CyberSecurity news

FlagThis - #security

Lawrence Abrams@BleepingComputer //
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the potential risks associated with new security feature deployments. The issue stemmed from the rollout of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). This new feature inadvertently flagged legitimate user accounts, triggering automatic lockouts despite strong, unique passwords and multi-factor authentication (MFA) being in place.

Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens mistakenly logged into internal systems. The problem was traced back to an internal logging mishap involving these tokens, where a subset of them were being logged internally, which deviates from the standard practice of logging only metadata. This logging error was identified on April 18, 2025, and promptly corrected.

The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences.

Recommended read:
References :
  • BleepingComputer: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • The DefendOps Diaries: Microsoft Entra ID Glitch: Lessons from a Security Feature Misstep
  • www.bleepingcomputer.com: Widespread Microsoft Entra lockouts tied to new security feature rollout
  • bsky.app: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • BleepingComputer: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • www.techradar.com: Microsoft appears to have flagged some users’ credentials as being compromised erroneously, locking them out.
  • Blog: Microsoft leaked credentials false positives trigger widespread lockouts
  • www.bleepingcomputer.com: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • cybersecuritynews.com: Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users
  • hackread.com: Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…
  • www.bleepingcomputer.com: Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.
  • Anonymous ???????? :af:: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.

@hackread.com //
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.

Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink.

Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging.

Recommended read:
References :
  • Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
  • thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
  • cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
  • Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
  • gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
  • securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
  • cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
  • Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access

@www.bleepingcomputer.com //
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.

Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions.

When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely.

Recommended read:
References :
  • The Register - Software: ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?
  • Will Dormann: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 About damn time!
  • www.bleepingcomputer.com: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
  • IT-Connect: Microsoft : les contrôles ActiveX bientôt bloqués par défaut dans Office et Microsoft 365 Apps
  • www.it-connect.fr: Microsoft : les contrôles ActiveX bientôt bloqués par défaut dans Office et Microsoft 365 Apps
  • BleepingComputer: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
  • Cyber Security News: Microsoft Disables ActiveX by Default in 365 to Block Malware Execution by Hackers

@www.bleepingcomputer.com //
Over 16,000 Fortinet devices have been compromised due to a novel symlink backdoor, allowing attackers to maintain read-only access to sensitive files. This was reported by The Shadowserver Foundation. The attackers are exploiting known vulnerabilities in FortiGate devices, specifically targeting the SSL-VPN language file directory. By creating a symbolic link between the user filesystem and the root filesystem, attackers can bypass security measures and access critical files even after patches are applied.

Researchers observed that threat actors are leveraging a new method to exploit previously patched vulnerabilities in Fortinet's FortiOS, specifically targeting FortiGate VPN appliances. The original flaw, CVE-2023-27997, had a fix issued, but threat actors can still gain access by manipulating symbolic links during the device's boot process. This enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed.

Fortinet has responded by releasing several updates and new security measures to block further attacks. These measures include launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to detect and remove the symbolic link automatically. Multiple updates have been issued across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Organizations are urged to upgrade to the latest secure versions to mitigate the risk.

Recommended read:
References :
  • www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
  • thehackernews.com: The Hacker News article on Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
  • BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
  • BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
  • Help Net Security: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
  • bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
  • www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
  • www.scworld.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
  • The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
  • MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access – Source:hackread.com
  • Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
  • BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • bsky.app: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • The DefendOps Diaries: Fortinet Devices Under Siege: Understanding the Symlink Backdoor Threat
  • www.cybersecuritydive.com: Over 14K Fortinet devices compromised via new attack method

@securityonline.info //
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.

This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.

WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts have originated from two different IP addresses - 2a01:e5c0:3167::2 (IPv6) 89.169.15.201 (IPv4).

Recommended read:
References :
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
  • thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
  • bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
  • www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • gbhackers.com: GBHackers article on WordPress Plugin Rogue Account‑Creation Flaw Leaves 100 K WordPress Sites Exposed.
  • Cyber Security News: Rogue User‑Creation Bug Exposes 100,000 WordPress Sites to Takeover
  • thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
  • gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
  • securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
  • ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
  • Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation

@Talkback Resources //
A critical spoofing vulnerability, identified as CVE-2025-30401, has been discovered in WhatsApp for Windows. Meta, the parent company of WhatsApp, has released a security update to address this flaw, which impacts versions prior to 2.2450.6. The vulnerability could allow attackers to trick users and enable remote code execution on their devices. Users of WhatsApp for Windows are strongly advised to update to the latest version immediately to mitigate the risk. This issue arises from a discrepancy in how WhatsApp handles file attachments, specifically the mismatch between the MIME type and file extension handling.

The exploit mechanism involves attackers sending maliciously crafted files with altered file types to potential targets. The WhatsApp application displays attachments based on their MIME type but selects the file opening handler based on the attachment's filename extension. This allows an attacker to craft a malicious file that appears harmless, such as an image, but when opened, executes arbitrary code. The spoofing technique takes advantage of the discrepancy between MIME type and file extension handling, allowing attackers to execute arbitrary code on the victim’s system.

The discovery of CVE-2025-30401 has raised concerns within the cybersecurity community, highlighting the importance of maintaining robust security practices in widely-used applications. While Meta has not reported any exploitation of this vulnerability in the wild, vulnerabilities in messaging applications like WhatsApp are frequently targeted by malicious actors. The impact of a successful exploit could include unauthorized system access and data theft, posing significant risks to users. To ensure protection, users should promptly update their WhatsApp for Windows application to version 2.2450.6 or later.

Recommended read:
References :
  • securityaffairs.com: WhatsApp fixed a spoofing flaw that could enable Remote Code Execution
  • Talkback Resources: WhatsApp Vulnerability Could Facilitate Remote Code Execution [app] [exp]
  • The DefendOps Diaries: Understanding the WhatsApp for Windows Vulnerability: CVE-2025-30401
  • BleepingComputer: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
  • hackread.com: WhatsApp for Windows Flaw Could Let Hackers Sneak In Malicious Files
  • infosec.exchange: vulnerability CVE-2025-30401 impacting all WhatsApp versions can let attackers execute malicious code on your devices. The flaw can be exploited by attackers by sending maliciously crafted files with altered file types to potential targets:
  • PCMag UK security: WhatsApp Patches Bug That Can Execute Malware on Windows PCs
  • darkwebinformer.com: DarkWebInformer Article on CVE-2025-30401: WhatsApp for Windows Spoofing Prior to Version 2.2450.6
  • cyberinsider.com: WhatsApp for Windows Vulnerable to Spoofing Flaw Leading to Code Execution
  • securityonline.info: SecurityOnline news detail for WhatsApp for Windows Spoofing Vulnerability: Execute Code Risk (CVE-2025-30401)
  • The Register - Security: What a MIME field A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.
  • bsky.app: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
  • ComputerWeekly.com: Spoofing vuln threatens security of WhatsApp Windows users
  • www.csoonline.com: CSOOnline article on Whatsapp plugs bug allowing RCE with spoofed filenames
  • Help Net Security: WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)
  • Malwarebytes: WhatsApp for Windows vulnerable to attacks. Update now!
  • www.bleepingcomputer.com: WhatsApp flaw can let attackers run malicious code on Windows PCs
  • www.scworld.com: Malicious code execution possible with patched WhatsApp flaw

@blog.extensiontotal.com //
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.

The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion.

This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats.

Recommended read:
References :
  • blog.extensiontotal.com: reports on a VSCode extension cryptojacking campaign.
  • Secure Bulletin: reports on the malicious VSCode extensions and a growing threat to developers
  • The DefendOps Diaries: Discusses safeguarding VSCode and addressing the threat of malicious extensions.
  • BleepingComputer: Details how malicious VSCode extensions infect Windows with cryptominers.
  • www.csoonline.com: CSOOnline reports the malicious tools.
  • securebulletin.com: Malicious VSCode extensions: a growing threat to developers
  • bsky.app: Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
  • www.scworld.com: Cryptojacking facilitated by nefarious VS Code extensions
  • aboutdfir.com: Malicious VSCode extensions infect Windows with cryptominersÂ
  • securityonline.info: Malicious VSCode Extensions Caught Mining Crypto with XMRig