All news with #active exploitation tag

Senator Wyden Urges FTC Probe into Microsoft's Security

🚨 Senator Ron Wyden has asked the FTC to investigate Microsoft for what he calls "gross cybersecurity negligence," arguing insecure defaults enabled widespread ransomware attacks. He cites the February 2024 Ascension Health breach that exposed 5.6 million patient records and describes how a single click enabled lateral movement via Kerberoasting and lingering RC4 support. Wyden criticizes Microsoft for building a >$20 billion security business of add-on protections while leaving core products vulnerable and says promised fixes and plain-language guidance were inadequate. The letter warns this pattern poses national-security and industry-wide risks.

Akira Exploits SonicWall SSL VPN Flaw and LDAP Settings

🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable mMFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.

Largest npm Supply Chain Attack Injects Crypto Malware

🛡️ On September 8, 2025, a sophisticated phishing campaign led to the compromise of a trusted maintainer account and the insertion of cryptocurrency-stealing malware into more than 18 foundational npm packages. The malicious versions collectively represented over 2 billion weekly downloads and affected millions of applications from personal projects to enterprise systems. The debug package was among those compromised and alone exceeds 357 million weekly downloads. npm has removed several malicious package versions and is coordinating ongoing remediation.

Massive NPM Supply-Chain Attack Yielded Little Profit

🚨 A phishing attack against maintainer Josh Junon (qix) led to a widespread compromise of highly popular npm packages, including chalk and debug-js, whose combined footprint exceeds billions of weekly downloads. The attacker pushed malicious updates that attempted to steal cryptocurrency by swapping wallet addresses, but the community discovered and removed the tainted releases within two hours. According to Wiz, the compromised modules reached roughly 10% of cloud environments in that short window, yet the actor ultimately profited only minimally as the injected payload targeted browser crypto-signing and yielded just a few hundred dollars at most.

Jaguar Land Rover Confirms Data Theft After Cyberattack

🔒 Jaguar Land Rover (JLR) confirmed that attackers stole "some data" during a recent cyberattack that forced system shutdowns and instructed staff not to report to work. The company disclosed the disruption on September 2 and says it is working with the U.K. National Cyber Security Centre and third‑party specialists to restart applications in a controlled manner. JLR has notified relevant regulators and said its forensic investigation is ongoing; it will contact individuals if their data is affected. No definitive attribution or confirmed ransomware claim has been announced.

The Gentlemen ransomware targets OT-heavy industries

🔒 A newly observed ransomware group, The Gentlemen, has rapidly expanded operations across Asia Pacific, South America, the US and the Middle East since first being identified in August. Trend Micro reports the group leverages legitimate drivers, GPO abuse and custom tooling to disable endpoint security and move laterally. Victims span manufacturing, construction, healthcare and insurance, and defenders are urged to adopt zero-trust, behavioral EDR/XDR and rigorous segmentation.

SAP Patches Critical NetWeaver Flaws, Urges Updates

🔒 SAP on Tuesday released security updates addressing multiple vulnerabilities, including three critical flaws in SAP NetWeaver that could enable remote code execution and arbitrary file uploads (notably CVE-2025-42944, CVE-2025-42922 and CVE-2025-42958). The company also fixed a high-severity input-validation issue in SAP S/4HANA (CVE-2025-42916). Security researchers recommend immediate patching and temporary mitigations such as P4 port filtering to limit exposure.

Salty2FA Phishing Kit Employs Sophisticated Evasion Tools

⚠️ Researchers have exposed a Salty2FA phishing kit that applies enterprise-grade tactics to harvest credentials and bypass detection. The campaign uses session-based subdomain rotation, abuse of legitimate platforms for staging, and corporate-branded login replicas to increase believability. Operators integrate Cloudflare Turnstile and obfuscated, XOR-encrypted JavaScript to block automated analysis and frustrate forensic inspection. Targets include healthcare, finance, technology, energy and automotive sectors, underscoring the need for updated defenses beyond traditional indicators.

GPUGate campaign exploits Google Ads and GitHub mimicry

🔒 Arctic Wolf researchers uncovered a targeted campaign, GPUGate, that uses malicious GitHub Desktop installers promoted via Google Ads to distribute evasive malware. The attack leverages commit‑specific links and lookalike domains to mimic legitimate GitHub downloads and trick users, particularly IT personnel, into installing a large MSI payload. A GPU‑gated decryption routine keeps the malware dormant in virtualized or low‑power environments, while PowerShell execution with policy bypasses and scheduled‑task persistence provide elevated privileges and long‑term access.

Chinese Cyber Espionage Impersonates US Congressman via Email

🕵️ The House Select Committee on Strategic Competition between the US and the CCP says Chinese-affiliated actors impersonated Representative John Moolenaar in multiple recent emails to trusted counterparts, delivering malicious files and links designed to compromise systems. The Committee's technical analysis found the attackers abused cloud services and developer tools to hide activity and exfiltrate data, behaviour it calls state-sponsored tradecraft. A Wall Street Journal report linked one bogus Moolenaar email to the Chinese-associated APT41, and the Committee has shared indicators with the FBI and US Capitol Police. Moolenaar condemned the operations and said the Committee will continue investigative and defensive work to protect sensitive deliberations.

Hackers Briefly Compromise Two ARTE YouTube Channels

⚠️ Unknown actors briefly gained control of two YouTube channels belonging to the German-French cultural broadcaster Arte, the broadcaster said. The intrusion affected the main channel and Arte Concert, temporarily replacing documentaries and concert programming with cryptocurrency videos and clips referencing Donald Trump and Elon Musk. Arte said the unauthorized access was blocked and a comprehensive analysis of causes and scope is under way; Medieninsider first reported the incident.

GPUGate: Malware Uses Google Ads and GitHub Redirects

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

MostereRAT Targets Windows with Layered Stealth Tactics

🔒 FortiGuard Labs has uncovered MostereRAT, a Remote Access Trojan targeting Microsoft Windows that uses layered evasion and persistence techniques. Written in Easy Programming Language, the malware deploys a multi-stage chain, uses mutual TLS for C2 communication, and can disable Windows Update and antivirus processes. The campaign, aimed largely at Japanese users, begins with phishing emails that lead to a malicious Word download and installs services running at SYSTEM-level, while deploying remote access tools such as AnyDesk and TightVNC.

MostereRAT Campaign Uses EPL, mTLS, and Legitimate RATs

🛡️ FortiGuard Labs identified a sophisticated phishing campaign that chains an Easy Programming Language (EPL) runtime with multi-stage payloads to deploy MostereRAT. The initial dropper, based on a wxWidgets sample, creates SYSTEM services and decrypts modules that run in memory while presenting social‑engineering prompts. Operators use mTLS‑protected C2 channels, disable and block security tooling via WFP filters, and install legitimate remote access tools such as AnyDesk and TightVNC to secure covert, persistent full access.

Salesloft–Drift Supply Chain Breach and Weekly Recap

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

GhostAction Supply-Chain Attack Steals 3,325 Secrets

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

Critical Code-Injection Vulnerability in SAP S/4HANA

⚠ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.

Noisy Bear Targets Kazakhstan Energy Firm with Phishing

🚨 Operation BarrelFire, attributed to a group Seqrite Labs calls Noisy Bear, targeted Kazakhstan's national oil company KazMunaiGas in May 2025 using tailored phishing. Attackers sent ZIP attachments containing an .LNK downloader, a decoy document, and a README in Russian and Kazakh instructing use of a fake KazMunayGaz_Viewer. The chain deployed a malicious batch, a PowerShell loader named DOWNSHELL, and a 64-bit DLL implant that executes shellcode to open a reverse shell. Infrastructure was linked to Russia-based bulletproof host Aeza Group, which has been sanctioned.

CISA Orders Immediate Patch for Critical Sitecore Flaw

🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.

Critical S/4HANA Code Injection Flaw Actively Exploited

⚠️ SAP released a patch for a critical S/4HANA vulnerability, CVE-2025-42957 (CVSS 9.9), after researchers observed a live exploit that allows low-privilege ABAP code injection and full system takeover. The flaw affects all S/4HANA deployments, including private cloud and on-premises, and can be weaponized easily because ABAP source is publicly viewable. Administrators should apply the update immediately and review account privileges, default credentials, encryption settings, and monitoring to limit risks such as data tampering, account creation with SAP_ALL, and password-hash exfiltration.