The Breach News

GhostRedirector Compromises 65 Windows Servers Through Rungan Backdoor and Gamshen IIS Module

Sep 04, 2025
Data Breach / Malware

Cybersecurity experts have uncovered a new threat cluster known as GhostRedirector, which has infiltrated at least 65 Windows servers predominantly located in Brazil, Thailand, and Vietnam. According to Slovak cybersecurity firm ESET, the attacks have resulted in the installation of a passive C++ backdoor named Rungan, alongside a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor is thought to have been active since at least August 2024.

“While Rungan can execute commands on an infected server, Gamshen is designed to facilitate SEO fraud as-a-service, manipulating search engine results to enhance the page ranking of a specified target website,” stated ESET researcher Fernando Tavella in a report shared with The Hacker News. “Notably, Gamshen only alters responses when requests come from Googlebot, ensuring that regular visitors are not impacted.”

Microsoft Alerts Users to Cross-Account Takeover Vulnerability in Azure Container Instances

On September 10, 2021, Microsoft announced that it had fixed a security flaw in its Azure Container Instances (ACI) service that could be exploited by malicious actors to gain unauthorized access to information from other customers. Researchers referred to this vulnerability as the “first cross-account container takeover in the public cloud.” An attacker could use this weakness to execute harmful commands on other users’ containers, potentially stealing customer secrets and deployed images. Microsoft did not provide further details about the flaw but advised affected customers to “revoke any privileged credentials that were deployed to the platform before August 31, 2021.” Azure Container Instances enables users to run Docker containers directly in a serverless cloud environment without the need for virtual machines, clusters, or orchestration tools. Palo Alto Networks’ Unit 42 threat intelligence team identified the vulnerability…

The Significance of Logs and Log Management in IT Security

In today’s digital landscape, IT security is paramount for organizations of all sizes. Effective security measures begin with vigilant monitoring of your network to identify vulnerabilities that could expose sensitive information to threats. This often includes employing firewalls as the first line of defense, alongside vulnerability management, intrusion detection and prevention systems, and careful configuration of network settings.

The importance of these measures cannot be overstated:

  • Routers may be easily compromised without proper configuration and restrictions.
  • An improperly configured firewall can leave open ports, enabling hackers to infiltrate the network.
  • Threats like rogue access points, botnet malware, and social engineering can transform your wireless network into a gateway for unauthorized access.

Why Are Logs Essential?

The primary goal of IT security is to…

Hacker Exploits Claude Code and GPT-4.1 to Steal Hundreds of Millions of Mexican Records

A recent cybersecurity breach has raised significant concerns across the tech community, involving a single hacker who managed to infiltrate nine different Mexican government agencies. This breach was enabled by the exploitation of two widely used AI platforms: Claude Code, an AI-driven coding assistant, and OpenAI’s GPT-4.1. The attack occurred…

SAP S/4HANA Suffers Active Exploitation of Critical Vulnerability CVE-2025-42957

Sep 05, 2025
Vulnerability / Enterprise Security

A serious security flaw in SAP S/4HANA, a popular Enterprise Resource Planning (ERP) system, is currently being exploited in the wild. This command injection vulnerability, designated as CVE-2025-42957 and given a CVSS score of 9.9, was recently addressed by SAP in its monthly updates. According to the NIST National Vulnerability Database (NVD), “SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC.” This flaw allows for the injection of arbitrary ABAP code into the system, bypassing critical authorization checks. A successful attack could compromise the entire SAP environment, threatening the confidentiality, integrity, and availability of the system. Attackers could manipulate the SAP database, create superuser accounts with SAP_ALL privileges, extract password hashes, and disrupt business processes.

Microsoft Issues Update for Actively Exploited Windows Zero-Day Vulnerability

On September 15, 2021, Microsoft released crucial software updates as part of its monthly Patch Tuesday cycle to address 66 security vulnerabilities across Windows and other platforms, including Azure, Office, BitLocker, and Visual Studio. Among these was an actively exploited zero-day flaw in the MSHTML Platform that surfaced last week. Of the 66 vulnerabilities, three are categorized as Critical, 62 as Important, and one as Moderate. Additionally, the company has resolved 20 vulnerabilities in the Chromium-based Microsoft Edge browser earlier this month. Notably, the most critical update targets CVE-2021-40444 (CVSS score: 8.8), a remote code execution vulnerability in MSHTML that can be exploited through malicious Microsoft Office documents, with experts noting that the exploit relies on logic flaws.

World War C Report: Understanding the Motivations Behind State-Sponsored Cyber Attacks

October 3, 2013

Nation-state driven cyber attacks are increasingly prevalent worldwide, aimed at safeguarding national sovereignty and exerting global influence. In today’s cyber era, conflicts extend into cyberspace, marking it as the fifth domain of warfare. Governments are intensifying their efforts to develop robust cyber capabilities, establishing dedicated cyber units.

In this context, security firm FireEye has published the report “World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks.” This document provides an in-depth analysis of the various strategies employed by countries in executing state-sponsored cyber attacks. Experts are particularly concerned about the rise in these attacks, which are directed at both cyber espionage and sabotage, with notable campaigns like Moonlight Maze and Titan Rain exemplifying this trend.

TAG-150 Develops CastleRAT in Python and C, Enhancing CastleLoader Malware Operations

September 05, 2025
Botnet / Malware

The threat actor behind the malware-as-a-service (MaaS) framework and loader known as CastleLoader has introduced a remote access trojan, CastleRAT. Available in both Python and C versions, CastleRAT primarily functions to collect system information, download and execute additional payloads, and run commands via CMD and PowerShell, according to Recorded Future’s Insikt Group. The cybersecurity firm is monitoring the malicious activities attributed to TAG-150, which is believed to have been operational since at least March 2025. CastleLoader and its variants serve as initial access points for various secondary payloads, including other remote access trojans, information stealers, and additional loaders. CastleLoader (also referred to as CastleBot) was first reported by Swiss cybersecurity firm PRODAFT in July 2025, highlighting its use in campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. Further analysis…

VMware Issues Urgent Warning About Critical File Upload Vulnerability in vCenter Server

On September 22, 2021, VMware released a bulletin detailing up to 19 vulnerabilities in vCenter Server and Cloud Foundation appliances that could be exploited by remote attackers to gain control of affected systems. The most pressing concern is an arbitrary file upload vulnerability in the Analytics service (CVE-2021-22005), which affects vCenter Server versions 6.7 and 7.0. According to VMware, “A malicious actor with network access to port 443 on vCenter Server could exploit this issue to execute code by uploading a specially crafted file.” The company emphasized that this vulnerability is accessible to anyone who can reach vCenter Server over the network, irrespective of its configuration settings. While VMware has provided temporary workarounds for this issue, they caution that these measures are intended only as a stopgap until proper updates can be deployed.