
Russian Threat Actors Deploy Zero-Click Exploit in High-Impact Attack on France

By the end of 2025, global cybersecurity assessments indicated that one of Russia's most formidable state-aligned hacking units had changed its tactics significantly. State-sponsored threat actors linked to the GRU's cyber-operations arm, tracked under names such as Sandworm, APT44, and Microsoft's Seashell Blizzard cluster, are reported to be recalibrating their approach to target selection with noticeable precision.

Once renowned for exploiting zero-day and newly disclosed vulnerabilities to high-profile, disruptive effect, the group has shifted to a quieter but equally strategic approach: systematically targeting weaknesses arising from human error and network misconfiguration rather than relying on cutting-edge exploitation techniques.

Analysis published by Amazon's Threat Intelligence division illustrates this shift: the cluster is increasingly concentrating on exploiting misconfigured network edge devices, relying on sustained reconnaissance and exploitation of exposed infrastructure at the digital perimeter rather than overt zero-day or n-day intrusion techniques.

Separately, in early October investigators uncovered an intrusion campaign that lasted only a few weeks but was exceptionally potent. It was attributed to RomCom, a Russia-connected advanced persistent threat group also tracked as Storm-0978, Tropical Scorpius, and UNC2596.

ESET researchers found the malicious files on a Russian-managed server on October 8 and traced their availability back to October 3, five days before discovery.

Technical analysis showed that the files exploited two previously unknown zero-day vulnerabilities: one in Mozilla's browser code, affecting both Firefox and the Tor Browser, and one in the Windows operating system.

Chained together, these weaknesses let RomCom deliver a backdoor silently to any device that visited a compromised website, with no interaction, consent, or click from the visitor.

Although the chain gave attackers the ability to execute arbitrary code on victims worldwide, the exposure window remained narrow. Romain Dumont, a malware researcher at ESET, noted that the operation was constrained by quick defensive action: severe as the vulnerabilities were, they were patched within days, sharply limiting the likelihood of mass compromise.

The intrusion used a deliberate, multilayered attack chain designed for both reach and discretion. The first stage exploited the browser-level vulnerability to gain a foothold on the target computer; that foothold set up a second stage built on a critical flaw in the Windows Task Scheduler service, CVE-2024-49039.

Improper permission handling in that service allowed malicious tasks to execute without triggering security prompts or requiring user consent. By linking the two vulnerabilities, the attackers achieved a zero-click compromise: complete system control was obtained when a victim loaded a booby-trapped webpage, eliminating the interaction-based warnings that would normally appear.

The payload launches a concealed PowerShell process that connects to a remote command server, downloads malware, and deploys it in rapid succession, compressing the infection timeline to near-immediate execution.

Researchers noted that the initial distribution vector remains unclear, but the operational design clearly emphasized automation, persistence, and a minimal forensic footprint, which reduced visible indications of compromise and complicated subsequent investigation.

Throughout the same monitoring period, Russian-aligned cyber units continued coordinated activity across geopolitical targets, with Ukraine experiencing the most sustained pressure.

Gamaredon, which appears to be linked to Russia's Federal Security Service and is also tracked as Primitive Bear, UNC530, and Aqua Blizzard, remains the most active group targeting Ukrainian government networks. Beyond improving its malware obfuscation frameworks, the group deployed a cloud-enabled file stealer called PteroBox that abused legitimate services such as Dropbox to exfiltrate data.

Fancy Bear, a GRU cyber-intelligence unit reportedly responsible for APT28 activity, expanded Operation RoundPress at the same time, refining its exploitation of cross-site scripting vulnerabilities in webmail platforms.

The group exploited a zero-day vulnerability in the MDaemon Email Server (CVE-2024-11182) to penetrate Ukrainian private-sector systems. Sandworm, a GRU-linked cluster also indexed as APT44 and traditionally associated with disruptive campaigns against Ukrainian energy infrastructure, exploited weaknesses in Active Directory Group Policies to deploy ZEROLOT, a new tool designed to destroy networks. RomCom, a group operating within the broader Russian-aligned threat ecosystem, demonstrated a parallel investment in high-impact exploit development.

It chained zero-day vulnerabilities across widely used software platforms, including Firefox and Windows, confirming that zero-interaction intrusion methods are gaining traction. ESET's intelligence reports also placed these operations in a global context, identifying persistent activity from other state-backed groups.

China-aligned APT actors such as Mustang Panda continued campaigns against governments and maritime transportation companies using Korplug loaders and weaponized USB vectors, while PerplexedGoblin deployed the NanoSlate espionage backdoor against a government network in Central Europe.

Operations by North Korea-aligned actors such as Kimsuky and Konni increased significantly in early 2025 after a temporary decline in late 2024, as they shifted their attention from South Korean institutions to in-country diplomatic personnel. Andariel reappeared after nearly a year of inactivity with a breach of an industrial software provider in South Korea, while DeceptiveDevelopment continued social engineering operations to spread the multi-platform WeaselStore malware.

Those operations relied on fraudulent cryptocurrency and finance job postings to distribute the malware across multiple platforms. Late February 2025 also saw a VHDX archive linked to the APT-C-60 group, containing an encrypted downloader and a malicious shortcut internally called RadialAgent, uploaded to VirusTotal through a Japan-based submission.

ESET's leadership explained that the disclosures represented only a small portion of the intelligence gathered during the period, but that they reflected a broad tactical trajectory: threat actors increasingly prioritize stealth, infrastructure exposure, malware modularity, and long-range intrusion campaigns aligned with active geopolitical fault lines in order to improve their operational efficiency.

The likely impact of the exploit chain on victims, and the precise scope of damage, remain unclear, as do the identities of those affected. This underscores the difficulty of uncovering campaigns designed for speed and opacity.

ESET's telemetry shows a pronounced concentration of targets across North America and Europe. Notable clusters include the Czech Republic, France, Germany, Poland, Spain, Italy, and the United States, with smaller numbers of dispersed cases in New Zealand and French Guiana.

None of the victims tracked by ESET who used the Tor Browser showed evidence of compromise, even though the exploit was theoretically capable of reaching users in privacy-hardened environments. Damien Schaeffer, a senior malware researcher at ESET, suggested that configuration differences between Tor and standard Firefox, particularly the default permission settings, may have disrupted the exploit's execution path, an idea reinforced by the exploit's target profile.

Before and after this campaign, RomCom's activity appeared focused primarily on corporate networks and commercial infrastructure, environments that tend not to use Tor, which limited the exploit's viability in those channels. Both vulnerabilities in the chain, Mozilla's CVE-2024-9680 and the Windows Task Scheduler's CVE-2024-49039, have since been fixed. In the attack, a permissions flaw in the Windows Task Scheduler service allowed the payload to connect to a remote command server and retrieve malicious software without generating security prompts or requiring the user to authorize the process.

That is what allowed the attack to execute. Infections shared a consistent exposure point, loading a compromised or counterfeit website, after which the deployment sequence ran to completion within seconds. Observable indicators were few, and an infected endpoint was very difficult to detect. In the middle of October, Mozilla released browser patches for Firefox and Tor, followed by a Thunderbird security update on October 10.

The vulnerability disclosure was received about 25 hours after Thunderbird's security update was released. Microsoft's Windows security update of Nov. 12 ended the exploit chain, severing systemic exposure before it could become widespread.

Researchers acknowledge that the original distribution vector used to seed the infected URLs has yet to be identified, raising further concern about the group's preference for automated campaigns over traceable ones.

Although the operation was ultimately limited by the rapid vendor response, cybersecurity specialists continue to stress routine verification of software updates and urge users and businesses to ensure that all necessary browser patches are applied. Industry experts also advocate more rigorous validation of digital touchpoints, particularly in corporate environments, warning that infrastructure exposure, rather than novel software flaws, is increasingly the weakest link in high-impact intrusion chains.

As 2025 opened, the episode was a stark reminder that today's cyber conflict is no longer defined only by the discovery of rare vulnerabilities, but also by the strategic exploitation of overlooked ones. Although RomCom and the broader Russia-aligned threat ecosystem have been implicated in a number of incidents, operational success has become increasingly dependent on persistence, infrastructure visibility, and abuse of trust, whether through network misconfiguration, poisoned policy mechanisms, or interaction-free malware distribution.

Disruption has been limited since Mozilla and Microsoft released their patches, but uncertainty remains around initial link distribution, victim identification, and possible data impact, illustrating a broader truth: even brief access to a powerful exploit chain can have consequences that outlast it.

Security experts increasingly agree that defense must evolve at the pace of offense: organizations should implement layered intrusion monitoring, continuous endpoint behavior analysis, stricter identity policy audits, and routine verification of software integrity rather than relying on updates alone.

A greater focus on external digital assets, supply chains, and cloud exfiltration risk will be critical in the year to come. The 2025 threat landscape shows clearly that resilience is built not only with advanced tools but also through disciplined configuration hygiene, rapid incident transparency, and a security posture that anticipates compromise rather than reacting to it.

Two Critical Zero-Day Bugs Identified in Zoom Users and MMR Servers

Two critical bugs in the videoconferencing app Zoom could have allowed remote exploitation of both clients and MMR servers. Natalie Silvanovich of Google's Project Zero bug-hunting team on Tuesday released an analysis of the bugs, which were uncovered during an investigation that followed a zero-click attack demonstrated at Pwn2Own.

The researcher spotted two different flaws, including a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), the components that transmit audio and video content between clients in on-premise deployments. In addition, the platform lacked Address Space Layout Randomization (ASLR), a security mechanism that helps guard against memory corruption attacks.

"In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user," the researcher explained in a blog post. "That said, it's likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios."

"ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective," Silvanovich noted. "There is no good reason for it to be disabled in the vast majority of software." 

Because MMR servers process call content, including audio and video, the researcher called the bugs "especially concerning": with an MMR compromised, any virtual meeting without end-to-end encryption enabled would have been exposed to eavesdropping.

The vulnerabilities were reported to the vendor and patched on November 24, 2021, and Zoom has since enabled ASLR. While most video conferencing systems use open-source libraries such as WebRTC or PJSIP to implement multimedia communications, Project Zero called out Zoom's use of proprietary formats and protocols, as well as its high licensing fees (nearly $1,500), as barriers to security research.
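The ASLR point above is something a practitioner can verify for any binary they ship or deploy, because opting in is recorded in the executable's header. The following is an added example, not code from Project Zero or Zoom: it reads the DllCharacteristics field of a PE image for the DYNAMIC_BASE and HIGH_ENTROPY_VA bits, and the e_type of an ELF file for ET_DYN (position-independent). The make_pe and make_elf helpers build constructed, minimal header-only images purely so the check can be run offline; they are not real binaries.

```python
# Added example: header check for whether an executable opts into ASLR.
# Constructed for this post; not Project Zero's or Zoom's code. On Windows a
# module participates in ASLR only if its PE header sets DYNAMIC_BASE
# (HIGH_ENTROPY_VA adds 64-bit entropy); on Linux a PIE executable is ET_DYN.
import struct

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
ET_EXEC, ET_DYN = 2, 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_aslr_flags(data: bytes) -> dict:
    """Return the ASLR-related DllCharacteristics bits of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "dynamic_base": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def elf_is_pie(data: bytes) -> bool:
    """True if an ELF's e_type is ET_DYN (PIE executable or shared object)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = LE, 2 = BE
    return struct.unpack_from(endian + "H", data, 16)[0] == ET_DYN


# --- constructed minimal images for demonstration (not real binaries) ---
def make_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def make_elf(e_type: int) -> bytes:
    # e_ident: magic, ELFCLASS64, little-endian, version 1, then padding
    return b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<H", e_type)


if __name__ == "__main__":
    print(pe_aslr_flags(make_pe(0x0160)))   # DYNAMIC_BASE | HIGH_ENTROPY_VA | NX
    print(pe_aslr_flags(make_pe(0x0100)))   # NX only: this image opts out of ASLR
    print(elf_is_pie(make_elf(ET_DYN)), elf_is_pie(make_elf(ET_EXEC)))
```

Two caveats: the header records only the opt-in, so an OS-level mandatory-ASLR policy can still randomize a DYNAMIC_BASE-less image, and on Linux ET_DYN is shared by PIE executables and shared libraries, so the ELF check answers "could be relocated" rather than "is a PIE program". macOS binaries are Mach-O and are not covered here.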

"These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered," Silvanovich said. "Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it." 

In November of last year, Zoom rolled out automatic updates for its desktop software on Windows and macOS, as well as on mobile; previously, the feature was available only to business users.

University of California Researchers Develop a Technique to Discover Inconsistencies in Smart Contracts
Researchers from the University of California, Santa Barbara, presented a "scalable technique" for checking smart contracts for state-inconsistency bugs, finding forty-seven zero-day vulnerabilities on the Ethereum blockchain in the process. Smart contracts are programs stored on the blockchain that execute automatically when predefined conditions are met, according to the encoded terms of the agreement.

These programs let parties who do not know each other carry out agreed transactions without the need for a central authority. In simple terms, the code itself is the final arbiter of the trade it represents: the program controls every aspect of execution and also provides an immutable audit trail of transactions, both irreversible and traceable. As the paper's authors put it, "since smart contracts are not easily upgradable, auditing the contract's source pre-deployment, and deploying a bug-free contract is even more important than in the case of traditional software."

About Sailfish

Sailfish aims to find state inconsistencies in smart contracts that allow an attacker to meddle with the execution order of transactions, or with control flow within a single transaction, as in reentrancy. The tool converts a contract into a dependency graph that captures the control- and data-flow relations between state-changing instructions and the contract's storage variables, and uses that graph to find potential inconsistencies. The researchers evaluated Sailfish on 89,853 contracts retrieved from Etherscan.

They found forty-seven zero-day vulnerabilities that could be exploited to extract Ether and could also compromise application-specific metadata; one example is a vulnerable house-tracker contract that could be exploited so that house owners end up with multiple active listings. "This is not the first time problematic smart contracts have attracted attention from academia. In September 2020, Chinese researchers designed a framework for categorizing known weaknesses in smart contracts with the goal of providing a detection criterion for each of the bugs," reports The Hacker News.
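To make the dependency-graph idea concrete, here is an added toy checker written for this post; it is not Sailfish's code and works on a made-up straight-line instruction form rather than EVM bytecode or Solidity. Each function is a list of storage reads (sload), storage writes (sstore), checks (require) and external calls (call). build_dependency_graph records which instruction sites read and write which storage variable, and find_reentrancy_hazards flags the single-transaction inconsistency the paragraph describes: a variable read before an external call and only updated after it, so that code re-entered during the call observes stale state. The VULNERABLE and HARDENED contracts are constructed samples showing a withdraw function before and after reordering it to update state before the call.

```python
# Added example: toy state-inconsistency checker in the spirit of the
# dependency-graph approach described above. Constructed for illustration;
# not Sailfish's implementation. The instruction form below is invented.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Instr:
    op: str        # "sload" (read storage), "sstore" (write storage),
                   # "call" (external call), "require" (check)
    arg: str = ""  # storage variable for sload/sstore, callee for call


# A contract is a mapping from function name to its instruction list.
Contract = Dict[str, List[Instr]]


def build_dependency_graph(contract: Contract) -> Set[Tuple[str, str]]:
    """Bipartite graph between instruction sites ("func:index") and storage
    variables: an edge (var -> site) records a read, (site -> var) a write."""
    edges: Set[Tuple[str, str]] = set()
    for fname, body in contract.items():
        for i, ins in enumerate(body):
            site = f"{fname}:{i}"
            if ins.op == "sload":
                edges.add((ins.arg, site))
            elif ins.op == "sstore":
                edges.add((site, ins.arg))
    return edges


def find_reentrancy_hazards(contract: Contract) -> List[Tuple[str, str, int, int]]:
    """Return (function, variable, read_index, write_index) for every storage
    variable that is read before an external call and written only after it
    within the same function. Re-entering during the call sees stale state."""
    hazards: List[Tuple[str, str, int, int]] = []
    for fname, body in contract.items():
        for ci, ins in enumerate(body):
            if ins.op != "call":
                continue
            # last read of each variable that precedes this call
            reads_before = {b.arg: bi for bi, b in enumerate(body[:ci]) if b.op == "sload"}
            for wi in range(ci + 1, len(body)):
                w = body[wi]
                if w.op == "sstore" and w.arg in reads_before:
                    hazards.append((fname, w.arg, reads_before[w.arg], wi))
    return hazards


# Constructed sample: a withdraw that pays out before zeroing the balance.
VULNERABLE: Contract = {
    "withdraw": [
        Instr("sload", "balances"),
        Instr("require"),
        Instr("call", "msg.sender"),   # external call while balance is stale
        Instr("sstore", "balances"),
    ],
}

# Same logic in checks-effects-interactions order: state updated before the call.
HARDENED: Contract = {
    "withdraw": [
        Instr("sload", "balances"),
        Instr("require"),
        Instr("sstore", "balances"),
        Instr("call", "msg.sender"),
    ],
}

if __name__ == "__main__":
    for name, contract in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_reentrancy_hazards(contract))
```

The check is deliberately narrow: it only looks inside one function and ignores loops and branches, whereas the text says Sailfish also covers inconsistencies that come from reordering whole transactions. The value of the graph form is that both kinds of question reduce to path queries over the same read/write edges.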

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

The spyware was installed after the devices were compromised using two zero-click iMessage exploits (which require no user participation): the 2020 KISMET exploit and a new, never-before-seen exploit named FORCEDENTRY.

In February 2021, Citizen Lab first observed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 intended to stop message-based zero-click attacks like this one, had been released only the month before. According to Samuel Groß of Google Project Zero, BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

According to Ivan Krstić, head of Apple Security Engineering and Architecture, attacks like those revealed by Citizen Lab are highly targeted and therefore not a concern for the vast majority of users. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," Krstić said.

Besides Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Citizen Lab believes that disabling iMessage and FaceTime might have blocked these particular threat actors in this instance, but the researchers emphasized that doing so would not provide complete protection from zero-click attacks or spyware.

NSO Group told Bloomberg that it had not yet read the report but had concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Tesla Car Hacked Remotely by Drone Via Zero-Click Exploit

Two researchers have shown how a Tesla and probably other cars can be remotely hacked without the involvement of the operator. 

Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris conducted research last year that led to this conclusion. The investigation was conducted for the Pwn2Own 2020 hacking competition, which offered a car and other substantial prizes for hacking a Tesla, but the results were later submitted to Tesla via its bug bounty programme after Pwn2Own organizers planned to temporarily exclude the automotive category due to the coronavirus pandemic. 

TBONE is an attack that chains two vulnerabilities in ConnMan, an internet connection manager for embedded devices. An intruder could use these bugs to take complete control of Tesla's infotainment system without any user interaction.

A hacker who exploits the vulnerabilities may use the infotainment system to perform any normal user task. This involves things like opening doors, adjusting seat positions, playing music, regulating the air conditioning, and changing the steering and acceleration modes. 

The researchers explained, "However, this attack does not yield drive control of the car". They showed how an intruder could use a drone to launch a Wi-Fi attack on a parked car and open its doors from up to 100 meters (roughly 300 feet) away. The exploit, they said, worked on Tesla S, 3, X, and Y models.

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann stated. 

Tesla apparently stopped using ConnMan after patching the vulnerabilities with an update released in October 2020. Intel was also notified because it was the original creator of ConnMan, but according to the researchers, the chipmaker believed it was not its responsibility. 

According to the researchers, the ConnMan component is commonly used in the automotive industry, suggesting that similar attacks may be launched against other vehicles as well. Weinmann and Schmotzle sought assistance from Germany's national CERT in informing potentially affected vendors, but it's uncertain if other manufacturers have responded to the researchers' findings. 

Earlier this year, the researchers presented their results at the CanSecWest conference; the presentation includes a video of them using a drone to hack a Tesla. In recent years, researchers at several companies have shown that a Tesla can be hacked, in most cases remotely.