CyberSecurity news

FlagThis - #enterprises

Julian Tuin@Arctic Wolf //
A critical vulnerability, identified as CVE-2025-23120, has been discovered in Veeam Backup & Replication software. This flaw allows authenticated domain users to execute remote code, potentially leading to the compromise of enterprise backup infrastructures. The vulnerability affects versions 12, 12.1, 12.2, and 12.3 of Veeam Backup & Replication and has been assigned a CVSS score of 9.9, indicating a critical severity. The issue was reported by Piotr Bazydlo of watchTowr and highlights the importance of community engagement in addressing security issues.

Veeam has addressed this vulnerability in version 12.3.1 (build 12.3.1.1139), and users are strongly urged to apply the patch immediately. The vulnerability specifically impacts domain-joined backup servers, a configuration that Veeam's Security & Compliance Best Practices advise against. It is imperative for organizations to prioritize updates to ensure their systems remain secure. The company also emphasizes its commitment to customer security through a Vulnerability Disclosure Program and rigorous internal code audits.

Recommended read:
References :
  • gbhackers.com: Critical Veeam Backup & Replication Vulnerability Allows Remote Execution of Malicious Code
  • securityonline.info: CVE-2025-23120 (CVSS 9.9): Critical RCE Vulnerability Discovered in Veeam Backup & Replication
  • Help Net Security: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)
  • www.redhotcyber.com: Critical vulnerability with a 9.9 score in Veeam Backup & Replication that allows RCE
  • borncity.com: Warning for users of Veeam Backup & Replication. Vendor Veeam has informed its customers on March 19, 2025 about a Remote Code Execution (RCE) vulnerability CVE-2025-23120 in various versions of the mentioned product. It can be abused in domain joined
  • Vulnerability-Lookup: You can now share your thoughts on vulnerability CVE-2025-23120 in Vulnerability-Lookup: Veeam - Backup and Recovery
  • Rescana: Urgent Alert: CVE-2025-23120 Vulnerability in Veeam Backup & Replication Risks RCE Exploitation
  • The DefendOps Diaries: Understanding and Mitigating the CVE-2025-23120 Vulnerability in Veeam Backup & Replication
  • Security Affairs: Veeam fixed critical Backup & Replication flaw CVE-2025-23120
  • socradar.io: Critical Veeam Vulnerability (CVE-2025-23120) Enables Remote Code Execution by Domain Users
  • Arctic Wolf: CVE-2025-23120: Critical Remote Code Execution Vulnerability in Veeam Backup & Replication
  • Blog: Another critical deserialization flaw found in Veeam backup
  • www.bleepingcomputer.com: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...]
  • Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120). By Executive Order I hereby BAN deserialization issues. I don't know how many god damned times I've read about how critical software vulnerabilities have been rooted in deserialization issues, and here we go again. Thanks watchTowr for an entertaining read. Summary: This research details two Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication (CVE-2025-23120) discovered by watchTowr Labs. The vulnerabilities exploit deserialization flaws in Veeam's codebase, specifically targeting the product's reliance on blacklist-based security mechanisms rather than proper whitelisting. The researchers demonstrate how any domain user can exploit these vulnerabilities when the Veeam server is joined to an Active Directory domain, potentially allowing complete system compromise. The vulnerabilities were responsibly disclosed to Veeam, who patched them by simply adding the discovered gadget classes to their blacklist, a solution the researchers criticize as inadequate and likely to lead to similar vulnerabilities in the future.
  • MSSP feed for Latest: Veeam patches critical Backup & Replication flaw CVE-2025-23120
  • www.techradar.com: Researchers criticize the way Veeam handled deserialization flaws.
  • Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
  • bsky.app: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
  • Security Risk Advisors: Critical RCE in #Veeam Backup & Replication (CVE-2025-23120) lets domain users run rogue code.
  • research.kudelskisecurity.com: A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120, has emerged as a critical threat for enterprise environments. This flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
  • www.sentinelone.com: A newly disclosed vulnerability, tracked as CVE-2025-23120, affecting Veeam Backup & Replication, enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
  • Cyber Security News: CyberPress : Veeam RCE Vulnerability Allows Domain Users to Compromise Backup Servers
  • www.scworld.com: Veeam patches critical 9.9 flaw in backup and replication product
  • www.csoonline.com: A critical remote code execution flaw patched in Veeam backup servers
  • Arctic Wolf: On March 19, 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software.
  • Help Net Security: Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware
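
Several of the references above (the watchTowr write-up summarized by Christoffer S., TechRadar) describe the root cause as deserialization guarded by a blacklist of known gadget classes, patched by adding the newly found classes to that list. The Python below is an added illustration, not code from Veeam or from the researchers: it contrasts a blocklist-based unpickler with an allowlist-based one, using a constructed, harmless stand-in "gadget" function; the blocklist and allowlist entries are assumptions.

```python
import io
import pickle

# Constructed stand-in for a deserialization gadget: a harmless function that
# only records that the unpickler executed code on its behalf.
CALLS = []

def gadget(tag):
    CALLS.append(tag)
    return tag

class Gadget:
    # __reduce__ is the hook gadget chains rely on: "call this callable on load".
    def __reduce__(self):
        return (gadget, ("gadget ran",))

# Assumed reactive blocklist: only names someone has already seen abused.
BLOCKLIST = {("os", "system"), ("subprocess", "Popen")}
# Assumed allowlist: the only globals the application actually needs.
ALLOWLIST = {("builtins", "dict"), ("builtins", "list"),
             ("builtins", "str"), ("builtins", "int")}

class BlocklistUnpickler(pickle.Unpickler):
    """Rejects known-bad globals; anything not yet listed is resolved and run."""
    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)

class AllowlistUnpickler(pickle.Unpickler):
    """Resolves only explicitly approved globals; everything else is an error."""
    def find_class(self, module, name):
        if (module, name) in ALLOWLIST:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"not allowlisted: {module}.{name}")

def load_with(unpickler_cls, data):
    """Return (value, None) on success or (None, error message) on rejection."""
    try:
        return unpickler_cls(io.BytesIO(data)).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)

def demo():
    """Feed a benign payload and the stand-in gadget to both unpicklers."""
    benign = pickle.dumps({"job": "backup", "retries": 3})   # constructed input
    gadget_blob = pickle.dumps(Gadget())                      # constructed input
    results = {}
    CALLS.clear()
    results["blocklist_benign"] = load_with(BlocklistUnpickler, benign)
    results["blocklist_gadget"] = load_with(BlocklistUnpickler, gadget_blob)
    results["calls_after_blocklist"] = list(CALLS)   # gadget slipped through
    CALLS.clear()
    results["allowlist_benign"] = load_with(AllowlistUnpickler, benign)
    results["allowlist_gadget"] = load_with(AllowlistUnpickler, gadget_blob)
    results["calls_after_allowlist"] = list(CALLS)   # nothing executed
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The blocklist lets the unlisted gadget execute while the allowlist rejects it without knowing anything about it, which is the design point the researchers make.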

cybernewswire@The Last Watchdog //
Palo Alto, USA, March 29, 2025 - SquareX has disclosed a new form of ransomware that operates natively within web browsers and is undetectable by traditional antivirus software. This browser-native ransomware poses a significant threat to enterprises, potentially putting millions at risk. The disclosure comes as ransomware continues to be a major cybersecurity concern, with Chainalysis estimating that corporations spend nearly $1 billion annually on ransom payments alone. The true cost, however, is often much higher due to reputational damage and operational disruption.

SquareX's research highlights that unlike traditional ransomware, this new variant does not require victims to download and install malicious files. Instead, it targets the user's digital identity, exploiting the increasing reliance on cloud-based enterprise storage and browser-based authentication. SquareX founder, Vivek Ramachandran, warns that the rise in browser-based identity attacks indicates that the "ingredients" for browser-native ransomware are already being used by adversaries. He emphasizes the need for browser-native solutions to combat this emerging threat, as traditional endpoint security measures are ineffective against these attacks.

Recommended read:
References :
  • gbhackers.com: SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk
  • hackread.com: SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk
  • The Last Watchdog: News alert: SquareX discloses nasty browser-native ransomware that’s undetectable by antivirus
  • NextBigFuture.com: Palo Alto, USA, 29th March 2025, CyberNewsWire
  • thehackernews.com: SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk
  • Daily CyberSecurity: SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk
  • hackernoon.com: Ransomware attacks typically involve tricking victims into downloading and installing the ransomware, which copies, encrypts, and/or deletes critical data on the device, only to be restored upon the ransom payment.
  • Cyber Security News: SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk
  • ciso2ciso.com: SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk
  • ciso2ciso.com: News alert: SquareX discloses nasty browser-native ransomware that’s undetectable by antivirus – Source: www.lastwatchdog.com
  • securityboulevard.com: News alert: SquareX discloses nasty browser-native ransomware that’s undetectable by antivirus
  • www.scworld.com: Significant enterprise data compromise could be facilitated by browser-native ransomware attacks, which set sights on users' digital identities and exploit the increasing adoption of cloud-based enterprise storage instead of depending on the execution of malicious files, SiliconAngle reports.

Matt Kapko@CyberScoop //
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.

This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments.

Recommended read:
References :
  • Threats | CyberScoop: Identity lapses ensnared organizations at scale in 2024
  • SiliconANGLE: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
  • www.scworld.com: Sixty percent of cybersecurity incidents around the world last year were identity-based intrusions, with identity targeting being prominent across all attack stages, SiliconAngle reports.

@www.networkworld.com //
Versa Networks has launched its Sovereign SASE platform, presenting a new option for enterprises and service providers seeking greater control over their network security. This solution allows organizations to deploy a SASE platform within their own on-premises or private cloud environments, moving away from the traditional cloud-only security model. Versa's Sovereign SASE is designed to run entirely on customer-controlled infrastructure, offering a "do-it-yourself" model for customized networking and security services.

Increased privacy and control, reduced risk of service disruption, and eased regulatory compliance are key benefits. The platform enables organizations to build and manage their SASE environment on their own infrastructure, ensuring greater autonomy and data protection. By eliminating reliance on third-party SaaS platforms, Versa Sovereign SASE reduces operational risks and costs tied to unplanned outages, strengthening business continuity. The "air-gapped" infrastructure also simplifies meeting strict requirements for regulatory compliance, data residency, and security.

Recommended read:
References :
  • @VMblog: Versa Redefines SASE with Industry-First Sovereign SASE for Enterprises and Service Providers
  • Help Net Security: Versa Sovereign SASE enables organizations to create self-protecting networks
  • www.networkworld.com: Versa Networks launches sovereign SASE, challenging cloud-only security model
  • www.helpnetsecurity.com: Versa releases Versa Sovereign SASE, allowing enterprises, governments, and service providers to deploy customized networking and security services directly from their own infrastructure in a “do-it-yourself” model.

Zimperium@Zimperium //
Zimperium, a mobile security firm, has issued a warning about the persistent and evolving threat that rooted and jailbroken mobile devices pose to enterprises. Their recent report highlights that these compromised devices, which bypass security protocols, make organizations increasingly vulnerable to mobile malware, data breaches, and full system compromises. According to Zimperium's research, rooted Android devices are significantly more susceptible to security incidents, with a 3.5 times greater likelihood of malware attacks and a staggering 250 times higher risk of system compromise.

Rooting and jailbreaking, originally used for device customization, grant users full control but remove crucial security protections. They allow installing apps from unverified sources, disabling security features, and modifying system files, making such devices prime targets for cybercriminals. Hackers are continuously developing sophisticated toolkits, such as Magisk and APatch, to hide their presence and evade detection. These tools employ techniques like "systemless" rooting and on-the-fly kernel memory modification, making it increasingly difficult for security researchers to identify compromised devices before damage is done, which underscores the need for constant monitoring and updated security measures.

Recommended read:
References :
  • hackread.com: A new Zimperium report reveals that rooted Android phones and jailbroken iOS devices face growing threats, with advanced toolkits making detection nearly impossible for cybersecurity researchers.
  • www.scworld.com: Rooted, jailbroken mobile devices pose security risk to organizations
  • Zimperium: Zimperium warns that mobile rooting and jailbreaking remain a persistent and evolving threat to enterprises worldwide.
  • ai-techpark.com: AI-TechPark : Zimperium Warns of Ongoing Threats from Rooting, Jailbreaking

@cyberalerts.io //
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havoc post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic obfuscates command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.

The attack starts with a phishing email carrying an HTML attachment. When opened, the attachment displays a fake error message that uses the ClickFix technique to trick users into copying a malicious PowerShell command and running it in a terminal or PowerShell window, which triggers the next stage. The command downloads and executes a PowerShell script hosted on an attacker-controlled server. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script that serves as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host.

Recommended read:
References :
  • bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • thehackernews.com: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
  • BleepingComputer: BleepingComputer post about a new ClickFix phishing campaign.
  • Anonymous: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices.
  • Talkback Resources: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites [social] [mal]
  • Virus Bulletin: Virus Bulletin covers campaign combining ClickFix & multi-stage malware to deploy a modified Havoc Demon Agent.
  • Email Security - Blog: Cyber security researchers have discovered a new and sophisticated cyber attack campaign that’s predicated on social engineering and remote access tool use.

toddrweiss@gmail.com (Todd R. Weiss)@Blog (Main) //
The push to treat compliance as cybersecurity is under scrutiny, as risk management risks becoming a simple checkbox exercise. While compliance with standards is vital, it does not guarantee complete protection against threats. Experts like Chris Hughes, CEO of Aquia, view compliance as a starting point for making cybersecurity a priority. He argues it is a major factor in prompting organizations to invest in security, especially since the impact of cyberattacks on share prices is often minimal. Compliance remains an essential goal for enterprises seeking stronger cybersecurity.

However, there is growing concern that the emphasis on compliance is shifting power from security professionals to legal departments. This trend is further fueled by the SEC's recent push for disclosure by public companies and by guidelines from CISA. A recent blog post cited by Hughes argues that this compliance-as-security trend means "that the future of security will be defined by lawyers, not security practitioners." Research has also shown that cybersecurity is becoming increasingly intertwined with legal issues. The move towards compliance should not overshadow the sound security practices needed to manage cybersecurity.

Recommended read:
References :
  • ciso2ciso.com: Compliance as cybersecurity: A reality check on checkbox risk management – Source: securityboulevard.com
  • malware.news: Compliance as cybersecurity: A reality check on checkbox risk management
  • Security Boulevard: Compliance as cybersecurity: A reality check on checkbox risk management
  • Pyrzout :vm:: Compliance as cybersecurity: A reality check on checkbox risk management – Source: securityboulevard.com