CyberSecurity news
FlagThis - #vpn
|
info@thehackernews.com (The@The Hacker News
//
A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. The network security company noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.
The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC. Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods. Recommended read:
References :
Ddos@securityonline.info
//
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035 can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.
Specifically, CVE-2024-38475 is a critical severity flaw affecting the mod_rewrite module of Apache HTTP Server, potentially allowing unauthenticated remote attackers to execute code. SonicWall addressed this issue in firmware version 10.2.1.14-75sv and later. CVE-2023-44221, a high-severity command injection flaw, allows attackers with administrative privileges to inject arbitrary commands. CVE-2021-20035, an OS command injection vulnerability, which has been actively exploited in the wild since January 2025. The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data. Recommended read:
References :
Krista Lyons@OpenVPN Blog
//
References:
Blog
, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.
Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates. Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce. Recommended read:
References :
@ciso2ciso.com
//
References:
ciso2ciso.com
, securityonline.info
SonicWall has released patches to address three newly discovered vulnerabilities in its NetExtender Windows client, a widely-used VPN tool providing secure remote access to internal networks for organizations. The vulnerabilities affect NetExtender for Windows versions 10.3.1 and earlier, and include a high-severity flaw related to improper privilege management, identified as CVE-2025-23008, with a CVSS score of 7.2. This vulnerability could allow a low-privileged attacker to modify critical configurations, potentially re-routing VPN connections or weakening security settings.
The updates also address two medium-severity vulnerabilities: CVE-2025-23009, a local privilege escalation vulnerability via arbitrary file deletion, and CVE-2025-23010, a link following file access issue. The file deletion flaw could allow attackers to delete arbitrary files on the system, potentially escalating privileges or disrupting services. The symlink vulnerability could allow attackers to manipulate file operations and redirect them to unauthorized locations. SonicWall strongly advises users of the NetExtender Windows (32 and 64 bit) client to upgrade to version 10.3.2 or later to mitigate these risks. While there is no evidence of active exploitation of these vulnerabilities in the wild, SonicWall notes that its products are often targeted by malicious actors. The NetExtender for Linux client is not affected by these security defects. Organizations are urged to apply the patches promptly to prevent potential unauthorized configuration changes, privilege escalation, or file path manipulation. Recommended read:
References :
@The DefendOps Diaries
//
Vivaldi browser has integrated Proton VPN directly into its system, offering users a seamless way to protect their data from 'Big Tech' surveillance. The integration means users can now access VPN services without the need for external downloads or plugin activations. This move signifies a commitment to enhancing user privacy and challenging the data collection practices of major tech firms. The VPN button is available directly in the toolbar to improve user experience.
Vivaldi's partnership with Proton VPN brings browser-level privacy tools to users, allowing them to encrypt all internet traffic and protect them from persistent tracking. When enabled, browsing activity is transmitted through Proton VPN's encrypted tunnels, which obfuscates the user's IP address. The integration aims to provide enhanced protection against tracking and surveillance and sets new standards in digital security. Recommended read:
References :
Mandvi@Cyber Security News
//
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.
The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.
Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Recommended read:
References :
@gbhackers.com
//
SonicWall firewalls are facing a critical threat due to a high-severity authentication bypass vulnerability, identified as CVE-2024-53704. This flaw allows attackers to hijack active SSL VPN sessions, potentially granting them unauthorized access to networks. Bishop Fox researchers discovered nearly 4,500 internet-exposed SonicWall firewalls at risk, highlighting the widespread nature of the vulnerability. The affected SonicOS versions include 7.1.x, 7.1.2-7019, and 8.0.0-8035, which are used in various Gen firewalls.
A proof-of-concept exploit has been released for CVE-2024-53704, increasing the urgency for organizations to apply the necessary patches. The exploit involves sending a specially crafted session cookie to the SSL VPN endpoint, bypassing authentication mechanisms, including multi-factor authentication. By exploiting this vulnerability, attackers can access sensitive internal resources, Virtual Office bookmarks, and VPN client configurations, establishing new VPN tunnels into private networks. SonicWall has urged organizations to immediately apply patches to mitigate the vulnerability. Recommended read:
References :
@gbhackers.com
//
A massive brute force password attack is currently targeting a wide range of networking devices, including VPNs and firewalls from Palo Alto Networks, Ivanti, and SonicWall. The attack, which began recently, utilizes almost 2.8 million IP addresses in an attempt to guess the credentials for these devices. Once access is gained, threat actors can hijack devices or gain access to entire networks.
A brute force attack involves repeatedly attempting to log into an account or device using numerous username and password combinations until the correct one is discovered. This type of attack highlights the importance of strong, unique passwords and multi-factor authentication to protect sensitive systems and data from unauthorized access. The attack was first reported by BleepingComputer on February 8, 2025. Recommended read:
References :
|