All news with #active exploitation tag

Cox Enterprises Discloses Oracle E-Business Suite Breach

🔒 Cox Enterprises says hackers accessed its network after exploiting a zero-day in Oracle E‑Business Suite, with activity occurring between Aug. 9–14 and detected on Sept. 29, 2025. The company notified 9,479 impacted individuals and is offering 12 months of credit monitoring and identity protection through IDX. The Cl0p ransomware gang has claimed responsibility and posted stolen files after Oracle issued a patch on Oct. 5. Cox did not specify the types of data exposed in the notice.

CISA Warns: Oracle Identity Manager RCE Actively Exploited

🚨 CISA has added CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by December 12 under BOD 22-01. The flaw, disclosed by Searchlight Cyber, abuses an authentication bypass in REST APIs by appending parameters such as ?WSDL or ;.wadl to URL paths, exposing a Groovy compilation endpoint. Researchers showed that Groovy's annotation-processing can execute code at compile time, enabling pre-auth RCE. Oracle released a fix on October 21, 2025; CISA warned the issue is being actively exploited.

Browser Push Notifications Exploited by Matrix Push C2

🔔 BlackFrog has identified a new command-and-control platform, Matrix Push C2, that abuses browser push notifications to deliver phishing and malware. The campaign social-engineers users into allowing notifications and then issues realistic system-style alerts that redirect victims to malicious sites. Described as fileless, the technique leverages the browser notification channel rather than an initial executable. The platform includes a web dashboard with real-time client visibility, analytics and templates impersonating services like MetaMask, Netflix and PayPal.

Music Store's Google Ads Account Hijacked, €4M Loss

🔒 The Google Ads account for Cologne-based retailer Music Store was reportedly taken over by attackers on 19 October 2025. Criminals have linked more than 2,500 foreign advertising accounts to the company’s payment profile and are running persistent campaigns promoting online casinos and crypto exchanges that administrators cannot remove. The assigned Google account manager has reportedly been unable to stop the activity, and formal attempts to get intervention via official channels have so far failed. Police cybercrime investigators and consumer protection authorities have been notified, and reported losses exceed €4 million.

Fortinet Criticized for Silent Patching of Two Zero-Days

⚠️Fortinet has faced criticism for quietly patching two zero-day vulnerabilities in its FortiWeb WAFs before publicly disclosing them. The first, CVE-2025-64446, is rated critical (CVSS 9.4) and involves a GUI path-traversal plus an authentication-bypass flaw; the second, CVE-2025-58034 (CVSS 6.7), is an OS command injection that may allow authenticated code execution. Both fixes were included in the 8.0.2 update on October 28 and have been observed exploited in the wild, prompting calls for greater transparency and urgent patching.

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.

Massive Scan Campaign Targets GlobalProtect VPN Portals

🔎 GreyNoise reports a roughly 40x surge in malicious scans against Palo Alto Networks GlobalProtect VPN login portals beginning November 14, with about 2.3 million sessions hitting the /global-protect/login.esp endpoint between Nov 14–19. Activity focused on the United States, Mexico, and Pakistan and is linked to recurring TCP/JA4t fingerprints and ASN reuse, notably AS200373 and AS208885. GreyNoise recommends treating these probes as active reconnaissance — block and monitor attempts rather than dismissing them.

UNC2891 Money Mule Network Exposes ATM Fraud Scope

🔍 Group-IB researchers reveal a multi-year ATM fraud campaign by UNC2891 that targeted two Indonesian banks and extended well beyond a Raspberry Pi infiltration. The campaign combined sophisticated malware — including the CAKETAP rootkit — with an extensive money-mule operation that recruited via Google ads and Telegram. Cloned card equipment was shipped to mules, who withdrew cash with real-time TeamViewer support or phone coordination. Group-IB warns banks to reassess ATM security and monitoring.

PlushDaemon uses EdgeStepper to hijack DNS and updates

🔒 PlushDaemon, a China-linked APT, has deployed a network implant called EdgeStepper to hijack DNS on compromised routers and redirect update traffic to attacker-controlled servers, according to ESET. The MIPS32 Go-built implant modifies iptables to forward UDP port 53 to a local proxy that substitutes legitimate update IPs with malicious ones. Using the hijacked channel, a downloader chain (LittleDaemon, DaemonicLogistics) delivers the espionage backdoor SlowStepper, enabling credential theft, document exfiltration and audio/video capture.

Iran-Linked Hackers Mapped Ship AIS, Aided Kinetic Strikes

🔎 An Amazon Integrated Security report describes Iran-linked actors conducting digital reconnaissance to enable real-world attacks, a phenomenon the company terms cyber-enabled kinetic targeting. Researchers attribute AIS and CCTV intrusions to Imperial Kitten (aka Tortoiseshell) between December 2021 and January 2024 that preceded a missile attempt on a commercial vessel. Amazon also links MuddyWater activity in mid-2025 to live camera access in Jerusalem and notes the use of anonymizing VPNs to complicate attribution and refine target selection.

Iranian APTs Used Cyber Espionage to Guide Missile Strikes

🎯 Amazon’s threat intelligence linked Iran-associated APT activity to missile strikes in the Red Sea and Israel, concluding cyber espionage provided direct targeting intelligence. The group known as Imperial Kitten queried AIS ship-tracking data days before a Houthi missile attempt, while MuddyWater gained access to compromised CCTV streams ahead of strikes on Jerusalem. Amazon terms this trend cyber-enabled kinetic targeting and urges maritime, surveillance, and critical infrastructure operators to expand threat models and harden systems that could be repurposed for physical attacks.

Active Exploitation of 7-Zip Symbolic Link Flaw Now

⚠️A high-severity vulnerability (CVE-2025-11001, CVSS 7.0) in 7-Zip that mishandles symbolic links in ZIP archives is being actively exploited in the wild, NHS England Digital warns. The flaw can trigger directory traversal and enable remote code execution and was addressed in 7-Zip 25.00 released in July 2025. A related issue, CVE-2025-11002, was also fixed in that release. Proof-of-concept exploits are public, and exploitation requires an elevated Windows user or service account or developer mode enabled, so users should apply the update immediately.

Eternidade Stealer: WhatsApp Worm Targets Brazil's Ecosystem

🔒 Trustwave SpiderLabs has identified Eternidade Stealer, a multi-component banking Trojan that combines a Python-based WhatsApp-propagating worm, a Delphi stealer and an MSI dropper to harvest financial credentials and spread laterally. The campaign uses an obfuscated VBScript to deliver two payloads, dynamically retrieves command-and-control via IMAP and activates only on systems using Brazilian Portuguese. Defenders should watch for unexpected MSI or script executions, suspicious WhatsApp messages and indicators linked to the campaign.

Operation WrtHug Hijacks Thousands of ASUS WRT Routers

🔒 Security researchers have uncovered Operation WrtHug, a global campaign that has hijacked thousands of largely end-of-life ASUS WRT routers by chaining at least six known vulnerabilities. Over roughly six months analysts identified about 50,000 unique infected IPs, predominantly in Taiwan, using a distinctive malicious self-signed AiCloud certificate with a 100-year lifetime as an indicator of compromise. Owners are urged to apply ASUS firmware updates or replace unsupported models and disable remote-access features to mitigate risk.

CISA Orders Rapid Patching for New FortiWeb Flaw Directive

🔒 CISA has ordered U.S. federal agencies to remediate a FortiWeb OS command injection vulnerability (CVE-2025-58034) within seven days after reports of active exploitation. Fortinet warns the flaw can allow an authenticated attacker to execute unauthorized code via crafted HTTP requests or CLI commands. The agency added the issue to its Known Exploited Vulnerabilities Catalog and set a November 25 deadline under BOD 22-01. CISA cited related zero-day activity (CVE-2025-64446) and recommended expedited fixes.

PlushDaemon Deploys EdgeStepper AitM Malware Globally

🛡️ A China-aligned group known as PlushDaemon has been observed deploying a previously undocumented network implant, codenamed EdgeStepper, to perform adversary-in-the-middle DNS attacks. ESET researchers found an ELF sample (internally called dns_cheat_v2) that forwards DNS traffic to attacker-controlled nodes, enabling update hijacking. Operators then deploy downloaders LittleDaemon and DaemonLogistics to install espionage backdoors.

China-linked WrtHug operation hits thousands of ASUS WRT

🔒 SecurityScorecard's STRIKE team warns that Operation “WrtHug” has already compromised thousands of ASUS WRT routers worldwide by chaining six primarily legacy vulnerabilities to gain elevated privileges and persistence. The campaign abuses the ASUS AiCloud service and OS injection flaws, deploying a common self-signed TLS certificate with a 100-year expiry. SecurityScorecard notes geographic clustering, with up to 50% of victims in Taiwan, and assesses a likely China-affiliated ORB-style operation.

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

🔒 PlushDaemon operators are hijacking software-update traffic using a new network implant named EdgeStepper, ESET researchers report. Attackers compromise routers via known vulnerabilities or weak credentials, intercept DNS queries, and redirect update requests to malicious infrastructure. Trojanized updates deliver a DLL downloader (LittleDaemon), which stages DaemonicLogistics and ultimately loads the SlowStepper backdoor on Windows systems, targeting manufacturers, universities, and industrial sites across multiple countries.

Fortinet Warns: FortiWeb Command Injection CVE-2025-58034

🔔 Fortinet has issued an advisory about a newly discovered FortiWeb vulnerability, CVE-2025-58034, rated CVSS 6.7 and reported as being exploited in the wild. The flaw is an OS command injection that allows an authenticated attacker, who has gained access by other means, to execute arbitrary commands via crafted HTTP requests or CLI input. Fortinet provides version-based upgrade guidance to remediate the issue and credited a Trend Micro researcher for reporting the bug.

Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise

🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.