The most severe of these security defects could allow remote attackers to execute arbitrary code.
The post Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server appeared first on SecurityWeek.
A Chinese national allegedly involved in a massive, pandemic-era attack spree that compromised nearly 13,000 U.S. organizations was extradited from Italy to the United States and formally charged in federal court, the Justice Department said Monday.
Xu Zewei and his co-conspirators are accused of exploiting a string of zero-day vulnerabilities in Microsoft Exchange Server to steal research on COVID-19 vaccines, treatment and testing during the initial wave and subsequent height of the pandemic.
His alleged crimes, directed by China’s intelligence services, were part of a broader espionage campaign known as HAFNIUM, which targeted infectious disease experts, law firms, universities, defense contractors and policy think tanks, according to an indictment filed against Xu and Zhang Yu, who remains at large.
The China state-sponsored threat group behind those attacks against Microsoft customers, and many other vendors’ customers since, is now more widely known as Silk Typhoon.
“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.
“He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk,” he added.
Xu allegedly committed the attacks while working for Shanghai Powerock Network, one of many companies that conducted attacks for China’s various intelligence services, according to court records.
Italian authorities arrested Xu at the United States’ request in Milan in July. His capture underscores a window of opportunity U.S. officials and allies can take when nation-state attackers travel to countries that cooperate with the United States.
Italy extradited Xu to the United States Saturday but didn’t release his extradition orders until Monday, Simona Candido, his attorney in Italy, told CyberScoop.
Officials said Monday marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.
“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” John G.E. Marck, acting U.S. attorney for the Southern District of Texas, said in a statement.
Xu allegedly worked under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau to break into U.S. organizations’ networks, steal data and implant webshells for persistent remote access. Officials also accuse Xu of stealing information regarding U.S. policymakers and government agencies from a global law firm with offices in Washington.
Microsoft first warned customers about the HAFNIUM campaign in March 2021. The FBI and Cybersecurity and Infrastructure Security Agency followed soon after with a joint advisory about the widespread compromise of Microsoft Exchange Server.
“Today’s law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government,” Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop.
“Extraditing these individuals from countries in coordination with international law enforcement demonstrates a united stance on these actions, and the importance of bringing real-world consequences to China’s notorious targeting of not just the American people and their businesses, but individuals globally as well,” Shraberg added.
Xu is charged with conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft; two counts of obtaining information by unauthorized access to protected computers; two counts of intentional damage to a protected computer; and aggravated identity theft.
The 34-year-old faces up to 62 years in prison for his alleged crimes.
The post Chinese national extradited to US for pandemic-era Silk Typhoon attacks appeared first on CyberScoop.
Things are improving, but a researcher has still identified over 1,500 Perforce P4 instances allowing attackers to read files on the server.
The post Unsecured Perforce Servers Expose Sensitive Data From Major Orgs appeared first on SecurityWeek.
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.
Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.
Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.
“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”
Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.
Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.
Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.
But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.
“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.”
Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.
For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.
Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.
The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday.
Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild. The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.
The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted.
Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop.
“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”
Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.
The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild.
Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely.
“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.
CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025.
While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter.
“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”
A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.
“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”
The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.
Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.
Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.
The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.
“Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”
SocksEscort’s operators assembled the botnet by exploiting a vulnerability in residential modems from an unnamed vendor, according to officials.
The cybercrime operation defrauded Americans and U.S. businesses of millions of dollars, the Justice Department said. More than one-quarter of the 8,000 infected routers SocksEscort advertised in February were based in the United States.
SocksEscort began operating in 2009 and its command-and-control infrastructure went undetected by most tools for a very long time, Ryan English, information security engineer at Black Lotus Labs, told CyberScoop.
The botnet’s infrastructure, which was powered by AVRecon malware, was elusive and maintained a consistently high volume, claiming an average 20,000 victims weekly since early 2024. Its impact peaked in January 2025 when it ensnared more than 15,000 victims daily, according to Black Lotus Labs’ research.
The company said it observed 280,000 unique IPs as victims of the proxy network since early 2025, and more than half of SocksEscort’s victims were based in the United States and United Kingdom.
“Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after,” Chris Formosa, senior lead information security engineer at Black Lotus Labs, told CyberScoop.
“They were exclusively marketing to cybercriminals and nowhere else,” he added. “With a network like this, once law enforcement gains legal access to backend infrastructure it can give them a lot of intelligence on other threat actors besides the botnet operators.”
Various agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands and Romania assisted in the investigation and takedown.
The post Authorities takedown global proxy network SocksEscort appeared first on CyberScoop.
Tycoon 2FA, a major phishing kit and platform that allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks, was dismantled Wednesday by a global coalition of security companies and law enforcement agencies.
Microsoft, which led the effort alongside Europol and authorities from six countries and 11 security firms or organizations, said it seized 330 domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages.
The platform, which emerged in August 2023, was responsible for tens of millions of phishing messages that reached more than 500,000 organizations globally each month, according to Microsoft Threat Intelligence. Thousands of cybercriminals used Tycoon 2FA to break into email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive and Google services.
“By mid‑2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post about the takedown.
“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Masada added.
The phishing kit, which was developed and advertised by a group Microsoft tracks as Storm-1747, was sold to cybercriminals on Telegram and Signal for $350 a month. The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track and refine their campaigns.
The platform also provided cybercriminals with pre-built templates, attachment files for common phishing lures, domain and hosting configuration and redirect logic, Microsoft said. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million messages in November 2025.
Organizations in education and health care were hit hardest by phishing attacks enabled by Tycoon 2FA. More than 100 members of Health-ISAC, a co-plaintiff in the court case filed in the U.S. District Court for the Southern District of New York, were successfully phished, Masada said.
Two hospitals, six schools and three universities in New York confronted attempts or successful compromises via Tycoon 2FA, resulting in incidents that disrupted operations, diverted resources and delayed patient care, he added.
Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi and four unnamed associates, demanding a $10 million injunction, for developing, running and selling Tycoon 2FA. The court order allowed Microsoft to dismantle and take ownership of Tycoon 2FA’s technical infrastructure.
Authorities from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom assisted with the operation alongside Cloudflare, Coinbase, Crowell & Moring, eSentire, Intel 471, Proofpoint, Resecurity, Shadowserver, SpyCloud and Trend Micro.
Selena Larson, staff threat researcher at Proofpoint who provided a formal declaration in support of the court order, said Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks observed by Proofpoint.
“Tycoon was the biggest MFA phishing threat in our data, and we anticipate seeing a significant decrease after this operation,” she told CyberScoop.
“Many customers will find their hacking tool is no longer working, and even if Tycoon 2FA is able to create new domains and infrastructure, the brand will be significantly harmed, with customers either purchasing less effective phishing kit, or potentially rethinking their life choices and getting out of the game,” Larson added.
Tycoon 2FA’s easy-to-use and robust capabilities contributed to its popularity, researchers said. The platform’s codebase was updated regularly and operators generated a high volume of subdomains for brief periods before abandoning them and moving on to new domains.
Researchers said the rapid turnover and shifts to temporary infrastructure complicated efforts to detect and block new campaigns.
The Tycoon 2FA takedown follows a recent wave of cybercrime crackdowns, including actions against Racoon0365 and the Lumma Stealer infostealer operation, which infected about 10 million systems.
The post Global coalition dismantles Tycoon 2FA phishing kit appeared first on CyberScoop.
Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed late January after in-the-wild attacks already occurred.
The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday.
The attacks were publicly disclosed as researchers and threat hunters scrambled to assess the fallout and observed consistent waves of attacks linked to the Ivanti defects. As of Monday afternoon, Shadowserver scans identified 86 compromised instances based on artifacts of exploitation, Piotr Kijewski, CEO of the nonprofit, told CyberScoop.
Researchers last week warned that attacks involving the Ivanti zero-days would spread, repeating a common pattern following the vendor’s disclosure and a third party’s release of exploit code. The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti EPMM.
Ivanti said a “very limited number of customers” were exploited before it disclosed the defects in a Jan. 29 security advisory, but has declined multiple requests to provide an updated victim count.
The company released indicators of compromise and a detection script Friday to help customers hunt for potential impact, and thanked The Netherlands’ National Cyber Security Centre for contributing to the script’s development. “We are collaborating closely with our customers as well as trusted government and security partners,” a spokesperson for Ivanti said in a statement.
Attackers of various intents and origins are still compromising additional Ivanti EPMM instances, Kijewski said. Shadowserver is using initial artifacts provided by Saudi Arabia’s National Cybersecurity Authority to scan for webshells and other signs of exploitation, including system commands.
“These artifacts are likely not linked to the initial threat actor targeting the vulnerability. It is likely, however, these instances were compromised by multiple actors by now,” Kijewski said. “More is happening than what we are able to observe.”
Nearly 1,300 instances of Ivanti EPMM are still exposed to the internet, but it’s unknown how many of those are vulnerable or already compromised, according to Shadowserver.
Other researchers that have been tracking the vulnerabilities have also found evidence of heightened malicious activity targeting potential victims.
During a 24-hour period, Rapid7’s Ivanti EPMM honeypot “recorded hundreds of inbound traffic connections from more than 130 unique IP addresses, with 58% directly attempting exploitation of the latest Ivanti EPMM vulnerabilities,” said Christiaan Beek, the company’s senior director of threat intelligence and analytics.
Beek emphasized that the dominant payloads observed by Rapid7’s honeypot were not attributed to researchers, but rather built to gain rapid control via reverse shells, webshell deployment attempts and automated payload droppers.
Ivanti has thus far declined to say when and how it first became aware of the vulnerabilities or when the first known date of exploitation occurred.
Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large.
The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years.
The post Fallout from latest Ivanti zero-days spreads to nearly 100 victims appeared first on CyberScoop.
Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls.
The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not say when the earliest known date of exploitation occurred but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday.
Ivanti’s post-attack warning marks a frequent occurrence for its customers, involving yet again highly destructive defects in its code that attackers exploited before the vendor caught or fixed the errors.
The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years.
The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.
The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025.
Ivanti declined to say how many customers have been impacted by the recent zero-day attacks, but researchers warn a recurring pattern is emerging with mass exploitation observed shortly after public disclosure and the release of exploit code.
“This started as tightly scoped zero-day exploitation,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told CyberScoop. “It has since devolved into global mass exploitation by a wide mix of opportunistic actors. That arc is depressingly predictable.”
Shadowserver said it observed a spike in CVE-2026-1281 exploitation attempts from at least 13 source IPs by Saturday. More than 1,400 instances of Ivanti EPMM are still exposed to the internet, according to Shadowserver scans, but it’s unknown how many of those are vulnerable or already compromised.
“It’s important to remember that exposure does not equal exploitation,” Dewhurst said. “But any organization exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes.”
Ivanti advised all on-premises EPMM customers to apply patches, but warned that the script is temporary and will be overridden when customers upgrade software to a new version. The software packages that address the defects “takes only seconds to apply, does not cause downtime and significantly increases adoption and protection rates for customers,” a company spokesperson said.
Ivanti said it will issue a permanent fix for the vulnerability in a future update that it plans to release by April.
The new Ivanti zero-days share many similarities to previous EPMM vulnerabilities, said Ryan Emmons, staff security researcher at Rapid7. “The line between attacker input and trusted code is blurred, resulting in the ability to execute malicious payloads.”
Remotely exploitable vulnerabilities in network edge devices are an appealing and effective attack vector for hackers looking to break into targeted networks. Multiple threat groups last year, including some linked to China, exploited another zero-day defect in Ivanti EPMM — CVE-2025-4428 — and a string of vulnerabilities in other Ivanti products.
“State-sponsored adversaries have generally made strong use of remotely exploitable vulnerabilities in Ivanti kit, which isn’t surprising,” said Caitlin Condon, vice president of security research at VulnCheck.
The latest actively exploited defects affecting Ivanti products reflect a continuation of a years-long battle between the vendor and threat groups that poses a consistent risk for customers.
Some security researchers are more inclined to pin the blame for this sustained security problem on Ivanti itself, yet there is broad agreement these vulnerabilities were not easy for the company to discover prior to exploitation.
Emmons described the defects as nuanced with an odd path to code injection. “With these vulnerable code patterns now known, the vendor’s security teams can more effectively hunt for these sorts of bugs in the future,” he added.
Dewhurst concurred the vulnerabilities were not easy to spot, but said that does not excuse the outcome. “Defensive engineering needs to assume attackers will find the non-obvious paths eventually, because they always do,” he said.
Ivanti’s spokesperson said these types of vulnerabilities are difficult to find, and insisted the company’s security and engineering teams acted quickly to address the defects once they were identified.
The post Ivanti’s EPMM is under active attack, thanks to two critical zero-days appeared first on CyberScoop.
Cybersecurity professionals are closing out 2025 confronting yet another information-disclosure vulnerability, drawing widespread concern as threat hunters and researchers race to avoid impacts comparable to previous defects dubbed with a “bleed” suffix.
MongoBleed — CVE-2025-14847 — is a high-severity vulnerability affecting many versions of MongoDB with default configurations that allows unauthenticated attackers to leak server memory, which could contain sensitive data including credentials or tokens. MongoDB disclosed the vulnerability Dec. 19 and worries escalated when a public proof of concept was released Dec. 26.
Multiple cybersecurity firms report the vulnerability is under active exploitation in the wild, and the Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Monday.
MongoDB is a nearly ubiquitous open-source database. Researchers at Wiz said 42% of cloud environments contain at least one instance of a MongoDB version vulnerable to CVE-2025-14847, including publicly exposed and internal resources.
Shadowserver scans found almost 75,000 possibly unpatched versions of MongoDB, out of nearly 79,000 publicly exposed instances Monday. Censys said it observed more than 87,000 potentially vulnerable instances of MongoDB on Saturday.
Countries with the highest concentration of exposed instances potentially at risk of compromise include China, the United States, Germany, France, Hong Kong, India and Singapore.
The defect, which has a CVSS rating of 8.7, is “concerning because of the scale of the install base, ease of exploitation and lack of forensic evidence left behind,” Ben Read, director of strategic threat intelligence at Wiz, told CyberScoop. “Because it’s a memory-leak vulnerability, there isn’t malware left on the disk, or any durable forensic evidence that data was accessed.”
Wiz has observed exploitation attempts and evidence of active exploitation, but hasn’t been able to attribute any of that malicious activity to a specific threat group, Read said. “We expect that it is being exploited by a wide variety of actors, based on past precedent.”
While threat hunters are on high alert, key details about attacks and the potential impact for exploitation at scale is limited.
“Real-world attack details have been oddly lacking so far,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop.
“A lot of the current public info corpus on MongoBleed seems to be assuming that because there’s public proof of concept, exploitation is trivial, but an adversary still has to be able to get useful data out of an attack flow. I’m not sure it’s actually clear yet that that’s trivial,” she added.
Yet, attacker interest in the vulnerability is growing. As of Monday, VulnCheck is tracking more than a dozen public proof of concepts, some of which appear to be valid.
MongoDB urges customers to upgrade to a patched version as soon as possible, noting that the potential impact is expansive with vulnerable versions dating back to 2017.
Downtime around the holidays may also be impacting visibility and delaying efforts to triage and hunt for evidence of compromise.
“Many security teams are likely to have reduced capacity this week, which may contribute to a longer tail on observed exploitation details and threat actor attribution,” Condon said.
The post MongoBleed defect swirls, stamping out hope of year-end respite appeared first on CyberScoop.
Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday. The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.
Evidence to back up widening concern about the defect is abundant, coming from many corners of the threat research community. Attackers of various types are flocking to the opportunity, including nation-state attackers, cybercriminals, botnets, and threat groups seeking to steal cryptocurrency and deploy cryptojacking malware.
Shadowserver scans concluded the scope of potential impact is much greater than previously thought. On Monday, the organization found more than 165,000 IPs and 644,000 domains with vulnerable code placing those instances at risk of exploitation. Nearly two-thirds of those vulnerable instances are based in the United States.
“This is a one click — game over — kind of vulnerability and corresponding exploit,” Kelly Shortridge, chief product officer at Fastly, told CyberScoop. “We see it basically hitting everyone,” she said, with attackers targeting any organization with valuable data, sensitive records or business-critical applications that can be stolen or knocked down for extortion efforts.
“Security teams are, surprisingly, not all taking this seriously. It’s pretty uneven,” and “surprising to see that kind of dismissiveness from security teams,” Shortridge said.
Half of the public resources exposed to CVE-2025-55182 remain unpatched, and in-the-wild exploitation has expanded rapidly since early Tuesday, Alon Schindel, vice president of AI and threat research at Wiz, wrote in a LinkedIn post. Wiz Research has observed more than 15 distinct intrusion clusters to date.
Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, described this as a “patch-now situation” as simultaneous exploitation is coming from across the entire threat landscape.
“Our telemetry shows a surge in attacks, from low-skill opportunistic abuse, like Mirai bot deployments and coin-miners, to nation-state actors adapting this into their attack stack. We’re also seeing indicators linking this vulnerability exploitation to tooling previously used by ransomware groups,” he added.
Unit 42 on Tuesday said it uncovered activity that overlaps with previous attacks attributed to the North Korea threat group it tracks as Contagious Interview, which has deployed malware on the devices of people seeking jobs in the tech industry.
Researchers at the incident response firm found evidence of compromise across many sectors, including financial services, business services, higher education, technology, government, management consulting, media and entertainment, legal services, telecom and retail.
Attempted attacks are also coming from China state-backed threat groups, according to Amazon and Unit 42. Amazon said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure.
Attackers are pursuing sweeping potential impact because the vulnerability affects multiple React frameworks and bundlers that depend on React Server Components, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and possibly others.
VulnCheck said it has observed nearly 100 public proof-of-concepts for the vulnerability, adding that most of the current variants target Next.js.
GreyNoise said it has observed more than 360 unique IP addresses attempting to exploit the vulnerability, and roughly two-fifths of those malicious IPs contained active payload data revealing widespread attention from automated botnets to more capable attackers, the company said.
The malware used in these attacks is broad, highlighting the myriad objectives and techniques afoot. Unit 42 said it has observed Snowlight, Vshell, NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai and Supershell malware.
Some researchers are comparing the React defect to Log4Shell, an exploit in Apache Log4j’s software library that drew widespread concern in 2021 that continues to bear a long-tail impact in the software supply chain.
While React and Next.js aren’t as widely deployed as Log4Shell, according to Shortridge, the potential impact is worse and the React vulnerability is easier to weaponize as well.
“The delivery vector is the command-and-control channel, which means once they’re in, it’s going to be really difficult to spot them, and they’re probably going to be able to blend into your normal traffic, and they’ll be able to do whatever they want,” she said.
“You’re probably not going to know that it’s happened to you,” Shortridge said. “We are seeing some companies that didn’t think they were vulnerable are surprised to discover that, in fact, they are.”
The post Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims appeared first on CyberScoop.
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.
Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent. The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.
“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”
Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.
“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”
Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.
Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.
Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.
“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”
Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.
The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.
As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]
In a sweeping international crackdown coordinated from Europol’s headquarters, law enforcement agencies from the United States and 10 other countries have disrupted three of the world’s most widely used cybercriminal malware operations. Conducted Nov. 10-13, Operation Endgame focused on neutralizing the Rhadamanthys info-stealing malware, the VenomRAT remote access trojan, and the Elysium botnet — tools authorities say enabled hackers to infect hundreds of thousands of computers and steal millions of sensitive credentials across the globe.
The effort involved law enforcement and judicial agencies from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. According to Europol, the operation led to the arrest of the main VenomRAT suspect in Greece on Nov. 3, searches of 11 locations across Europe, and the seizure or disruption of 1,025 servers and 20 internet domains used by criminals. Coordinated support from over 30 private cybersecurity organizations further assisted the investigation, with companies such as Crowdstrike, Proofpoint, Bitdefender, and the Shadowserver Foundation helping to analyze malicious activity and notify affected network operators.
The law enforcement action is the latest phase of Operation Endgame, an ongoing international initiative to curtail ransomware and malware infrastructure. Previous phases of the operation targeted similar cybercrime enablers over the past two years. Officials said the dismantled infrastructure included hundreds of thousands of computers running malware and several million stolen credentials.
The Shadowserver Foundation, which aggregates global malware infection data, said it sent alerts about Rhadamanthys infections between March and November to national security response teams in 175 countries and more than 10,000 network owners. Europol added that the principal suspect behind the infostealer controlled access to over 100,000 cryptocurrency wallets, with potential losses reaching millions of euros. Many victims whose credentials and devices were compromised continued to operate their systems unaware, authorities said.
VenomRAT, which evolved from earlier remote access trojans, was reportedly marketed for around $150 per month and delivered primarily through malicious email attachments. It allowed users to open backdoors on compromised computers, effectively taking over devices remotely and sometimes exfiltrating sensitive data or launching additional attacks.
Authorities also contacted users of compromised criminal services, appealing for information and exposing some users through an operation-dedicated website and Telegram channel. As these offenders increasingly leverage global infrastructure, authorities suggest that coordinated responses are likely to remain a key feature in future takedowns.
Operation Endgame is ongoing, with officials indicating that additional actions may follow as investigations continue.
The post Operation Endgame targets malware networks in global crackdown appeared first on CyberScoop.
Brian Fehrman// Microsoft Lync servers have been a staple of my external engagements for the past six months or so. I have found a Lync server on all of those […]
The post PSA: It’s 10PM, Do You Know Where Your Lync Servers Are? appeared first on Black Hills Information Security, Inc..
Login