exploits targeting CVE-2023-32315 adhere to a uniform pattern. However, VulnCheck asserts the identification of a novel exploit path that doesn't necessitate the creation of an administrative user account.

VulnCheck has identified a total of over 6,300 accessible Openfire servers on the internet. Of these, around half have either been patched against the vulnerability, run non-vulnerable older versions, or are divergent forks that might remain unaffected.

The firm highlights that approximately 50% of externally facing Openfire servers operate on the impacted versions. Despite their relatively small number, the firm underscores the significance of this issue due to the trusted role these servers hold in connection with chat clients.

The vulnerability's implications allow an attacker lacking authentication to access the plugin administration endpoint. This provides the attacker with the capability to directly upload the plugin and subsequently access the web shell, all without authentication.

VulnCheck clarifies that this strategy avoids triggering login notifications in the security audit log, ensuring a discreet operation. The absence of a security audit log entry is notable, as it eliminates evidence of the breach. 

While signs of malicious activity might be present in the openfire.log file, the attacker can exploit the path traversal to eliminate the log through the web shell. This leaves the plugin as the sole compromise indicator, an aspect of the situation that VulnCheck warns about.

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.

Read more »
Vulnerability
Australia Breach Customer Cyber Attacks Data Energy Experts Investigation Ransomware Report Security Software threat UK Vulnerability

Cyberattack Strikes Australian Energy Software Company Energy One

 

Energy One, an Australian company specializing in software solutions and services for the energy industry, has fallen victim to a cyber assault.

In an announcement made on Monday, the company revealed that the breach was identified on August 18 and had repercussions for certain internal systems both in Australia and the United Kingdom.

“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.

Energy One is actively engaged in an inquiry to ascertain the extent of the impact on customer-related systems and personal data. The organization is also committed to tracing the initial point of intrusion employed by the attacker.

Though detailed specifics about the attack are presently undisclosed, the company's official statement strongly suggests the possibility of a deliberate ransomware attack.

To facilitate the investigation, cybersecurity specialists have been enlisted, and competent authorities in both Australia and the UK have been informed about the incident.

According to a recent report by Searchlight Cyber, a British threat intelligence firm, malevolent actors have been peddling opportunities for initial access into energy sector enterprises globally, with prices ranging from $20 to $2,500.

Perpetrators of cybercrime can exploit various avenues, including Remote Desktop Protocol (RDP) access, compromised login credentials, and vulnerabilities in devices like Fortinet products.
Read more »
Vulnerability
CISO Cyber Attacks Data Exploits Ransomware Safety Security Vulnerability

This Ransomware Targets Several English-Speaking Nations

 

According to findings by Cisco Talos, a group of researchers, a fresh variant of ransomware is suspected to be employed in a series of attacks on entities situated in China, Vietnam, Bulgaria, and a number of English-speaking nations. 

The cybersecurity experts disclosed on Monday that they have come across a hitherto unidentified threat actor, reportedly based in Vietnam, who has been launching these attacks since as far back as June 4.

This newly identified malware is a modified version of the Yashma ransomware. It's worth noting that the Yashma strain had become significantly less active following the release of a decryption tool last year.

“Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, ‘nguyenvietphat,’ has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas,” the researchers said in a report.

“The threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”

The perpetrator's ransom note closely resembles that of WannaCry, a notorious ransomware that gained widespread attention in 2017 due to its high-profile attacks. The ransom note is available in multiple languages, including English, Bulgarian, Vietnamese, and Chinese.

If victims fail to make the payment within three days, the ransom amount will double. The attackers have provided a Gmail address for communication. Interestingly, the ransom note lacks a specified ransom amount, and the Bitcoin account shared in the note doesn't contain any funds, suggesting that the operation might still be in its early stages.

Upon encrypting victim systems, the wallpaper is changed to display a message asserting that all files have been encrypted.

According to Cisco Talos, the Yashma ransomware is essentially a rebranded version of Chaos ransomware, which first emerged in May 2022. After a thorough examination of Yashma's features by BlackBerry security researchers last year, Cisco Talos observed that the new variant mostly retains the core elements of the original ransomware.

One significant change highlighted by Cisco Talos is that this new variant no longer embeds the ransom note within the ransomware itself. Instead, it retrieves the ransom note from a GitHub repository controlled by the threat actors. This modification is intended to evade endpoint detection solutions and antivirus software, which typically detect ransom note strings embedded in the binary.

Another noteworthy characteristic preserved in this variant is Yashma's anti-recovery capability. This involves wiping the content of the original unencrypted files, replacing them with a single character '?' before deleting the file altogether. This tactic complicates efforts by incident responders and forensic analysts to recover deleted files from the victim's hard drive.

Various organizations monitoring ransomware attacks have noted a substantial increase in the emergence of different strains. FortiGuard Labs reported a significant uptick in the growth of ransomware variants, largely attributed to the adoption of Ransomware-as-a-Service (RaaS).

Ransomware expert Allan Liska from Recorded Future pointed out that many so-called "new" ransomware strains are essentially variations of previously released versions. Data gathered by his team demonstrated that fewer than 25% of the supposed 328 "new" ransomware variants are genuinely novel.
Read more »
Vulnerability
Cyber Attacks Cyberfrauds Cybersecurity Hacking Linux Encryptor Ransomwares VMware Vulnerability

ESXi Servers are Targeted by Linux-Based Akira Ransomware

 


As part of a ransomware operation called Akira, VMware ESXi virtual machines have been encrypted using a Linux encryption tool. This is to block access to the virtual machines. The attack comes after the company targeted Windows systems for a couple of months. 

To encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide, the Akira ransomware operations use a Linux encryptor to encrypt VMware ESXi virtual machines controlled by VMware. 

There has been a recent expansion of the Akira ransomware and it now targets VMware ESXi virtual machines using a Linux encryptor. It is because of this adaptation that Akira can now attack companies across the globe. 

This ransomware virus, Akira, was found in March 2023. As the most recent addition to the ransomware landscape, it is relatively less well-known. 

In the short time that Akira ransomware has been in operation, it has been confirmed that 45 organizations have been affected. Most of the targets are based in the U.S. Organizations affected range from childcare centers to large financial institutions but all have been affected. 

The threat actors are engaged in double extortion attacks against their victims, demanding several million dollars and stealing data from breached networks, encrypting files, and encrypting the data until they reach the point of demanding payouts.

In addition to asset managers, the gang's blog lists several victims of the gang's crimes. Akira will encrypt the files of an organization after an attack has been launched, appending the name of the encrypted files to the file names. The desktop screen will display a ransom note, explaining in a condescending tone that it is the quickest way back to the state where the company functions normally if you pay the ransom. 

The Development Bank of Southern Africa and London Capital Group are completely aware of the damage they have caused. There are many US-based companies on the gang's black web blog. 

This computer virus, known as Akira, uses double extortion techniques to pressure its victims into paying a ransom. This means that Akira copies the data before encrypting it to make sure the information can not be released, as well as selling the description key, and using these techniques to force a company into paying the ransom. 

In some cases, the ransoms amount to more than a million dollars, while in others it is less. It has focused on professional services, education, manufacturing, and research and development so far.

In sectors as diverse as education and finance, the threat of ransomware has disrupted corporate networks and encrypted stolen data from breached networks. These compromised files are marked with the extension .akira, which signifies compromise. 

It is important to note that, after the Akira ransomware has been activated, many different file extensions and names will become encrypted, as well as renamed files with the .akira extension. There will also be a ransom note titled akira_readme.txt left in each folder on the encrypted device. 

It is possible to customize how Akira works on Linux, which includes specifying the percentage of data that will be encrypted on each file, which allows threat actors to better customize their attacks. The propensity of this version of Akira to skip folders and files that are usually associated with Windows seems to indicate that it has been ported from the Windows version of the game.

Despite Akira's increasing scope, the fact that the threat now faces organizations around the world illustrates the urgency of action. Sadly, ransomware groups are increasingly expanding their operations to include Linux platforms as well. Many of them are leveraging readily available tools to do so due to the trend toward expanding their operations. To maximize their profits, they have turned this strategy into a simple and lucrative one. 

Among the most notable ransomware operations, some of which predominantly target VMware ESXi servers with their ransomware encryptors, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive. These operations use Linux-based encryption methods. 

Spreads Rapidly, is Widely Popular, and is Unsecured 

During a ransomware attack, servers are popular due to their ability to spread ransomware rapidly. Hackers need only one run to launch the ransomware attack, which means the ransomware attack becomes extremely fast for the first time in history. ESXi servers have gained popularity in the enterprise world, as they are among the most widely used hypervisors on the planet. Lastly, the devices do not have any security solutions installed on them, which leads to a lack of security. CrowdStrike published a report previously that focused on the fact that antivirus software simply isn't supported by the manufacturer. 

During the weekend of February 2-6, ESXi servers were targeted by thousands of attacks taking place simultaneously. The attackers were able to exploit an outdated vulnerability that had existed two years ago. As a result, good cyber security for servers is very important because research can take a long time and is not always easy. A problem that had not yet been exploited massively had been discovered by Mandiant in 2022, but the problem was still unknown.
Read more »
Vulnerability
CISA Clop Ransomware Cyberattacks Cybersecurity ID malware MOVIEit Ransomeware Vulnerability

Uncovered: Clop Ransomware's Lengthy Zero-Day Testing on the MOVEit Platform

 


Security experts have uncovered shocking evidence that the notorious Clop ransomware group has been spending extensive amounts of time testing zero-day vulnerabilities on the popular MOVEit platform since 2021, according to recent reports. This study has raised a lot of concerns about cybersecurity systems' vulnerability. For this reason, affected organizations and security agencies have taken urgent action to prevent these vulnerabilities. In light of this discovery, it only highlights the fact that ransomware attacks are becoming increasingly sophisticated. The need for robust defense measures to mitigate various types of cyber threats is critical. 

There is now close work collaboration between authorities and the parties affected by the breach to investigate this incident and develop appropriate countermeasures. 

A recent Clop data theft attack aimed at weak MOVEit Transfer instances was examined, and it was discovered that the technique employed by the group to deploy the recently revealed LemurLoot web shell can be matched with the technique used by the gang to target weak MOVEit Transfer instances. Using logs from some affected clients' networks, they determined which clients were affected. 

As a result of a joint advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) regarding the active exploitation of a recently discovered critical vulnerability in Progress Software's MOVEit Transfer application, ransomware is now being dropped on the internet. 

Kroll researchers performed a forensic review of the exploit carried out by the Clop cybergang in July 2021. They determined that they may have experimented with the now-patched file transfer vulnerability (CVE-2023-34362) that month. 

BBC, British Airways, Boots, a UK drugstore chain and the Halifax provincial government are some of the organizations that have reported that their data was exfiltrated by the group at the end of last month as well as payroll company Zellis. There was a breach of employee data by three organizations, Vodafone, BBC, and Boots, which used Zellis' services to store employee data. 

The Russian-backed Clop organization, also known as Lace Tempest, TA505, and FIN11, has claimed responsibility for attacks that exploited Fortra’s GoAnywhere Managed File Transfer solution by exploiting a zero-day vulnerability. Over 130 organizations have been targeted and over one million patients' data has been compromised as a result. 

It has been reported that the MOVEit Transfer SQL injection vulnerability exploit on Wednesday was similar to a 2020-21 campaign in which the group installed a DEWMODE web shell on Accellion FTA servers in a joint advisory issued by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency. 

It has also been discovered that threat actors were testing methods for gathering and extracting sensitive data from compromised MOVEit Transfer servers as far back as April of 2022. These methods were probably using automated tools and these methods may have been used to gain access to servers. 

It is possible that actors tested access to organizations using automated means and pulled back information from MOVEit Transfer servers. This was in the weeks leading up to last month's attacks. This is in addition to the 2022 activity. They also did this to determine which organizations they were accessing using information obtained from the MOVEit Transfer servers. 

During the malicious activity, it appeared that specific MOVEit Transfer users' Organization IDs ("Org IDs") were being exfiltrated, which in turn would have allowed Clop to determine which organizations to access. 

It has been reported on Clop's website that it has claimed responsibility for the MOVEit attacks and that victims are invited to contact it until July 14 if they do not wish that their names be posted on the site. Because a ransom deal would not guarantee that the stolen data would remain secure, the company has offered examples of data that has been exfiltrated and data that has been publicly published as part of an unresolvable ransom deal. 

In a LinkedIn post, Charles Carmakal, CEO of Mandiant Consulting, expressed surprise at the number of victims MOVEit has provided. Carmakal characterized MOVEit as "overwhelming.".
Read more »
Subscribe to: Posts (Atom)