CyberSecurity news

FlagThis - #vpn

@ciso2ciso.com //

SonicWall Patches NetExtender VPN Client High Severity Vulnerabilities - SonicWall released patches for NetExtender VPN client vulnerabilities, including CVE-2025-23008 (high severity) and CVE-2025-23009 (improper privilege management), advising users to update to version 10.3.2 or later to mitigate potential risks.
SonicWall has released patches to address three newly discovered vulnerabilities in its NetExtender Windows client, a widely-used VPN tool providing secure remote access to internal networks for organizations. The vulnerabilities affect NetExtender for Windows versions 10.3.1 and earlier, and include a high-severity flaw related to improper privilege management, identified as CVE-2025-23008, with a CVSS score of 7.2. This vulnerability could allow a low-privileged attacker to modify critical configurations, potentially re-routing VPN connections or weakening security settings.

The updates also address two medium-severity vulnerabilities: CVE-2025-23009, a local privilege escalation vulnerability via arbitrary file deletion, and CVE-2025-23010, a link following file access issue. The file deletion flaw could allow attackers to delete arbitrary files on the system, potentially escalating privileges or disrupting services. The symlink vulnerability could allow attackers to manipulate file operations and redirect them to unauthorized locations.

SonicWall strongly advises users of the NetExtender Windows (32 and 64 bit) client to upgrade to version 10.3.2 or later to mitigate these risks. While there is no evidence of active exploitation of these vulnerabilities in the wild, SonicWall notes that its products are often targeted by malicious actors. The NetExtender for Linux client is not affected by these security defects. Organizations are urged to apply the patches promptly to prevent potential unauthorized configuration changes, privilege escalation, or file path manipulation.

Recommended read:
References :
  • ciso2ciso.com: SonicWall Patches High-Severity Vulnerability in NetExtender – Source: www.securityweek.com
  • securityonline.info: SonicWall Patches Multi Vulnerabilities in NetExtender VPN Client
@The DefendOps Diaries //

Vivaldi Integrates Proton VPN for Enhanced Browser Privacy - Vivaldi browser integrates Proton VPN natively, offering users seamless VPN access without external downloads or plugins to protect their data against 'Big Tech' surveillance.
References: CyberInsider , Sam Bent , BleepingComputer ...
Vivaldi browser has integrated Proton VPN directly into its system, offering users a seamless way to protect their data from 'Big Tech' surveillance. The integration means users can now access VPN services without the need for external downloads or plugin activations. This move signifies a commitment to enhancing user privacy and challenging the data collection practices of major tech firms. The VPN button is available directly in the toolbar to improve user experience.

Vivaldi's partnership with Proton VPN brings browser-level privacy tools to users, allowing them to encrypt all internet traffic and protect them from persistent tracking. When enabled, browsing activity is transmitted through Proton VPN's encrypted tunnels, which obfuscates the user's IP address. The integration aims to provide enhanced protection against tracking and surveillance and sets new standards in digital security.

Recommended read:
References :
  • CyberInsider: Privacy-focused browser Vivaldi has announced the direct integration of Proton VPN, offering users seamless VPN access without external downloads or plug-ins.
  • Sam Bent: Vivaldi's new partnership with Proton VPN brings browser-level privacy tools into the hands of users, but it's crucial to understand where privacy ends and anonymity begins. This move is a strong statement against Big Tech surveillance, yet the protection it offers is not a blanket solution.
  • The DefendOps Diaries: Discover how Vivaldi's integration of Proton VPN enhances browser privacy and user control, setting new standards in digital security.
  • BleepingComputer: Vivaldi has announced the integration of Proton VPN directly into its browser without requiring add-on downloads or plugin activations, allowing users to protect their data against 'Big Tech' surveillance for free.
  • bsky.app: Vivaldi has released a new version of its browser with built-in support for ProtonVPN, now available as a VPN button in the toolbar https://vivaldi.com/blog/privacy-without-compromise-proton-vpn-is-now-built-into-vivaldi/
  • BleepingComputer: Vivaldi has announced the integration of Proton VPN directly into its browser without requiring add-on downloads or plugin activations, allowing users to protect their data against 'Big Tech' surveillance for free.
Mandvi@Cyber Security News //

FishMonger APT Linked to I-SOON Targets Govs - Chinese FishMonger APT, linked to I-SOON, targeted governments, NGOs, and think tanks across Asia, Europe, and the United States in 2022 using custom tools for cyber espionage and data theft.
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.

The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide.

Recommended read:
References :
  • Cyber Security News: Chinese FishMonger APT Linked to I-SOON Targets Governments and NGOs
  • Virus Bulletin: ESET's Matthieu Faou writes about Operation FishMedley, a global espionage operation by FishMonger, the China-aligned APT group run by I-SOON. In the victims list: governments, NGOs and think tanks across Asia, Europe and the United States.
  • : FishMonger APT Group Linked to I-SOON in Espionage Campaigns
  • gbhackers.com: GB Hackers: I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs
  • Talkback Resources: Talkback: Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley [net] [rev] [mal]
info@thehackernews.com (The@The Hacker News //

SideWinder APT Targets Maritime, Nuclear Sectors - The SideWinder APT group is intensifying attacks on the maritime sector and nuclear power plants across Asia, the Middle East, and Africa, using phishing tactics and exploiting old vulnerabilities.
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.

Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.

Recommended read:
References :
  • The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
  • The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
  • www.it-daily.net: SideWinder now also attacks nuclear power plants
  • securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
  • Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary
@gbhackers.com //

SonicWall Firewall Bug Allows VPN Hijacking - A high-severity authentication bypass vulnerability, CVE-2024-53704, affects SonicWall firewalls, allowing attackers to hijack active SSL VPN sessions and gain unauthorized network access.
SonicWall firewalls are facing a critical threat due to a high-severity authentication bypass vulnerability, identified as CVE-2024-53704. This flaw allows attackers to hijack active SSL VPN sessions, potentially granting them unauthorized access to networks. Bishop Fox researchers discovered nearly 4,500 internet-exposed SonicWall firewalls at risk, highlighting the widespread nature of the vulnerability. The affected SonicOS versions include 7.1.x, 7.1.2-7019, and 8.0.0-8035, which are used in various Gen firewalls.

A proof-of-concept exploit has been released for CVE-2024-53704, increasing the urgency for organizations to apply the necessary patches. The exploit involves sending a specially crafted session cookie to the SSL VPN endpoint, bypassing authentication mechanisms, including multi-factor authentication. By exploiting this vulnerability, attackers can access sensitive internal resources, Virtual Office bookmarks, and VPN client configurations, establishing new VPN tunnels into private networks. SonicWall has urged organizations to immediately apply patches to mitigate the vulnerability.

Recommended read:
References :
  • gbhackers.com: SonicWall firewalls running specific versions of SonicOS are vulnerable to a critical authentication bypass flaw, tracked as CVE-2024-53704, which allows attackers to hijack active SSL VPN sessions. This vulnerability has been classified as high-risk, with a CVSS score of 8.2.
  • MSSP feed for Latest: Nearly 4,500 internet-exposed SonicWall firewalls were discovered by Bishop Fox researchers to be at risk of having their VPN sessions taken over in attacks exploiting a recently patched high-severity authentication bypass flaw within the SonicOS SSLVPN application, tracked as CVE-2024-53704, according to BleepingComputer.
  • cyberpress.org: A critical security flaw, CVE-2024-53704, has been identified in SonicWall’s SonicOS SSLVPN application, enabling remote attackers to bypass authentication and hijack active SSL VPN sessions.
  • securityaffairs.com: Detailed findings and mitigation strategies related to the SonicWall firewall bug.
  • Cyber Security News: SonicWall Firewalls Exploit Let Attackers Remotely Hack Networks Via SSL VPN Sessions Hijack
  • gbhackers.com: SonicWall Firewalls Exploit Hijack SSL VPN Sessions to Gain Networks Access
  • www.bleepingcomputer.com: SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
  • arcticwolf.com: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
  • Arctic Wolf: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
  • arcticwolf.com: On February 10, 2025, Bishop Fox published technical details and proof-of-concept (PoC) exploit code for CVE-2024-53704, a high-severity authentication bypass vulnerability caused by a flaw in the SSLVPN authentication mechanism in SonicOS, the operating system used by SonicWall firewalls. Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability
  • Arctic Wolf: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
  • The Register - Security: SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN
  • bishopfox.com: https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
  • Christoffer S.: Arctic Wolf: Published a blog about observing active exploitation of SonicWALL vulnerability, which Bishop Fox published a PoC for on Feb 10. Unfortunately NO indicators or otherwise actionable intelligence provided beyond active exploitation.
  • BleepingComputer: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • heise online English: Patch Sonicwall now! Attackers bypass authentication of firewalls Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.
  • www.bleepingcomputer.com: BleepingComputer reports on attackers exploiting a SonicWall firewall vulnerability after the release of PoC exploit code.
  • Anonymous ???????? :af:: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • www.heise.de: Heise Online article urging users to patch their SonicWall devices.
  • www.bleepingcomputer.com: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
  • securityonline.info: SonicWall Firewalls Under Attack: CVE-2024-53704 Exploited in the Wild, PoC Released
@gbhackers.com //

Massive Brute Force Attack Targets VPNs and Firewalls - A large-scale brute force password attack is targeting web login pages of edge devices, including firewalls and VPNs from Palo Alto Networks, Ivanti, and SonicWall, originating from approximately 2.8 million IP addresses, primarily from Brazil.
A massive brute force password attack is currently targeting a wide range of networking devices, including VPNs and firewalls from Palo Alto Networks, Ivanti, and SonicWall. The attack, which began recently, utilizes almost 2.8 million IP addresses in an attempt to guess the credentials for these devices. Once access is gained, threat actors can hijack devices or gain access to entire networks.

A brute force attack involves repeatedly attempting to log into an account or device using numerous username and password combinations until the correct one is discovered. This type of attack highlights the importance of strong, unique passwords and multi-factor authentication to protect sensitive systems and data from unauthorized access. The attack was first reported by BleepingComputer on February 8, 2025.

Recommended read:
References :
  • BleepingComputer: A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from  Palo Alto Networks, Ivanti, and SonicWall.
  • www.bleepingcomputer.com: Massive brute force attack uses 2.8 million IPs to target VPN devices
  • Anonymous ???????? :af:: A large-scale brute force password attack using almost 2.8 million IP addresses is underway
  • BleepingComputer: Massive brute force attack uses 2.8 million IPs to target VPN devices
  • Troy Hunt: Infosec.exchange post about the large-scale brute-force attack targeting networking devices.
  • bsky.app: BleepingComputer post on the brute-force attack targeting Palo Alto, Ivanti and Sonicwall devices.
  • bsky.app: BleepingComputer mentions the attack in a news summary.
  • www.scworld.com: Millions of IP addresses leveraged in ongoing brute force intrusion
  • gbhackers.com: Massive brute force attacks targeting VPNs and firewalls have surged in recent weeks, with cybercriminals using as many as 2.8 million unique IP addresses daily to conduct relentless login attempts.
  • securityboulevard.com: Security Boulevard report on Major brute force attack
CISO2CISO Editor 2@ciso2ciso.com //

PlushDaemon APT Hits VPN Provider Via Supply Chain - A China-aligned APT group, PlushDaemon, is conducting cyber espionage using a supply chain attack by replacing legitimate software installers with malicious ones deploying the SlowStepper malware.
A new China-aligned cyber espionage group named PlushDaemon has been discovered conducting a supply chain attack against a South Korean VPN provider, IPany. The group compromised the VPN provider's software installer, replacing it with a malicious version that deploys the custom SlowStepper malware. This malware is a sophisticated backdoor with a large toolkit composed of around 30 modules, programmed in C++, Python, and Go, designed for espionage activities. The initial access vector for the group is typically by hijacking legitimate software updates of Chinese applications, but this supply chain attack marks a significant departure from their usual tactics.

ESET Research identified the attack after detecting malicious code in a Windows NSIS installer downloaded from the IPany website in May 2024. The compromised installer included both the legitimate VPN software and the SlowStepper backdoor. ESET researchers notified IPany, and the malicious installer has since been removed. PlushDaemon, active since at least 2019, is believed to be the exclusive user of the SlowStepper malware and has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is also known to gain access via vulnerabilities in legitimate web servers.

Recommended read:
References :
  • ciso2ciso.com: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack.
  • BleepingComputer: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group
  • : ESET Research : A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
  • ciso2ciso.com: Details about the Chinese threat group PlushDaemon.
  • www.welivesecurity.com: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
  • ciso2ciso.com: Chinese cyberspies target South Korean VPN in supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
  • www.bleepingcomputer.com: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware.
  • discuss.privacyguides.net: The attackers replaced the legitimate installer with one that also deployed the group’s signature backdoor.
  • therecord.media: Chinese hackers target Korean VPN provider by placing backdoored installer on website
  • ciso2ciso.com: ESET researchers discovered a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon, which has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
  • go.theregister.com: Supply chain attack hits Chrome extensions, could expose millions

Posts

Blogs

Research Tools