Tag Sophos

Zerobot Botnet Surges as a Rising Threat with Enhanced Exploits and Features

The Zerobot DDoS botnet has undergone significant updates, enhancing its capacity to target a broader range of internet-connected devices and expand its network. Microsoft Threat Intelligence Center (MSTIC) is closely monitoring this evolving threat, referring to it as DEV-1061, which encompasses unidentified, emerging, or developing activity clusters. First reported by…

Read MoreZerobot Botnet Surges as a Rising Threat with Enhanced Exploits and Features

Researchers Connect CACTUS Ransomware Strategies to Ex-Black Basta Members

Recent cybersecurity investigations have revealed a convergence between two notorious ransomware groups: Black Basta and CACTUS. Both factions have been exploiting a shared BackConnect (BC) module, facilitating persistent control over compromised systems. This development hints at a potential shift, suggesting that affiliates of Black Basta may now be operating under…

Read MoreResearchers Connect CACTUS Ransomware Strategies to Ex-Black Basta Members

Microsoft Addresses 125 Vulnerabilities, Including Exploited Windows CLFS Flaw

In recent developments, Microsoft has unveiled critical security patches addressing a staggering array of 125 vulnerabilities across its software platforms. Among these, one vulnerability has been identified as under active exploitation in the wild, raising significant alarms within the cybersecurity community. Of the reported vulnerabilities, 11 are designated as Critical,…

Read MoreMicrosoft Addresses 125 Vulnerabilities, Including Exploited Windows CLFS Flaw

Gootkit Malware Implements New Strategies Targeting Healthcare and Financial Institutions

Recent investigations by Cybereason have revealed that the Gootkit malware, also known as Gootloader, is primarily targeting healthcare and financial entities across the United States, United Kingdom, and Australia. These findings shed light on the evolving threat landscape, emphasizing the need for heightened vigilance in these sectors. In a December…

Read MoreGootkit Malware Implements New Strategies Targeting Healthcare and Financial Institutions

VanHelsing RaaS Launch: 3 Targets, $5K Entry Fee, Multi-Platform Support, and Double Extortion Strategies

The cybersecurity landscape has recently been shaken by the launch of a ransomware-as-a-service (RaaS) operation named VanHelsing, which has already targeted three victims since its inception on March 7, 2025. The ransoms demanded by VanHelsing have reached staggering amounts, totaling as high as $500,000. This model facilitates participation from a…

Read MoreVanHelsing RaaS Launch: 3 Targets, $5K Entry Fee, Multi-Platform Support, and Double Extortion Strategies

China-Linked Hackers Target SAP and SQL Server Vulnerabilities in Attacks Across Asia and Brazil

May 30, 2025
Vulnerability / Threat Intelligence

A China-linked threat group has been identified as the source of recent attacks exploiting a critical security flaw in SAP NetWeaver, part of a larger campaign against organizations in Brazil, India, and Southeast Asia that began in 2023. According to Trend Micro security researcher Joseph C. Chen, the attackers primarily exploit SQL injection vulnerabilities in web applications to infiltrate SQL servers of targeted entities. “The actor also leverages various known vulnerabilities to compromise public-facing servers,” Chen noted in a recent analysis. Key targets have included Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Trend Micro is tracking this activity under the name Earth Lamia, which shows some overlap with threat clusters reported by Elastic Security Labs as REF0657, Sophos as STAC6451, and Palo Alto Networks’ Unit 42.

China-Linked Hackers Exploit Vulnerabilities in SAP and SQL Server Across Asia and Brazil May 30, 2025 In a concerning development for global cybersecurity, a China-linked threat actor has been identified as the driving force behind a significant exploitation of a critical vulnerability in SAP NetWeaver. This incident is part of…

Read More

China-Linked Hackers Target SAP and SQL Server Vulnerabilities in Attacks Across Asia and Brazil

May 30, 2025
Vulnerability / Threat Intelligence

A China-linked threat group has been identified as the source of recent attacks exploiting a critical security flaw in SAP NetWeaver, part of a larger campaign against organizations in Brazil, India, and Southeast Asia that began in 2023. According to Trend Micro security researcher Joseph C. Chen, the attackers primarily exploit SQL injection vulnerabilities in web applications to infiltrate SQL servers of targeted entities. “The actor also leverages various known vulnerabilities to compromise public-facing servers,” Chen noted in a recent analysis. Key targets have included Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Trend Micro is tracking this activity under the name Earth Lamia, which shows some overlap with threat clusters reported by Elastic Security Labs as REF0657, Sophos as STAC6451, and Palo Alto Networks’ Unit 42.

Ransomware Groups Exploit Unpatched SimpleHelp Vulnerabilities for Double Extortion Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday that ransomware criminals are taking advantage of unpatched SimpleHelp Remote Monitoring and Management (RMM) systems to compromise clients of an unnamed utility billing software provider. “This incident highlights a growing trend of ransomware groups exploiting unpatched versions of SimpleHelp RMM since January 2025,” the agency stated in an advisory. Earlier this year, SimpleHelp identified several vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could lead to information disclosure, privilege escalation, and remote code execution. These vulnerabilities have been actively exploited, including by ransomware groups like DragonForce, to breach specific targets. In a recent report, Sophos revealed that a Managed Service Provider’s SimpleHelp system was compromised by threat actors using these flaws.

Ransomware Groups Exploit Unpatched SimpleHelp Vulnerabilities, Targeting Utility Billing Software Clients On June 13, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported a growing threat posed by ransomware actors leveraging unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise victims associated with an unnamed utility…

Read More

Ransomware Groups Exploit Unpatched SimpleHelp Vulnerabilities for Double Extortion Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday that ransomware criminals are taking advantage of unpatched SimpleHelp Remote Monitoring and Management (RMM) systems to compromise clients of an unnamed utility billing software provider. “This incident highlights a growing trend of ransomware groups exploiting unpatched versions of SimpleHelp RMM since January 2025,” the agency stated in an advisory. Earlier this year, SimpleHelp identified several vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could lead to information disclosure, privilege escalation, and remote code execution. These vulnerabilities have been actively exploited, including by ransomware groups like DragonForce, to breach specific targets. In a recent report, Sophos revealed that a Managed Service Provider’s SimpleHelp system was compromised by threat actors using these flaws.

New GootLoader Campaign Targets Those Searching for Bengal Cat Regulations in Australia

Date: Nov 11, 2024
Category: Malware / SEO Poisoning

In a uniquely targeted effort, individuals looking for information on the legality of Bengal Cats in Australia are falling victim to the GootLoader malware. “We discovered GootLoader operators utilizing search inquiries regarding a specific cat breed and region to deliver malware: ‘Are Bengal Cats legal in Australia?'” noted Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher in a report released last week. GootLoader, as its name suggests, is a malware loader typically spread through search engine optimization (SEO) poisoning techniques for initial entry. The malware is triggered when users search for terms related to legal documents and agreements; this leads to compromised links that direct them to infected websites hosting a ZIP file containing a JavaScript payload. Once executed, it paves the way for further malicious software installation.

New GootLoader Campaign Targets Searches for Bengal Cat Laws in Australia In a targeted cybersecurity threat, attackers are leveraging interest in the legality of Bengal cats in Australia to distribute GootLoader malware. This specific campaign highlights the methodical approach employed by cybercriminals, as reports from Sophos researchers suggest that individuals…

Read More

New GootLoader Campaign Targets Those Searching for Bengal Cat Regulations in Australia

Date: Nov 11, 2024
Category: Malware / SEO Poisoning

In a uniquely targeted effort, individuals looking for information on the legality of Bengal Cats in Australia are falling victim to the GootLoader malware. “We discovered GootLoader operators utilizing search inquiries regarding a specific cat breed and region to deliver malware: ‘Are Bengal Cats legal in Australia?'” noted Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher in a report released last week. GootLoader, as its name suggests, is a malware loader typically spread through search engine optimization (SEO) poisoning techniques for initial entry. The malware is triggered when users search for terms related to legal documents and agreements; this leads to compromised links that direct them to infected websites hosting a ZIP file containing a JavaScript payload. Once executed, it paves the way for further malicious software installation.

Critical RCE Vulnerabilities Identified in Sophos Firewall and SMA 100 Devices: Urgent Patches Released by Sophos and SonicWall

July 24, 2025
Network Security / Vulnerability

Sophos and SonicWall have issued a warning regarding serious security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances, which could be exploited for remote code execution. The two critical vulnerabilities affecting Sophos Firewall are as follows:

  • CVE-2025-6704 (CVSS score: 9.8): An arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature that can enable pre-auth remote code execution if specific SPX configurations are used alongside firewall operation in High Availability (HA) mode.
  • CVE-2025-7624 (CVSS score: 9.8): An SQL injection vulnerability in the legacy (transparent) SMTP proxy that can result in remote code execution, contingent on an active quarantining policy for Email and if SFOS has been upgraded from a version prior to 21.0 GA.

Sophos reports that CVE-2025-6704 affects approximately 0.05% of devices, while CVE-2025-7624 impacts up to 0.73% of devices. Both vulnerabilities have been addressed in a recent update, along with a high-severity command injection vulnerability.

Sophos and SonicWall Address Critical RCE Vulnerabilities in Firewalls and SMA 100 Devices On July 24, 2025, cybersecurity firms Sophos and SonicWall issued urgent security warnings regarding significant vulnerabilities discovered in the Sophos Firewall and Secure Mobile Access (SMA) 100 Series devices. The flaws present a critical risk, allowing potential…

Read More

Critical RCE Vulnerabilities Identified in Sophos Firewall and SMA 100 Devices: Urgent Patches Released by Sophos and SonicWall

July 24, 2025
Network Security / Vulnerability

Sophos and SonicWall have issued a warning regarding serious security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances, which could be exploited for remote code execution. The two critical vulnerabilities affecting Sophos Firewall are as follows:

  • CVE-2025-6704 (CVSS score: 9.8): An arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature that can enable pre-auth remote code execution if specific SPX configurations are used alongside firewall operation in High Availability (HA) mode.
  • CVE-2025-7624 (CVSS score: 9.8): An SQL injection vulnerability in the legacy (transparent) SMTP proxy that can result in remote code execution, contingent on an active quarantining policy for Email and if SFOS has been upgraded from a version prior to 21.0 GA.

Sophos reports that CVE-2025-6704 affects approximately 0.05% of devices, while CVE-2025-7624 impacts up to 0.73% of devices. Both vulnerabilities have been addressed in a recent update, along with a high-severity command injection vulnerability.