All news with #exploit detected tag

HexStrike-AI Enables Rapid Zero-Day Exploitation at Scale

⚠️ HexStrike-AI is a newly released framework that acts as an orchestration “brain,” directing more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of release, dark‑web chatter showed threat actors attempting to weaponize it against recent zero‑day CVEs, dropping webshells enabling unauthenticated remote code execution. Although the targeted vulnerabilities are complex and typically require advanced skills, operators claim HexStrike-AI can reduce exploitation time from days to under 10 minutes, potentially lowering the barrier for less skilled attackers.

VS Code Marketplace Flaw Lets Deleted Extensions Be Reused

🔍 Researchers at ReversingLabs found a loophole in the Visual Studio Code Marketplace that permits threat actors to republish removed extensions under the same visible names. The new malicious package, ahbanC.shiba, mirrors earlier flagged extensions and acts as a downloader for a PowerShell payload that encrypts files in a folder named "testShiba" and demands a Shiba Inu token ransom. Investigation revealed that extension uniqueness is enforced by the combination of publisher and name, not the visible name alone, enabling attackers to reuse names once an extension is removed. Organizations should audit extension IDs, enforce whitelists, and run automated supply-chain scanning to reduce exposure.

VS Code Marketplace Name Reuse Enables Malware Campaign

🔍 ReversingLabs has exposed a campaign in which malicious Visual Studio Code extensions exploited a name-reuse loophole on the VS Code Marketplace. A downloader extension named ahbanC.shiba executed the command shiba.aowoo to fetch a second payload that encrypted files and demanded one Shiba Inu token, although no wallet address was provided. The vulnerability arises because removed extensions free their names for reuse, contrary to Marketplace guidance that names are unique. Researchers demonstrated the issue by republishing test extensions under previously used names and warned developers to exercise greater caution when installing Marketplace packages.

ShadowSilk Targets 35 Government Entities in APAC Region

🔎 Group-IB attributes a new cluster dubbed ShadowSilk to recent intrusions against 35 government and related organizations across Central Asia and APAC. The operators employ spear-phishing with password-protected archives to deploy a custom loader that conceals command-and-control traffic using Telegram bots and achieves persistence via Windows Registry modifications. Observed tooling includes web shells (ANTSWORD, Behinder, Godzilla, FinalShell), tunneling utilities, Cobalt Strike, and bespoke credential-stealing components used to exfiltrate data.

Sni5Gect: Novel 5G Sniff-and-Inject Downgrade Attack

🔍 A research team at SUTD's ASSET group released Sni5Gect, an open-source over-the-air toolkit that passively sniffs early 5G signaling and injects crafted payloads before NAS security is established. The framework can crash UE modems, fingerprint devices, bypass some authentication flows, and force downgrades from 5G to 4G without deploying a rogue gNB, with reported injection success rates of 70–90% at up to 20 m. GSMA recorded the issue as CVD-2024-0096.

Applying AI Analysis to Detect Fraud and Exploits in PDFs

🛡️ VirusTotal has extended Code Insights to analyze PDF files by correlating the document’s visible content with its internal object structure. The AI inspects object trees, streams, actions, and the human-facing layer (text/images) to surface both technical exploits and pure social-engineering lures. In early testing it flagged numerous real-world scams—fake debt notices, QR-based credential traps, vishing alerts, and fraudulent tax-refund notices—that traditional engines missed when files contained no executable logic.

CISA Adds Three New Vulnerabilities to KEV Catalog

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025: CVE-2024-8069 and CVE-2024-8068 affecting Citrix Session Recording, and CVE-2025-48384, a Git link following vulnerability. CISA states these defects are supported by evidence of active exploitation and represent frequent attack vectors that pose significant risk to the federal enterprise. While BOD 22-01 binds Federal Civilian Executive Branch agencies to remediate listed CVEs by the required due dates, CISA urges all organizations to prioritize timely remediation and incorporate these entries into vulnerability management workflows.

Threat Actors Abuse SDKs to Sell Victim Bandwidth Stealthily

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.

Microsoft restricts Chinese firms' early MAPP exploit access

🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.

Smashing Security Podcast 431: Cloud Bill Fraud & EDR Risks

🛡️ In episode 431 of the Smashing Security podcast, Graham Cluley and guest Allan Liska examine a high-profile cloud-billing fraud in which a crypto influencer calling himself CP3O racked up millions in unpaid cloud costs through cryptomining schemes. They also highlight the growing threat of EDR‑killer tools that can silently disable endpoint protection to aid attackers. The show includes lighter segments on the Internet Archive’s Wayforward Machine and a visit to Mary Shelley’s grave, and carries a content warning for mature language and themes.

Warlock Ransomware: Emerging Threat Targeting Services

⚠️ Warlock is a ransomware operation that emerged in 2025 and uses double extortion — encrypting systems and threatening to publish stolen data to coerce payment. The group has targeted government agencies and critical service providers across Europe, and on August 12 a cyber incident disrupted UK telecom Colt Technology Services, with an alleged auction of one million stolen documents. Security analysts link recent intrusions to exploitation of the SharePoint vulnerability CVE-2025-53770, which Microsoft says is actively exploited; Microsoft has published analysis and urges immediate patching. Recommended mitigations include enforcing multi‑factor authentication, keeping security tools and software patched, maintaining secure off‑site backups, reducing attack surface, encrypting sensitive data, and educating staff on phishing and social engineering.

Falcon Stops COOKIE SPIDER's SHAMOS macOS Delivery

🔒 Between June and August 2025, the CrowdStrike Falcon platform blocked a widespread malware campaign that attempted to compromise more than 300 customer environments. The campaign, operated by COOKIE SPIDER and renting the SHAMOS stealer (an AMOS variant), used malvertising and malicious one-line install commands to bypass Gatekeeper and drop a Mach-O executable. Falcon detections—machine learning, IOA behavior rules and threat prevention—prevented SHAMOS at download, execution and exfiltration stages. CrowdStrike published hunting queries, mitigation guidance and IOCs including domains, a spoofed GitHub repo and multiple script and Mach-O hashes.

WinRAR zero-day (CVE-2025-8088) used in RomCom attacks

🔒 ESET researchers uncovered a previously unknown WinRAR vulnerability, tracked as CVE-2025-8088, that is being actively exploited by the Russia-aligned actor RomCom in targeted spearphishing campaigns. The Windows path traversal flaw enables execution of arbitrary code when victims open crafted archives. Users should update to WinRAR 7.13 immediately and consult ESET's video and blogpost for indicators and mitigation.

Erlang/OTP SSH RCE: CVE-2025-32433 Exploitation Wave

⚠️ Unit 42 details active exploitation of CVE-2025-32433, a critical (CVSS 10.0) unauthenticated RCE in the Erlang/OTP SSH daemon that processes SSH protocol messages prior to authentication. Researchers reproduced and validated the bug and observed exploit bursts from May 1–9, 2025, with payloads delivering reverse shells and DNS-based callbacks to randomized subdomains. Immediate remediation is to upgrade to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later); temporary measures include disabling SSH, restricting access and applying Unit 42 signature 96163.

Customer Guidance for SharePoint CVE-2025-53770 Patch

🔒 Microsoft warns of active attacks against on-premises SharePoint Server and has issued security updates that fully remediate CVE-2025-53770 and CVE-2025-53771 for supported versions. Customers should apply the published updates immediately, enable AMSI with HTTP request body scanning where available, and deploy endpoint protections such as Microsoft Defender for Endpoint. After patching, rotate ASP.NET machine keys and restart IIS to complete mitigation; SharePoint Online is not affected.

Mass-Scale Vulnerability in Hikvision Surveillance Cameras

🔓 Over 80,000 Hikvision surveillance cameras remain vulnerable to an 11-month-old command injection flaw tracked as CVE-2021-36260, which NIST rated 9.8/10. Researchers report evidence of criminal activity in Russian dark-web forums where leaked credentials are being sold and exploitation collaborations are solicited. The persistent exposure underscores systemic IoT weaknesses, widespread use of default credentials, and uneven patching practices that leave organizations and critical infrastructure at risk.

CISA Alerts: Palo Alto PAN-OS Vulnerability Under Attack

🔔 CISA has warned that firewalls running Palo Alto Networks PAN-OS are under active attack and require immediate patching. The issue, tracked as CVE-2022-0028, can be abused without authentication to perform reflected and amplified TCP denial-of-service attacks using PA-Series, VM-Series and CN-Series devices. Palo Alto has released patches for multiple PAN-OS branches and CISA added the flaw to its Known Exploited Vulnerabilities Catalog, urging federal agencies to remediate by September 9. Administrators should review URL filtering profiles with blocked categories on externally facing interfaces and apply vendor fixes promptly.