CyberSecurity news

FlagThis - #exploitation

@www.bleepingcomputer.com //

SimpleHelp RMM Exploits Lead to Ransomware Deployment - Threat actors are exploiting SimpleHelp RMM software vulnerabilities to gain initial access, establish persistent remote access, and potentially deploy ransomware, with observed TTPs similar to the Akira Ransomware group.
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.

Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software.

Recommended read:
References :
  • Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
  • The Hacker News: The Hacker News - Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
  • Blog: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware The post appeared first on .
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems
@Talkback Resources //

APT28 Leverages Sagerunex in Cyber Espionage - Microsoft’s MSTIC security team uncovered a cyber espionage campaign by APT group Lotus Blossom, using Sagerunex backdoor and third-party cloud services for command-and-control, while APT28 employs advanced obfuscation tactics in their HTA Trojan targeting Central Asia and Kazakhstan diplomatic relations.
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.

Recommended read:
References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
Sunny Yadav@eSecurity Planet //

SSRF Exploitation Surge Targets Critical Vulnerabilities - Cybersecurity experts warn of a coordinated surge in Server-Side Request Forgery (SSRF) exploitation attempts across multiple platforms, urging organizations to update defenses and monitor suspicious activity.
Cybersecurity experts are warning of a coordinated surge in Server-Side Request Forgery (SSRF) exploitation attempts across multiple platforms. Threat intelligence firm GreyNoise reported on March 9, 2025, that approximately 400 unique IP addresses were actively involved in exploiting multiple SSRF vulnerabilities simultaneously. These attacks span several countries, including the United States, Germany, Singapore, India, Japan, and Lithuania, targeting critical systems in cloud environments and enterprise infrastructures.

This alarming trend highlights the persistent risks organizations face from evolving attack methods. The SSRF vulnerabilities being exploited include critical flaws in widely used software platforms like Zimbra Collaboration Suite (CVE-2020-7796), VMware products (CVE-2021-21973 and CVE-2021-22054), and multiple CVEs in GitLab's CE/EE versions, along with targets in DotNetNuke and Ivanti Connect Secure. GreyNoise also observed Grafana path traversal attempts preceding the SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.

Defenders should identify and disrupt early-stage activity by monitoring for reconnaissance behaviors, such as path traversal attempts, which may provide early warning signs before full-scale exploitation occurs. Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. The attacks reflect a shift from opportunistic scanning to more deliberate, coordinated campaigns that aim to breach internal systems and extract valuable data.

Recommended read:
References :
  • securityaffairs.com: Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities
  • eSecurity Planet: SSRF Exploitation Surge Highlights Evolving Cyberthreats
  • The GreyNoise Blog: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
  • GreyNoise: řŸš¨ 400+ Malicious IPs Targeting SSRF Vulnerabilities. We have detected a coordinated surge in SSRF exploitation, with attackers systematically targeting multiple CVEs across different platforms.
  • Security Risk Advisors: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
Ashish Khaitan@The Cyber Express //

CISA Updates KEV Catalog with Critical Vulnerabilities - CISA updated its KEV Catalog, adding critical vulnerabilities in VMware ESXi and Linux kernel that are actively exploited, posing a significant risk, particularly for federal government organizations.
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Linux kernel. These flaws are actively being exploited, posing a significant risk, particularly for federal government organizations. Rapid patching is essential to mitigate the active cyber threats associated with these vulnerabilities.

The identified VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for remote code execution (RCE) and privilege escalation. Specifically, CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. The affected systems include various versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, with updated versions available to address the flaws.

Recommended read:
References :

Posts

Blogs

Research Tools