The Breach News

Charon Ransomware Targets Middle East Industries with Advanced Evasion Techniques

Aug 13, 2025
Endpoint Security / Cybercrime

Cybersecurity researchers have disclosed a new campaign using a previously undocumented ransomware family named Charon, targeting the public sector and aviation industry in the Middle East. According to Trend Micro, the attackers employed tradecraft more typical of advanced persistent threat (APT) groups, including DLL side-loading and process injection, to evade endpoint detection and response (EDR) tooling. The side-loading chain resembles techniques associated with the China-linked group Earth Baxia, which previously targeted government entities in Taiwan and the Asia-Pacific region, exploiting a now-patched vulnerability in OSGeo GeoServer GeoTools to deploy a backdoor known as EAGLEDOOR. “The attack chain utilized a legitimate browser-related file, Edge.exe (originally cookie_exporter.exe), to sideload a…”
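
DLL side-loading of this kind leaves a recognisable footprint in process telemetry: a legitimately signed executable runs from an unusual, user-writable path, its on-disk name does not match the name compiled into the binary (Edge.exe versus cookie_exporter.exe), and it loads an unsigned DLL from its own directory. The Python script below is an added example written for this page, not code from Trend Micro or from the article; it applies those two checks to constructed Sysmon-style events rendered as flat key=value lines. The field names follow Sysmon Event ID 1 (process create) and Event ID 7 (image load); the flat format, the sample paths and the trusted-directory list are assumptions.

```python
"""Flag DLL side-loading candidates in Sysmon-style process telemetry.

Two heuristics drawn from the Charon write-up, applied to constructed
sample events (not real telemetry):
  1. Event ID 1 (process create): the on-disk file name differs from the
     PE's OriginalFileName, as with Edge.exe whose original name is
     cookie_exporter.exe.
  2. Event ID 7 (image load): a process running outside the trusted
     install directories loads an unsigned DLL from its own directory.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Assumed trusted install locations; side-by-side loads from here are
# normal (e.g. msedge.exe loading msedge.dll from its own install folder).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Hypothetical flattened key=value rendering of Sysmon fields. Values may
# contain spaces ("Program Files"), so a value runs until the next ' key='.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events for this example (not from the original article).
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Edge.exe "
    "OriginalFileName=cookie_exporter.exe Signed=true",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Edge.exe "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.dll Signed=false",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\Edge.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=1 Image=C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe "
    "OriginalFileName=msedge.exe Signed=true",
    "EventID=7 Image=C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe "
    "ImageLoaded=C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.dll Signed=true",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Turn one flat key=value line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_event(ev: dict[str, str]) -> Finding | None:
    """Apply the two heuristics to a single parsed event."""
    image = ev.get("Image", "")
    if ev.get("EventID") == "1":
        original = ev.get("OriginalFileName", "")
        # ntpath handles Windows paths correctly even when run on Linux.
        if original and ntpath.basename(image).lower() != original.lower():
            return Finding("renamed-executable", image,
                           f"on-disk name differs from OriginalFileName={original}")
    elif ev.get("EventID") == "7":
        dll = ev.get("ImageLoaded", "")
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
        # A missing Signed field is treated as unsigned, the conservative choice.
        unsigned = ev.get("Signed", "").lower() != "true"
        if same_dir and unsigned and not in_trusted_dir(dll):
            return Finding("unsigned-sidecar-dll", image,
                           f"loaded unsigned {ntpath.basename(dll)} from its own directory")
    return None


def analyze(lines: list[str]) -> list[Finding]:
    """Return every finding raised by the sample lines, in input order."""
    findings: list[Finding] = []
    for line in lines:
        finding = check_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

On the sample data the renamed Edge.exe in the user's Temp directory raises both rules, while the genuine msedge.exe under Program Files loading its own signed msedge.dll raises neither; that second case is why the trusted-directory allow-list matters, since side-by-side loading is how most legitimate Windows applications ship their DLLs.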

Warning: Publicly Available Exploit for SAP Solution Manager Vulnerability Discovered

Cybersecurity experts have warned that a fully functional exploit is now circulating online for a vulnerability in SAP enterprise software. The flaw, CVE-2020-6207, stems from a missing authentication check in the User Experience Monitoring component of SAP Solution Manager (SolMan) 7.2. SolMan is the central application lifecycle management hub for an SAP landscape, managing connected systems such as ERP, CRM, HCM, SCM, and BI, which makes it a high-value pivot point. Researchers at Onapsis stated that successful exploitation could let a remote, unauthenticated attacker perform highly privileged administrative tasks on the SAP SMD Agents that SolMan uses to analyse and monitor the connected systems. The vulnerability carries a critical CVSS base score of 10.0; SAP patched it in March 2020, so the warning is aimed at organisations that have not yet applied that fix.

Surge in Brute-Force Attacks on Fortinet SSL VPNs Precedes Focus on FortiManager

August 12, 2025
Threat Intelligence / Enterprise Security

Cybersecurity experts are reporting a significant increase in brute-force traffic directed at Fortinet SSL VPN devices. Threat intelligence firm GreyNoise observed a coordinated effort on August 3, 2025, involving more than 780 unique IP addresses. In the 24 hours before its report, 56 unique malicious IP addresses were identified, originating from countries including the United States, Canada, Russia, and the Netherlands.

Targets of this brute-force activity span the United States, Hong Kong, Brazil, Spain, and Japan. GreyNoise emphasized that the traffic was aimed specifically at its FortiOS profile rather than at generic SSL VPN endpoints, indicating deliberate targeting rather than opportunistic scanning. The firm also reported two distinct waves, one before and one after August 5, one of them a prolonged brute-force attack.
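
Telling a coordinated many-source wave apart from a single-source brute force is the core of what GreyNoise describes, and the two patterns need different detections: per-source failure counts miss a distributed wave in which each address tries only once or twice. The script below is an added example for this page, not GreyNoise's or Fortinet's code. It parses constructed FortiGate-style `ssl-login-fail` records, buckets them into five-minute windows, and raises a "distributed" alert when many distinct sources fail inside one window and a "concentrated" alert when one source accumulates many failures. The log field names mimic FortiGate event logs; the thresholds, timestamps and sample addresses are assumptions.

```python
"""Classify SSL VPN login-failure bursts as distributed or concentrated.

Two patterns from the GreyNoise reporting: a coordinated wave from many
source IPs, and a prolonged brute force from a single source. The log
lines are constructed FortiGate-style key=value records, not real data.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Values are either quoted strings or bare tokens (IPs, dates, times).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EPOCH = datetime(1970, 1, 1)

WINDOW = timedelta(minutes=5)
DISTRIBUTED_MIN_IPS = 5        # distinct sources failing in one window (assumed)
CONCENTRATED_MIN_FAILS = 10    # failures from one source overall (assumed)


def _line(ts: datetime, remip: str, user: str) -> str:
    """Build one constructed FortiGate-style SSL VPN login-failure record."""
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} type="event" subtype="vpn" '
            f'action="ssl-login-fail" remip={remip} user="{user}" '
            f'reason="sslvpn_login_unknown_user"')


BASE = datetime(2025, 8, 3, 10, 15, 0)
# Constructed sample: eight sources each failing once within 40 seconds
# (distributed), one source failing twelve times over eight minutes
# (concentrated), and one lone failure that should raise nothing.
SAMPLE_LOGS = (
    [_line(BASE + timedelta(seconds=5 * i), f"198.51.100.{i}", "admin") for i in range(8)]
    + [_line(BASE + timedelta(minutes=15, seconds=40 * i), "203.0.113.99", f"user{i}")
       for i in range(12)]
    + [_line(BASE + timedelta(minutes=5), "192.0.2.7", "alice")]
)


def parse(line: str) -> dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(lines: list[str], window: timedelta = WINDOW) -> list[tuple[str, str]]:
    """Return (kind, description) alerts for the failure patterns found."""
    ips_per_window: dict[int, set[str]] = defaultdict(set)
    fails_per_ip: Counter[str] = Counter()
    for line in lines:
        ev = parse(line)
        if ev.get("action") != "ssl-login-fail":
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        bucket = (ts - EPOCH) // window          # integer window index
        ips_per_window[bucket].add(ev["remip"])
        fails_per_ip[ev["remip"]] += 1

    alerts: list[tuple[str, str]] = []
    for bucket, ips in sorted(ips_per_window.items()):
        if len(ips) >= DISTRIBUTED_MIN_IPS:
            start = EPOCH + bucket * window
            alerts.append(("distributed",
                           f"{len(ips)} unique sources in window starting {start:%H:%M}"))
    for ip, n in fails_per_ip.most_common():
        if n >= CONCENTRATED_MIN_FAILS:
            alerts.append(("concentrated", f"{n} failures from {ip}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in classify(SAMPLE_LOGS):
        print(f"{kind}: {detail}")
```

The distributed rule is deliberately keyed on distinct sources per window rather than on total failures, because a wave of hundreds of addresses making one attempt each can stay below any per-IP lockout threshold; in production the window and thresholds should be tuned against the appliance's normal failure baseline.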

Why a Recent Supply Chain Attack Targeted Security Companies Checkmarx and Bitwarden

Checkmarx has reported that a recent data breach appears to have stemmed from its GitHub repositories, with access facilitated by a supply chain attack that occurred on March 23, 2023. While the exact types of data that were compromised remain undisclosed, this incident highlights the vulnerabilities inherent in software development…

Top 5 Bug Bounty Platforms to Watch in 2021

February 8, 2021

While Gartner has yet to establish a dedicated Magic Quadrant for Bug Bounty or Crowd Security Testing, its Peer Insights platform currently lists 24 vendors in the “Application Crowdtesting Services” category. We’ve identified the top 5 most promising bug bounty platforms for those looking to enhance their software testing strategies with insights and expertise from global security researchers:

  1. HackerOne
    As a leading name in the bug bounty space, backed by notable venture capitalists, HackerOne is widely recognized worldwide. According to their latest annual report, over 1,700 companies rely on HackerOne to strengthen their in-house application security testing. The report highlights that their security researchers earned around $40 million in bounties in 2019 alone, contributing to a cumulative total of $82 million. HackerOne is also known for coordinating bug bounty programs for the US government, among others.

From HealthKick to GOVERSHELL: Tracing the Development of UTA0388’s Espionage Malware

Oct 09, 2025
Cyber Espionage / Artificial Intelligence

A China-aligned threat group referred to as UTA0388 has been linked to a series of spear-phishing campaigns targeting North America, Asia, and Europe, with the intent of deploying a Go-based implant known as GOVERSHELL. According to a report from Volexity, “The initial campaigns were meticulously crafted for specific targets, using messages that appeared to come from senior researchers and analysts at convincingly fake organizations.” The aim of these spear-phishing efforts was to manipulate targets into clicking links leading to a remotely hosted archive containing a malicious payload. Over time, the threat actor has employed various lures and invented identities, utilizing multiple languages, including English, Chinese, Japanese, French, and German. Early versions of these campaigns often included links to phishing content hosted on either cloud services or their own infrastructure.

Zoom and Xerox Release Urgent Security Updates to Address Privilege Escalation and RCE Vulnerabilities

Aug 13, 2025
Vulnerability / Software Security

Zoom and Xerox have released security updates for Zoom Clients on Windows and for Xerox FreeFlow Core, respectively, addressing vulnerabilities that could enable privilege escalation and remote code execution (RCE). The Zoom flaw, CVE-2025-49457 (CVSS score: 9.6), is an untrusted search path in the Windows clients: the client resolves a dependency from a location an attacker can influence, which may allow an unauthenticated user to escalate privileges via network access.

According to a security bulletin issued by Zoom, the issue was identified by its Offensive Security team and affects the following products:

  • Zoom Workplace for Windows versions prior to 6.3.10
  • Zoom Workplace VDI for Windows versions prior to 6.3.10 (excluding 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows versions prior to 6.3.10
  • Zoom Rooms Controller for Windows versions prior to 6.3.10
  • Zoom Meeting SDK for Windows versions prior to 6.3.10

This disclosure follows the identification of multiple vulnerabilities in critical software platforms.

Microsoft Releases Patches for Active 0-Day Vulnerability and 55 Other Windows Flaws

On February 10, 2021, Microsoft addressed a total of 56 vulnerabilities, including a zero-day that is being actively exploited in the wild. Of these, 11 are rated Critical, 43 Important, and 2 Moderate, and six were publicly known before the patches shipped. The updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and core Windows components such as the kernel, the TCP/IP stack, Print Spooler, and Remote Procedure Call (RPC).

The actively exploited flaw is CVE-2021-1732 (CVSS score 7.8), an elevation-of-privilege bug in the Win32k kernel component: an attacker who already has code execution on a system can use it to run code with elevated privileges, so it is a post-compromise primitive rather than a remote entry point. Microsoft credits JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity with reporting it.

Google Uncovers Three New Malware Families Linked to Russian COLDRIVER Hackers

October 21, 2025
Cyber Espionage / Threat Intelligence

Google’s Threat Intelligence Group (GTIG) reports that the Russia-linked group COLDRIVER has introduced a new suite of malware, indicating an intensified operational tempo. The new families were observed just five days after GTIG publicly documented the group’s LOSTKEYS malware in May 2025, and GTIG has seen no LOSTKEYS activity since that disclosure; how long the replacements had been in development is unclear. The newly identified threats, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, constitute a “collection of related malware families interconnected through a delivery chain,” according to GTIG researcher Wesley Shields in a Monday analysis. Together they mark a significant shift from COLDRIVER’s usual operational patterns.