@cyberalerts.io
//
The United States has indicted a 36-year-old Yemeni national, Rami Khaled Ahmed of Sana'a, believed to be the developer and primary operator of the 'Black Kingdom' ransomware. The charges stem from approximately 1,500 attacks conducted against Microsoft Exchange servers globally. Ahmed is accused of deploying the Black Kingdom malware on these systems between March 2021 and June 2023, targeting businesses, schools, and hospitals within the U.S. and elsewhere. He faces one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer.
The attacks exploited a set of Microsoft Exchange Server vulnerabilities collectively known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). This allowed Ahmed and his co-conspirators to gain access to vulnerable networks, encrypt data, or claim to have stolen information. Victims were then instructed to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator as ransom for decryption, and were allegedly asked to send proof of payment to a Black Kingdom email address.
Cybersecurity experts described Black Kingdom ransomware as somewhat rudimentary, characterizing the attacker as a "motivated script-kiddie" leveraging ProxyLogon to deploy web shells and PowerShell commands. The indictment underscores the ongoing cybersecurity challenges posed by ransomware and highlights the importance of patching vulnerabilities promptly to prevent exploitation. If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The FBI, with assistance from the New Zealand Police, is conducting the investigation.
Recommended read:
References:
- bsky.app: Bsky.app Post on the Black Kingdom Ransomware Indictment
- The DefendOps Diaries: The DefendOpsDiaries: The Indictment of a Black Kingdom Ransomware Administrator: A Turning Point in Cybersecurity
- thehackernews.com: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems
- www.bleepingcomputer.com: BleepingComputer article on US indicting Black Kingdom Ransomware admin
- DataBreaches.Net: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
- BleepingComputer: A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers.
- BleepingComputer: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
- Talkback Resources: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems [exp] [mal]
- The Hacker News: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems
- securebulletin.com: US indicts Black Kingdom ransomware operator: technical analysis of ProxyLogon exploitation and law enforcement response
- www.scworld.com: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
- Secure Bulletin: US indicts Black Kingdom ransomware operator: technical analysis of ProxyLogon exploitation and law enforcement response
- securityaffairs.com: US authorities have indicted Black Kingdom ransomware admin
- bsky.app: Risky Biz podcast/newsletter covering the charges against the Black Kingdom ransomware operator
- databreaches.net: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
- securityonline.info: SecurityOnline article about the indictment.
- Daily CyberSecurity: Yemeni National Indicted for Black Kingdom Ransomware Attacks
- Threats | CyberScoop: Federal prosecutors indict alleged head of Black Kingdom ransomware
- cyberscoop.com: Federal prosecutors indict alleged head of Black Kingdom ransomware
- www.scworld.com: Alleged Black Kingdom hacker indicted over massive Exchange Server breach
@cloud.google.com
//
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.
Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices.
Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.
Recommended read:
References:
- Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
- securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
- techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
- The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
- CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
- The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
- cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
- securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
- BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
- www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
- thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
- cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
- socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
- Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products
@www.bleepingcomputer.com
//
Fortinet has issued critical fixes following the discovery of a new method employed by cyber attackers to maintain access to FortiGate devices, even after patches were applied. The attackers are exploiting vulnerabilities such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015, creating a symlink that connects the user filesystem to the root filesystem within a folder used for SSL-VPN language files. This allows attackers to quietly read configuration files without triggering standard detection mechanisms. If SSL-VPN has never been enabled on a device, it is not affected by this vulnerability.
Fortinet has responded by launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to automatically detect and remove the symbolic link. Multiple updates have been released across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Customers are strongly advised to update their instances to these FortiOS versions, review device configurations, and treat all configurations as potentially compromised, taking appropriate recovery steps.
The Shadowserver Foundation reports that over 16,000 internet-exposed Fortinet devices have been compromised with this new symlink backdoor. This backdoor grants read-only access to sensitive files on previously compromised devices. CISA has also issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. This incident underscores a worrying trend where attackers are designing backdoors to survive even updates and factory resets, highlighting the need for organizations to prioritize rapid patching and proactive security measures.
Recommended read:
References:
- Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
- gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
- systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
- dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
- thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
- www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
- cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
- cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
- hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
- gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
- Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
- Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
- gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
- securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
- OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
- cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
- cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
- Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
- securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
- fortiguard.fortinet.com: FG-IR-24-435
@securityonline.info
//
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.
This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.
WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts originated from two IP addresses: 2a01:e5c0:3167::2 (IPv6) and 89.169.15.201 (IPv4).
Recommended read:
References:
- securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
- BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
- thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
- bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
- www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
- gbhackers.com: GBHackers article on WordPress Plugin Rogue Account-Creation Flaw Leaves 100K WordPress Sites Exposed.
- Cyber Security News: Rogue User-Creation Bug Exposes 100,000 WordPress Sites to Takeover
- thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
- gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
- securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
- ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
- Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation
David Jones@cybersecuritydive.com
//
DrayTek router owners across the globe experienced widespread connectivity issues recently as their devices became stuck in reboot loops. Internet service providers worldwide have alerted their customers to the problem, which began on Saturday night, affecting multiple DrayTek router models. The affected routers would intermittently lose connectivity and enter a boot loop, rendering them inoperable and disrupting internet services.
The root cause of the reboot loops is believed to be either attacks exploiting unspecified vulnerabilities or a buggy software update pushed by DrayTek. Some experts suggest that the problem may stem from existing vulnerabilities that customers have neglected to patch. In addition, GreyNoise has observed in-the-wild activity against several known vulnerabilities in DrayTek devices: CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124.
To address the issue, users experiencing unexpected disconnections are advised to disconnect the WAN cable, log into the router's Web UI, and check the system uptime. DrayTek recommends checking the firmware version, ensuring that the latest version is installed, and disabling remote access if it is enabled unless it is absolutely necessary. Users can view the router logs and debug logs to identify potential causes of the reboot.
Recommended read:
References:
- BleepingComputer: Many Internet service providers (ISPs) worldwide are alerting customers of an outage that started Saturday night and triggered DrayTek router connectivity problems.
- V is for...: "Since 21:30 yesterday evening we have witnessed an unusually high volume of session drops, primarily impacting BT Wholesale and TalkTalk broadband sessions. The cause has been narrowed down to vulnerable firmware versions on Draytek routers." Shock horror. Draytek suck.
- BleepingComputer: DrayTek routers worldwide go into reboot loops over weekend
- The Register - Security: Hm, why are so many DrayTek routers stuck in a bootloop?
- The DefendOps Diaries: Understanding the DrayTek Router Reboot Loop Crisis
- bsky.app: This looks like some threat actor tried to exploit vulnerabilities in DrayTek Vigor routers.
- The GreyNoise Blog: Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
- GreyNoise: GreyNoise is bringing awareness to in-the-wild activity against multiple known vulnerabilities in DrayTek devices.
- www.cybersecuritydive.com: DrayTek routers face active exploitation of older vulnerabilities
- securityonline.info: Recent reports have highlighted widespread issues with DrayTek routers, including numerous reboots in the UK and Australia, and
- The Hacker News: CISA Flags Two Six-Year-Old Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices
- Risky Business Media: Ukraine’s state railway hit by a cyberattack, a ransomware attack reduces Malaysia’s largest airport to writing flight details on a whiteboard, buggy exploits put DrayTek routers in a reboot loop, and the NIST CVE backlog grows bigger despite efforts to address it.
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow, a widely used cloud-based platform, are being actively exploited by hackers, resulting in escalated attacks. Security researchers at GreyNoise have observed a resurgence of malicious activity targeting three year-old, previously patched flaws: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. These vulnerabilities can lead to unauthorized access and potentially full database compromise if left unpatched.
Organizations that failed to apply ServiceNow patches last year are now falling victim to these exploits. Israel has been significantly impacted, with over 70% of recent malicious activity directed at systems within the country. However, attacks have also been detected in Lithuania, Japan, and Germany. Security experts urge organizations to apply the necessary patches and monitor for unusual authentication attempts, unauthorized data access logs, and unexpected server behavior.
Recommended read:
References:
- www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
- Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
- www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
- hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow are being actively exploited, posing a significant threat, especially to systems in Israel. Three key flaws, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, have been identified and are under active attack. These vulnerabilities, some over a year old, were initially disclosed in early 2023 and patches were provided by ServiceNow. Despite the patches, exploitation activities have surged, particularly targeting Israeli systems.
These vulnerabilities allow threat actors to gain unauthorized access, potentially leading to data breaches and operational disruptions. CVE-2024-4879 is a template injection vulnerability allowing remote code execution. CVE-2024-5217 and CVE-2024-5178 involve input validation errors that can be exploited to manipulate data and bypass security controls, potentially granting full database access. Organizations that failed to apply ServiceNow patches last year are continuing to fall victim.
Recommended read:
References:
- hackread.com: Report of attacks exploiting year-old ServiceNow flaws, with Israel being the hardest hit.
- www.itpro.com: ServiceNow vulnerabilities and the impact on unpatched systems.
- Rescana: Details on the critical vulnerabilities in ServiceNow being exploited, particularly in Israel.
- www.scworld.com: The threat actors are exploiting three-year-old vulnerabilities in ServiceNow.
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
Recommended read:
References:
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
Bill Mann@CyberInsider
//
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.
The attacks leverage hidden command-line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families such as Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low-severity user-interface misrepresentation and does not plan to release a fix.
Recommended read:
References:
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability lies in malicious .LNK shortcut files rigged with commands to download malware, effectively hiding malicious payloads from users. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low-priority issue that does not meet its bar for servicing. This decision comes despite the exploitation avenue having been used in an eight-year-long spying campaign; the technique hides commands behind megabytes of whitespace so that the actual commands are buried out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
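Both Windows shortcut summaries above describe arguments hidden behind whitespace padding in .LNK files (ZDI-CAN-25373). The following Python is an added example, not code from the page, Trend Micro, ZDI or Logpoint: it parses the StringData section of a shortcut according to the MS-SHLLINK layout and flags arguments that contain a long run of padding characters. The 64-character run threshold and the fixture builder are assumptions made for this demonstration.

```python
"""Detect whitespace-padded COMMAND_LINE_ARGUMENTS in Windows .LNK files (the
ZDI-CAN-25373 technique). Layout per MS-SHLLINK; fixture builder is for tests only."""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields in the order the file stores them.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Whitespace characters usable as padding: space, tab, LF, VT, FF, CR.
PADDING_CHARS = " \t\n\x0b\x0c\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file keyed by name."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) then IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        nbytes = count * 2 if is_unicode else count  # no NUL terminator
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} field")
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252")
    return fields


def longest_padding_run(text: str) -> tuple:
    """(length, end offset) of the longest run of padding characters in text."""
    longest = run = end = 0
    for i, ch in enumerate(text):
        run = run + 1 if ch in PADDING_CHARS else 0
        if run > longest:
            longest, end = run, i + 1
    return longest, end


def scan_lnk(data: bytes, min_run: int = 64) -> dict:
    """Parse a .LNK and report whether its arguments look whitespace-padded.
    min_run is an assumed triage threshold, not a value from the advisory."""
    args = parse_lnk_strings(data).get("arguments", "")
    run, end = longest_padding_run(args)
    suspicious = run >= min_run
    return {
        "arguments": args,
        "longest_padding_run": run,
        "suspicious": suspicious,
        "hidden_suffix": args[end:] if suspicious else "",  # text after the padding
    }


def build_test_lnk(arguments: str) -> bytes:
    """Constructed minimal .LNK fixture (not a real sample): header, an empty
    IDList, no LinkInfo and one Unicode COMMAND_LINE_ARGUMENTS string."""
    if len(arguments) > 0xFFFF:
        raise ValueError("CountCharacters is a 16-bit field")
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20,  # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0, 0, 0, 1,  # three FILETIMEs, FileSize, IconIndex, SW_SHOWNORMAL
        0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize 2: TerminalID only
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + id_list + string_data
```

To triage a collected shortcut, call `scan_lnk(open(path, "rb").read())` and review `hidden_suffix`, which holds the part of the arguments that follows the longest padding run.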
Recommended read:
References:
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- BleepingComputer: At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- Sam Bent: Microsoft Windows Zero-Day Used by Nation-States
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
- www.trendmicro.com: Trend Zero Day Initiative™ (ZDI) uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying. An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
Bill Toulas@BleepingComputer
//
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access even if the added accounts are initially removed.
The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices. After the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize the Windows Management Instrumentation command-line tool (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.
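As an added example (not from the article or from Fortinet), a small detection pass over constructed FortiGate-style event logs that flags the post-exploitation steps described above: new administrator accounts, edited automation tasks, and new local VPN users. The key="value" layout and the field names cfgpath, cfgobj, action, user and ui are assumptions about the log format, as are all sample values.

```python
import re

# Constructed sample lines in a FortiGate-style key="value" event-log layout.
# Field names (cfgpath, cfgobj, action, user, ui) and all values are assumptions.
SAMPLE_LOGS = """\
date=2025-02-02 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.7)" msg="Administrator admin logged in successfully"
date=2025-02-02 type="event" subtype="system" action="Add" user="admin" ui="https(203.0.113.7)" cfgpath="system.admin" cfgobj="forticloud-tech" msg="Add system.admin forticloud-tech"
date=2025-02-02 type="event" subtype="system" action="Edit" user="admin" ui="https(203.0.113.7)" cfgpath="system.automation-stitch" cfgobj="daily-backup" cfgattr="action[-> run-script]" msg="Edit system.automation-stitch daily-backup"
date=2025-02-02 type="event" subtype="system" action="Add" user="admin" ui="https(203.0.113.7)" cfgpath="user.local" cfgobj="vpnsvc" msg="Add user.local vpnsvc"
date=2025-02-02 type="event" subtype="system" action="Edit" user="netops" ui="ssh(10.0.0.5)" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fortigate_line(line):
    """Parse one key=value / key="value" log line into a dict of strings."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in KV_RE.finditer(line)
    }

# Config paths whose modification matches the behaviour described in the article:
# new admin accounts, changed automation tasks (persistence), new local/VPN users.
WATCHED_CFGPATHS = {
    "system.admin": "new or changed administrator account",
    "system.automation-stitch": "automation task modified (persistence)",
    "user.local": "new or changed local/VPN user",
}

def find_superblack_indicators(log_text):
    """Return (cfgobj, reason, source_ui) for every watched config change.

    Only Add/Edit actions are considered; logins and unrelated config
    paths (e.g. firewall.policy) are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_fortigate_line(line)
        if rec.get("action") not in {"Add", "Edit"}:
            continue
        reason = WATCHED_CFGPATHS.get(rec.get("cfgpath"))
        if reason:
            hits.append((rec.get("cfgobj", ""), reason, rec.get("ui", "")))
    return hits

if __name__ == "__main__":
    for obj, reason, ui in find_superblack_indicators(SAMPLE_LOGS):
        print(f"{reason}: {obj} (changed via {ui})")
```

Correlating these events with the source interface (here the https(...) address) against your known administrator sources is what turns a hit into an alert worth paging on.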
Recommended read:
References :
- The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
- BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
- Industrial Cyber: Researchers from Forescout Technologies' Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
- The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
- www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
- Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
- securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
- www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
- techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
- Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
- Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
- gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
- securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
- cyble.com: CISA Alerts Users of CVE-2025-24472
- securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
- www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
- : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns. The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
- chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25
@gbhackers.com
//
Proof-of-concept exploit code has been released for critical vulnerabilities affecting Ivanti Endpoint Manager (EPM). Disclosed in January, these vulnerabilities allow remote, unauthenticated attackers to potentially compromise systems through credential coercion. Security firm Horizon3.ai published the exploit code and technical details on February 19, 2025, escalating the risk for organizations utilizing the Ivanti EPM platform. The vulnerabilities stem from improper validation of user input, allowing attackers to manipulate file paths and force the EPM server to authenticate to malicious SMB shares.
These vulnerabilities, identified as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, affect the WSVulnerabilityCore.dll component of Ivanti EPM. An attacker can coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially leading to a full domain compromise. The exploit chain involves credential harvesting and relay attacks.
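As an added illustration of the bug class described above (this is not Ivanti's code and not the vendor's actual fix), a server-side check that refuses user-supplied file paths which point at UNC or Win32 device paths or escape an allowed directory, so the server never opens a connection to an attacker-chosen SMB share. The allowed base directory is an assumption; ntpath is used so the check runs on any platform.

```python
import ntpath

# Assumed allowed directory for user-influenced file paths (illustrative only).
ALLOWED_BASE = r"C:\ProgramData\ExampleServer\Reports"

def is_safe_local_path(user_path, base=ALLOWED_BASE):
    """Accept only absolute drive-letter paths that stay inside `base`.

    Rejects UNC paths (\\\\host\\share, //host/share), Win32 device paths
    (\\\\?\\..., \\\\.\\...), drive-relative and relative paths, other drives,
    and traversal that escapes `base`. A UNC path here is what would make
    the server authenticate outbound over SMB to a host the caller picked.
    """
    if not user_path or "\x00" in user_path:
        return False
    norm = ntpath.normpath(user_path)          # also maps '/' to '\\'
    drive, _ = ntpath.splitdrive(norm)
    # UNC and device paths both begin with two separators after normalization;
    # an empty drive means the path is relative.
    if norm.startswith("\\\\") or not drive:
        return False
    base_norm = ntpath.normpath(base)
    try:
        # commonpath compares case-insensitively and raises ValueError for
        # different drives or mixed absolute/relative paths.
        return ntpath.commonpath([base_norm, norm]) == base_norm
    except ValueError:
        return False

if __name__ == "__main__":
    for p in (r"C:\ProgramData\ExampleServer\Reports\q1.pdf",
              r"\\203.0.113.7\share\q1.pdf",
              r"C:\ProgramData\ExampleServer\Reports\..\..\..\Windows\win.ini"):
        print(f"{'ALLOW' if is_safe_local_path(p) else 'REJECT'}  {p}")
```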
Recommended read:
References :
- arcticwolf.com: On 19 February 2025, Horizon3.ai published proof-of-concept (PoC) exploit code and technical details for critical Ivanti Endpoint Manager (EPM) vulnerabilities disclosed in January.
- bsky.app: Horizon3 has published a write-up and POCs for four credential coercion vulnerabilities the company found and Ivanti patched in January. Bugs can be used by "an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks"
- gbhackers.com: PoC Exploit Released for Ivanti EPM Vulnerabilities
- gbhackers.com: GB Hackers Post on POC exploit for Ivanti vulnerabilities.