All news with #active exploitation tag

ToolShell SharePoint Zero-Days Exploited in the Wild

🔒 Microsoft and ESET reported active exploitation of a SharePoint Server vulnerability cluster called ToolShell, comprising CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing). Attacks began on July 17, 2025, and target on-prem SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016; SharePoint Online is not affected. Operators deployed webshells — notably spinstall0.aspx (detected as MSIL/Webshell.JS) and several ghostfile*.aspx samples — to bypass MFA/SSO, exfiltrate data and move laterally across integrated Microsoft services. Microsoft and ESET confirmed patches were released on July 22, and ESET published IoCs and telemetry to assist defenders.

Customer Guidance for SharePoint CVE-2025-53770 Patch

🔒 Microsoft warns of active attacks against on-premises SharePoint Server and has issued security updates that fully remediate CVE-2025-53770 and CVE-2025-53771 for supported versions. Customers should apply the published updates immediately, enable AMSI with HTTP request body scanning where available, and deploy endpoint protections such as Microsoft Defender for Endpoint. After patching, rotate ASP.NET machine keys and restart IIS to complete mitigation; SharePoint Online is not affected.

Google Files Lawsuit to Dismantle BadBox 2.0 Botnet

🔒 Google has filed a lawsuit in New York federal court targeting the operators of the BadBox 2.0 botnet, which compromised over 10 million uncertified devices running the Android Open Source Project. In partnership with HUMAN Security and Trend Micro, Google’s Ad Traffic Quality team identified preinstalled malware used for large-scale ad fraud and other illicit activity. Google updated Play Protect to automatically block BadBox-associated apps and is coordinating with the FBI to further disrupt the criminal operation.

ESET APT Activity Report - Q4 2024 to Q1 2025 Overview

🔍 The latest ESET APT Activity report and podcast episode summarize intrusion activity observed across Q4 2024–Q1 2025, highlighting persistent and evolving adversary techniques. ESET researchers spotlight China-aligned actors such as UnsolicitedBooker, which repeatedly targeted the same organization with the MarsSnake backdoor, and tool-sharing trends centered on groups like Worok. The report also covers Russia-aligned operations — Sednit’s expanded Operation RoundPress against webmail platforms, ongoing Gamaredon obfuscation in Ukraine, and Sandworm’s use of the ZEROLOT wiper — plus activity from other regional actors that complicate attribution and detection.

CISA Alerts: Palo Alto PAN-OS Vulnerability Under Attack

🔔 CISA has warned that firewalls running Palo Alto Networks PAN-OS are under active attack and require immediate patching. The issue, tracked as CVE-2022-0028, can be abused without authentication to perform reflected and amplified TCP denial-of-service attacks using PA-Series, VM-Series and CN-Series devices. Palo Alto has released patches for multiple PAN-OS branches and CISA added the flaw to its Known Exploited Vulnerabilities Catalog, urging federal agencies to remediate by September 9. Administrators should review URL filtering profiles with blocked categories on externally facing interfaces and apply vendor fixes promptly.

Fake Reservation Links Target Travel and Hospitality Industry

✈️ A longtime threat group tracked as TA558 has resumed phishing campaigns that spoof hotel or reservation notices to lure travelers into downloading malware. Campaigns increasingly deliver ISO and RAR container files via URLs that, when decompressed, execute batch scripts and PowerShell helpers to fetch RATs such as AsyncRAT. TA558 has shifted from macro-laden Office documents to containerized attachments after Microsoft limited macros. Travel organizations and customers should be wary of unexpected reservation emails and avoid opening unknown archives.