admin

admin

  • Joined: September 10, 2024
  • Articles: 5390

251 Amazon-Hosted IP Addresses Target ColdFusion, Struts, and Elasticsearch in Exploit Scanning Campaign

May 28, 2025
Network Security / Vulnerability

Cybersecurity researchers have revealed coordinated cloud-based scanning activities that targeted 75 unique “exposure points” earlier this month. Observed by GreyNoise on May 8, 2025, this activity involved up to 251 malicious IP addresses geolocated in Japan and hosted by Amazon. The threat intelligence firm reported that these IPs exhibited 75 distinct behaviors, including CVE exploits, misconfiguration probes, and reconnaissance activities. Notably, the IPs remained inactive before and after this surge, suggesting they were temporarily rented for a single operation. The scanning efforts targeted various technologies, including Adobe ColdFusion, Apache Struts, Apache Tomcat, Drupal, Elasticsearch, and Oracle WebLogic. This opportunistic operation included attempts to exploit known CVEs and probes for misconfigurations, highlighting the threat actors’ intent to identify weaknesses in web infrastructure.

Coordinated Scanning Activity Targeting ColdFusion, Struts, and Elasticsearch Uncovered May 28, 2025 | Network Security / Vulnerability Recent investigations by cybersecurity experts revealed a coordinated scanning initiative that exploited vulnerabilities across a range of platforms. On May 8, 2025, GreyNoise…

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware

April 17, 2023
Financial Security / Malware

Recent findings by Kaspersky reveal a fresh QBot malware campaign that uses compromised business correspondence to deceive victims into installing the malicious software. This ongoing operation, which began on April 4, 2023, is primarily targeting users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.

QBot, also known as Qakbot or Pinkslipbot, has been active since at least 2007. It not only steals passwords and cookies from web browsers but also acts as a backdoor for delivering next-stage payloads like Cobalt Strike or ransomware. Distributed through phishing campaigns, QBot has undergone continuous updates to incorporate techniques that evade detection, such as anti-VM, anti-debugging, and anti-sandbox measures. Notably, it emerged as the most prevalent malware in March 2023, according to Check Point. In its early distribution, it relied on infected websites and other methods.

New QBot Banking Trojan Campaign Exploits Business Emails to Distribute Malware April 17, 2023 Financial Security / Malware Recent research from Kaspersky has unveiled a new initiative utilizing the QBot banking Trojan to compromise business email communications as a method…

Agentic AI Browsers: A New Target for Online Scammers

Artificial Intelligence & Machine Learning , Cybercrime , Fraud Management & Cybercrime AI Agent Deceptively Purchases and Exposes Sensitive Data After Single Prompt Pooja Tikekar (@PoojaTikekar) • August 25, 2025     Image: Shutterstock Research reveals that AI agents designed…

Major Supply Chain Compromise: Backdoor Found in Ripple’s xrpl.js npm Package Targeting Private Keys

April 23, 2025
Blockchain / Cryptocurrency

The JavaScript library xrpl.js, associated with Ripple cryptocurrency, has been compromised in a supply chain attack by unidentified threat actors, aimed at stealing users’ private keys. This vulnerability impacts several versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Versions 4.2.5 and 2.14.3 have since addressed the issue. xrpl.js serves as a widely-used API for interacting with the XRP Ledger blockchain, developed by Ripple Labs since 2012, and has garnered over 2.9 million downloads along with more than 135,000 weekly downloads. “The official xrpl (Ripple) NPM package was compromised by sophisticated attackers who embedded a backdoor specifically designed to steal cryptocurrency private keys and access wallets,” stated Charlie Eriksen of Aikido Security. The malicious code modifications are believed to have been introduced by a…

Ripple’s xrpl.js npm Package Compromised in Significant Supply Chain Attack April 23, 2025 Blockchain / Cryptocurrency In a concerning development within the cryptocurrency sector, the npm JavaScript library for Ripple, known as xrpl.js, has fallen victim to unknown adversaries in…

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptocurrency Miners and Proxyware

Date: May 28, 2025
Categories: Cryptojacking / Vulnerability

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution vulnerability in the Craft Content Management System (CMS). This flaw has been leveraged to deploy multiple payloads, including a cryptocurrency miner, a loader known as Mimo Loader, and residential proxyware. The vulnerability, identified as CVE-2025-32432, is a high-severity issue in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The security defect was first revealed in April 2025 by Orange Cyberdefense SensePost after it was linked to attacks that occurred earlier in February. According to a recent report from Sekoia, the attackers have weaponized CVE-2025-32432 to gain unauthorized access to targeted systems and deploy a web shell for persistent remote control. This web shell is utilized to download and execute a shell script (“4l4md4r.sh”) from a remote server using tools such as curl, wget, or the Python library urllib2.

Mimo Hackers Target Craft CMS Flaw to Deploy Cryptomining and Proxy Services On May 28, 2025, cybersecurity analysts reported an alarming trend in which financially motivated hackers have been exploiting a serious vulnerability in the Craft Content Management System (CMS)—designated…

Iranian State-Sponsored Hackers Target U.S. Energy and Transportation Infrastructure

April 19, 2023
Cyber Threat / SCADA

A subgroup of Iranian state-backed hackers, identified as Mint Sandstorm, has been implicated in a series of attacks against critical U.S. infrastructure from late 2021 to mid-2022. According to Microsoft’s Threat Intelligence team, this group demonstrates a high level of technical expertise, with the ability to create custom tools and rapidly exploit known vulnerabilities. Their operational focus aligns closely with Iran’s national interests, targeting seaports, energy firms, transit systems, and a major U.S. utility and gas company. These cyber activities are believed to be retaliatory, stemming from prior attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran has alleged that these earlier attacks were orchestrated by Israel and the U.S. to incite domestic unrest.

Iranian State-Sponsored Hackers Target U.S. Energy and Transportation Sectors April 19, 2023 Recent investigations have revealed a troubling pattern of cyberattacks linked to an Iranian government-backed group known as Mint Sandstorm. These attacks, which occurred intermittently from late 2021 to…

Ontic Raises $230M to Expand Connected Security Platform

Artificial Intelligence & Machine Learning, Next-Generation Technologies & Secure Development Physical Security Firm Targets Insider Risks with Federal Growth and AI Automation Michael Novinson (@MichaelNovinson) • August 25, 2025 Manish Mehta, Chief Solutions and Innovation Officer at Ontic (Image: Ontic)…

Severe Vulnerability in Commvault Command Center Allows Remote Code Execution

April 24, 2025
Data Breach / Vulnerability

A significant security vulnerability has been identified in the Commvault Command Center, posing a risk for arbitrary code execution on compromised systems. This flaw, designated CVE-2025-34028, has a high CVSS score of 9.0 out of 10. Commvault indicated in an advisory released on April 17, 2025, that the vulnerability permits remote attackers to run arbitrary code without authentication, potentially leading to full system compromise. It affects the 11.38 Innovation Release, covering versions 11.38.0 to 11.38.19, and has been patched in versions 11.38.20 and 11.38.25. Sonny Macdonald, a researcher at watchTowr Labs who discovered and reported the issue on April 7, 2025, noted that it could be exploited for pre-authenticated remote code execution.

Critical Flaw in Commvault Command Center Exposes Systems to Remote Code Execution On April 17, 2025, Commvault alerted its users to a significant security vulnerability within the Command Center, designated as CVE-2025-34028. This flaw poses a severe risk, allowing remote…