The Hacker News
References: The Hacker News, The GreyNoise Blog
GreyNoise has issued a warning regarding a coordinated brute force campaign targeting Apache Tomcat Manager interfaces. On June 5, 2025, their threat intelligence system detected a significant surge in malicious activity, specifically brute-force and login attempts against these interfaces. This spike prompted GreyNoise to issue tags for "Tomcat Manager Brute Force Attempt" and "Tomcat Manager Login Attempt," both registering well above their usual baseline volumes, suggesting a deliberate and widespread effort to identify and exploit exposed Tomcat services.
295 unique IP addresses were observed engaging in brute-force attempts, while 298 IPs conducted login attempts; almost all were classified as malicious. Much of the activity originated from infrastructure hosted by DigitalOcean. The concentrated nature of these attacks, focusing primarily on Tomcat services, indicates a coordinated campaign rather than random, opportunistic scanning. GreyNoise believes that such activity serves as an early warning sign of future exploitation. Organizations are urged to immediately block the malicious IPs identified by GreyNoise and to strengthen their security posture regarding exposed Tomcat Manager interfaces. This includes implementing robust authentication mechanisms, enforcing strict access restrictions, and carefully reviewing recent login activity for any anomalies. GreyNoise continues to monitor the situation and is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.
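The "review recent login activity" advice above can be turned into a concrete triage step. The following is an added example, not GreyNoise's or Tomcat's code: it parses constructed Tomcat access-log lines (the default AccessLogValve "common" pattern), flags source addresses that repeatedly fail authentication against the Manager paths within a short window, and lists any address that obtained a successful Manager response after such failures. The addresses, timestamps and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the "common" pattern of Tomcat's AccessLogValve
# (%h %l %u %t "%r" %s %b). None of these addresses or timestamps are real data.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:14:02:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:14:02:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:14:02:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - admin [05/Jun/2025:14:02:11 +0000] "GET /manager/html HTTP/1.1" 200 19873
198.51.100.7 - - [05/Jun/2025:14:05:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:14:05:31 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.44 - tomcat [05/Jun/2025:14:10:00 +0000] "GET /manager/html HTTP/1.1" 200 19873
203.0.113.99 - - [05/Jun/2025:14:11:00 +0000] "GET /index.html HTTP/1.1" 404 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MANAGER_PREFIXES = ("/manager/", "/host-manager/")   # paths the campaign targets
AUTH_FAILURES = (401, 403)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for sources with at least `threshold` auth
    failures on Manager paths inside any span of length `window`."""
    failures = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["path"].startswith(MANAGER_PREFIXES) and rec["status"] in AUTH_FAILURES:
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def successes_after_failures(log_text):
    """IPs that got a 200 on a Manager path after at least one auth failure from
    the same address: the records to review first for a possible compromise."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    failed, suspicious = set(), []
    for r in records:
        if not r["path"].startswith(MANAGER_PREFIXES):
            continue
        if r["status"] in AUTH_FAILURES:
            failed.add(r["ip"])
        elif r["status"] == 200 and r["ip"] in failed and r["ip"] not in suspicious:
            suspicious.append(r["ip"])
    return suspicious


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))   # {'203.0.113.10': 6}
    print(successes_after_failures(SAMPLE_LOG))  # ['203.0.113.10']
```

The legitimate administrator at 192.0.2.44 is not reported because it never failed authentication first; the address with two failures stays below the threshold and would only surface if its attempts continued.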
techcrunch.com
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.
The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that it was aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist. Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
Bill Toulas@BleepingComputer
Trend Micro has released security updates to address critical vulnerabilities in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. These vulnerabilities, which include remote code execution and authentication bypass flaws, pose a significant risk to affected systems. The company urges administrators to apply the necessary security updates as soon as possible to mitigate potential exploitation. While Trend Micro states there is no evidence of active exploitation in the wild, the severity of the flaws necessitates immediate action.
One specific vulnerability, tracked as ZDI-25-371, exists within the Endpoint Encryption product and involves the DeserializeFromBase64String method. This flaw stems from a lack of proper validation of user-supplied data, which can lead to the deserialization of untrusted data. An attacker who successfully exploits this vulnerability can execute code in the context of SYSTEM, potentially gaining complete control over the affected system. Although authentication is required, the existing authentication mechanism can be bypassed, making exploitation easier. The vulnerabilities were reported to Trend Micro on October 11, 2024, by Piotr Bazydlo of Trend Micro's Zero Day Initiative. A coordinated public release of the advisory followed on June 11, 2025. Users of Apex Central and Endpoint Encryption (TMEE) PolicyServer products are advised to visit the Trend Micro website for details on obtaining and applying the necessary patches. Further information on the specific fixes can be found at https://success.trendmicro.com/en-US/solution/KA-0019928.
securityonline.info
References: securityonline.info, Virus Bulletin
North Korea-linked APT group Kimsuky, also known as Monolithic Werewolf, has resurfaced with an evolved version of its AppleSeed campaign, targeting Korean users via social media. The Genians Security Center (GSC) detected this activity, noting that it spanned from March to April 2025. The attackers leveraged multiple communication channels, including Facebook, email, and Telegram, to distribute malicious files, demonstrating a multi-platform infiltration model. This campaign specifically targeted individuals involved in North Korean defector support, using coordinated social engineering efforts to gain trust.
The attackers employed various techniques to bypass security measures and achieve persistence. They used two Facebook accounts to initiate conversations, posing as missionaries or church researchers to build rapport with their targets. Once trust was established, they sent password-protected EGG-format archives containing a malicious JScript file, designed to evade mobile-based scanning and force execution on Windows PCs. The malicious JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs using PowerShell and Certutil, and achieving persistence by adding a Run registry entry. The AppleSeed malware functions as a remote access trojan (RAT), capable of collecting sensitive system information, encrypting it, and sending it back to the attackers. The final-stage payload collects host information, checks for admin privileges and UAC settings, then compresses and encrypts the data. The campaign reveals the group's adaptive tactics, utilizing Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers were obtained. Security analysts are recommending proactive threat hunting and triage strategies to defend against this evolving threat.
Pierluigi Paganini@Security Affairs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities discovered in SinoTrack GPS devices. These flaws could allow malicious actors to remotely control vehicles and track their locations. The vulnerabilities affect all known SinoTrack devices and the SinoTrack IOT PC Platform. This alert follows the disclosure of these security weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.
The identified vulnerabilities include a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication stems from the use of a default password across all devices and the use of the device identifier as the username. The identifier, which is printed on the receiver, is easily accessible, either through physical access to the device or through images posted online. The observable response discrepancy arises from the numerical structure of usernames, which are up to 10 digits long. This enables attackers to guess valid usernames by trying different number sequences. Successful exploitation of these vulnerabilities could grant attackers unauthorized access to device profiles through the web management interface. This access could then be used to perform remote functions on connected vehicles, such as tracking the vehicle's location and, in some cases, disconnecting power to the fuel pump. With a CVSS v4 score of 8.8, CVE-2025-5485 is considered highly severe. While there are currently no official fixes available, CISA advises users to change the default password immediately and to conceal the device identifier, particularly in publicly accessible photographs. SinoTrack has not yet responded to CISA’s request.
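The two weaknesses described above are a design pattern, not a one-off bug, so they are worth seeing side by side. The following is an added example and not SinoTrack's code: a toy device portal that reproduces the reported pattern (printed device ID as username, one shared factory password, and an error message that differs for an unknown ID versus a wrong password) next to a hardened version that refuses the factory default at enrollment, hashes per-device secrets, and returns one uniform response. The device IDs and the factory password are made up.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: device IDs and the factory password below are made up.
FACTORY_DEFAULT = "123456"
MIN_PASSWORD_LEN = 12


def _derive(password, salt):
    """Salted PBKDF2 so stored credentials are not recoverable from a dump."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WeakPortal:
    """Models the reported flaws: the printed device ID is the username, every
    device ships with the same default password, and the error text differs
    for an unknown ID versus a wrong password (an observable discrepancy)."""

    def __init__(self, device_ids):
        self.passwords = {d: FACTORY_DEFAULT for d in device_ids}

    def login(self, device_id, password):
        if device_id not in self.passwords:
            return "unknown device"          # leaks whether the ID exists
        if self.passwords[device_id] != password:
            return "wrong password"
        return "ok"


class HardenedPortal:
    """Same interface with both weaknesses removed."""

    # Dummy credential used when the ID is unknown, so the unknown and known
    # paths do the same hashing work and return the same message.
    _DUMMY_SALT = os.urandom(16)
    _DUMMY_HASH = _derive(secrets.token_hex(16), _DUMMY_SALT)

    def __init__(self):
        self.credentials = {}

    def enroll(self, device_id, password):
        # Force a per-device secret at setup; the factory default is never usable.
        if password == FACTORY_DEFAULT or len(password) < MIN_PASSWORD_LEN:
            raise ValueError("set a unique password of at least 12 characters")
        salt = os.urandom(16)
        self.credentials[device_id] = (salt, _derive(password, salt))

    def login(self, device_id, password):
        salt, expected = self.credentials.get(device_id, (self._DUMMY_SALT, self._DUMMY_HASH))
        candidate = _derive(password, salt)
        if device_id in self.credentials and hmac.compare_digest(candidate, expected):
            return "ok"
        return "invalid credentials"         # identical for unknown ID and wrong password


def rejects_factory_default(portal):
    """True if the portal refuses to enroll a device with the factory password."""
    try:
        portal.enroll("0000000001", FACTORY_DEFAULT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    weak = WeakPortal(["1234567890"])
    print(weak.login("1234567890", "guess"), "/", weak.login("0000000000", "guess"))
    hard = HardenedPortal()
    hard.enroll("1234567890", "correct-horse-battery")
    print(hard.login("1234567890", "guess"), "/", hard.login("0000000000", "guess"))
```

Rate limiting per source and per device ID still belongs in front of the hardened portal; uniform responses remove the oracle, but not the ability to try many ten-digit IDs.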
David Marshall@VMblog
A new ransomware operation known as Fog is making headlines due to its unusual and sophisticated attack methods. A recent report from Symantec and the Carbon Black Threat Hunter team reveals that Fog leverages a rare combination of legitimate software, open-source tools, and stealthy delivery mechanisms to compromise organizations. This approach allows the attackers to evade detection and maintain a persistent presence within the victim's network.
The attackers are deploying legitimate employee monitoring software, such as Syteca (formerly known as Ekran), which is typically used for insider threat detection and compliance. In the hands of these threat actors, however, it transforms into a covert surveillance tool, capturing screen activity and keystrokes, including credentials typed by unsuspecting users. The delivery of Syteca is often facilitated by Stowaway, an open-source proxy utility, and executed using SMBExec, a part of the Impacket framework commonly used for lateral movement. Notably, Fog also incorporates GC2, a less common post-exploitation backdoor that leverages Google Sheets or Microsoft SharePoint as a command-and-control (C2) mechanism, effectively concealing malicious traffic within legitimate cloud communications. After deploying the ransomware, the attackers have been observed creating services to establish persistence, an atypical step indicating their desire to retain access to the victim's network. Security experts emphasize the need for organizations to enforce least privilege, eliminate unnecessary local administrator rights, and tightly control which applications can be installed or executed to mitigate the risk posed by Fog and similar evolving threats.
socprime.com
A critical zero-click AI vulnerability, dubbed "EchoLeak," has been discovered in Microsoft 365 Copilot, potentially allowing attackers to exfiltrate sensitive data without any user interaction. The vulnerability, identified as CVE-2025-32711, has been assigned a CVSS score of 9.3. Aim Security, the firm that discovered and reported the vulnerability, described it as an instance of a Large Language Model (LLM) Scope Violation, paving the way for indirect prompt injection and leading to unintended behavior. This allows attackers to automatically exfiltrate sensitive and proprietary information from Microsoft 365 Copilot's context without any specific action from the user, relying on Copilot's default behavior to combine and process content.
The attack sequence involves an attacker sending an innocuous-looking email containing a malicious prompt payload to an employee's Outlook inbox. When the user asks Microsoft 365 Copilot a business-related question, the system mixes the untrusted attacker input with sensitive data into the LLM context through its Retrieval-Augmented Generation (RAG) engine. This process results in Copilot leaking private data to the attacker via Microsoft Teams and SharePoint URLs. This means attackers can exploit a flaw where Copilot doesn't isolate trust boundaries when processing content from Outlook and SharePoint, turning a helpful automation feature into a potential data leak. Microsoft has addressed the EchoLeak vulnerability and released an advisory stating that no further action is needed by customers. The company has implemented defense-in-depth measures and updated its products to mitigate the issue. While there is no evidence of malicious exploitation in the wild, the discovery highlights the importance of ongoing security research and proactive measures to protect AI-powered systems from potential vulnerabilities. Microsoft expressed appreciation to Aim Labs for responsibly reporting the issue, enabling them to address it before any customers were impacted.
The Hacker News
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.
The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures. Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers.
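The pattern the researchers describe, a burst of failed sign-ins spread across many accounts from one source, is what distinguishes a spray from a brute-force attempt against a single account, and it is checkable from sign-in logs. The following is an added example, not Proofpoint's or Microsoft's code: it runs over constructed, simplified Entra ID sign-in records (a small subset of the real fields; the error code 50126 is the "invalid username or password" result) and flags sources that fail against many distinct accounts inside one window, then lists accounts that subsequently succeeded from a flagged source. The addresses, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIALS = 50126   # Entra sign-in errorCode: invalid username or password
SUCCESS = 0


def _rec(ts, ip, upn, code):
    """Build one constructed, simplified sign-in record."""
    return {"createdDateTime": ts, "ipAddress": ip,
            "userPrincipalName": upn, "status": {"errorCode": code}}


# Constructed sample: one source fails once against each of 12 accounts in under a
# minute, then succeeds against one of them; a second source is a single user
# mistyping a password three times (not a spray).
SAMPLE_SIGNINS = (
    [_rec(f"2025-06-05T02:00:{i:02d}Z", "203.0.113.5", f"user{i}@example.com", INVALID_CREDENTIALS)
     for i in range(12)]
    + [_rec("2025-06-05T02:00:40Z", "203.0.113.5", "user9@example.com", SUCCESS)]
    + [_rec(f"2025-06-05T08:15:{i:02d}Z", "198.51.100.20", "alice@example.com", INVALID_CREDENTIALS)
       for i in range(3)]
)


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_spray(records, min_users=10, window=timedelta(minutes=30)):
    """Return {ip: distinct_failed_users} for sources whose failed sign-ins hit at
    least `min_users` different accounts inside one `window`. Many users with few
    attempts each is the spray signature; many attempts on one user is not."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            by_ip[r["ipAddress"]].append((_ts(r), r["userPrincipalName"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)           # user -> failures inside the sliding window
        for end, (t, upn) in enumerate(events):
            in_window[upn] += 1
            while t - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users:
                flagged[ip] = len({u for _, u in events})
                break
    return flagged


def compromised_after_spray(records, spray_sources):
    """(ip, user) pairs with a successful sign-in from a flagged spray source:
    the accounts to treat as compromised and reset first."""
    return sorted({(r["ipAddress"], r["userPrincipalName"]) for r in records
                   if r["ipAddress"] in spray_sources
                   and r["status"]["errorCode"] == SUCCESS})


if __name__ == "__main__":
    sources = detect_spray(SAMPLE_SIGNINS)
    print(sources)                                          # {'203.0.113.5': 12}
    print(compromised_after_spray(SAMPLE_SIGNINS, sources))  # [('203.0.113.5', 'user9@example.com')]
```

In a real tenant the window and user threshold need tuning to tenant size, since the page notes the actors go after every account in small tenants but only a subset in large ones.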
cyberscoop.com
INTERPOL has announced the successful culmination of Operation Secure, a global initiative targeting the infrastructure of information-stealing malware. The operation, which spanned from January to April 2025, involved law enforcement agencies from 26 countries who worked collaboratively to locate servers, map physical networks, and execute targeted takedowns. This coordinated effort resulted in the dismantling of more than 20,000 malicious IP addresses and domains associated with 69 different variants of infostealer malware, significantly disrupting cybercriminal activities worldwide.
Operation Secure also led to the seizure of 41 servers and over 100 GB of data, providing valuable insights into the operations of cybercriminals. A total of 32 suspects were arrested across multiple countries in connection with illegal cyber activities, demonstrating the effectiveness of international cooperation in combating cybercrime. Eighteen arrests occurred in Vietnam, where authorities confiscated devices, SIM cards, business registration documents, and a substantial sum of cash, revealing a scheme to open and sell corporate accounts for illicit purposes. The operation was further bolstered by the contributions of private sector cybersecurity firms, including Group-IB, Kaspersky, and Trend Micro, who provided critical intelligence and Cyber Activity Reports to assist cyber teams. This collaboration resulted in the takedown of 79% of identified suspicious IP addresses. Hong Kong police played a key role by analyzing over 1,700 pieces of intelligence and identifying 117 command-and-control servers used by cybercriminals to orchestrate phishing schemes, online fraud, and social media scams.
Kaspersky@Securelist
References: Securelist, Catalin Cimpanu
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels like email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024, with a slight decline in December followed by a new wave of attacks.
The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner. Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m.
Tyler McGraw@Rapid7 Cybersecurity Blog
References: Rapid7 Cybersecurity Blog, BlackFog
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe they adopted from the Black Basta ransomware group. This shift in tactics comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering highlights the ongoing threat landscape where ransomware groups readily adapt and evolve their methods to maximize their success in breaching target networks.
The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, utilizing cURL requests to retrieve and deploy malicious payloads. This demonstrates an increasing sophistication in their approach, aimed at establishing persistent access to targeted systems and evading traditional security measures. These attacks often masquerade as legitimate communications, such as help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code. ReliaQuest's findings reveal that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or breached domains, making it difficult to distinguish malicious traffic from legitimate network activity. The affected sectors include finance, insurance, and construction. This transition towards more sophisticated and stealthy methods poses a significant challenge to organizations, as they must enhance their detection capabilities to identify and mitigate these evolving threats effectively.
research.checkpoint.com
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.
The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file. Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update.
Bill Toulas@BleepingComputer
The Texas Department of Transportation (TxDOT) is alerting the public to a significant data breach that compromised nearly 300,000 crash records. The incident, discovered on May 12th, 2025, involved unauthorized access to its Crash Records Information System (CRIS). Texas officials revealed that a hacker gained entry through a compromised user account and proceeded to download a large volume of sensitive data. This data included personally identifiable information such as names, addresses, driver's license numbers, license plate numbers, and car insurance policy numbers.
The compromised crash reports contain detailed information about individuals involved in traffic accidents, including summaries of injuries sustained during the crash and narratives of the incidents. While TxDOT is not legally obligated to notify the public, it has chosen to proactively inform those affected by sending letters to individuals whose information was included in the stolen crash reports. TxDOT immediately disabled access from the compromised account upon discovering the unusual activity and launched an investigation into the matter. The Texas Department of Public Safety is currently investigating how the breach occurred and is attempting to determine the identity of the responsible parties. TxDOT is urging individuals who may have been affected to be cautious of potential scams and fraudulent activities. Letters sent to victims advise them to be wary of unsolicited emails, texts, or calls related to past crashes, and a dedicated call line has been established to address any questions or concerns. The exposed data poses a significant risk of financial fraud and identity theft for those affected, as the compromised information can be valuable for malicious actors.
gbhackers.com
SAP has released its June 2025 Security Patch Day update, addressing a critical vulnerability in SAP NetWeaver Application Server for ABAP, identified as CVE-2025-42989. The flaw, which carries a CVSS score of 9.6, allows attackers to bypass authorization checks and escalate privileges. This could grant unauthorized access to critical system functions, allowing manipulation of application data or disruption of services. The vulnerability affects NetWeaver kernel versions 7.89, 7.93, 9.14, and 9.15, making patching an urgent priority.
SAP warns that successful exploitation of this vulnerability could critically impact the integrity and availability of affected systems. The flaw stems from a missing authorization check within the Remote Function Call (RFC) framework, which enables authenticated attackers to bypass standard authorization checks on the S_RFC object when leveraging transactional or queued RFCs under specific conditions. SAP advises immediate patching and notes that post-patch, additional S_RFC permissions may need to be assigned to certain users. Detailed guidance on identifying affected users and activating enhanced checks is provided in SAP Note #3601919. Beyond the critical NetWeaver vulnerability, SAP's June Patch Day addresses a total of 14 new vulnerabilities across multiple enterprise products. These include high-severity flaws in SAP GRC, SAP Business Warehouse, and SAP BusinessObjects BI. A serious information disclosure vulnerability in SAP GRC (CVE-2025-42982) could allow non-administrative users to initiate sensitive transactions and manipulate system credentials. A missing authorization check in SAP Business Warehouse and SAP Plug-In Basis (CVE-2025-42983) could allow authenticated users to delete arbitrary database tables, resulting in data loss. Additionally, a cross-site scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace (CVE-2025-23192) could allow attackers to execute code in the browser of unsuspecting users, risking data theft and interface manipulation.
cyberpress.org
References: Malware - Graham Cluley, bsky.app
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.
An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales. DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident.
Links
Spyware maker Paragon has severed ties with the Italian government following a dispute over an investigation into the alleged hacking of journalist Francesco Cancellato’s phone. Paragon stated that it offered its assistance to determine whether its Graphite system was used against the journalist in violation of Italian law and contractual terms. However, the Italian authorities declined Paragon’s offer to independently verify the matter, leading the company to terminate its contracts in Italy. This marks the first instance of a spyware provider publicly acknowledging ending a contract with a government client due to concerns over potential abuse.
The Italian government, through its Department of Information for Security (DIS), rejected Paragon’s proposal, deeming it an “invasive practice” that was “unverifiable in scope, results and method.” The government also expressed concerns that accepting Paragon’s help would compromise national security and expose confidential data to a foreign private company. Several Italian news outlets reported on the government's decision. The Parliamentary Committee for the Security of the Republic (COPASIR) conducted its own investigation, acknowledging that Italian intelligence services had used Paragon’s Graphite spyware to target phones belonging to civil society activists. However, the committee found no evidence that Cancellato was specifically targeted using the technology. This incident has raised questions about the use of spyware by governments and the need for greater transparency and accountability in the industry.
The Hacker News
A critical remote code execution vulnerability, CVE-2025-24016, affecting the Wazuh security platform is being actively exploited by Mirai botnets to launch distributed denial-of-service (DDoS) attacks. Akamai discovered this exploitation in late March 2025, revealing that threat actors are using this flaw to deploy Mirai botnet variants. The vulnerability, an unsafe deserialization issue, exists within the Wazuh API, specifically in how parameters within the DistributedAPI are handled.
The vulnerability stems from the deserialization of JSON data using the `as_wazuh_object` function in the `framework/wazuh/core/cluster/common.py` file. Attackers can inject malicious JSON payloads to execute arbitrary Python code remotely. CVE-2025-24016 affects Wazuh server versions 4.4.0 through 4.9.0, and has been assigned a critical CVSS score of 9.9. The flaw was patched in February 2025 with the release of Wazuh version 4.9.1, which replaced the unsafe `eval` function with `ast.literal_eval`. Akamai has observed two distinct botnets exploiting this vulnerability. In both cases, a successful exploit leads to the execution of a shell script that downloads a Mirai botnet payload from an external server. The first botnet deploys variants of LZRD Mirai, a botnet that has been active since 2023, and has also been recently used in attacks targeting GeoVision IoT devices. The second botnet delivers a Mirai variant known as Resbot (aka Resentual). Security researchers emphasize the rapidly decreasing time-to-exploit for newly published CVEs by botnet operators.
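The `eval` to `ast.literal_eval` change mentioned above is the whole fix, and the difference is easy to see in a few lines. The following is an added, simplified illustration of the bug class and not Wazuh's own `as_wazuh_object` code: a JSON decoder that rebuilds Python objects from a peer's message, where a field tagged `"__py__"` (an assumed convention for this example) holds a Python literal as a string. The unsafe variant evaluates whatever expression the sender supplies; the hardened variant accepts literals only and raises on anything else.

```python
import ast
import json

# Simplified illustration of the bug class, not Wazuh's own code. The "__py__"
# tag carrying a Python literal as a string is an assumed convention here.


def _hook_unsafe(obj):
    if "__py__" in obj:
        return eval(obj["__py__"])              # runs whatever expression the sender chose
    return obj


def _hook_safe(obj):
    if "__py__" in obj:
        # literal_eval only builds literals (numbers, strings, tuples, lists,
        # dicts, sets, booleans, None); names and calls raise ValueError.
        # It is not a sandbox against resource exhaustion, so message size
        # should still be bounded before decoding.
        return ast.literal_eval(obj["__py__"])
    return obj


def decode_unsafe(payload):
    """The pre-fix pattern: json.loads with an eval-based object hook."""
    return json.loads(payload, object_hook=_hook_unsafe)


def decode_safe(payload):
    """The fixed pattern: same hook with ast.literal_eval."""
    return json.loads(payload, object_hook=_hook_safe)


def safe_rejects(payload):
    """True if the hardened decoder refuses the payload outright."""
    try:
        decode_safe(payload)
    except (ValueError, SyntaxError):          # raised by literal_eval on non-literal input
        return True
    return False


# Constructed messages: one legitimate (a tuple literal) and one whose tagged
# field is a function call. The call is harmless here, but any expression would run.
LEGIT = json.dumps({"agent": {"__py__": "(1, 'active')"}})
EXPRESSION = json.dumps({"agent": {"__py__": "len('abcd')"}})


if __name__ == "__main__":
    print(decode_safe(LEGIT))          # {'agent': (1, 'active')}
    print(decode_unsafe(EXPRESSION))   # {'agent': 4}: the expression was executed
    print(safe_rejects(EXPRESSION))    # True
```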
Eric Geller@cybersecuritydive.com
SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.
The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. These targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs. SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and ability to disrupt adversary operations. SentinelOne recommends that more proactive steps be taken to prevent future attacks.
Sam Silverstein@cybersecuritydive.com
United Natural Foods (UNFI), a major grocery distributor serving over 30,000 stores across North America including Whole Foods Market, is grappling with disruptions to customer orders following a recent cyberattack. The company, which acts as the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5th. In response, UNFI initiated its incident response plan, proactively taking certain systems offline to contain the breach. The incident has already caused temporary disruptions to business operations, and the company anticipates these disruptions will continue as they work to restore their systems.
UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue servicing customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the cyberattack or whether any ransom demands have been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce, goods, and food products to a vast network of retailers, including major chains like Amazon, Target, and Walmart. In its most recent financial report, the company declared $8.2 billion in net sales. This cyberattack on UNFI highlights the increasing vulnerability of the food supply chain to malicious actors. The incident follows a series of recent cyberattacks affecting the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. The company's agreement to be the primary distributor for Whole Foods has been extended to May 2032.