@www.bleepingcomputer.com
//
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.
Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software. Recommended read:
References :
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community. Recommended read:
References :
Sunny Yadav@eSecurity Planet
//
Cybersecurity experts are warning of a coordinated surge in Server-Side Request Forgery (SSRF) exploitation attempts across multiple platforms. Threat intelligence firm GreyNoise reported on March 9, 2025, that approximately 400 unique IP addresses were actively involved in exploiting multiple SSRF vulnerabilities simultaneously. These attacks span several countries, including the United States, Germany, Singapore, India, Japan, and Lithuania, targeting critical systems in cloud environments and enterprise infrastructures.
This alarming trend highlights the persistent risks organizations face from evolving attack methods. The SSRF vulnerabilities being exploited include critical flaws in widely used software platforms like Zimbra Collaboration Suite (CVE-2020-7796), VMware products (CVE-2021-21973 and CVE-2021-22054), and multiple CVEs in GitLab's CE/EE versions, along with targets in DotNetNuke and Ivanti Connect Secure. GreyNoise also observed Grafana path traversal attempts preceding the SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation. Defenders should identify and disrupt early-stage activity by monitoring for reconnaissance behaviors, such as path traversal attempts, which may provide early warning signs before full-scale exploitation occurs. Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. The attacks reflect a shift from opportunistic scanning to more deliberate, coordinated campaigns that aim to breach internal systems and extract valuable data. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
References:
thecyberexpress.com
, research.kudelskisecurity.com
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Linux kernel. These flaws are actively being exploited, posing a significant risk, particularly for federal government organizations. Rapid patching is essential to mitigate the active cyber threats associated with these vulnerabilities.
The identified VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for remote code execution (RCE) and privilege escalation. Specifically, CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. The affected systems include various versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, with updated versions available to address the flaws. Recommended read:
References :
|