
Info Stealer


Discord Malware Hijacks Expired Invite Links to Steal Crypto Wallets in 2025

Hackers exploit Discord invite links to spread advanced malware, targeting crypto wallets and users globally. Learn how to stay protected in 2025.

14-Jun-2025
10 min read

No content available.

Related Articles


Hack

Washington Post journalists’ emails were hacked in a suspected state-backed cybe...

The Washington Post, one of America’s most influential newspapers, is investigating a cyberattack that compromised the email accounts of several of its journalists. The breach, discovered late Thursday, is believed to have been the work of a foreign government, according to internal communications and sources familiar with the incident.

## Discovery and Immediate Response

The intrusion was identified on Thursday evening, prompting The Washington Post to initiate a comprehensive internal investigation. By Friday night, the publication had enforced a mandatory reset of login credentials for all employees to secure its digital infrastructure.

On Sunday, June 15, Executive Editor Matt Murray sent an internal memo alerting staff to a _“possible targeted unauthorized intrusion into their email system.”_ The memo specified that a limited number of Microsoft email accounts belonging to journalists were affected.

## Targeted Journalists and Attack Scope

Sources indicate that the cyberattack specifically targeted journalists covering national security, economic policy, and China-related topics. The Wall Street Journal first reported the incident, noting that the attackers may have gained access to both sent and received work emails of the affected reporters.

While the full extent of the breach remains under investigation, The Washington Post has reassured staff that there is no evidence that other systems or customer data were impacted.

## Ongoing Investigation and Security Measures

A forensic team has been brought in to assess the damage and trace the attack's origin. The Washington Post has also advised affected employees to avoid discussing the incident publicly and has implemented additional cybersecurity measures, including enhanced monitoring and organization-wide credential resets.

## Pattern of Advanced Persistent Threats

This breach fits a broader pattern of advanced persistent threats (APTs) targeting media organizations and government agencies. State-sponsored actors, particularly from China, have a history of exploiting vulnerabilities in Microsoft Exchange and other email systems[1][6][5]. In recent years, Chinese hacking groups have orchestrated highly organized campaigns against U.S. government agencies, NATO members, and major news outlets, often leveraging zero-day vulnerabilities and privilege escalation bugs[1][6][5].

## Industry Context and Previous Incidents

Journalists are frequent targets for cyberespionage, given their access to sensitive information and sources[6][5]. The Wall Street Journal itself was subjected to a similar campaign in 2022, with hackers believed to be linked to Chinese interests[6]. The Washington Post has faced cyber threats dating back to 2011, some previously attributed to Chinese groups[5].

## Official Statements and Next Steps

Neither The Washington Post nor Microsoft has publicly commented on the specifics of the attack as of this report[4][5][7]. The investigation is ongoing, and law enforcement agencies are expected to assist in determining the perpetrators and mitigating any potential fallout.

## Conclusion

The cyberattack on The Washington Post underscores the persistent vulnerabilities of news organizations to sophisticated, state-backed cyber threats. As the investigation unfolds, the incident serves as a stark reminder of the critical importance of robust cybersecurity measures in protecting journalistic integrity and sensitive communications[1][6][5].

---

*For more updates on this developing story and other cybersecurity news, stay tuned to our latest coverage.*

[1] https://www.bleepingcomputer.com/news/security/washington-posts-email-system-hacked-journalists-accounts-compromised/
[2] https://www.cnn.com/2025/06/15/media/washington-post-cyberback-emails
[3] https://www.reuters.com/world/us/washington-post-investigating-cyberattack-journalists-wsj-reports-2025-06-15/
[4] https://www.bloomberg.com/news/articles/2025-06-16/washington-post-probes-hack-of-journalist-email-accounts
[5] https://www.insurancejournal.com/news/national/2025/06/16/827938.htm
[6] https://nypost.com/2025/06/16/media/washington-post-journalists-who-cover-china-had-their-email-hacked/
[7] https://www.insurancebusinessmag.com/us/news/breaking-news/washington-post-investigates-email-breach-after-cyberattack-539234.aspx
[8] https://www.moneycontrol.com/technology/the-washington-post-targeted-by-cyberattack-email-of-select-journalists-hacked-article-13124970.html
[9] https://www.bankinfosecurity.com/suspected-chinese-hackers-targeted-washington-post-a-28715
[10] https://techstory.in/washington-post-probes-cyberattack-targeting-journalists-email-accounts/

16-Jun-2025
4 min read

RCE

APEX ONE

Critical pre-auth RCE & auth bypass flaws in Trend Micro Apex Central & PolicySe...

Trend Micro recently patched multiple critical-severity vulnerabilities (CVE-2025-49212 to CVE-2025-49220) in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. All flaws enable pre-authentication remote code execution (RCE) or authentication bypass, fundamentally compromising the security posture of these enterprise management platforms. Root cause analysis reveals a pervasive pattern of insecure deserialization and broken authentication mechanisms, granting attackers SYSTEM (PolicyServer) or NETWORK SERVICE (Apex Central) privileges. With no evidence of active exploitation but no viable workarounds, immediate patching to PolicyServer v6.0.0.4013 and Apex Central Patch B7007 is operationally imperative.

### **Target Environment & Criticality**

Trend Micro Endpoint Encryption (TMEE) PolicyServer and Apex Central serve as central nervous systems for enterprise security operations:

* **TMEE PolicyServer:** Manages full-disk and removable media encryption for Windows endpoints in regulated industries (finance, healthcare, government). It is a high-value target because it enforces data protection compliance (e.g., HIPAA, GDPR, PCI-DSS).
* **Apex Central:** Provides centralized monitoring and management for Trend Micro security products across large networks. A compromise offers attackers extensive lateral movement potential.

The discovery of **eight critical/high vulnerabilities** (four critical in PolicyServer, two critical in Apex Central, plus four high in PolicyServer) represents a systemic failure of core security controls within these essential infrastructure components.

### **TMEE PolicyServer Vulnerabilities (CVE-2025-49212, -49213, -49216, -49217)**

#### **Core Vulnerability Pattern: Insecure Deserialization**

Three of the four critical flaws stem from deserializing untrusted data without adequate validation or type checking. This anti-pattern allows attackers to craft malicious serialized objects that, when processed, trigger unintended code execution paths.

* **[CVE-2025-49212](https://success.trendmicro.com/en-US/solution/KA-0019928) (Critical):** Exploits insecure deserialization in the `PolicyValueTableSerializationBinder` class. Attackers send a specially crafted serialized object pre-authentication, resulting in **arbitrary code execution as the SYSTEM user**.
* **[CVE-2025-49213](https://success.trendmicro.com/en-US/solution/KA-0019928) (Critical):** Targets deserialization within the `PolicyServerWindowsService` class. Similar to CVE-2025-49212, unauthenticated attackers achieve **SYSTEM-level RCE** via malicious serialized payloads.
* **[CVE-2025-49217](https://nvd.nist.gov/vuln/detail/CVE-2025-49217) (Critical/High\*):** Resides in the `ValidateToken` method. While exploitation complexity is marginally higher (potentially requiring specific object chaining or gadget discovery), a successful attack still yields **pre-auth SYSTEM-level RCE**. (\*Note: ZDI assessed this flaw as High severity.)
* **Exploitation Impact:** SYSTEM privileges grant attackers complete control over the PolicyServer host, enabling decryption key theft, policy manipulation that disables encryption, installation of persistent malware, and lateral movement into managed endpoints.

#### **Core Vulnerability Pattern: Broken Authentication**

* **[CVE-2025-49216](https://nvd.nist.gov/vuln/detail/CVE-2025-49216) (Critical):** A fundamental flaw in the `DbAppDomain` service authentication mechanism allows **complete authentication bypass**. Remote attackers can forge requests that appear to come from authenticated administrators, gaining full administrative control over the PolicyServer without valid credentials. This flaw facilitates stealthy persistence, policy alteration, and credential harvesting.
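The common defensive control missing from the deserialization paths described above is an explicit type allow-list: the application, not the incoming payload, decides which classes may be instantiated. The following is an added illustration written for this article, not Trend Micro's code and not a reproduction of the patched classes. It uses the Newtonsoft.Json library (assumed available) to place the weak setting beside the hardened ones; `PolicyValue`, `AllowListBinder`, and the two JSON payloads are hypothetical names and constructed inputs for this example.

```csharp
// Added example (not Trend Micro code): allow-list type binding for a .NET
// deserializer. Assumes the Newtonsoft.Json package; PolicyValue and
// AllowListBinder are names invented for this illustration.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class PolicyValue
{
    public string Name { get; set; }
    public string Value { get; set; }
}

public static class DeserializationSettings
{
    // WEAK: every "$type" in the input is honoured, so the sender rather than
    // the application decides which class is constructed and populated.
    public static readonly JsonSerializerSettings Weak = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };

    // HARDENED default: type metadata in the input is ignored and the target
    // type comes only from the generic parameter of DeserializeObject<T>.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None
    };

    // HARDENED variant for code that genuinely needs polymorphism: "$type" is
    // consulted, but only names on an explicit allow-list resolve to a Type.
    public static readonly JsonSerializerSettings HardenedPolymorphic = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder()
    };
}

public sealed class AllowListBinder : ISerializationBinder
{
    // The only type names this service will ever materialise from input.
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["PolicyValue"] = typeof(PolicyValue)
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        // Anything not on the list is rejected before any object is constructed.
        throw new JsonSerializationException(
            $"Deserialization of type '{typeName}' is not permitted");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;               // never emit assembly-qualified names
        typeName = serializedType.Name;    // emit the short, allow-listed name
    }
}

public static class Demo
{
    // Constructed inputs: a legitimate payload and one naming an unexpected type.
    private const string Legit = "{\"$type\":\"PolicyValue\",\"Name\":\"fde\",\"Value\":\"on\"}";
    private const string Unexpected = "{\"$type\":\"SomeOtherType\",\"Name\":\"x\",\"Value\":\"y\"}";

    public static void Main()
    {
        var ok = JsonConvert.DeserializeObject<PolicyValue>(Legit, DeserializationSettings.HardenedPolymorphic);
        Console.WriteLine($"accepted: {ok.Name}={ok.Value}");

        try
        {
            JsonConvert.DeserializeObject<PolicyValue>(Unexpected, DeserializationSettings.HardenedPolymorphic);
        }
        catch (JsonSerializationException e)
        {
            // The binder refused the type name, so no instance of it was created.
            Console.WriteLine($"rejected: {e.Message}");
        }

        // With TypeNameHandling.None the "$type" key is treated as an ordinary,
        // unknown property and ignored; the caller's chosen type is used.
        var plain = JsonConvert.DeserializeObject<PolicyValue>(Unexpected, DeserializationSettings.Hardened);
        Console.WriteLine($"plain: {plain.Name}={plain.Value}");
    }
}
```

The design point is that `TypeNameHandling.None` should be the default for any endpoint reachable before authentication, and a binder that throws on unknown names (rather than one that forwards to the default resolver) is the only safe way to re-enable polymorphic deserialization where a protocol requires it.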
### **Apex Central Vulnerabilities (CVE-2025-49219, -49220)**

#### **Core Vulnerability Pattern: Insecure Deserialization (Revisited)**

Both critical RCE flaws in Apex Central echo the deserialization failures seen in PolicyServer, affecting different entry points:

* **[CVE-2025-49219](https://nvd.nist.gov/vuln/detail/CVE-2025-49219) (Critical, CVSS 9.8):** Exploits insecure deserialization within the `GetReportDetailView` method. Unauthenticated attackers achieve **RCE in the context of the NETWORK SERVICE account**.
* **[CVE-2025-49220](https://nvd.nist.gov/vuln/detail/CVE-2025-49220) (Critical, CVSS 9.8):** Leverages improper input validation during deserialization in the `ConvertFromJson` method. Pre-authentication exploitation leads to **arbitrary code execution as NETWORK SERVICE**.
* **Exploitation Impact:** While NETWORK SERVICE has fewer inherent privileges than SYSTEM, compromise provides a potent beachhead within the security management infrastructure. Attackers gain access to sensitive monitoring data and agent configurations, and the ability to push malicious updates or commands to all managed security products (AV, EDR, etc.).

### **Additional Risks & Patch Scope**

* **PolicyServer High-Severity Flaws:** The update also addresses four high-severity vulnerabilities, including SQL injection and privilege escalation paths. While these do not enable direct pre-auth RCE, they significantly lower the barrier for post-compromise persistence and data exfiltration.
* **Universal Impact & Mitigation Absence:** All documented vulnerabilities affect **all prior versions** of the respective products up to the immediate predecessor of the patched release. Critically, Trend Micro confirms **no viable workarounds or mitigations exist** besides patching.
* **Trend Micro Endpoint Encryption PolicyServer:** Install version **6.0.0.4013 (Patch 1 Update 6)**.
* **Trend Micro Apex Central:**
  * **On-Premise (2019):** Apply **Patch B7007**.
  * **Apex Central as a Service:** Patches are applied automatically on the backend; no customer action is required (verification recommended).

While Trend Micro reports no active exploitation in the wild (as of June 2025), the nature of these vulnerabilities makes them a desirable target for advanced threat actors:

* **Pre-Authentication Exploitation:** Eliminates the need for credential theft or phishing.
* **High Privileges:** SYSTEM (PolicyServer) provides maximum control; NETWORK SERVICE (Apex Central) offers broad access.
* **Critical Product Function:** Compromise grants control over encryption enforcement (PolicyServer) or enterprise-wide security management (Apex Central).
* **PoC Availability:** Vulnerabilities of this nature (insecure deserialization) often see rapid proof-of-concept (PoC) development once details are public. The ZDI disclosure (noting the severity difference for CVE-2025-49217) signals researcher attention.

The cluster of vulnerabilities in Trend Micro's Apex Central and TMEE PolicyServer represents a severe systemic risk to organizations relying on these products for critical security and compliance functions. The recurring theme of **insecure deserialization** highlights a fundamental weakness in input validation and object processing pipelines, while the **authentication bypass** (CVE-2025-49216) indicates critical flaws in the access control implementation.

**Immediate Actions:**

1. **Patch Urgently:** Apply PolicyServer v6.0.0.4013 and Apex Central Patch B7007 (On-Prem) immediately. Verify automatic patching for Apex Central SaaS.
2. **Inventory & Scan:** Identify all instances of Apex Central and TMEE PolicyServer within the enterprise. Conduct vulnerability scans confirming patch levels.
3. **Monitor Logs:** Aggressively monitor authentication logs, service execution logs, and network traffic to/from these servers for anomalous activity (especially pre-auth RCE attempts or unexpected administrative actions).
4. **Defense-in-Depth:** Enforce strict network segmentation, limiting access to management interfaces to only the administrative networks/hosts that absolutely need it. Implement robust EDR/NDR solutions to detect post-exploitation activity.

The absence of workarounds underscores the criticality of patching. Organizations in regulated sectors face not only operational disruption but also significant compliance and reputational risks if these central security management platforms are compromised. These vulnerabilities transform the very tools designed to protect the enterprise into potent vectors for its compromise.

13-Jun-2025
6 min read

Hack

Erie Insurance cyberattack (June 7) causes portal outages & claims disruption. I...

**ERIE, PA – June 12, 2025** – Erie Insurance Group and its management company, Erie Indemnity Company (Nasdaq: ERIE), have formally confirmed that a **cyberattack detected over the weekend** is the root cause of significant, ongoing business disruptions and platform outages affecting millions of policyholders. The incident, impacting critical customer-facing systems since Saturday, June 7th, continues to hinder access to online accounts and claims processing.

### Key Points:

* **Cyberattack Confirmed:** Erie Indemnity disclosed the "unusual network activity" in a mandatory **Form 8-K filing** with the U.S. Securities and Exchange Commission (SEC).
* **Widespread Disruption:** Customers nationwide report inability to log into the **Erie Insurance customer portal**, file claims electronically, or receive essential paperwork.
* **Immediate Response Activated:** The company states it took "immediate action" upon detection, activating its **incident response protocol** to safeguard systems and data.
* **Forensic Investigation Underway:** Leading **cybersecurity experts** are assisting Erie Insurance in a "comprehensive forensic analysis." Law enforcement has also been notified.
* **Critical Warning Issued:** Erie Insurance explicitly states it **WILL NOT call or email customers to request payments** during this outage, urging vigilance against potential scams.

### The Incident Unfolds: From Detection to Disclosure

The troubles for Erie Insurance, a major **property and casualty insurer** boasting over **6 million active policies** across auto, home, life, and business lines, began abruptly on **Saturday, June 7, 2025**. Customers attempting to access their online accounts or conduct business via the company's website encountered widespread errors and outages. Initially, the cause was unclear, leaving policyholders and independent agents who sell Erie products frustrated. The company maintained limited public communication until today's crucial disclosure.

In its **SEC filing** and a corresponding notice on the **Erie Insurance website**, Erie Indemnity confirmed the origin: "On Saturday, June 7, Erie Insurance's Information Security team identified **unusual network activity**." The company emphasized its swift reaction: "We took immediate action to respond to the situation to safeguard our systems and data... Since Saturday, we have continued to take protective action for the security of our systems."

This immediate action is standard protocol during cyberattacks – often involving **isolating affected systems or taking networks offline** – to contain the threat and prevent further spread. However, this necessary defense mechanism inherently causes significant **business disruption**, impacting applications and websites essential for daily operations, customer service, and agent functions.

### Ongoing Impact on Policyholders

The repercussions for Erie Insurance customers are tangible and widespread:

* **Portal Inaccessibility:** The primary **customer login portal** remains largely unavailable, preventing policyholders from viewing documents, making payments online, or managing their accounts digitally.
* **Claims Processing Delays:** Customers report significant difficulties **filing new claims** or receiving updates on existing ones electronically. Obtaining necessary claim paperwork has also been hampered.
* **Communication Challenges:** While alternative contact methods are provided (see below), the outage disrupts normal digital communication channels between the company, its agents, and its customers.

### Company Response and Critical Customer Guidance

Erie Insurance acknowledges the severity and ongoing nature of the incident. "The full scope, nature, and impact of the incident are still being determined," the company stated. Its response focuses on three key areas:

1. **Investigation:** Collaborating with **law enforcement agencies** and engaging **leading cybersecurity forensics firms** to determine the attack's origin, methods, and full impact.
2. **Restoration:** Working to safely restore affected systems and services, though full recovery after major cyber incidents can often take **days or weeks**.
3. **Customer Support:** Providing alternative pathways for urgent needs:
   * **Claims Initiation:** Policyholders needing to file a claim are directed to contact their **local Erie Insurance agent** or call ERIE's **First Notice of Loss team directly at (800) 367-3743**.
   * **General Customer Care:** For other urgent issues, customers can call **(800) 458-0811**.

**Crucially, Erie Insurance issued a stark warning against potential scams exploiting the chaos:** A prominent alert on their website states, "**During this outage, Erie Insurance will not call or email customers to request payments.**" The company strongly advises customers: "As is best practice, **do not click on any links from unknown sources or provide your personal information by phone or email.**"

### Unanswered Questions: Ransomware and Data Theft

The **Form 8-K filing** and website notice stop short of confirming critical details that policyholders and regulators are keenly awaiting:

* **Ransomware Involvement?** It remains unconfirmed whether this was a **ransomware attack**, where hackers encrypt systems and demand payment for decryption keys.
* **Data Breach Confirmed?** Most critically, Erie Insurance has **not yet disclosed whether sensitive customer or corporate data was accessed or exfiltrated** during the breach. This will be a primary focus of the ongoing forensic investigation and future regulatory disclosures.

### Looking Ahead

The **Erie Insurance cyberattack** underscores the persistent threat facing the insurance sector, a high-value target due to the vast amounts of sensitive personal and financial data it holds. As the forensic investigation progresses, Erie Insurance faces the dual challenge of securely restoring critical services for its **6 million policyholders** while meticulously determining the extent of any potential data compromise. Customers are advised to utilize the provided phone numbers for urgent needs, remain vigilant for phishing attempts, and monitor official Erie Insurance channels for further updates. The resolution timeline remains uncertain, reflecting the complex nature of modern cyber incident recovery.

12-Jun-2025
5 min read