CyberSecurity news

FlagThis - #exploit

Bill Mann@CyberInsider //
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability lies in malicious .LNK shortcut files rigged with commands to download malware, effectively hiding malicious payloads from users. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.

Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low-priority issue that does not meet its bar for servicing. This decision comes despite the fact that the exploitation avenue has been used in an eight-year-long spying campaign, relying on hiding commands using megabytes of whitespace to bury the actual commands deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.

Recommended read:
References:
  • The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
  • ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
  • The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
  • securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
  • CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
  • BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
  • The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
  • securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
  • www.it-daily.net: Critical Windows security vulnerability discovered
  • socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
  • Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
  • Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
  • www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
  • www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
  • www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
  • Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
  • hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
  • Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
  • Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
  • Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
  • Jon Greig: Researchers at Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files. Microsoft said the report "does not meet the bar for immediate servicing".
  • Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
  • www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
  • Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
  • SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
  • Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
  • borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
  • Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
  • aboutdfir.com: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying. An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.
  • securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)

Bill Toulas@BleepingComputer //
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks so that access persists even if the added accounts are initially removed.

The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices. After the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize the Windows Management Instrumentation command-line tool (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.

Recommended read:
References:
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies' Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
  • Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
  • gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
  • securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
  • cyble.com: CISA Alerts Users of CVE-2025-24472
  • securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
  • www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
  • Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns. The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
  • chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

Pierluigi Paganini@Security Affairs //
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.

Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.

Recommended read:
References:
  • CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
  • infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
  • techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
  • securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
  • securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities.
  • Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
  • hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.

Rescana@Rescana //
Critical vulnerabilities in ServiceNow, a widely used cloud-based platform, are being actively exploited by hackers, resulting in escalated attacks. Security researchers at GreyNoise have observed a resurgence of malicious activity targeting three year-old, previously patched flaws: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. These vulnerabilities can lead to unauthorized access and potentially full database compromise if left unpatched.

Organizations that failed to apply ServiceNow patches last year are now falling victim to these exploits. Israel has been significantly impacted, with over 70% of recent malicious activity directed at systems within the country. However, attacks have also been detected in Lithuania, Japan, and Germany. Security experts urge organizations to apply the necessary patches and monitor for unusual authentication attempts, unauthorized data access logs, and unexpected server behavior.

Recommended read:
References:
  • www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
  • Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
  • www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
  • hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest

Rescana@Rescana //
Critical vulnerabilities in ServiceNow are being actively exploited, posing a significant threat, especially to systems in Israel. Three key flaws, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, have been identified and are under active attack. These vulnerabilities, some over a year old, were initially disclosed in early 2023 and patches were provided by ServiceNow. Despite the patches, exploitation activities have surged, particularly targeting Israeli systems.

These vulnerabilities allow threat actors to gain unauthorized access, potentially leading to data breaches and operational disruptions. CVE-2024-4879 is a template injection vulnerability allowing remote code execution. CVE-2024-5217 and CVE-2024-5178 involve input validation errors that can be exploited to manipulate data and bypass security controls, potentially granting full database access. Organizations that failed to apply ServiceNow patches last year are continuing to fall victim.

Recommended read:
References:
  • hackread.com: Report of attacks exploiting year-old ServiceNow flaws, with Israel being the hardest hit.
  • www.itpro.com: ServiceNow vulnerabilities and the impact on unpatched systems.
  • Rescana: Details on the critical vulnerabilities in ServiceNow being exploited, particularly in Israel.
  • www.scworld.com: The threat actors are exploiting three-year-old vulnerabilities in ServiceNow.

@thecyberexpress.com //
US cybersecurity agencies, CISA and the FBI, have issued warnings regarding the active exploitation of four critical vulnerabilities within Ivanti Cloud Service Appliances (CSA). These flaws, designated as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, are being leveraged by Chinese state-sponsored actors to breach vulnerable networks. The agencies released detailed technical information, including indicators of compromise (IOCs), highlighting that attackers are using two primary exploit chains to gain unauthorized access, execute arbitrary code, and implant webshells on victim systems.

Specifically, one exploit chain combines CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other uses CVE-2024-8963 along with CVE-2024-9379. These vulnerabilities affect Ivanti CSA versions 4.6x before 519, and versions 5.0.1 and below for CVE-2024-9379 and CVE-2024-9380. Notably, CSA version 4.6 is end-of-life and does not receive security patches, making it particularly susceptible. The agencies urge organizations to apply patches promptly and implement robust security measures to defend against these active threats, further highlighting the speed at which disclosed vulnerabilities are weaponized.

Recommended read:
References:
  • ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
  • Pyrzout :vm:: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
  • www.bleepingcomputer.com: CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
  • thecyberexpress.com: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
  • www.helpnetsecurity.com: Report on Cisco's fixes for ClamAV vulnerability and a critical Meeting Management flaw.
  • www.scworld.com: Ivanti CSA exploit chains examined in joint CISA, FBI advisory
  • CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
  • ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know – Source: www.securityweek.com
  • Pyrzout :vm:: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks – Source: cyble.com
  • securityonline.info: CISA and FBI Warn of Exploited Ivanti CSA Vulnerabilities in Joint Security Advisory
  • ciso2ciso.com: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks

@gbhackers.com //
Proof-of-concept exploit code has been released for critical vulnerabilities affecting Ivanti Endpoint Manager (EPM). Disclosed in January, these vulnerabilities allow remote, unauthenticated attackers to potentially compromise systems through credential coercion. Security firm Horizon3.ai published the exploit code and technical details on February 19, 2025, escalating the risk for organizations utilizing the Ivanti EPM platform. The vulnerabilities stem from improper validation of user input, allowing attackers to manipulate file paths and force the EPM server to authenticate to malicious SMB shares.

These vulnerabilities, identified as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, affect the WSVulnerabilityCore.dll component of Ivanti EPM. An attacker can coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially leading to a full domain compromise. The exploit chain involves credential harvesting and relay attacks.

Recommended read:
References:
  • arcticwolf.com: On 19 February 2025, Horizon3.ai published proof-of-concept (PoC) exploit code and technical details for critical Ivanti Endpoint Manager (EPM) vulnerabilities disclosed in January.
  • bsky.app: Horizon3 has published a write-up and POCs for four credential coercion vulnerabilities the company found and Ivanti patched in January. Bugs can be used by "an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks"
  • gbhackers.com: PoC Exploit Released for Ivanti EPM Vulnerabilities
  • gbhackers.com: GB Hackers Post on POC exploit for Ivanti vulnerabilities.

@ciso2ciso.com //
A fake proof-of-concept (PoC) exploit, dubbed "LDAPNightmare," is targeting cybersecurity researchers by disguising itself as a fix for the critical Microsoft LDAP vulnerability CVE-2024-49113. The attackers created a malicious repository that mimics a legitimate one, containing a fake "poc.exe" file which, when executed, deploys information-stealing malware. This malicious code steals sensitive data from the infected machine, including computer information, running processes, network details, and installed updates, sending the stolen data to a remote server controlled by the attackers.

This sophisticated attack uses a multi-stage delivery process. The initial executable drops and runs a PowerShell script that then downloads and executes another malicious script from Pastebin. The attackers have specifically targeted the Windows Lightweight Directory Access Protocol (LDAP) denial-of-service vulnerability in an attempt to exfiltrate valuable data from researchers focused on mitigating security risks. Researchers are urged to verify repository authenticity, prioritize official sources, and check for any suspicious activity to avoid falling victim to this malware.

Recommended read:
References:
  • ciso2ciso.com: Fake PoC Exploit Targets Cybersecurity Researchers with Malware – Source:hackread.com
  • hackread.com: Fake PoC Exploit Uses Microsoft Vulnerability to Target Cybersecurity Researchers with Malware
  • securityonline.info: Fake LDAPNightmare PoC Exploit Conceals Information-Stealing Malware
  • Latest from TechRadar: Security experts are being targeted with fake malware discoveries
  • Pyrzout :vm:: Fake PoC Exploit Targets Cybersecurity Researchers with Malware – Source:hackread.com
  • osint10x.com: Fake PoC Exploit Targets Cybersecurity Researchers with Malware