
React2Shell Exploited Within Hours as Firms Rush to Patch


Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public. 

The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers. 

The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately. According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems. 

AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors. Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia. 

Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware. 

AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers. 

Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems. 

A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages. 

The company stressed that the outage was not the result of a cyberattack. The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix. 

Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation. Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default. 

Cybersecurity firms and cloud providers are urging organizations to take action immediately: 

  1. Apply official patches for React, Next.js and related RSC frameworks.
  2. Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel.
  3. Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior.

Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale. 

CISA Lists Citrix Bleed 2 as Exploit, Gives One Day Deadline to Patch

CISA confirms active exploitation

The US Cybersecurity & Infrastructure Security Agency (CISA) has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and has given federal agencies one day to patch the bug. This unrealistically short deadline for deploying the patches is the first of its kind since CISA launched the Known Exploited Vulnerabilities (KEV) catalog, highlighting the severity of the attacks abusing the security gap. 

About the critical vulnerability

CVE-2025-5777 is a critical memory safety bug (an out-of-bounds memory read) that lets attackers read memory they are not authorized to access. The flaw affects NetScaler devices configured as an AAA virtual server or a Gateway. Citrix patched the vulnerability in its June 17 updates. 

Afterwards, security researcher Kevin Beaumont warned that the flaw was likely to be exploited if left unaddressed, naming it ‘CitrixBleed 2’ because of its similarities to the infamous CitrixBleed bug (CVE-2023-4966), which was widely abused in the wild by threat actors.

What is the CitrixBleed 2 exploit?

According to Bleeping Computer, “The first warning of CitrixBleed 2 being exploited came from ReliaQuest on June 27. On July 7, security researchers at watchTowr and Horizon3 published proof-of-concept exploits (PoCs) for CVE-2025-5777, demonstrating how the flaw can be leveraged in attacks that steal user session tokens.”

The rise of exploits

At that time, experts had not yet spotted signs of active exploitation. Soon afterwards, threat actors began exploiting the bug on a larger scale and became active on hacker forums, “discussing, working, testing, and publicly sharing feedback on PoCs for the Citrix Bleed 2 vulnerability,” according to BleepingComputer. 

Hackers showed interest in how to use the available exploits effectively in attacks, and various exploits for the bug have since been published.

Now that CISA has confirmed the widespread exploitation of CitrixBleed 2 in attacks, threat actors may have developed their exploits based on the recently released technical information. CISA has suggested to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

DragonForce Targets MSPs Using SimpleHelp Exploit, Expands Ransomware Reach

The DragonForce ransomware group has breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) tool to exfiltrate data and launch ransomware attacks on downstream clients.

Cybersecurity firm Sophos, which was brought in to assess the situation, believes that attackers exploited a set of older vulnerabilities in SimpleHelp—specifically CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726—to gain unauthorized access.

SimpleHelp is widely adopted by MSPs to deliver remote support and manage software deployment across client networks. According to Sophos, DragonForce initially used the compromised tool to perform system reconnaissance—gathering details such as device configurations, user accounts, and network connections from the MSP's customers.

The attackers then moved to extract sensitive data and execute encryption routines. While Sophos’ endpoint protection successfully blocked the deployment on one customer's network, others were not as fortunate. Multiple systems were encrypted, and data was stolen to support double-extortion tactics.

In response, Sophos has released indicators of compromise (IOCs) to help other organizations defend against similar intrusions.

MSPs have consistently been attractive targets for ransomware groups due to the potential for broad, multi-company impact from a single entry point. Some threat actors have even tailored their tools and exploits around platforms commonly used by MSPs, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya. This trend has previously led to large-scale incidents, such as the REvil ransomware attack on Kaseya that affected over 1,000 businesses.

DragonForce's Expanding Threat Profile

The DragonForce group is gaining prominence following a string of attacks on major UK retailers. Their tactics reportedly resemble those of Scattered Spider, a well-known cybercrime group.

As first reported by BleepingComputer, DragonForce ransomware was used in an attack on Marks & Spencer. Shortly after, the same group targeted another UK retailer, Co-op, where a substantial volume of customer data was compromised.

BleepingComputer had earlier noted that DragonForce is positioning itself as a leader in the ransomware-as-a-service (RaaS) space, offering a white-label version of its encryptor for affiliates.

With a rapidly expanding victim list and a business model that appeals to affiliates, DragonForce is cementing its status as a rising and formidable presence in the global ransomware ecosystem.

Pen Test Partners Uncovers Major Vulnerability in Microsoft Copilot AI for SharePoint


Pen Test Partners, a renowned cybersecurity and penetration testing firm, recently exposed a critical vulnerability in Microsoft’s Copilot AI for SharePoint. Known for simulating real-world hacking scenarios, the company’s red team specialists investigate how systems can be breached just as skilled threat actors would attempt in real time. With attackers increasingly leveraging AI, ethical hackers are now adopting similar methods—and the outcomes are raising eyebrows.

In a recent test, the Pen Test Partners team explored how Microsoft Copilot AI integrated into SharePoint could be manipulated. They encountered a significant issue when a seemingly secure encrypted spreadsheet was exposed—simply by instructing Copilot to retrieve it. Despite SharePoint’s robust access controls preventing file access through conventional means, the AI assistant was able to bypass those protections.

“The agent then successfully printed the contents,” said Jack Barradell-Johns, a red team security consultant at Pen Test Partners, “including the passwords allowing us to access the encrypted spreadsheet.”

This alarming outcome underlines the dual nature of AI in information security—it can enhance defenses, but can also inadvertently open doors to attackers if not properly governed.

Barradell-Johns further detailed the engagement, explaining how the red team encountered a file labeled passwords.txt, placed near the encrypted spreadsheet. When traditional methods failed due to browser-based restrictions, the hackers used their red team expertise and simply asked the Copilot AI agent to fetch it.

“Notably,” Barradell-Johns added, “in this case, all methods of opening the file in the browser had been restricted.”

Still, those download limitations were sidestepped. The AI agent output the full contents, including sensitive credentials, and allowed the team to easily copy the chat thread, revealing a potential weak point in AI-assisted collaboration tools.

This case serves as a powerful reminder: as AI tools become more embedded in enterprise workflows, their security testing must evolve in step. It's not just about protecting the front door—it’s about teaching your digital assistant not to hold it open for strangers.

For those interested in the full technical breakdown, the complete Pen Test Partners report dives into the step-by-step methods used and the broader security implications of Copilot’s current design.

Davey Winder reached out to Microsoft, and a spokesperson said:

“SharePoint information protection principles ensure that content is secured at the storage level through user-specific permissions and that access is audited. This means that if a user does not have permission to access specific content, they will not be able to view it through Copilot or any other agent. Additionally, any access to content through Copilot or an agent is logged and monitored for compliance and security.”

Davey Winder then contacted Ken Munro, founder of Pen Test Partners, who issued the following statement addressing the points in Microsoft’s response.

“Microsoft are technically correct about user permissions, but that’s not what we are exploiting here. They are also correct about logging, but again it comes down to configuration. In many cases, organisations aren’t typically logging the activities that we’re taking advantage of here. Having more granular user permissions would mitigate this, but in many organisations data on SharePoint isn’t as well managed as it could be. That’s exactly what we’re exploiting. These agents are enabled per user, based on licenses, and organisations we have spoken to do not always understand the implications of adding those licenses to their users.”

Türkiye-Linked Hackers Exploit Zero-Day in Messaging App to Target Kurdish Military


A Türkiye-aligned cyberespionage group, Marbled Dust, has exploited a previously unknown zero-day vulnerability to launch attacks on users of Output Messenger — specifically those associated with the Kurdish military in Iraq, according to a report from Microsoft Threat Intelligence.

The uncovered flaw, now identified as CVE-2025-27920, is a directory traversal vulnerability in the LAN-based Output Messenger application. It enables authenticated users to break out of intended directories, granting access to sensitive system files or allowing the deployment of malicious payloads to the server’s startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, stated in a security advisory released in December.

The vulnerability was patched in Output Messenger V2.0.63, but attackers exploited it before updates were applied. Microsoft attributes the campaign to a group tracked as Sea Turtle, SILICON, and UNC1326, known collectively as Marbled Dust.

After infiltrating the Output Messenger Server Manager, attackers installed malware that allowed them to monitor communications, impersonate users, and disrupt internal systems.

"While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft explained.

Following initial compromise, a backdoor named OMServerService.exe was deployed to establish communication with an attacker-controlled command-and-control server (api.wordinfos[.]com). This enabled the group to gather victim-specific data.

In one example, an Output Messenger client connected to an IP tied to Marbled Dust, likely initiating data exfiltration. Shortly after, the system began collecting files and compressing them into a RAR archive for extraction.

Marbled Dust has a history of targeting Europe and the Middle East, especially telecom, IT firms, and government entities critical of the Turkish regime. The group is known to exploit internet-facing vulnerabilities and compromise DNS registries to carry out man-in-the-middle (MitM) attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft noted. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

In recent years, Marbled Dust has been connected to espionage campaigns in the Netherlands, with a focus on ISPs, telecommunication provi

Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild


Security researchers have issued a warning about a severe vulnerability affecting SAP systems, with over 1,200 instances potentially exposed to remote exploitation. This comes after SAP disclosed a critical flaw in the NetWeaver Visual Composer’s Metadata Uploader earlier this week.

The NetWeaver Visual Composer is a development environment designed for building web-based business applications without coding. It is widely used to develop dashboards, forms, and interactive reports. The Metadata Uploader enables developers to import external metadata into the platform, establishing connections with remote data sources such as databases, web services, and other SAP systems.

SAP has identified the vulnerability as CVE-2025-31324, assigning it the highest severity rating of 10 out of 10. The flaw arises due to a lack of authentication in the Metadata Uploader, allowing attackers to upload malicious files without needing authorization.

Cybersecurity company Keeper, known for its password management and digital vault solutions, highlights the growing need for secure authentication frameworks. The platform utilizes zero-knowledge encryption and provides tools such as two-factor authentication, secure storage, dark web monitoring, and breach alerts.

Upon discovering the issue, SAP first released a workaround, followed by a comprehensive patch in late April. The company is now urging all users to implement the fix immediately. Multiple cybersecurity firms — including ReliaQuest, watchTowr, and Onapsis — have observed real-world exploitation of the flaw. According to reports, attackers have been using it to deploy web shells on compromised servers.

SAP, however, stated to BleepingComputer:

"It is not aware of any attacks that impacted customer data or systems."

There is some discrepancy in the actual number of affected systems. While the Shadowserver Foundation identified 427 exposed servers, Onyphe reports as many as 1,284 vulnerable SAP instances, with 474 already compromised.

Chinese Cyber Espionage Suspected in New Ivanti VPN Malware Attack


A newly discovered cyberattack campaign targeting Ivanti VPN devices is suspected to be linked to a Chinese cyberespionage group. Security researchers believe the attackers exploited a critical vulnerability in Ivanti Connect Secure, which was patched by the Utah-based company in February. The attack is yet another example of how state-backed Chinese threat actors are rapidly taking advantage of newly disclosed vulnerabilities and frequently targeting Ivanti’s infrastructure.

On Thursday, researchers from Mandiant revealed that a group tracked as UNC5221 exploited a stack-based buffer overflow vulnerability to deploy malicious code from the Spawn malware ecosystem—an attack technique often associated with Chinese state-sponsored activity. Mandiant also identified two previously unknown malware families, which they've named Trailblaze and Brushfire. As seen in earlier attacks tied to Chinese hackers, this group attempted to manipulate Ivanti’s internal Integrity Checker Tool to avoid detection.

The vulnerability, officially tracked as CVE-2025-22457, was used to compromise multiple Ivanti products, including Connect Secure version 22.7R2.5 and earlier, the legacy Connect Secure 9.x line, Policy Secure (Ivanti’s network access control solution), and Zero Trust Access (ZTA) gateways. Ivanti released a patch for Connect Secure on February 11, emphasizing that Policy Secure should not be exposed to the internet, and that "Neurons for ZTA gateways cannot be exploited when in production."

Ivanti acknowledged the attack in a statement: "We are aware of a limited number of customers whose appliances have been exploited." The incident follows warnings from Western intelligence agencies about China's increasing speed and aggression in leveraging newly disclosed software vulnerabilities—often before security teams have time to deploy patches.

Many of the devices targeted were legacy systems no longer receiving software updates, such as the Connect Secure 9.x appliance, which reached end-of-support on December 31, 2024. Older versions of the Connect Secure product line, which were set to be replaced by version 22.7R2.6 as of February 11, were also compromised.

This marks the second consecutive year Ivanti has had to defend its products from persistent attacks by suspected Chinese state-backed hackers. Thursday’s advisory from Mandiant and Ivanti highlights a vulnerability separate from the one flagged in late March by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which had allowed attackers to install a Trojan variant linked to Spawn malware in Ivanti systems.

Hackers Infiltrated PowerSchool Network Well Before December Attack

CrowdStrike's investigation into PowerSchool's large-scale data breach of December 2024 has been published. The investigation determined that unauthorized access to the company's systems began four months earlier, in August 2024, and continued into September. With more than 60 million students and 18,000 customers worldwide, PowerSchool is the world's leading cloud-based software provider for K-12 education. 

Among the many services PowerSchool offers are enrollment management, communication tools, attendance tracking, staff administration, learning solutions, analytics, and financial management. PowerSchool disclosed in December that threat actors had gained unauthorized access to its customer support portal, PowerSource. Attackers used a remote maintenance tool within this portal to connect to customer databases. As a result, sensitive information such as full names, physical addresses, contact information, Social Security numbers (SSNs), medical records, and academic grades could have been accessed. 

CrowdStrike's findings provide further insight into the timeline and scope of the security incident, emphasizing the need for enhanced cybersecurity measures to protect sensitive educational data. The investigation revealed that a hacker had stolen the company's support credentials several months earlier and used them to access the company's network. 

CrowdStrike's report indicates that PowerSchool's network was accessed between August 16, 2024, and September 17, 2024, with the same compromised credentials used in December. These credentials granted unauthorized access to PowerSource, the customer support portal that was later exploited in December to reach PowerSchool's network. 

According to CrowdStrike's report, PowerSource is intended to give support technicians the privileges needed to access customer SIS database instances for maintenance. CrowdStrike noted that the limited log data available prevented further analysis, and the investigation did not find sufficient evidence to conclusively link the August and September activity to the threat actor responsible for the December breach. 

The report does suggest, however, that the December breach could have been avoided had the compromised credentials been updated on time. Cybersecurity measures such as frequent credential updates and enhanced monitoring can prevent unauthorized access to sensitive data. PowerSchool released the findings from CrowdStrike's investigation on February 28, 2025, an update that highlights the importance of proactive cybersecurity measures. 

According to the report, the cyberattack on the PowerSource customer support portal was carried out using compromised credentials. The unauthorized access began on December 19, 2024, at 19:43:14 UTC and lasted until December 28, 2024, at 06:31:18 UTC, when it was discovered and mitigated. CrowdStrike found that the attackers exfiltrated sensitive data belonging to teachers and students from the compromised systems, but found no evidence that other databases were accessed or stolen. 

The investigation found no malware deployed within PowerSchool's infrastructure, nor any indication of privilege escalation, lateral movement, or compromise of downstream customer or school systems. Based on CrowdStrike's dark web intelligence as of January 2, 2025, the attackers appear to have kept their promise not to publish the stolen data after receiving an extortion payment. 

The firm has not identified any instances of the information being sold or leaked online. Further analysis showed that the PowerSource portal was breached in August and September 2024 using the same compromised credentials, suggesting that the compromise could have begun even earlier. However, due to limitations in log data retention, there is insufficient evidence to confirm whether the same threat actor is behind both the earlier breaches and the December attack. 

Specifically, the report stated that PowerSource logs for August 16, 2024, at 01:27:29 UTC showed unauthorized access by an unidentified actor using compromised support credentials. CrowdStrike also pointed out that the available SIS log data did not extend far enough back to determine whether that access resulted in the exfiltration of data from PowerSchool's SIS. 

Despite the severity of the breach, PowerSchool has not publicly disclosed the number of schools, students, and teachers affected, raising questions about transparency. According to the report, the breach affects 6,505 school districts across the United States, Canada, and other countries. The stolen data set contains approximately 62,488,628 student records and 9,506,624 teacher records. 

In light of these findings, stringent cybersecurity measures must be put in place, including timely credential management and enhanced monitoring, to protect sensitive educational data and prevent unauthorized access to it. PowerSchool has assured stakeholders that all necessary precautions have been taken to ensure that no further unauthorized access to the compromised data will take place. In a communication to parents and guardians, the company said the stolen information was not expected to be released to the public and that it had been permanently deleted without being duplicated or spread further. 

An in-depth analysis of PowerSchool system logs, begun on December 22, 2024, identified unusual activity affecting both on-premises and cloud-hosted PowerSchool customers. According to the investigation, two key data tables, Students_export.csv and Teachers_export.csv, were transferred to an IP address traced back to Ukraine and then deleted. The IP address, 91.218.50.11, belongs to Virtual Systems, a legitimate hosting provider, indicating that the attacker likely either rented a service directly or exploited an existing account. 

As soon as PowerSchool discovered the breach on December 28, 2024, it contacted CyberSteward, a cybersecurity incident response company, to negotiate with the attacker and resolve the problem. According to an internal FAQ reported on by cybersecurity journalist Brian Krebs, PowerSchool requested assurances concerning the fate of the stolen data. The threat actor subsequently confirmed to PowerSchool that all exfiltrated data had been erased and that no additional copies were kept. 

The attacker is also alleged to have provided a video showing the file deletion process. The findings illustrate how dramatically the cyber threat landscape has evolved over the past decade and the growing need for organizations to implement robust security measures that limit unauthorized access to sensitive information. CrowdStrike's investigation made clear that cyber threats to schools and educational institutions have become increasingly sophisticated and that action must be taken to prepare for them. 

The PowerSchool breach, which went undetected for months, illustrates the dangers posed by compromised credentials and the risks of unauthorized access to students' and faculty members' sensitive data. PowerSchool has assured that the necessary precautions have been taken to prevent further misuse of the stolen data, yet the incident is a critical reminder of the vulnerabilities in the digital infrastructure that handles vast amounts of information about individual students and teachers. 

Given the late detection of the breach and the extent of the data exfiltration, continuous monitoring, prompt credential updates, and robust access control measures are imperative. To remain secure, educational institutions and technology providers must adopt advanced threat detection mechanisms, enforce multi-factor authentication, and follow rigorous incident response protocols. 

Transparency in disclosing breaches remains crucial to maintaining public trust and keeping affected stakeholders informed. As cybercriminals' tactics keep changing, organizations must remain vigilant and strengthen their security frameworks to mitigate the risk of future breaches. Every institution that handles sensitive data should take note of this event: cybersecurity is more than a precaution; it is one of the essential responsibilities of modern educational institutions.