
SonicWall firewalls hit by active mass exploitation of suspected zero-day

5 August 2025 at 19:30

SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.

Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.

“A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggest a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”

SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.

Researchers from multiple security companies confirmed attackers have intruded and compromised customer networks, even in environments with multi-factor authentication enabled.

Attackers are moving swiftly, pivoting directly to domain controllers within hours and deploying ransomware after short dwell times, Huntress said in a threat advisory Monday. The company said it has observed about 20 attacks, occurring in almost daily bursts, starting July 25.

Huntress said post-compromise techniques span a mix of automated scripts and hands-on keyboard activities prior to Akira ransomware deployment. This includes the abuse of privileged accounts for administrative access, backdoor implants, lateral movements to steal credentials from multiple databases and a methodical disablement of security tools and firewalls. 

Multiple attackers have gained access to internal networks via SonicWall devices. While there are some similarities across the various attacks, Huntress also noted some differences, suggesting multiple threat groups might be involved or attackers are adapting to situations upon gaining access.  

SonicWall, a repeat offender

The active mass exploitation targeting SonicWall firewalls underscores the persistent risk the vendor’s customers have confronted for years. SonicWall has 14 entries on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021.

The more recent and ongoing attacks are targeting a next-generation firewall, unlike last month’s series of financially motivated attacks targeting organizations using fully patched, but outdated SonicWall Secure Mobile Access 100 series appliances. Half of the exploited vulnerabilities on CISA’s catalog affect SonicWall SMA 100 appliances, including three of the four defects actively exploited this year. 

SonicWall’s recommendation to disable SSLVPN on Gen 7 firewalls, which allows users to establish encrypted connections to the corporate network, serves as an acknowledgment that the critical service can’t be trusted to serve its primary purpose. Many organizations require employees to access their corporate network via VPN.

SonicWall’s SSLVPN was the root of the problem in at least three actively exploited vulnerabilities on CISA’s known exploited vulnerabilities catalog, including CVE-2024-53704, CVE-2023-44221 and CVE-2021-20016.

Akira ransomware impacted more than 250 organizations, claiming about $42 million in extortion payments from March 2023 to January 2024, CISA said in an advisory last year. Officials said Akira operators steal data and encrypt systems before threatening to publish data. Some Akira affiliates have also called victimized companies to apply further pressure, according to the FBI.

An investigation into the root cause of the attacks and origins of those responsible is ongoing.

The post SonicWall firewalls hit by active mass exploitation of suspected zero-day appeared first on CyberScoop.

Microsoft SharePoint attacks ensnare 400 victims, including federal agencies

24 July 2025 at 14:39

The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.

Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.

As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.

The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

Microsoft said it observed Storm-2603 modifying policy settings to distribute Warlock ransomware in compromised environments. The attacker is also attempting to steal cryptographic keys from compromised SharePoint servers, which could allow attackers to maintain persistent access to victim environments after the patch has been applied. Microsoft did not say how many organizations have been hit with ransomware.

The zero-days under active exploit —  CVE-2025-53770 and CVE-2025-53771 — are variants of a pair of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — Microsoft addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all affected versions of SharePoint by late Monday.

The exploit dubbed “ToolShell,” which allows attackers to bypass multi-factor authentication and single sign-on, contains the newly discovered defects: CVE-2025-53770, a critical remote-code execution vulnerability, and CVE-2025-53771, a security-bypass vulnerability. 

The “ToolShell” exploit chain allows attackers to fully access SharePoint content and execute code over the network, the Cybersecurity and Infrastructure Security Agency said. ESET Labs researchers said threat groups often chain all four vulnerabilities to intrude organizations.

CISA added CVE-2025-53770 to its known exploited vulnerabilities catalog Sunday, and added CVE-2025-49704 and CVE-2025-49706 to the database Tuesday. CISA said CVE-2025-53770 is a patch bypass for CVE-2025-49704 and CVE-2025-53771 is a patch bypass for CVE-2025-49706.

Officials declined to describe the level of compromise sustained across the federal government.

“Once the Microsoft SharePoint vulnerability was identified on Friday, CISA quickly launched a national coordinated response through an initial alert and two cybersecurity updates,” a Department of Homeland Security spokesperson said in a statement. “CISA has been working around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures to shield from future attacks.”

The spokesperson said an investigation to identify potential exposure remains ongoing, adding “there is no evidence of data exfiltration at DHS or any of its components at this time.”

The Energy Department, which was impacted along with the National Nuclear Security Administration, is also unaware of any compromise of sensitive or classified information. 

Exploitation of the Microsoft SharePoint zero-day vulnerability began affecting the Energy Department and the NNSA on Friday. “The department was minimally impacted due to its widespread use of the Microsoft 365 cloud and very capable cybersecurity systems,” an agency spokesperson said in a statement.

“A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate,” the spokesperson added.

The Department of Health and Human Services said it is monitoring, identifying and mitigating all risks to its IT systems posed by the Microsoft SharePoint vulnerability. “This vulnerability is not unique to HHS and has been observed in other federal agencies and the private sector,” a spokesperson for the agency said in a statement. “At present, we have no indication that any information was breached as a result of this vulnerability.”

Jayme Ackemann, director of communications at the California Independent System Operator, said the nonprofit, which manages long-distance power lines across 80% of California’s grid, became aware of potential exploitation Sunday. “There has been no impact to market operations or grid reliability due to this incident,” Ackemann said. “All systems remain stable and fully operational.”

Microsoft SharePoint is prevalent across enterprise and government and deeply integrated with Microsoft’s platform. Researchers warn that attackers could use intrusions to burrow deeper into victim networks.

Attacks have spread globally but U.S.-based organizations are the most heavily targeted to date, accounting for more than 13% of attacks, according to ESET’s telemetry data. Scans from the Shadowserver Foundation showed nearly 11,000 SharePoint instances were still exposed to the internet as of Wednesday.

The post Microsoft SharePoint attacks ensnare 400 victims, including federal agencies appeared first on CyberScoop.

Cisco network access security platform vulnerabilities under active exploitation

23 July 2025 at 11:23

A pair of maximum-severity vulnerabilities affecting Cisco’s network access security platform are under active exploitation, the enterprise networking and IT vendor warned in a security advisory Monday.

The software defects in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector — CVE-2025-20281 and CVE-2025-20337 — were disclosed and addressed by Cisco on June 25, followed by the disclosure of a third critical vulnerability in the same software, CVE-2025-20282, on July 16. Cisco said it became aware of reported attempted exploitation of CVE-2025-20281 and CVE-2025-20337 on July 21.

“Based on these reports, we have updated our security advisory to reflect the attempted exploitation,” a Cisco spokesperson said in a statement. “At this time, we are not aware of any attempted exploitation or malicious use of CVE-2025-20282, and we continue to strongly recommend that customers upgrade to fixed software releases that remediate these vulnerabilities.”

All three of the vulnerabilities have a CVSS rating of 10 and there are no workarounds for the software defects. Cisco warned that all three vulnerabilities can be exploited by an unauthenticated, remote attacker, allowing arbitrary code execution on the underlying system as root.

Cisco did not say how many customers are currently impacted.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said researchers detected active exploitation of CVE-2025-20281 on July 17. “Since CVE-2025-20281 and CVE-2025-20337 are very similar, we believe both are under active attack. Proof of concept exploit code was first made public on June 27,” Childs said.

“Right now, those attacks appear to be limited and targeted. Cisco ISE is used by thousands of enterprises, so the potential impact is large,” he added.

The origins and motivations of the threat group or attacker behind the exploits remain unknown, but the potential interest is broad.

“Threat actors would be interested in these vulnerabilities because a Cisco ISE has a high degree of network visibility through logging, which gives threat actors insight for further attacks in the network,” Childs said. “An ISE also is a repository for potentially all of the users in an organization.”

The post Cisco network access security platform vulnerabilities under active exploitation appeared first on CyberScoop.

Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups

22 July 2025 at 11:54

Microsoft said two China nation-state threat groups and a separate attacker based in China are exploiting the zero-day vulnerabilities that first caused havoc to SharePoint servers over the weekend.

Linen Typhoon and Violet Typhoon — the Chinese government-affiliated threat groups — and an attacker Microsoft tracks as Storm-2603 are exploiting the pair of zero-day vulnerabilities affecting on-premises SharePoint servers, Microsoft Threat Intelligence said in a blog post Tuesday.

The zero-days — CVE-2025-53770 and CVE-2025-53771 — have been exploited en masse to intrude hundreds of organizations globally, spanning multiple sectors, including government agencies, according to researchers. 

Both defects are variants of previously disclosed vulnerabilities that Microsoft had already addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all versions of SharePoint by late Monday.

The attack spree is ongoing and spreading. 

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft Threat Intelligence researchers said in the blog post.

Underscoring the widespread alarm caused by the attacks, the Cybersecurity and Infrastructure Security Agency issued a rare weekend alert about active attacks and added the defect to its known exploited vulnerabilities catalog Sunday.

Microsoft’s initial attribution assessment tracks with other incident responders and researchers who are swarming to combat the threat the attacks pose to critical infrastructure. The motivations and origins of threat groups behind the attacks have also spread beyond China and its government.

Charles Carmakal, chief technology officer at Mandiant Consulting, said the early zero-day exploitation was broad and opportunistic. 

“At least one of the actors responsible for this early exploitation is a China-nexus threat actor,” he said in an email. “It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”

Microsoft researchers said Linen Typhoon, Violet Typhoon and Storm-2603 attempted to exploit the previously disclosed SharePoint vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — as early as July 7. Typhoon is the family name Microsoft applies to nation-state threat groups originating from China, and Storm is a moniker the company uses for threat groups in development.

Linen Typhoon, which has been active since 2012, has focused on stealing intellectual property from organizations in government, defense, strategic planning and human rights, according to Microsoft. 

Violet Typhoon, which emerged in 2015, is an espionage threat group targeting former government and military personnel, non-governmental organizations, think tanks, higher education, media, finance and health-related industries in the United States, Europe and East Asia. “This group persistently scans for vulnerabilities in the exposed web infrastructure of targeting organizations, exploiting discovered weaknesses to install web shells,” Microsoft researchers said.

Storm-2603 is the China-based attacker that’s attempting to steal MachineKeys from compromised SharePoint servers, according to Microsoft. Researchers have warned that the theft of cryptographic keys could allow attackers to maintain persistent access to victim environments after the patch has been applied.

The post Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups appeared first on CyberScoop.

CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe

14 July 2025 at 17:46

Authorities and researchers are intensifying warnings about active exploitation and pervasive scanning of a critical vulnerability affecting multiple versions of Citrix NetScaler products.

There is now widespread agreement among security professionals that the critical vulnerability, CVE-2025-5777, which Citrix disclosed June 17, is serious and harkens back to a 2023 defect in the same products: “CitrixBleed,” or CVE-2023-4966. Naturally, threat hunters are scrambling to assess and stop the strikingly similar challenges summoned by exploits of the newest CVE. 

For some Citrix customers, the warnings are too late. Vulnerability scans confirm active exploits occurred within a week of disclosure, and attackers have been swarming, hunting for exposed instances of the impacted devices since exploit details were publicly released earlier this month. 

“This vulnerability in Citrix NetScaler ADC and Gateway systems, also referred to as CitrixBleed 2, poses a significant, unacceptable risk to the security of the federal civilian enterprise,” Chris Butera, acting executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a statement. CISA added the vulnerability to its known exploited vulnerabilities catalog on July 10.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” Butera added. The agency typically requires agencies to resolve “high risk” vulnerabilities within 30 days and “critical risk” vulnerabilities within 15 days.

The pre-authentication remote memory disclosure vulnerability, which has a CVSS score of 9.3, has been increasingly targeted for attacks globally. Imperva researchers on Friday said they’ve observed more than 11.5 million attack attempts targeting thousands of sites since the exploit was disclosed. 

“Attackers appear to be scanning extensively for exposed instances and attempting to exploit the memory-leak vulnerability to harvest sensitive data,” Imperva researchers said in a blog post.

Nearly 2 in 5 attack attempts have targeted sites in the financial services industry and 3 in 5 of those targeted sites are based in the United States, according to Imperva.

GreyNoise scans have observed 22 unique malicious IPs attempting to exploit CVE-2025-5777 thus far. The first malicious IP was observed June 23 and a spike of 11 unique malicious IPs was observed Friday. 

“I haven’t seen any attrition yet. This could be as bad or even worse than CitrixBleed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop. “The attack is very repeatable and those systems rarely have network monitoring. They also aren’t regularly updated, so patching them may be an issue.”

The number of Citrix customers already impacted remains unknown and victims have yet to come forward. 

“A lot of the attacks seem opportunistic, so there are likely multiple threat actors using the bug,” Childs said.

Citrix maintains there was no evidence of active exploitation when it disclosed the vulnerability. The vendor hasn’t shared much publicly in almost three weeks, other than an update in a June 26 blog post noting that CISA was aware of evidence of active exploitation. The company did not respond to a request for comment.

In the June blog post, Anil Shetty, senior vice president of engineering at NetScaler, disputed comparisons between CVE-2025-5777 and CVE-2023-4966. “While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related,” Shetty wrote. Cloud Software Group is the parent company of Citrix.

Researchers are also leveling criticism at Citrix for the relative ease by which an attacker can compromise a vulnerable instance of Citrix NetScaler with just a few requests. 

“The term ‘CitrixBleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively bleeding sensitive information,” Akamai Security Intelligence Group said in a blog post.

Akamai researchers described the root cause of the vulnerability as “an uninitialized login variable, combined with improper memory handling, lack of input validation and missing error handling in Citrix NetScaler’s authentication logic.”

Zach Edwards, an independent cybersecurity researcher, told CyberScoop that CVE-2025-5777 and CVE-2023-4966 are “extremely similar,” aside from subtle differences in the versions of NetScaler impacted.

“The fact that these pre-authentication vulnerabilities keep coming up, which can facilitate complete compromises, is disappointing to see,” Edwards said. “It’s unclear how these significant vulnerabilities keep making their way through development processes, but Citrix clients, especially in the government and enterprise sectors, should be demanding more and requiring additional public context about the steps Citrix takes to test its software prior to a release.”

The post CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe appeared first on CyberScoop.

Abusing Active Directory Certificate Services (Part 2)

By: BHIS
12 October 2023 at 11:44

Misconfigurations in Active Directory Certificate Services (ADCS) can introduce critical vulnerabilities into an Enterprise Active Directory environment, such as paths of escalation from low privileged accounts to domain administrator.

The post Abusing Active Directory Certificate Services (Part 2) appeared first on Black Hills Information Security, Inc.

Abusing Active Directory Certificate Services (Part 1)

By: BHIS
5 October 2023 at 12:00

Active Directory Certificate Services (ADCS) is used for public key infrastructure in an Active Directory environment. ADCS is widely used in enterprise Active Directory environments for managing certificates for systems, users, applications, and more.

The post Abusing Active Directory Certificate Services (Part 1) appeared first on Black Hills Information Security, Inc.

An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit

By: BHIS
8 April 2019 at 11:57

Jordan Drysdale// This is basically a slight update and rip off of Marcello’s work out here: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html /tl;dr – Zero to DA on an environment through an exposed Outlook Web […]

The post An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit appeared first on Black Hills Information Security, Inc.

Malicious Outlook Rule without an EXE

By: BHIS
20 December 2016 at 11:16

Carrie Roberts // My current favorite exploit is creating malicious outlook rules as described here. The rule is configured to download an executable file with an EXE extension (.exe) when an […]

The post Malicious Outlook Rule without an EXE appeared first on Black Hills Information Security, Inc.
