All news with #active exploitation tag

Jaguar Land Rover Confirms Data Theft After Cyberattack

🔒 Jaguar Land Rover (JLR) confirmed that attackers stole "some data" during a recent cyberattack that forced system shutdowns and instructed staff not to report to work. The company disclosed the disruption on September 2 and says it is working with the U.K. National Cyber Security Centre and third‑party specialists to restart applications in a controlled manner. JLR has notified relevant regulators and said its forensic investigation is ongoing; it will contact individuals if their data is affected. No definitive attribution or confirmed ransomware claim has been announced.

The Gentlemen ransomware targets OT-heavy industries

🔒 A newly observed ransomware group, The Gentlemen, has rapidly expanded operations across Asia Pacific, South America, the US and the Middle East since first being identified in August. Trend Micro reports the group leverages legitimate drivers, GPO abuse and custom tooling to disable endpoint security and move laterally. Victims span manufacturing, construction, healthcare and insurance, and defenders are urged to adopt zero-trust, behavioral EDR/XDR and rigorous segmentation.

SAP Patches Critical NetWeaver Flaws, Urges Updates

🔒 SAP on Tuesday released security updates addressing multiple vulnerabilities, including three critical flaws in SAP NetWeaver that could enable remote code execution and arbitrary file uploads (notably CVE-2025-42944, CVE-2025-42922 and CVE-2025-42958). The company also fixed a high-severity input-validation issue in SAP S/4HANA (CVE-2025-42916). Security researchers recommend immediate patching and temporary mitigations such as P4 port filtering to limit exposure.

Salty2FA Phishing Kit Employs Sophisticated Evasion Tools

⚠️ Researchers have exposed a Salty2FA phishing kit that applies enterprise-grade tactics to harvest credentials and bypass detection. The campaign uses session-based subdomain rotation, abuse of legitimate platforms for staging, and corporate-branded login replicas to increase believability. Operators integrate Cloudflare Turnstile and obfuscated, XOR-encrypted JavaScript to block automated analysis and frustrate forensic inspection. Targets include healthcare, finance, technology, energy and automotive sectors, underscoring the need for updated defenses beyond traditional indicators.

GPUGate campaign exploits Google Ads and GitHub mimicry

🔒 Arctic Wolf researchers uncovered a targeted campaign, GPUGate, that uses malicious GitHub Desktop installers promoted via Google Ads to distribute evasive malware. The attack leverages commit‑specific links and lookalike domains to mimic legitimate GitHub downloads and trick users, particularly IT personnel, into installing a large MSI payload. A GPU‑gated decryption routine keeps the malware dormant in virtualized or low‑power environments, while PowerShell execution with policy bypasses and scheduled‑task persistence provide elevated privileges and long‑term access.

Chinese Cyber Espionage Impersonates US Congressman via Email

🕵️ The House Select Committee on Strategic Competition between the US and the CCP says Chinese-affiliated actors impersonated Representative John Moolenaar in multiple recent emails to trusted counterparts, delivering malicious files and links designed to compromise systems. The Committee's technical analysis found the attackers abused cloud services and developer tools to hide activity and exfiltrate data, behaviour it calls state-sponsored tradecraft. A Wall Street Journal report linked one bogus Moolenaar email to the Chinese-associated APT41, and the Committee has shared indicators with the FBI and US Capitol Police. Moolenaar condemned the operations and said the Committee will continue investigative and defensive work to protect sensitive deliberations.

Hackers Briefly Compromise Two ARTE YouTube Channels

⚠️ Unknown actors briefly gained control of two YouTube channels belonging to the German-French cultural broadcaster Arte, the broadcaster said. The intrusion affected the main channel and Arte Concert, temporarily replacing documentaries and concert programming with cryptocurrency videos and clips referencing Donald Trump and Elon Musk. Arte said the unauthorized access was blocked and a comprehensive analysis of causes and scope is under way; Medieninsider first reported the incident.

GPUGate: Malware Uses Google Ads and GitHub Redirects

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

MostereRAT Targets Windows with Layered Stealth Tactics

🔒 FortiGuard Labs has uncovered MostereRAT, a Remote Access Trojan targeting Microsoft Windows that uses layered evasion and persistence techniques. Written in Easy Programming Language, the malware deploys a multi-stage chain, uses mutual TLS for C2 communication, and can disable Windows Update and antivirus processes. The campaign, aimed largely at Japanese users, begins with phishing emails that lead to a malicious Word download and installs services running at SYSTEM-level, while deploying remote access tools such as AnyDesk and TightVNC.

MostereRAT Campaign Uses EPL, mTLS, and Legitimate RATs

🛡️ FortiGuard Labs identified a sophisticated phishing campaign that chains an Easy Programming Language (EPL) runtime with multi-stage payloads to deploy MostereRAT. The initial dropper, based on a wxWidgets sample, creates SYSTEM services and decrypts modules that run in memory while presenting social‑engineering prompts. Operators use mTLS‑protected C2 channels, disable and block security tooling via WFP filters, and install legitimate remote access tools such as AnyDesk and TightVNC to secure covert, persistent full access.

Salesloft–Drift Supply Chain Breach and Weekly Recap

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

GhostAction Supply-Chain Attack Steals 3,325 Secrets

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

Critical Code-Injection Vulnerability in SAP S/4HANA

⚠ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.

Noisy Bear Targets Kazakhstan Energy Firm with Phishing

🚨 Operation BarrelFire, attributed to a group Seqrite Labs calls Noisy Bear, targeted Kazakhstan's national oil company KazMunaiGas in May 2025 using tailored phishing. Attackers sent ZIP attachments containing an .LNK downloader, a decoy document, and a README in Russian and Kazakh instructing use of a fake KazMunayGaz_Viewer. The chain deployed a malicious batch, a PowerShell loader named DOWNSHELL, and a 64-bit DLL implant that executes shellcode to open a reverse shell. Infrastructure was linked to Russia-based bulletproof host Aeza Group, which has been sanctioned.

CISA Orders Immediate Patch for Critical Sitecore Flaw

🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.

Critical S/4HANA Code Injection Flaw Actively Exploited

⚠️ SAP released a patch for a critical S/4HANA vulnerability, CVE-2025-42957 (CVSS 9.9), after researchers observed a live exploit that allows low-privilege ABAP code injection and full system takeover. The flaw affects all S/4HANA deployments, including private cloud and on-premises, and can be weaponized easily because ABAP source is publicly viewable. Administrators should apply the update immediately and review account privileges, default credentials, encryption settings, and monitoring to limit risks such as data tampering, account creation with SAP_ALL, and password-hash exfiltration.

Critical SAP S/4HANA Code Injection Flaw Actively Exploited

⚠️ A critical ABAP code injection flaw, tracked as CVE-2025-42957, in an RFC-exposed function of SAP S/4HANA is being exploited in the wild to breach exposed servers. The bug allows low-privileged authenticated users to inject arbitrary code, bypass authorization checks, and take full control of affected systems. SAP issued a fix on August 11, 2025 (CVSS 9.9), but SecurityBridge reports active, limited exploitation and urges immediate patching.

macOS AMOS Stealer Uses Cracked Apps to Bypass Gatekeeper

🛡️ Trend Micro warns of an Atomic macOS Stealer (AMOS) campaign that lures users with trojanized 'cracked' apps such as CleanMyMac, and instructs victims to run terminal commands. Attackers shifted from .dmg installers to terminal-based installs to evade Gatekeeper enhancements. AMOS persists via a LaunchDaemon and a hidden binary, then exfiltrates credentials, browser data, crypto wallets, Telegram chats and keychain items. Researchers advise layered defenses beyond native OS protections.

Critical SAP S/4HANA Command Injection (CVE-2025-42957)

⚠️ SAP patched a critical command injection in SAP S/4HANA tracked as CVE-2025-42957 (CVSS 9.9) that allows low-privileged users to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks. SecurityBridge and NVD report active exploitation affecting both on-premise and Private Cloud editions, with potential for full system compromise. Organizations are urged to apply SAP's monthly fixes immediately, monitor for suspicious RFC calls or new admin accounts, implement network segmentation and backups, adopt SAP UCON to restrict RFC usage, and review access to authorization object S_DMIS activity 02.

Critical SAP S/4HANA Code Injection Exploit Active

⚠️ A critical code injection vulnerability in SAP S/4HANA (CVE-2025-42957, CVSS 9.9) is being actively exploited in the wild, researchers warn. The flaw allows a low-privileged user to inject ABAP code and gain full system and operating system access across all S/4HANA releases. SecurityBridge confirmed practical abuse and noted the exploit was straightforward to develop because ABAP code is openly viewable. Organizations that have not yet applied the August 11 patch should install it immediately to prevent complete data compromise and unauthorized administrative access.