All news with #exploit detected tag

Credential ZIP Lures Use Malicious LNKs to Deploy DLLs

📎 BlackPoint researchers tracked a campaign that distributes credential-themed ZIP archives containing malicious Windows shortcut (.lnk) files. When opened, the shortcuts launch minimized, obfuscated PowerShell that downloads DLL payloads disguised as .ppt files, saves them to the user profile and invokes them via rundll32.exe. The dropper assembles commands from byte arrays, probes for antivirus processes and uses quiet flags to minimize visible indicators. Recommended mitigations include blocking LNKs in archives, enforcing Mark of the Web, denying execution from user-writable locations, and enabling PowerShell script block logging and AMSI.

CISOs Urged to Rethink Vulnerability Management amid Surge

⚠️ Enterprises face an unprecedented surge in disclosed vulnerabilities — over 20,000 in H1 2025 — with roughly 35% (6,992) accompanied by public exploit code, according to Flashpoint. Security leaders are urged to adopt risk-based patching and intelligence-led remediation that prioritizes remotely exploitable and actively exploited flaws while factoring in business context. Relying solely on CVE and the NVD is increasingly impractical due to enrichment delays; experts recommend integrating threat context, exposure management, and CTEM-style operations to concentrate limited resources on what truly matters.

CISA: Critical sudo Linux Vulnerability Actively Exploited

⚠ CISA warns that a critical sudo vulnerability (CVE-2025-32463) is being actively exploited to gain root privileges on Linux systems. The flaw affects sudo versions 1.9.14 through 1.9.17 and can be abused via the -R (--chroot) option to run arbitrary commands as root even for users not listed in sudoers. A proof-of-concept was published in early July and CISA has added the issue to its KEV catalog, requiring federal mitigations by October 20 or discontinuation of sudo.

Surge in SonicWall SSL VPN Attacks by Akira Actors

🔒 Security experts warn of a sharp increase in activity from Akira ransomware operators targeting SonicWall SSL VPN appliances, with intrusions traced to late July. Arctic Wolf links initial access to exploitation of CVE-2024-40766 and describes rapid credential harvesting that can enable access even to patched devices. Observed traces include hosting-provider-origin VPN logins, internal scanning, Impacket SMB activity and Active Directory discovery; organizations are advised to monitor hosting-related ASNs, block VPS/anonymizer logins and watch for SMB session patterns consistent with Impacket to detect and disrupt attacks early.

CISA Incident Response Findings: GeoServer Exploits

🔒 CISA assisted a U.S. federal civilian executive branch agency after endpoint alerts showed threat actors exploiting CVE-2024-36401 in public-facing GeoServer instances to gain initial access. The actors operated undetected for roughly three weeks, deployed web shells and proxy/C2 tools, and moved laterally to a web and SQL server. CISA highlights urgent patching of KEV-listed flaws, exercising incident response plans, and improving EDR coverage and centralized logging.

HybridPetya ransomware bypasses Windows Secure Boot

🔒 Researchers at ESET have identified a new bootkit-style ransomware named HybridPetya that targets the NTFS Master File Table (MFT) and can override UEFI Secure Boot to install a malicious EFI component. The malware abuses a patched vulnerability (CVE-2024-7344) in a signed Microsoft EFI file to load an unsigned payload called cloak.dat. The installer replaces the Windows bootloader, triggers a crash and, on reboot, the compromised loader executes a bootkit that encrypts the disk with Salsa20, using a fake CHKDSK message to conceal activity. ESET observed a ransom demand of €850 in Bitcoin but regards the sample as likely a research proof-of-concept.

SonicWall urges credential resets after MySonicWall breach

🔐 SonicWall says firewall configuration backup files in certain MySonicWall accounts were exposed in a security incident and is urging customers to reset credentials immediately. The company reports it cut off attacker access and is working with cybersecurity and law enforcement to investigate. SonicWall published an Essential Credential Reset checklist to help administrators update passwords, API keys, tokens and related secrets and to restrict WAN access before making changes.

Phoenix RowHammer Bypasses DDR5 Protections in 109s

⚠️ Researchers at ETH Zürich and Google disclosed a RowHammer variant named Phoenix (CVE-2025-6202) that reliably induces bit flips on SK Hynix DDR5 devices and bypasses on-die ECC and advanced TRR protections. The team demonstrated an end-to-end privilege escalation on a production desktop with default DDR5 settings in as little as 109 seconds. Phoenix takes advantage of refresh intervals that mitigation logic does not sample, enabling flips across DIMM stacks produced between 2021 and 2024. Because DRAM chips cannot be updated in the field, the researchers recommend increasing the DRAM refresh rate to 3× as an immediate mitigation and urge vendors to pursue firmware and hardware countermeasures.

Phoenix Rowhammer Bypass Targets DDR5 TRR Defenses

🧨 Researchers have developed Phoenix, a new Rowhammer variant that defeats DDR5 TRR protections on SK Hynix modules by synchronizing and self-correcting against missed refresh intervals. After reverse-engineering TRR behavior, the team identified refresh slots that were not sampled and used precise hammering patterns covering 128 and 2,608 refresh intervals to flip bits. In tests they flipped bits across all tested DIMMs and produced a working privilege-escalation exploit, achieving a root shell on commodity DDR5 systems in under two minutes. The authors published an academic paper and an FPGA-based repository with experiments and proof-of-concept code.

Supporting Rowhammer Research to Strengthen DDR5 Mitigations

🔬 Google funded and collaborated on open-source DDR5 Rowhammer test platforms and academic research to evaluate current in-DRAM mitigations. Working with Antmicro and ETH Zurich, the team produced FPGA-based RDIMM and SO‑DIMM testers and used them to discover the Phoenix attack family, which includes a self-correcting refresh synchronization technique that can bypass enhanced TRR on some DDR5 modules. Google also led JEDEC standardization work on PRAC to enable deterministic row-activation counting and continues to share tools and findings to improve defenses.

HybridPetya: Petya-like Ransomware Targets UEFI Secure Boot

🛡️ ESET researchers identified HybridPetya in late July 2025 after suspicious samples were uploaded to VirusTotal. The malware resembles Petya/NotPetya and encrypts the NTFS Master File Table (MFT), while also capable of installing a malicious EFI application on the EFI System Partition to persist on UEFI systems. One analyzed variant exploits CVE-2024-7344 using a crafted cloak.dat to bypass UEFI Secure Boot on outdated systems. ESET telemetry shows no evidence of active, widespread deployments.

Smashing Security #434: Whopper Hackers and AI Failures

🍔 In episode 434 of the award‑winning Smashing Security podcast, Graham Cluley and guest Lianne Potter examine two striking security stories: an ethical hack of Burger King that revealed drive‑thru audio recordings, hard‑coded passwords and an authentication bypass, and an alleged insider theft at xAI where a former engineer, after receiving $7 million, is accused of taking trade secrets. The hosts blend sharp analysis with irreverent commentary on operational security and human risk.

Massive NPM Supply-Chain Attack Yielded Little Profit

🚨 A phishing attack against maintainer Josh Junon (qix) led to a widespread compromise of highly popular npm packages, including chalk and debug-js, whose combined footprint exceeds billions of weekly downloads. The attacker pushed malicious updates that attempted to steal cryptocurrency by swapping wallet addresses, but the community discovered and removed the tainted releases within two hours. According to Wiz, the compromised modules reached roughly 10% of cloud environments in that short window, yet the actor ultimately profited only minimally as the injected payload targeted browser crypto-signing and yielded just a few hundred dollars at most.

VirusTotal Uncovers SVG-based Judicial Portal Phishing

🔍 VirusTotal's AI Code Insight detected a sophisticated phishing campaign that hid malicious JavaScript inside SVG images to impersonate Colombia's judicial system. The SVGs rendered fake portal pages with a bogus download progress bar and displayed a password for a protected ZIP archive that contained malware artifacts. The archive included a renamed Comodo Dragon executable, a malicious DLL, and two encrypted files; when the executable runs the DLL is sideloaded to install further malware. After adding SVG support, VirusTotal found 523 related SVGs that had evaded traditional antivirus detection.

Critical SAP S/4HANA Code Injection Flaw Actively Exploited

⚠️ A critical ABAP code injection flaw, tracked as CVE-2025-42957, in an RFC-exposed function of SAP S/4HANA is being exploited in the wild to breach exposed servers. The bug allows low-privileged authenticated users to inject arbitrary code, bypass authorization checks, and take full control of affected systems. SAP issued a fix on August 11, 2025 (CVSS 9.9), but SecurityBridge reports active, limited exploitation and urges immediate patching.

Critical SAP S/4HANA Code Injection Exploit Active

⚠️ A critical code injection vulnerability in SAP S/4HANA (CVE-2025-42957, CVSS 9.9) is being actively exploited in the wild, researchers warn. The flaw allows a low-privileged user to inject ABAP code and gain full system and operating system access across all S/4HANA releases. SecurityBridge confirmed practical abuse and noted the exploit was straightforward to develop because ABAP code is openly viewable. Organizations that have not yet applied the August 11 patch should install it immediately to prevent complete data compromise and unauthorized administrative access.

SVG Malware Campaign Impersonating Colombian Judiciary

🔍 VirusTotal’s Code Insight now parses SWF and SVG formats and quickly uncovered an undetected campaign impersonating the Colombian justice system. The tool differentiated a benign, heuristic-flagged SWF game from a malicious SVG that evaded all AV engines by hiding inline JavaScript which decodes and injects a Base64 phishing page and a ZIP dropper. Code Insight plus VirusTotal Intelligence exposed dozens of polymorphic SVGs and enabled a retrohunt linking hundreds of samples to the same campaign.

SNI5GECT: 5G Downgrade Attack Enables 4G Tracking Now

🔒 Researchers demonstrated SNI5GECT, an over‑the‑air injection attack targeting unencrypted initial exchanges in 5G that can crash device modems or force a fallback to 4G. By observing the plain‑text handshake and injecting a crafted information block at precise timing, an attacker within roughly 20 meters can trigger a reboot or downgrade. The technique enabled 4G‑based tracking and spoofing on multiple handsets across different modem vendors, and arises from protocol characteristics rather than a single vendor implementation.

Agentic Tool Hexstrike-AI Accelerates Exploit Chain

⚠️ Check Point warns that Hexstrike-AI, an agentic AI orchestration platform integrating more than 150 offensive tools, is being abused by threat actors to accelerate vulnerability discovery and exploitation. The system abstracts vague commands into precise, sequenced technical steps, automating reconnaissance, exploit crafting, payload delivery and persistence. Check Point observed dark‑web discussions showing the tool used to weaponize recent Citrix NetScaler zero-days, including CVE-2025-7775, and cautions that tasks which once took weeks can now be completed in minutes. Organizations are urged to patch immediately, harden systems and adopt adaptive, AI-enabled detection and response measures.

GhostRedirector: IIS SEO Fraud and Windows Backdoors

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.