Tag Sophos

Ransomware Groups Exploit Unpatched SimpleHelp Vulnerabilities for Double Extortion Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported on Thursday that ransomware criminals are taking advantage of unpatched SimpleHelp Remote Monitoring and Management (RMM) systems to compromise clients of an unnamed utility billing software provider. “This incident highlights a growing trend of ransomware groups exploiting unpatched versions of SimpleHelp RMM since January 2025,” the agency stated in an advisory. Earlier this year, SimpleHelp identified several vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could lead to information disclosure, privilege escalation, and remote code execution. These vulnerabilities have been actively exploited, including by ransomware groups like DragonForce, to breach specific targets. In a recent report, Sophos revealed that a Managed Service Provider’s SimpleHelp system was compromised by threat actors using these flaws.

Ransomware Groups Exploit Unpatched SimpleHelp Vulnerabilities, Targeting Utility Billing Software Clients

On June 13, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported a growing threat posed by ransomware actors leveraging unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise victims associated with an unnamed utility…


New GootLoader Campaign Targets Those Searching for Bengal Cat Regulations in Australia

Date: Nov 11, 2024
Category: Malware / SEO Poisoning

In a uniquely targeted effort, individuals looking for information on the legality of Bengal Cats in Australia are falling victim to the GootLoader malware. “We discovered GootLoader operators utilizing search inquiries regarding a specific cat breed and region to deliver malware: ‘Are Bengal Cats legal in Australia?’” noted Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher in a report released last week. GootLoader, as its name suggests, is a malware loader typically spread through search engine optimization (SEO) poisoning techniques for initial entry. The malware is triggered when users search for terms related to legal documents and agreements; this leads to compromised links that direct them to infected websites hosting a ZIP file containing a JavaScript payload. Once executed, it paves the way for further malicious software installation.

New GootLoader Campaign Targets Searches for Bengal Cat Laws in Australia

In a targeted cybersecurity threat, attackers are leveraging interest in the legality of Bengal cats in Australia to distribute GootLoader malware. This specific campaign highlights the methodical approach employed by cybercriminals, as reports from Sophos researchers suggest that individuals…


Critical RCE Vulnerabilities Identified in Sophos Firewall and SMA 100 Devices: Urgent Patches Released by Sophos and SonicWall

July 24, 2025
Network Security / Vulnerability

Sophos and SonicWall have issued a warning regarding serious security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances, which could be exploited for remote code execution. The two critical vulnerabilities affecting Sophos Firewall are as follows:

  • CVE-2025-6704 (CVSS score: 9.8): An arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature that can enable pre-auth remote code execution if specific SPX configurations are used alongside firewall operation in High Availability (HA) mode.
  • CVE-2025-7624 (CVSS score: 9.8): An SQL injection vulnerability in the legacy (transparent) SMTP proxy that can result in remote code execution, contingent on an active quarantining policy for Email and if SFOS has been upgraded from a version prior to 21.0 GA.

Sophos reports that CVE-2025-6704 affects approximately 0.05% of devices, while CVE-2025-7624 impacts up to 0.73% of devices. Both vulnerabilities have been addressed in a recent update, along with a high-severity command injection vulnerability.

Sophos and SonicWall Address Critical RCE Vulnerabilities in Firewalls and SMA 100 Devices

On July 24, 2025, cybersecurity firms Sophos and SonicWall issued urgent security warnings regarding significant vulnerabilities discovered in the Sophos Firewall and Secure Mobile Access (SMA) 100 Series devices. The flaws present a critical risk, allowing potential…


Scattered Spider Takes Advantage of VMware vSphere

Fraud Management & Cybercrime, Social Engineering
Hacking Tactics Linked to Retail and Airline Breaches
Akshaya Asokan (asokan_akshaya) • July 25, 2025

A group of adolescent cybercriminals known as Scattered Spider has recently targeted VMware hypervisors, successfully infiltrating corporate environments through Active Directory. This emerging threat landscape has led…


Cybercrime Alert: Internet Users Urged to Update Passwords Following Exposure of 16 Billion Logins

Recent cybersecurity research has raised alarms in the online community, urging users to update their passwords and enhance digital security measures. Analysts at Cybernews have identified an alarming 16 billion login records that may be accessible to cybercriminals, stemming from vulnerabilities associated with infostealing malware and various data leaks. The…


Chinese-Linked Hackers Attack Over 70 Global Organizations, Says SentinelLABS

A recent report from SentinelLABS reveals extensive cyber espionage operations linked to China, affecting more than 70 global organizations and cybersecurity firms from July 2024 to March 2025. The findings highlight the “PurpleHaze (also known as Vixen Panda)” and “ShadowPad” operations, underscoring the ongoing threat landscape. According to the cybersecurity…


Ransomware Leader “Stern” Believed to Be Identified by German Authorities

Prominent Ransomware Figure Identified by German Authorities

Recent investigations by the German Federal Criminal Police Office (BKA) have brought to light the activities of a significant player in the realm of cybercrime known as Stern. Widely recognized in the cybersecurity community, Stern’s operations are particularly tied to high-revenue ransomware schemes.…


German Police Claim to Have Identified the Elusive Trickbot Ransomware Kingpin

Recent developments regarding the notorious Trickbot malware have shed light on the identity of one of its alleged key figures, Andrey Kovalev. Multiple cybersecurity researchers who have monitored Trickbot closely reported they were unaware of an announcement related to his identity. An anonymous account on the platform X recently claimed…
