Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Zero-day Flaw. Show all posts
Zero-day Flaw
Chinese Hacker Cyber Attacks French Infrastructure UNC5174 Zero-day Flaw

Chinese Attackers Target France Infrastructure in Ivanti Zero-Day Exploit Campaign

 

The French cybersecurity agency stated in a study released Tuesday that three zero-day flaws impacting Ivanti Cloud Services Appliance devices triggered an attack spree in France last year that affected several critical infrastructure sectors.

The French National Agency for the Security of Information Systems reports that from early September to late November 2024, widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 affected government agencies and organisations in the media, finance, transportation, and telecommunications sectors.

According to Mandiant, the attacks were carried out by UNC5174, a former member of Chinese hacktivist collectives who was probably working as a contractor for China's Ministry of State Security. The attacker, known as "Uteus," has previously targeted edge device flaws in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel, and the Zyxel firewall. 

Authorities in France discovered that UNC5174 employed a unique intrusion set known as "Houken," which included zero-day vulnerabilities, a sophisticated rootkit, numerous open-source tools, commercial VPNs, and dedicated servers. Officials believe Houken and UNC5174 are operated by the same threat actor, an initial access broker who steals credentials and implements methods to gain persistent access to target networks. 

“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency noted in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”

Earlier this year in January, the Cybersecurity and Infrastructure Security Agency said that threat actors used the three Ivanti zero-days in a chain to get credentials, execute remote code, establish initial access, and install webshells on victim networks. In April, Sysdig researchers said that they had observed the China state-sponsored hacker organisation UNC5174 use open-source offensive security techniques like WebSockets and VShell to blend in with more common cybercriminal activities. 

Numerous attackers have frequently taken advantage of long-standing flaws in Ivanti products, including espionage outfits with ties to China. Since 2021, Ivanti has shipped software with a high number of vulnerabilities across at least ten different product lines, more than any other vendor in this market since the start of last year. According to cyber authorities, cybercriminals have exploited seven flaws in Ivanti products so far this year, and 30 Ivanti faults have been discovered over the past four years in CISA's known exploited vulnerabilities catalogue. 

“We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected,” a spokesperson for Ivanti noted in a statement. “Ivanti released a patch in 2024 and strongly urged all customers to upgrade to CSA version 5.0, which was not affected by this vulnerability. The security and protection of our customers remain our top priority, and we are committed to supporting them.”
Read more »
Zero-day Flaw
Microsoft Play ransomware Storm-2460 Vulnerabilities and Exploits Zero-day Flaw

Windows CLFS Zero-Day Flaw Exploited in Play Ransomware Attacks

 

In zero-day attacks, the Play ransomware gang exploited a critical Windows Common Log File System flaw to gain SYSTEM access and install malware on infected PCs. The vulnerability, known as CVE-2025-29824, was identified by Microsoft as being exploited in a small number of attacks and addressed during last month's patch.

"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," Microsoft noted in April. 

Microsoft attributed these assaults to the RansomEXX ransomware outfit, claiming that the perpetrators installed the PipeMagic backdoor malware, which was employed to deliver the CVE-2025-29824 exploit, ransomware payloads, and ransom letters after encrypting files. 

Since then, Symantec's Threat Hunter Team has discovered evidence linking them to the Play ransomware-as-a-service operation, claiming that the hackers used a CVE-2025-29824 zero-day privilege escalation exploit after breaching a US organization's network. 

"Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation," Symantec added. "Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.” 

The Grixba custom network-scanning and information-stealing program was discovered two years ago, and Play ransomware operators often use it to list users and computers in compromised networks. The Play cybercrime gang first appeared in June 2022, and it is also renowned for double-extortion attacks, in which its affiliates coerce victims into paying ransoms to prevent their stolen data from being exposed online. 

As of October 2023, the Play ransomware gang has compromised the networks of around 300 organisations globally, according to a joint alert released by the FBI, CISA, and the Australian Cyber Security Centre (ACSC) in December 2023. 

The cloud computing company Rackspace, the massive auto retailer Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, the American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme are among the notable victims of the Play ransomware.
Read more »
Zero-day Flaw
Data Breach Data Leak Oracle User Privacy Zero-day Flaw

Oracle Finally Acknowledges Cloud Hack

 

Oracle is reportedly trying to downplay the impact of the attack while quietly acknowledging to clients that some of its cloud services have been compromised. 

A hacker dubbed online as 'rose87168' recently offered to sell millions of lines of data reportedly associated with over 140,000 Oracle Cloud tenants, including encrypted credentials. The hacker initially intended to extort a $20 million ransom from Oracle, but eventually offered to sell the data to anyone or swap it for zero-day vulnerabilities.

The malicious actor has been sharing a variety of materials to support their claims, such as a sample of 10,000 customer data records, a link to a file demonstrating access to Oracle cloud systems, user credentials, and a long video that seems to have been recorded during an internal Oracle meeting.

However, Oracle categorically denied an Oracle Cloud hack after the hacker's claims surfaced, stating, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

However, multiple independent reports suggest Oracle privately notified concerned customers and confirmed a data incident. On the other hand, specifics remain unclear, and there appears to be some conflicting information. 

Bloomberg has learned from people familiar with the matter that Oracle has started privately informing users of a data leak involving usernames, passkeys and encrypted passwords. The FBI and CrowdStrike are reportedly investigating the incident.

Security firm CyberAngel learned from an unknown source that ‘Gen 1’ cloud servers were attacked — newer ‘Gen 2’ servers were not — that the exposed material is at least 16 months old and does not include full private details. 

“Our source, who we are not naming as requested, is reporting that Oracle has allegedly determined an attacker who was in the shared identity service as early as January 2025,” Cyber Angel said. “This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a webshell along with malware. The malware specifically targeted the Oracle IDM database and was able to exfil data.” 

“Oracle allegedly became aware of a potential breach in late February and investigated this issue internally,” it added. “Within days, Oracle reportedly was able to remove the actor when the first demand for ransom was made in early March.” 

Following the story, cybersecurity expert Kevin Beaumont discovered from Oracle cloud users that the tech firm has simply verbally notified them; no written notifications have been sent. According to Beaumont, "Gen 1" servers might be a reference to Oracle Classic, the moniker for earlier Oracle Cloud services. Oracle is able to deny that Oracle Cloud was compromised thanks to this "wordplay," as Beaumont refers to it.
Read more »
Zero-day Flaw
Malicious Files nation-state hackers Threat Landscape Vulnerabilities and Exploits Zero-day Flaw

Windows Shortcut Vulnerability Exploited by 11 State-Sponsored Outfits

 

Since 2017, at least 11 state-sponsored threat groups have actively exploited a Microsoft zero-day issue that allows for abuse of Windows shortcut files to steal data and commit cyber espionage against organisations across multiple industries. 

Threat analysts from Trend Micro's Trend Zero Day Initiative (ZDI) discovered roughly 1,000 malicious.lnk files that exploited the flaw, known as ZDI-CAN-25373, which allowed cyber criminals to execute concealed malicious commands on a victim's PC via customised shortcut files.

“By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” researchers at Trend Micro noted. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”

The malicious files delivered by cybercriminals include a variety of payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), which expose organisations to data theft and cyber espionage. 

State-sponsored outfits from North Korea, Iran, Russia, and China, as well as non-state actors, are among those behind the flaw attacks, which have affected organisations in the government, financial, telecommunications, military, and energy sectors across North America, Europe, Asia, South America, and Australia. 

Additionally, 45% of attacks were carried out by North Korean players, with Iran, Russia, and China each accounting for approximately 18%. Some of the groups listed as attackers are Evil Corp, Kimsuky, Bitter, and Mustang Panda, among others.

According to Trend Micro, Microsoft has not fixed the flaw despite receiving a proof-of-concept exploit through Trend ZDI's bug bounty program. Trend Micro did not react to a follow-up request for comment on their flaw detection and submission timeline.

Microsoft's position remains that it will not be fixing the vulnerability described by Trend Micro at this time because it "does not meet the bar for immediate servicing under our severity classification guidelines," though the company "will consider addressing it in a future feature release," according to an email from a Microsoft spokesperson.

Meanwhile, Microsoft Defender can detect and block threat behaviour, as detailed by Trend Micro, and Microsoft's Windows Smart App Control prevents malicious files from being downloaded from the internet. Furthermore, Windows recognises shortcut (.lnk) files as potentially malicious file types, and the system will automatically display a warning if a user attempts to download one.
Read more »
Zero-day Flaw
Android Spyware cyber espionage Cyber Security Israeli Firm NoviSpy Spyware Zero-day Flaw

Novel Android NoviSpy Spyware Linked to Qualcomm Zero-Day Flaws

 

Amnesty International researchers discovered an Android zero-day bug that was exploited to silently disseminate custom surveillance spyware targeting Serbian journalists. The probe has traced the technology to Cellebrite, an Israeli forensics vendor.

In a technical report published earlier this week, the human rights group outlined how Serbia's Security Information Agency (BIA) and police employed Cellebrite's forensic extraction tools and a newly uncovered spyware dubbed 'NoviSpy' to infect journalists' and activists' devices. In one instance, a journalist's phone was allegedly hacked during a police traffic check, with the Cellebrite tool facilitating the infection. 

Amnesty International warned that Serbia's legal restrictions on the use of mobile forensic tools are inadequate and that "the ability to download, in effect, an individual's entire digital life using Cellebrite UFED and similar mobile forensic tools, poses enormous human rights risks, if such tools are not subject to strict control and oversight.” 

The report details the example of journalist SlaviÅ¡a Milanov, whose Xiaomi Redmi Note 10S smartphone was hacked after a police confrontation in Serbia. Forensic investigation suggested the usage of a zero-day Android exploit to overcome encryption and unlock the device, allowing NoviSpy to be installed. 

According to the group, the privilege escalation zero-day, which was patched in the Qualcomm October security update, affected Android devices with popular Qualcomm chipsets and millions of Android smartphones globally. 

In another case, Amnesty International discovered an Android smartphone belonging to an environmental activist logging a series of missed calls including invalid, seemingly random numbers that are not acceptable in Serbia.

"After these calls, [the activist said] that the battery on his device drained quickly.” The researchers inspected the device and discovered no trace of manipulation, but they warned that there is a substantial "knowledge gap" regarding zero-click assaults on Android smartphones. 

Amnesty International acknowledged Cellebrite's claim that it has strict protocols to prevent product misuse, but cautioned that this revelation "provides clear evidence of a journalist's phone being targeted without any form of due process." 

Unfortunately, Amnesty International discovered signs of the previously undisclosed NoviSpy spyware, which allows for the capture of sensitive personal data from a target's phone after infection and the ability to remotely activate the phone's microphone or camera. 

“Forensic evidence indicates that the spyware was installed while the Serbian police were in possession of SlaviÅ¡a’s device, and the infection was dependent on the use of Cellebrite to unlock the device. Two forms of highly invasive technologies were used in combination to target the device of an independent journalist, leaving almost his entire digital life open to the Serbian authorities,” the human rights group stated.
Read more »
Zero-day Flaw
Chinese Hacker FortiClient Vulnerabilities and Exploits Windows VPN Zero-day Flaw

Chinese Hackers Exploit Unpatched Fortinet Zero-Day Vulnerability

 

A Chinese state-sponsored actor abused an unpatched, unreported Fortinet vulnerability, despite the fact that the flaw was reported to the security firm in July. 

Volexity, a threat intelligence vendor, published research earlier this week referencing a new zero-day flaw -- one without a current CVE designation -- that allowed a Chinese state-sponsored actor known as "BrazenBamboo" to steal credentials in instances of Fortinet's Windows VPN client, FortiClient.

Perhaps most notably, Volexity stated that it disclosed the issue to Fortinet on July 18, with the latter acknowledging the report on July 24. "At the time of writing, this issue remains unresolved, and Volexity is not aware of an assigned CVE number," Volexity researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in the blog post. 

Volexity's report lacks a description of the flaw itself. The researchers of the study identified a "zero-day credential disclosure flaw in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process." The blog also provides YARA rules, indicators of compromise, and an in-depth look at BrazenBamboo's "Deepdata" post-exploitation tool, which was employed in threat activity targeting the vulnerability. 

Roxan, Gardner, and Rascagneres said that their investigation began with the identification of an archive file associated with BrazenBamboo, which could be linked to a known Chinese advanced persistent threat (APT) group. The researchers uncovered files in the package related to Windows malware families known as "Deepdata" and "Deeppost," as well as a Windows form of LightSpy malware.

Deepdata, according to Volexity researchers, is a modular utility for Windows that "facilitates the collection of private data from a compromised system," and requires the perpetrator to have command-line access to the target device. It features both a loader and a virtual file system. Deeppost is a post-exploitation data exfiltration program that transfers files to a remote system. The researchers discovered the Fortinet zero day after uncovering a FortiClient plugin in Deepdata. 

"DEEPDATA supports a wide range of functionality to extract data from victims' systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems," researchers explained. "However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process.”

The researchers further stated that "the FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory." Meanwhile, LightSpy is a command-and-control spyware that has previously been linked to campaigns targeting Hong Kong citizens. The malware is generally employed in attacks on Android, iOS, and macOS devices, so it's noteworthy that Volexity received files of a Windows edition.
Read more »
Zero-day Flaw
Hash Password Security flaw Security Patch Vulnerabilities and Exploits Zero-day Flaw

Unofficial Patches Published for New Windows Themes Zero-Day Exploit

 

Free unofficial fixes are now available for a new zero-day flaw in Windows Themes that allows hackers to remotely harvest a target's NTLM credentials.

NTLM has been extensively exploited in NTLM relay attacks, in which threat actors force susceptible network devices to authenticate against servers under their control, and in pass-the-hash attacks, in which attackers exploit system vulnerabilities or deploy malicious software to steal NTLM hashes (hash passwords) from target systems. 

Once they acquire the hash, the attackers can impersonate the affected user, gaining access to sensitive data and expanding laterally throughout the now-compromised network. Microsoft indicated a year ago that it will drop the NTLM authentication technology in Windows 11. 

ACROS security experts uncovered the new Windows Themes zero-day (which has yet to be assigned a CVE ID) while working on a micropatch for a flaw tracked as CVE-2024-38030 that might reveal a user's credentials (reported by Akamai's Tomer Peled), which was itself a workaround for another Windows Themes spoofing vulnerability (CVE-2024-21320) fixed by Microsoft in January. 

According to Peled, "when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such a theme file would be viewed in Windows Explorer.”

"This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action," ACROS Security CEO Mitja Kolsek stated. 

Even though Microsoft fixed CVE-2024-38030 in July, ACROS Security discovered another vulnerability that attackers may use to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2. 

"So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file," Kolsek added. 

The firm is now offering free and unofficial security updates for this zero-day flaw via its 0patch micropatching service for all affected Windows versions until official patches from Microsoft are available, which have already been applied to all online Windows systems running the company's 0patch agent.

To install the micropatch on your Windows device, first create a 0patch account and then install the 0patch Agent. If no specific patching policy prevents it, the micropatch will be applied immediately without the need for a system restart once the agent is activated. 

However, it is crucial to remember that in this case, 0patch only delivers micropatches for Windows Workstation, as Windows Themes does not work on Windows Server until the Desktop Experience feature is deployed.
Read more »
Zero-day Flaw
Chrome Attack Chain Crypto Hack Cyber Attacks North Korea Hackers Zero-day Flaw

Lazarus Group Exploits Chrome Zero-Day Flaw Via Fake NFT Game

 

The notorious North Korean hacking outfit dubbed Lazarus has launched a sophisticated attack campaign targeting cryptocurrency investors. This campaign, discovered by Kaspersky researchers, consists of a multi-layered assault chain that includes social engineering, a fake game website, and a zero-day flaw in Google Chrome. 

The report claims that in May 2024, Kaspersky Total Security identified a new attack chain that used the Manuscrypt backdoor to target the personal computer of an unidentified Russian citizen. 

Kaspersky researchers Boris Larin and Vasily Berdnikov believe the campaign began in February 2024. After investigating the attack further, analysts discovered that the attackers had developed a website called "detankzonecom" that seemed to be a genuine platform for the game "DeFiTankZone." 

This game reportedly combines Decentralised Finance (DeFi) elements with Non-Fungible Tokens (NFTs) in a Multiplayer Online Battle Arena (MOBA) situation. The website even offers a downloadable trial edition, adding to the look of trustworthiness. However, beneath the surface is a malicious trap. 

“Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC,” researchers noted. 

The exploit contains code for two vulnerabilities: one that enables hackers to access the whole address space of the Chrome process using JavaScript (CVE-2024-4947), and the other that allows attackers to circumvent the V8 sandbox and access memory outside the confines of the register array. 

Google addressed CVE-2024-4947, a type confusion flaw in the V8 JavaScript and WebAssembly engine, in March 2024, although it's unknown if attackers discovered it first and weaponised it as a zero-day or exploited it as an N-day flaw.

In this campaign, Lazarus has used social media sites like LinkedIn and X (previously Twitter) to target prominent players in the cryptocurrency field. With several accounts on X, they created a social media presence and actively promoted the fake game. They also hired graphic designers and generative AI to create amazing advertising material for the DeTankZone game. The group also sent carefully designed messages to interested parties pretending to be blockchain startups or game developers looking for funding.

This campaign highlights how the Lazarus Group's strategies have changed. It is crucial to be wary of unsolicited investment opportunities, particularly when they involve dubious social media promotions or downloadable game clients. In order to mitigate the risk of zero-day attacks, it is also crucial to maintain browser software, such as Chrome, updated with the most recent security fixes.
Read more »
Subscribe to: Comments (Atom)