All news with #active exploitation tag

Microsoft November 2025 Patch Tuesday: 63 Vulnerabilities

🔒 Microsoft released its November 2025 Patch Tuesday addressing 63 vulnerabilities across Windows, Office, Visual Studio and other components, including five labeled Critical. One important kernel elevation flaw, CVE-2025-62215, has been observed exploited in the wild. Critical issues include RCE in GDI+, Office, and Visual Studio, plus a DirectX elevation-of-privilege; Microsoft rates several as less likely to be exploited. Cisco Talos published Snort and Snort 3 rules and advises customers to apply updates and rule packs promptly.

KONNI APT Abuses Google Find Hub to Wipe Android Devices

🔐 Genians Security Center (GSC) has attributed a recent destructive campaign to the KONNI APT, which abused Google’s Find Hub service to remotely wipe Android phones and tablets. Threat actors distributed a signed MSI via compromised KakaoTalk accounts, installed an AutoIt loader, and stole Google credentials to trigger remote resets when victims were away. GSC describes this as the first confirmed state-linked misuse of Find Hub and recommends stronger authentication, verification for remote wipes, and enhanced EDR and behavioral monitoring.

Qilin Ransomware Activity Surges, Targeting SMEs in 2025

🔐 Researchers at S-RM report a surge in activity by the Qilin ransomware-as-a-service operation, which leverages unpatched VPNs, single-factor remote access and exposed management interfaces to gain initial access. While some high-profile incidents hit healthcare, most victims are small-to-medium businesses in construction, healthcare and finance. S-RM also observed affiliates from Scattered Spider using Qilin’s platform, and noted new extortion channels including Telegram and public leak sites. The firm urges routine patching, widespread MFA adoption, network segmentation and proactive monitoring.

Attackers Exploit Critical Triofox Flaw for Code Execution

⚠️ Mandiant and Google GTIG observed UNC6485 exploiting a critical improper access control flaw, CVE-2025-12480, in Gladinet Triofox versions prior to 16.7.10368.56560. Attackers spoofed a localhost Host header to reach setup pages, create a native 'Cluster Admin' account and upload payloads. They abused the product's anti‑virus configuration to execute arbitrary scripts as SYSTEM, then deployed remote access tools, escalated privileges and exfiltrated credentials. Users are urged to update, audit admin accounts and hunt for indicators of compromise.

North Korean Hackers Abuse Google's Find Hub for Wipes

🔒 Genians Security Center (GSC) reports that North Korea–linked KONNI actors abused Google's Android device‑tracing and management service Find Hub to remotely track and wipe victims' phones. Attackers compromised legitimate Google accounts—often via spear‑phishing impersonating South Korea’s National Tax Service—and used Find Hub to confirm location and issue reset commands that silenced alerts. The campaign also spread malware through compromised KakaoTalk contacts sending apps disguised as 'stress-relief' programs.

Authentication Coercion: Abusing Rare Windows RPC Interfaces

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.

Triofox Authentication Bypass Leads to Remote Access

🔒 Google's Mandiant reported active n‑day exploitation of a critical authentication bypass in Gladinet's Triofox (CVE-2025-12480, CVSS 9.1) that lets attackers access configuration pages and execute arbitrary payloads. Adversaries abused the product's antivirus executable path to run a malicious batch, installing Zoho UEMS and remote‑access tools such as Zoho Assist and AnyDesk. Operators created admin accounts, escalated privileges, and established SSH tunnels for inbound RDP. Triofox customers should apply the vendor patch, remove unauthorized admins, and verify antivirus executable paths cannot run untrusted scripts.

CISA Orders Federal Patch for Samsung Zero‑Day Spyware

🔒 CISA has ordered U.S. federal agencies to patch a critical Samsung vulnerability, CVE-2025-21042, which has been exploited to deploy LandFall spyware via malicious DNG images sent over WhatsApp. The flaw is an out-of-bounds write in libimagecodec.quram.so affecting devices on Android 13 and later; Samsung issued a patch in April after reports from Meta and WhatsApp security teams. CISA added the bug to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by December 1 under BOD 22-01. The spyware can exfiltrate data, record audio, and track location.

China-aligned UTA0388 leverages AI in GOVERSHELL attacks

📧 Volexity has linked a series of spear-phishing campaigns from June to August 2025 to a China-aligned actor tracked as UTA0388. The group used tailored, rapport-building messages impersonating senior researchers and delivered archive files that contained a benign-looking executable alongside a hidden malicious DLL loaded via search order hijacking. The distributed malware family, labeled GOVERSHELL, evolved through five variants capable of remote command execution, data collection and persistence, shifting communications from simple shells to encrypted WebSocket and HTTPS channels. Linguistic oddities, mixed-language messages and bizarre file inclusions led researchers to conclude LLMs likely assisted in crafting emails and possibly code.

Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE

⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.

Weekly Recap: Hidden VMs, AI Leaks, and Mobile Spyware

🛡️ This week's recap highlights sophisticated, real-world threats that bypass conventional defenses. Actors like Curly COMrades abused Hyper-V to run a hidden Alpine Linux VM and execute payloads outside the host OS, evading EDR/XDR. Microsoft disclosed the Whisper Leak AI side-channel that infers chat topics from encrypted traffic, and a patched Samsung zero-day was weaponized to deploy LANDFALL spyware to select Galaxy devices. Time-delayed NuGet logic bombs, a new criminal alliance (SLH), and ongoing RMM and supply-chain abuses underscore rising coordination and stealth—prioritize detection and mitigations now.

CISA Adds Samsung Mobile CVE to KEV Catalog for Remediation

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-21042, an out-of-bounds write in Samsung mobile devices that CISA reports is being actively exploited. This class of flaw can enable code execution or device compromise and poses a significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate listed KEVs by required due dates. CISA strongly urges all organizations to prioritize timely remediation and to apply vendor updates and mitigations without delay.

Cyberattack Halts Dutch Broadcaster, Forces Vinyl Use

🎧 RTV Noord, a regional Dutch TV and radio broadcaster, reported a cyber incident on November 6, 2025, that blocked staff access to critical systems. Presenters on the "De Ochtendploeg" breakfast show resorted to playing CDs and LPs to stay on air. The attackers left a message on the network, prompting suspicion of ransomware, and the newsroom confirmed internal channels were limited to WhatsApp while services were restored.

LandFall Spyware Abused Samsung DNG Zero-Day via WhatsApp

🔒 A threat actor exploited a Samsung Android image-processing zero-day, CVE-2025-21042, to deliver a previously unknown spyware called LandFall using malicious DNG images sent over WhatsApp. Researchers link activity back to at least July 23, 2024, and say the campaign targeted select Galaxy models in the Middle East. Unit 42 found a loader and a SELinux policy manipulator in the DNG files that enabled privilege escalation, persistence, and data exfiltration. Users are advised to apply patches promptly, disable automatic media downloads, and enable platform protection features.

Samsung Zero-Click Flaw Exploited to Deploy LANDFALL Spyware

🔒 A now-patched out-of-bounds write in libimagecodec.quram.so (CVE-2025-21042, CVSS 8.8) was used as a zero-click vector to deliver commercial-grade Android spyware known as LANDFALL. The campaign appears to have used malicious DNG images sent via WhatsApp to extract and load a shared library that installs the spyware. Unit 42 links activity to targets in Iraq, Iran, Turkey, and Morocco and notes samples dating back to July 2024. The exploit also deployed a secondary module to modify SELinux policy for persistence and elevated privileges.

China-linked Hackers Reuse Legacy Flaws to Backdoor Targets

🔍 Symantec and Carbon Black attributed a mid‑April 2025 intrusion to a China-linked threat cluster that targeted a U.S. nonprofit engaged in influencing policy, using mass scanning and multiple legacy exploits (including CVE-2021-44228, CVE-2017-9805, and Atlassian flaws) to gain initial access. The intruders established stealthy persistence via scheduled tasks that invoked legitimate binaries (msbuild.exe, csc.exe), injected code to reach a C2 at 38.180.83[.]166, and sideloaded a DLL through a Vipre component to run an in-memory RAT. Researchers linked the loader to China-aligned clusters such as Salt Typhoon and warned of broader reuse of legacy vulnerabilities and IIS/ASP.NET misconfigurations for long-term backdoors.

Cisco Firewall Zero-Days Now Triggering DoS Reboots

⚠️ Cisco warned that two recently patched firewall vulnerabilities (CVE-2025-20362 and CVE-2025-20333) — previously leveraged in zero-day intrusions — are now being abused to force ASA and FTD devices into unexpected reboot loops, causing denial-of-service. The vendor issued updates on September 25 and strongly urged customers to apply fixes immediately. CISA issued an emergency 24-hour directive for U.S. federal agencies and ordered EoS ASA devices to be disconnected. Shadowserver still reports tens of thousands of internet-exposed, unpatched devices.

Sandworm Deploys New Wiper Malware in Ukraine Q2–Q3 2025

🛡️ ESET's APT Activity Report covering Q2–Q3 2025 reports that Russian-aligned Sandworm deployed new data wipers, identified as Zerolot and Sting, against Ukrainian targets including government bodies and critical sectors such as energy, logistics and grain. The firm assessed the activity as likely intended to weaken Ukraine's economy. The findings, published on 6 November 2025, also note increased espionage and tool-sharing among other Russia-aligned groups.

LANDFALL: Commercial Android Spyware Exploits DNG Files

🔍 Unit 42 disclosed LANDFALL, a previously unknown commercial-grade Android spyware family that abused a Samsung DNG parsing zero-day (CVE-2025-21042) to run native payloads embedded in malformed DNG files. The campaign targeted Samsung Galaxy models and enabled microphone and call recording, location tracking, and exfiltration of photos, contacts and databases via native loaders and SELinux manipulation. Apply vendor firmware updates and contact Unit 42 for incident response.

Sandworm Deploys Data Wipers Against Ukraine's Grain Sector

🔒Russian state-backed Sandworm (aka APT44) deployed multiple data-wiping malware families in June and September 2025, targeting Ukrainian education, government, and grain-production organizations. ESET says these wipers — distinct from ransomware — corrupt files, partitions, and boot records to prevent recovery and cause long outages. Some intrusions began with access by UAC-0099, which then handed access to APT44 for destructive payloads.