The Download A critical PHP remote code execution (RCE) vulnerability, identified as CVE-2024-4577, is currently being widely exploited, posing significant risks to Windows systems running PHP in CGI mode. Despite a patch released in June 2024, many systems remain unpatched, leaving them vulnerable. Threat actors can exploit this flaw to execute arbitrary code, potentially leading to full system compromise. Notably, attackers have targeted organizations since early January 2025, with activities including credential theft, establishing persistence, privilege escalation, and deploying adversarial tools like the "TaoWu" Cobalt Strike kit. What You Can Do To mitigate this threat, IT administrators should promptly apply the security patch released in June 2024 to all affected PHP installations. It's crucial to verify that PHP is not running in CGI mode unless absolutely necessary. Implementing continuous monitoring for unusual activities, conducting regular security assessments, and employing intrusion detection systems can further enhance defenses against such exploits. Additionally, reviewing system logs for indicators of compromise, such as unauthorized access attempts or deployment of known adversarial tools, is essential for early detection and response. Use the ThreatMate platform to continuously monitor websites for vulnerabilities. To Learn More: https://www.bleepingcomputer.com/news/security/critical-php-rce-vulnerability-mass-exploited-in-new-attacks/

The Download In a recent cybersecurity incident, the Akira ransomware group demonstrated advanced tactics to infiltrate networks and evade security measures. Initially, they gained access to a victim's network through an exposed remote access solution and deployed AnyDesk.exe to maintain persistent access. They attempted to deploy their ransomware payload on a Windows server via a password-protected zip file ('win.zip') containing the malicious executable ('win.exe'). However, the organization's Endpoint Detection and Response (EDR) system successfully identified and quarantined the threat, thwarting the initial attack. ​ Undeterred, Akira conducted a network scan and discovered unsecured Internet of Things (IoT) devices, including webcams and fingerprint scanners. Exploiting critical vulnerabilities in a Linux-based webcam—such as remote shell capabilities and lack of EDR protection—they compromised the device to bypass traditional security controls. Using the compromised webcam, they generated malicious Server Message Block (SMB) traffic directed at the targeted Windows server, successfully encrypting files across the victim's network without detection.  What You Can Do To mitigate such sophisticated attack vectors, IT administrators should implement several key security measures:​ Network Segmentation:  Isolate IoT devices from critical systems and servers to limit lateral movement opportunities for attackers.​ Regular Audits:  Conduct comprehensive internal network audits to identify and address vulnerabilities in connected devices.​ Patch Management:  Maintain strict patch management practices, ensuring all devices, including IoT equipment, are updated with the latest security patches.​ Secure Configurations:  Change default passwords on IoT devices and disable unnecessary services to reduce potential attack surfaces.​ Monitoring and Detection:  Implement robust monitoring solutions capable of detecting unusual traffic patterns, even from devices not typically covered by EDR systems.​ Device Management:  Power off or disconnect IoT devices when not in use to minimize exposure.​ By proactively addressing these areas, organizations can enhance their defenses against evolving ransomware tactics that exploit unconventional entry points. ThreatMate will both inventory all IoT devices on your network as well as scan them for vulnerabilities and pen test. Sign up for a demo today!

The Download Recent research indicates that approximately 28% of the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog were actively leveraged by ransomware criminals in 2024. The KEV catalog, designed to highlight vulnerabilities with known exploits to aid organizations in prioritizing patching efforts, has inadvertently become a resource for threat actors to identify and target unpatched systems. Attackers monitor these publicly disclosed vulnerabilities, swiftly developing exploits to infiltrate systems lacking timely updates. Once exploited, these vulnerabilities can grant unauthorized access, allowing attackers to deploy ransomware, exfiltrate sensitive data, or disrupt critical services. What You Can Do To mitigate these risks, IT administrators must adopt a proactive vulnerability management strategy. Regularly monitoring and promptly addressing vulnerabilities listed in the KEV catalog is essential. Implementing automated patch management systems can expedite the remediation process, reducing the window of exposure. Additionally, conducting continuous security assessments and penetration testing can identify potential weaknesses before adversaries exploit them. Employing multi-factor authentication (MFA) and network segmentation further enhances defense mechanisms, limiting the impact of potential breaches. By staying vigilant and prioritizing the remediation of known exploited vulnerabilities, organizations can strengthen their resilience against ransomware attacks. ThreatMate scans networks daily for vulnerabilities listed in the KEV catalog and alerts you to any present on the network. We know the adversaries monitor the KEV catalog, you should monitor networks for these vulnerabilities. ThreatMate automates this process for you. Sign up for a demo today! To Learn More: https://www.theregister.com/2025/02/28/cisa_kev_list_ransomware/

The Download In a significant security initiative, nearly 1,000 WordPress plugins and themes were temporarily closed in October due to unresolved vulnerabilities. This action resulted from a special event organized by Patchstack during Cyber Security Month, which led to the discovery of 1,571 valid security vulnerability reports affecting approximately 7.14 million active installations. The vulnerabilities ranged in severity, with some scoring as high as 10.0 on the CVSS scale, indicating critical risks that could allow attackers to execute arbitrary code, escalate privileges, or inject malicious scripts. Exploiting these vulnerabilities could enable attackers to gain unauthorized access, deface websites, steal sensitive data, or even take full control of affected sites. What You Can Do To safeguard their websites, IT administrators should promptly review their installed plugins and themes, ensuring they are up-to-date and sourced from reputable developers. Regular security audits, continuous monitoring for unusual activities, and the use of security plugins can further enhance the protection of WordPress sites.  ThreatMate's pen testing as a service (PTaaS) allows you to test your website's WordPress plug-ins among other attack surfaces for vulnerabilities actively exploited by adversaries. Sign up for a demo today! To Learn More: https://patchstack.com/articles/nearly-1000-plugins-closed-during-wordpress-security-cleanup/

The Download A massive botnet comprising over 130,000 compromised devices is executing large-scale password-spraying attacks targeting Microsoft 365 accounts. These attacks exploit the noninteractive sign-in feature—a basic authentication method often overlooked by security teams. Noninteractive sign-ins are performed by client applications or operating system components on behalf of users, utilizing previously established credentials without requiring user intervention. Attackers leverage this feature to conduct high-volume password-spraying attempts, aiming to gain unauthorized access to accounts while remaining undetected. What You Can Do To defend against these stealthy attacks, IT administrators should disable basic authentication protocols like noninteractive sign-ins, replacing them with modern, secure authentication methods such as OAuth or token-based authentication. Implementing multi-factor authentication (MFA) adds an additional layer of security, significantly reducing the risk of unauthorized access. Regularly monitoring sign-in logs, including noninteractive sign-ins, is crucial for detecting unusual activities. Enforcing strong password policies and educating users about the importance of unique, complex passwords can further enhance account security. ThreatMate analyses M365 tenants for security risks. Sign up for a demo today! To Learn More: https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet

The Download In response to escalating cyber threats, the U.S. Department of Homeland Security (DHS) has introduced the concept of "vulnrichment," aiming to bolster the nation's cybersecurity posture. This initiative focuses on enriching vulnerability data with contextual information to prioritize and address security flaws more effectively. By integrating threat intelligence, exploit availability, and potential impact assessments, vulnrichment enables organizations to allocate resources efficiently, mitigating risks before adversaries can exploit them. Attackers often scan for unpatched vulnerabilities, leveraging automated tools to identify and exploit weaknesses rapidly. Once a vulnerability is exploited, attackers can deploy malware, exfiltrate sensitive data, or disrupt critical services, underscoring the importance of proactive vulnerability management. What You Can Do To safeguard their networks, IT administrators should adopt vulnrichment strategies by incorporating comprehensive threat intelligence feeds into their vulnerability management processes. This approach allows for a nuanced understanding of which vulnerabilities pose the most significant threats based on real-world exploitation trends. Implementing automated patch management systems ensures timely remediation of critical flaws, reducing the window of opportunity for attackers. Regularly conducting security assessments and penetration testing can identify potential weaknesses, enabling organizations to fortify their defenses proactively. By embracing these practices, IT administrators can enhance their organization's resilience against evolving cyber threats. ThreatMate automatically enriches discovered vulnerabilities with threat intelligence risk assessment and presents the vulnerabilities that pose material risk to your networks. Sign up for a demo today! To Learn More: https://www.forbes.com/sites/daveywinder/2025/02/24/us-government-supercharges-security-vulnerabilities/

The Download A critical vulnerability, designated as CVE-2024-53704, has been identified in SonicWall's SonicOS SSLVPN authentication mechanism. This flaw allows remote attackers to bypass authentication and hijack active SSLVPN sessions without valid credentials. Exploitation of this vulnerability grants unauthorized access to the victim's network, enabling malicious activities such as data exfiltration, deployment of malware, and lateral movement within the compromised environment. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of this vulnerability in the wild, underscoring the urgency for immediate remediation. What You Can Do To protect against this threat, IT administrators should promptly update their SonicOS firmware to the latest versions provided by SonicWall, which address this vulnerability. If immediate patching is not feasible, it is advisable to disable the SSLVPN feature temporarily to prevent potential exploitation. Additionally, restricting management access to trusted IP addresses, enforcing strong authentication mechanisms, and monitoring network traffic for unusual activities can further enhance security posture. Regularly reviewing and updating security configurations will help mitigate risks associated with such vulnerabilities. Scan your network attack surfaces proactively with ThreatMate to find vulnerabilities before adversaries exploit them. To Learn More: https://www.bleepingcomputer.com/news/security/sonicwall-firewall-exploit-lets-hackers-hijack-vpn-sessions-patch-now/ https://www.theregister.com/2025/02/14/sonicwall_firewalls_under_attack_patch/

The Download Chinese hacking group Salt Typhoon has been actively targeting U.S. telecommunications providers by exploiting unpatched vulnerabilities in Cisco IOS XE devices. Notably, they have leveraged the CVE-2023-20198 privilege escalation and CVE-2023-20273 Web UI command injection flaws to gain unauthorized access to network infrastructure. Once these vulnerabilities are exploited, attackers can establish persistent access through reconfigured devices, often using generic routing encapsulation (GRE) tunnels to communicate with command-and-control servers. This method allows them to intercept communications, exfiltrate sensitive data, and potentially disrupt critical services. The campaign has affected multiple U.S. ISPs and telecom affiliates, as well as providers in South Africa, Italy, and Thailand. What You Can Do To mitigate these threats, IT administrators should immediately assess their network devices for exposure to the identified vulnerabilities. Ensuring that all Cisco devices are updated with the latest firmware and security patches is paramount. Additionally, administrators should disable unnecessary services, restrict web UI access to trusted IP addresses, and implement robust monitoring to detect unusual activity. Regular security audits and network segmentation can further reduce the attack surface, limiting the potential impact of any breaches. Proactive measures and adherence to security best practices are essential to protect against such sophisticated cyber-espionage campaigns. Use ThreatMate to proactively scan all your network attack surfaces for vulnerabilities adversaries exploit. Sign up for a demo today! To Learn More: https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-more-us-telecoms-via-unpatched-cisco-routers/

The Download Threat actors, suspected to be Russian, are leveraging Microsoft's Device Code Authentication mechanism to gain unauthorized access to Microsoft 365 (M365) accounts. This method involves social engineering tactics where attackers impersonate officials or researchers and engage targets via platforms like Signal. They send fake invitations containing links to Microsoft's legitimate device login page. When targets enter the provided code along with their credentials, attackers intercept the resulting access and refresh tokens, enabling persistent access to the victim's M365 account. This approach is particularly insidious as it exploits a legitimate authentication feature, making detection challenging. What You Can Do To defend against this threat, IT administrators should consider disabling Device Code Authentication if it's not essential for operations. If disabling isn't feasible, implementing conditional access policies to restrict its use to trusted devices or locations is advisable. Regular monitoring of sign-in logs for unusual authentication patterns, especially those involving device code flow, can aid in early detection. Educating users about this specific phishing technique is crucial, emphasizing the importance of verifying unexpected authentication requests and being cautious with unsolicited communications. Use ThreatMate to monitor your M365 tenants' attack surface. Sign up for a demo today. To Learn More: https://www.helpnetsecurity.com/2025/02/14/microsoft-device-code-authentication-phishing-m365-account-compromise/

The Download A critical vulnerability, identified as CVE-2025-0108, has been discovered in Palo Alto Networks' PAN-OS, the operating system powering their firewalls. This flaw allows unauthenticated attackers with network access to the management web interface to bypass authentication and execute specific PHP scripts. While this does not permit remote code execution, it significantly compromises the system's integrity and confidentiality. Exploiting this vulnerability, especially when combined with others like CVE-2024-9474, enables attackers to gain unauthorized access to unpatched and unsecured firewalls, potentially leading to data breaches and network infiltration. What You Can Do To safeguard against this threat, IT administrators should promptly update their PAN-OS to the latest versions: 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, or 10.1.14-h9. It's crucial to restrict access to the management web interface, ensuring only trusted internal IP addresses can connect, thereby minimizing exposure to potential attacks. Regularly monitoring network traffic for unusual activities and adhering to Palo Alto Networks' best practice security guidelines will further enhance the security posture against such vulnerabilities. ThreatMate helps you identify vulnerabilities in your attack surface. Sign up today to demo ThreatMate. To Learn More: https://www.bleepingcomputer.com/news/security/hackers-exploit-authentication-bypass-in-palo-alto-networks-pan-os/

The Download The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have issued a warning regarding hardcoded backdoor vulnerabilities in Contec CMS8000 and Epsimed MN-120 patient monitors. These devices, which monitor vital signs such as heart rate and blood oxygen saturation, are susceptible to unauthorized remote access due to insecure design. Attackers can exploit this backdoor to remotely control the monitors, potentially causing them to malfunction, exfiltrate sensitive patient data, and use the compromised devices as entry points to broader healthcare networks. Such exploitation could lead to incorrect patient monitoring, unauthorized disclosure of protected health information, and further network compromises. What You Can Do To mitigate these risks, IT administrators in healthcare settings should immediately assess whether these vulnerable devices are present within their networks. If so, it is crucial to implement network segmentation to isolate the monitors from critical systems and apply available security patches or firmware updates provided by the manufacturers. Additionally, disabling unnecessary internet connectivity for these devices can reduce exposure to potential attacks. Regularly monitoring network traffic for unusual activity and conducting thorough security assessments can further help in identifying and addressing vulnerabilities before they are exploited. ThreatMate will identify vulnerable assets on networked systems including IoT. Sign up for a demo today! To Learn More: https://www.darkreading.com/vulnerabilities-threats/agencies-sound-alarm-patient-monitors-hardcoded-backdoor

The Download In 2024, cyber threat actors exploited 768 Common Vulnerabilities and Exposures (CVEs), marking a 20% rise from the 639 CVEs exploited in 2023. Notably, 23.6% of these vulnerabilities were weaponized on or before their public disclosure date, underscoring the speed at which attackers leverage new weaknesses. A significant example is CVE-2021-44228, known as Log4Shell, associated with 31 different threat actors. Attackers often exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or disrupt services, leading to data breaches, system compromises, and financial losses. What You Can Do To mitigate these risks, IT administrators should implement a robust vulnerability management program that includes continuous monitoring and timely patching of systems. Prioritizing patches for vulnerabilities known to be actively exploited is crucial. Additionally, reducing the exposure of critical systems to the internet can limit potential attack vectors. Employing intrusion detection systems, maintaining up-to-date threat intelligence, and conducting regular security assessments can further strengthen an organization's defense against such exploits. Get started using ThreatMate to protect your client networks from exploitable vulnerabilities. ThreatMate will monitor all your network attack surfaces, prioritize the vulnerabilities based on threat intelligence, and then create simple mission plans to remediate and reduce risk. Schedule your demo today! To Learn More: https://thehackernews.com/2025/02/768-cves-exploited-in-2024-reflecting.html?m=1