@www.bleepingcomputer.com
Attackers are actively exploiting a deserialization vulnerability, tracked as CVE-2025-0994, in Trimble's Cityworks Server AMS. The flaw allows remote code execution on the Microsoft IIS web servers that host the application. Once attackers gain the ability to execute commands remotely, they deploy Cobalt Strike beacons to establish initial access to the network. Cityworks is used primarily by local governments, utilities, and public works organizations for asset and work order management.
CISA has added the Cityworks vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply the available updates and hunt for indicators of compromise. Separately, Microsoft has warned of code injection attacks that abuse publicly disclosed ASP.NET machine keys, which can lead to delivery of the Godzilla post-exploitation framework. Microsoft advises against copying machine keys from publicly available resources: such keys pose a greater risk than stolen keys because they sit in multiple public code repositories and are available to anyone.
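The machine-key warning above is something a defender can check for mechanically. The following is an added example, not code from BleepingComputer or Microsoft: it parses a web.config, reports whether the `<machineKey>` values are auto-generated or explicit, and fingerprints explicit keys so they can be compared against a blocklist of hashes. The sample config and the blocklist are constructed for this example; a real deployment would compare against the vendor's published hash list, not the placeholder set used here.

```python
"""Audit ASP.NET <machineKey> settings and flag keys that match a blocklist of known-public keys."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config (hypothetical values, not from any real deployment).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed config that relies on auto-generated keys instead of explicit ones.
SAMPLE_WEB_CONFIG_AUTOGEN = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""


def key_fingerprint(hex_key):
    """SHA-256 over the normalized (upper-cased, trimmed) key so case differences do not hide a match."""
    return hashlib.sha256(hex_key.strip().upper().encode()).hexdigest()


# Placeholder blocklist: in practice this would hold hashes of publicly disclosed keys.
# Here it is constructed from the sample decryptionKey purely so the example shows a hit.
KNOWN_PUBLIC_KEY_HASHES = {key_fingerprint("0F1E2D3C4B5A69788796A5B4C3D2E1F0")}


def audit_machine_keys(config_xml):
    """Return (attribute, status, fingerprint) for every key attribute on each <machineKey>."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")  # ASP.NET default when the attribute is absent
            if value.startswith("AutoGenerate"):
                findings.append((attr, "auto-generated", None))
                continue
            fp = key_fingerprint(value)
            status = "KNOWN PUBLIC KEY" if fp in KNOWN_PUBLIC_KEY_HASHES else "explicit key (not in blocklist)"
            findings.append((attr, status, fp))
    return findings


if __name__ == "__main__":
    for name, cfg in (("explicit", SAMPLE_WEB_CONFIG), ("autogen", SAMPLE_WEB_CONFIG_AUTOGEN)):
        for attr, status, fp in audit_machine_keys(cfg):
            print(f"{name}: {attr}: {status}" + (f" [{fp[:16]}...]" if fp else ""))
```

Hashing rather than storing raw keys lets the blocklist be shared without itself becoming a source of reusable key material; the normalization step matters because the same key copied with different letter case would otherwise slip past an exact-match comparison.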
@The Hacker News (info@thehackernews.com)
A recent surge in cyberattacks has revealed that Microsoft Internet Information Services (IIS) servers are being targeted to deploy the BadIIS malware. This malware is designed for search engine optimization (SEO) fraud and malicious content injection. The campaign has been attributed to a Chinese-speaking group known as DragonRank, and it has been observed primarily in Asia, including India, Thailand, and Vietnam, with potential impact in other regions. Over 35 IIS servers across various industries, including government, universities, technology, telecommunications, and e-commerce sectors, have been compromised.
The BadIIS malware is installed on unpatched IIS servers as a native IIS module, which gives it the ability to manipulate HTTP responses. It operates in two primary modes. In SEO fraud mode, it inspects HTTP headers to identify traffic coming from search engines and serves those requests redirects to fraudulent gambling sites. In injector mode, it embeds obfuscated JavaScript into HTTP responses, redirecting visitors to attacker-controlled domains that host malware or phishing pages. Trend Micro's analysis attributes the malware to Chinese-speaking threat actors based on domain names and code patterns written in simplified Chinese; the actors also use batch scripts to automate installation of the malicious IIS modules.
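Because SEO fraud mode serves search-engine crawlers a different response from the one ordinary visitors receive, the behaviour leaves a signature in the server's own access logs. The following is an added example, not code from The Hacker News or Trend Micro: it parses IIS W3C extended log lines (IIS writes spaces inside the User-Agent as `+`), buckets requests per URI into crawler versus browser traffic, and reports URIs where the two groups never received the same status code. The log lines are constructed for this example; the crawler marker list is a starting point, not an exhaustive one.

```python
"""Flag URIs in IIS W3C logs where search-engine crawlers get different status codes than browsers."""
from collections import defaultdict

# Constructed sample IIS log in W3C extended format (not real traffic).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2025-02-10 08:00:01 GET /index.html 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200
2025-02-10 08:00:05 GET /index.html 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302
2025-02-10 08:00:09 GET /index.html 198.51.100.8 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 302
2025-02-10 08:01:00 GET /about.html 203.0.113.11 Mozilla/5.0+(Macintosh)+Safari/605.1 - 200
2025-02-10 08:01:04 GET /about.html 198.51.100.9 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200
"""

# Substrings that identify major search-engine crawlers in the User-Agent (assumption: a short list).
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot", "duckduckbot")


def parse_w3c(log_text):
    """Yield one dict per record, using the most recent #Fields directive as the column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def find_cloaking(log_text):
    """Return {uri: (crawler_statuses, browser_statuses)} for URIs whose two groups share no status code."""
    by_uri = defaultdict(lambda: {"crawler": set(), "browser": set()})
    for rec in parse_w3c(log_text):
        bucket = "crawler" if is_crawler(rec["cs(User-Agent)"]) else "browser"
        by_uri[rec["cs-uri-stem"]][bucket].add(rec["sc-status"])

    suspicious = {}
    for uri, groups in by_uri.items():
        crawler, browser = groups["crawler"], groups["browser"]
        # Only compare URIs that both populations actually requested.
        if crawler and browser and crawler.isdisjoint(browser):
            suspicious[uri] = (sorted(crawler), sorted(browser))
    return suspicious


if __name__ == "__main__":
    for uri, (crawler_codes, browser_codes) in find_cloaking(SAMPLE_IIS_LOG).items():
        print(f"{uri}: crawlers got {crawler_codes}, browsers got {browser_codes}")
```

Status codes are a coarse signal; the same approach works on `sc-bytes` or a hash of the response body if the logging configuration captures them, which catches injector-mode modules that return 200 to everyone but with different content.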
@www.the420.in
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.
The campaign works by embedding a one-line `<script>` tag into the source code of affected websites. These scripts reference domains such as zuizhongjs[.]com and similar URLs. Once loaded, they dynamically inject further payloads that manipulate browser behavior and create a full-screen overlay redirecting users to unlicensed Mandarin-language gambling platforms, targeting regions where Mandarin is predominantly spoken. The attackers use string concatenation and Unicode escapes to conceal their activity and evade automated security scanners.
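Both of the obfuscation tricks named above, string concatenation and Unicode escapes, can be undone well enough for a site owner to triage their own pages. The following is an added example, not code from The420 or any security vendor: it extracts every `<script>` tag from an HTML document, flags external scripts whose host is on a watchlist (seeded here with the zuizhongjs[.]com domain the article names), and for inline scripts joins concatenated string literals, decodes `\uXXXX` and `\xXX` escapes, and looks for redirect-style code in the decoded result. The sample page and its inline snippet are constructed for this example.

```python
"""Scan HTML for injected <script> tags: watchlisted hosts and obfuscated inline redirect code."""
import re
from urllib.parse import urlparse

# Watchlist of script hosts to flag; the first entry is the domain named in the article.
WATCHLIST_HOSTS = ("zuizhongjs.com",)

# Constructed sample page: a legitimate local script, an injected external script, and an inline
# snippet built with Unicode escapes and string concatenation (all constructed for this example).
SAMPLE_HTML = r"""<!DOCTYPE html>
<html><head><title>City Library</title>
<script src="/assets/app.js"></script>
<script src="https://zuizhongjs.com/js/loader.js"></script>
</head><body>
<h1>Opening hours</h1>
<script>var _0x=\u0077\u0069\u006e\u0064\u006f\u0077;_0x["\u006c\u006f\u0063"+"\u0061\u0074\u0069\u006f\u006e"]="https://example-constructed.invalid/";</script>
</body></html>
"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
REDIRECT_HINT = re.compile(r"\blocation\b|document\.write|\btop\.location\b", re.IGNORECASE)


def deobfuscate(js):
    """Join "a"+"b" style literals, then decode \\uXXXX and \\xXX escapes into plain characters."""
    joined = re.sub(r"""(["'])\s*\+\s*\1""", "", js)
    decoded = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), joined)
    decoded = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), decoded)
    return decoded


def scan_html(html, min_escapes=8):
    """Return a list of findings; each is a dict with a 'kind' of 'external' or 'inline'."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src_match = SRC_ATTR.search(attrs)
        if src_match:
            host = urlparse(src_match.group(1)).hostname
            if host and any(host == w or host.endswith("." + w) for w in WATCHLIST_HOSTS):
                findings.append({"kind": "external", "host": host, "src": src_match.group(1)})
            continue
        escapes = len(re.findall(r"\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}", body))
        concats = len(re.findall(r"""["']\s*\+\s*["']""", body))
        decoded = deobfuscate(body)
        redirects = bool(REDIRECT_HINT.search(decoded))
        # Heavy escaping alone is suspicious; a little concatenation is only flagged with a redirect.
        if escapes >= min_escapes or (concats and redirects):
            findings.append({"kind": "inline", "escapes": escapes, "concats": concats,
                             "redirect": redirects, "decoded": decoded.strip()})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

The decoded inline snippet reads as `var _0x=window;_0x["location"]=...`, which is the redirect the escapes were hiding; the escape-count threshold is a tunable assumption, and legitimate minified code with a few escapes stays below it while the injected one-liners in this campaign rely on escaping nearly every character.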