company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Video Game

Online Cheating

Chinese Police

loading..
loading..
loading..

Chinese Police catch world’s biggest videogame cheat provider

Chinese police catch the world’s biggest videogame cheat provider worth $750 worth

01-Apr-2021
3 min read

No content available.

Related Articles

loading..

VPN

RCE

SonicWall SMA devices face active attacks via CVE-2021-20035 RCE flaw. Patch now...

Security researchers have revealed that SonicWall Secure Mobile Access (SMA) devices have been under active attack since January 2025 through a vulnerability originally patched nearly four years ago. This remote code execution vulnerability (CVE-2021-20035), initially underestimated as a mere denial-of-service issue, has now been confirmed to allow attackers to execute arbitrary code on vulnerable systems. The exploitation campaign highlights how threat actors continue to leverage older vulnerabilities to compromise security infrastructure, particularly when organizations fail to apply available patches. With CISA adding this vulnerability to its Known Exploited Vulnerabilities catalog on April 16, 2025, federal agencies now face a May 7th deadline to remediate the issue. ## Vulnerability Details and Evolution The vulnerability known as CVE-2021-20035 affects SonicWall SMA 100 series appliances, including SMA 200, 210, 400, 410, and 500v devices across physical, virtual, and cloud deployments. Originally discovered and patched in September 2021, this security flaw was initially described by SonicWall as only capable of causing denial-of-service attacks. However, in a significant development on April 15, 2025, SonicWall updated its four-year-old security advisory to indicate that the vulnerability is being actively exploited in the wild and presents a more severe risk than previously thought. The vulnerability’s CVSS score was consequently upgraded from a medium severity rating of 6.5 to a high severity score of 7.2, reflecting its enhanced threat potential. The technical nature of the vulnerability involves "improper neutralization of special elements in the SMA100 management interface," which allows remote authenticated attackers to inject arbitrary operating system commands as a 'nobody’ user. While this originally seemed limited in impact, further analysis has revealed that successful exploitation can lead to remote code execution, significantly elevating the risk to affected organizations. This revelation is particularly concerning as the vulnerability requires relatively low privilege levels and can be exploited through low-complexity attacks, making it an attractive target for threat actors seeking initial access to corporate networks. The update from SonicWall indicates an evolving understanding of how the vulnerability can be weaponized, demonstrating that security flaws can sometimes have impacts beyond their initial assessment. ### Affected Versions and Patching Information The vulnerability impacts several versions of SonicWall SMA 100 series firmware, with specific patches available for each affected version line. Organizations running firmware versions 10.2.1.0-17sv and earlier need to upgrade to at least 10.2.1.1-19sv or higher to remediate the vulnerability. Similarly, those using version 10.2.0.7-34sv and earlier should update to at least 10.2.0.8-37sv or higher, while systems running 9.0.0.10-28sv and earlier require an upgrade to at least 9.0.0.11-31sv or higher. SonicWall's current recommendation goes beyond these minimum fixes, suggesting that all affected customers should update to firmware version 10.2.1.14-75sv for optimal protection. The persistence of vulnerable systems nearly four years after patches were made available highlights a common challenge in cybersecurity: the significant lag between patch availability and deployment across affected organizations. This gap creates extended windows of opportunity for threat actors to exploit known vulnerabilities, even when fixes exist. The situation is complicated by the critical nature of VPN appliances in organizational infrastructure, which often makes them difficult to take offline for maintenance without significant operational disruption, potentially delaying necessary security updates in favor of continued business operations. ## Exploitation Campaign Details According to researchers, an active campaign exploiting CVE-2021-20035 has been targeting SonicWall SMA devices since at least January 2025, continuing through April 2025. This credential access campaign specifically focuses on SMA 100 series appliances with exposed management interfaces, demonstrating the attackers' strategic targeting of vulnerable remote access infrastructure. One particularly concerning aspect of the campaign involves the exploitation of poor password hygiene, with threat actors leveraging a local super admin account (admin@LocalDomain) that was configured with the insecure default password "password". This combination of vulnerability exploitation and weak credential security provides attackers with an effective method to compromise these critical access points. The timing of this campaign is significant, beginning several months before SonicWall's public acknowledgment of active exploitation. Our observation of this activity from January through April 2025 suggests that threat actors identified and weaponized the vulnerability long before it was officially flagged as being exploited in the wild. This delay between initial exploitation and public disclosure created an extended period during which attacks could proceed with reduced detection and response from security teams who may not have prioritized patching what was previously considered a lower-severity vulnerability. The campaign demonstrates how threat actors continually scan for and exploit vulnerabilities in security appliances, particularly those that provide remote access capabilities. ### Exploitation Tactics and Techniques The exploitation of CVE-2021-20035 showcases a sophisticated approach combining credential access with vulnerability exploitation. Attackers first target the VPN appliances for credential access, either using default credentials or employing brute force, password stuffing, or dictionary-based attacks to compromise legitimate accounts[^1_1]. Once authenticated, they leverage the vulnerability to inject arbitrary commands as a "nobody" user, which can lead to code execution despite the limited privileges of this account[^1_6][^1_12]. This two-stage approach allows threat actors to establish persistence and potentially widen the scope of their attacks within the target network. The campaign highlights how even vulnerabilities requiring authentication can be effectively weaponized when combined with common authentication bypass techniquesUsing the default admin account with its default password illustrates how basic security misconfigurations can undermine even patched systems, providing attackers with the initial access needed to exploit the vulnerability. Our researchers continues to track indicators of compromise associated with this campaign, alerting customers when related activity is observed in their environments[^1_1]. ## Regulatory Response and Implications On April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming that the vulnerability is being actively exploited in attacks. This addition to the KEV catalog triggers requirements under CISA's Binding Operational Directive (BOD) 22-01, mandating that all Federal Civilian Executive Branch (FCEB) agencies must either patch their SonicWall appliances or discontinue use of the products if mitigations cannot be applied by May 7, 2025. This three-week remediation timeline underscores the urgency with which CISA views this threat to federal infrastructure. The CISA listing for the SonicWall flaw notes that it's currently unknown whether the exploitation activity involves ransomware attacks, though the agency clearly considers the vulnerability a significant threat to federal networks. The explicit timeline for remediation puts pressure on federal agencies to prioritize patching these devices, even if it requires service disruption. While BOD 22-01 only directly applies to U.S. federal agencies, the directive also sets a benchmark for private sector organizations, signaling that this vulnerability requires immediate attention from all SonicWall users regardless of sector. ## Recommended Mitigations To protect against exploitation of CVE-2021-20035, organizations should immediately apply the appropriate firmware updates provided by SonicWall. The vendor recommends updating to firmware version 10.2.1.14-75sv, including patches for this vulnerability and other security improvements. Organizations unable to patch their systems immediately should implement compensating controls to limit potential exposure while preparing for updates. Given the confirmed exploitation in the wild, these updates should be treated as urgent security measures rather than routine maintenance. Beyond patching, several additional security measures have been recommended to reduce the risk of compromise. Organizations should limit VPN access to only the minimum necessary accounts, removing all superfluous access. Any unused or unnecessary accounts should be deactivated entirely to reduce the attack surface. Multi-factor authentication should be enabled for all accounts, providing an additional layer of security even if passwords are compromised. Finally, all local accounts on SonicWall SMA firewalls should have their passwords reset, with particular attention to removing any default credentials like the admin@LocalDomain account’s default "password". ### Additional Security Recommendations Network defenders should also implement a comprehensive monitoring strategy for their VPN appliances, actively auditing access logs to identify signs of unauthorized or anomalous remote access attempts[^1_4]. Implementing network segmentation can help limit the potential impact of a successful breach, ensuring that compromised VPN access doesn’t immediately translate to full network access. Organizations should consider applying web application firewalls (WAF) and additional hardening measures to further reduce the attack surface of their SMA management interfaces. The vulnerability underscores the importance of proper credential management and authentication practices for administrative accounts on security appliances. Even fully patched firewall devices may become compromised if accounts use poor password hygiene, as demonstrated by exploiting the default admin account in this campaign. Organizations should review their password policies, particularly for administrative accounts on network security devices, to ensure they meet current security standards and are regularly rotated. This comprehensive approach to security goes beyond merely patching vulnerabilities to address the broader security posture necessary to protect critical infrastructure devices. ## Broader Context and Related Vulnerabilities The exploitation of [CVE-2021-20035](https://www.sonicwall.com/support/notices/product-notice-arbitrary-command-injection-vulnerability-in-sonicwall-sma-100-series-appliances/250415122607607) is part of a concerning trend of attacks targeting VPN and secure access appliances, which represent critical components of organizational security infrastructure. These edge devices have become popular targets for threat actors as both cybercriminals and nation-state attackers have shifted focus to VPNs and firewalls as entry points into protected networks. This trend is particularly significant as many organizations continue to support remote work arrangements, increasing their reliance on VPN infrastructure and potentially expanding their attack surface. SonicWall products have experienced multiple serious security challenges in recent months. In January 2025, the company urged customers to patch a critical vulnerability [CVE-2025-23006](https://nvd.nist.gov/vuln/detail/CVE-2025-23006) affecting SMA1000 secure access gateways following reports of zero-day exploitation. This vulnerability had a CVSS score of 9.8 out of 10, indicating extremely high severity, and allowed unauthenticated remote attackers to execute arbitrary operating system commands under certain conditions. In February 2025, SonicWall warned of an actively exploited authentication bypass flaw (CVE-2024-53704) in Gen 6 and Gen 7 firewalls that could allow hackers to hijack VPN sessions. This pattern of vulnerabilities suggests ongoing security challenges across SonicWall's product portfolio. Originally underestimated as a denial-of-service issue when patched in 2021, this vulnerability has now been confirmed to enable remote code execution by sophisticated threat actors. The addition of this vulnerability to CISA's Known Exploited Vulnerabilities catalog underscores its significance and creates regulatory pressure for federal agencies to address the issue by May 7, 2025. For all organizations using SonicWall SMA devices, immediate patching to the latest firmware versions is essential, along with implementing additional security measures such as multi-factor authentication, account auditing, and password resets. This incident serves as a powerful reminder that security infrastructure itself can become a vector for attacks when not properly maintained and secured, highlighting the critical importance of comprehensive security practices for edge devices and remote access solutions.

loading..   19-Apr-2025
loading..   10 min read
loading..

ClickFix

Recent cybersecurity investigations reveal that advanced persistent threat (APT)...

Recent cybersecurity investigations reveal that advanced persistent threat (APT) groups from North Korea, Iran, and Russia have adopted the ClickFix social engineering tactic to deploy malware across critical sectors. This technique, initially popularized by cybercriminals, has become a favored tool for nation-state actors due to its effectiveness in bypassing user vigilance. ## Evolution of ClickFix in Cyber Espionage ClickFix operates by convincing targets to execute malicious commands under the guise of resolving technical issues or completing verifications. Unlike traditional phishing, this method leverages user compliance, making it exceptionally effective for initial access[1][6]. ### Mechanics of ClickFix Attacks The attack chain typically begins with a phishing email containing a link to a spoofed website. Users are instructed to copy and run PowerShell or Command Prompt scripts, initiating multi-stage payload deliveries. For example, TA427 (Kimsuky) used fake Japanese Embassy pages to distribute QuasarRAT, while TA450 (MuddyWater) disguised attacks as Microsoft security updates to deploy remote management tools[1][4]. #### Payload Delivery and Persistence Malicious scripts often create scheduled tasks or VBS files to maintain persistence. TA427’s campaign employed a VBS script that ran every 19 minutes, fetching batch files to decode and execute QuasarRAT[1][6]. Similarly, UNK_RemoteRogue used compromised Zimbra servers to redirect victims to pages with embedded Empire C2 framework code[4][6]. ## Sector-Specific Targeting and Global Impact ### North Korean Operations: TA427’s Think Tank Focus Between January and February 2025, TA427 targeted fewer than five organizations analyzing North Korean policy. By impersonating Japanese diplomats, they lured victims to fake embassy sites, where ClickFix commands triggered malware downloads. Dynamic DNS services like FreeDNS hosted these domains, with infrastructure traced to South Korean servers[1][6]. ### TA450 and UNK_RemoteRogue TA450’s November 2024 campaign exploited Microsoft’s Patch Tuesday, distributing emails urging users to run PowerShell commands for “critical updates.” This installed Level RMM software, enabling data exfiltration from Middle Eastern governments and Western enterprises[4][14]. Concurrently, UNK_RemoteRogue targeted defense contractors via compromised Zimbra emails, linking to fake Office documents that prompted PowerShell executions[6][14]. ### Russian Involvement: TA422’s Covert Activities Though less documented, TA422 (APT28) has integrated ClickFix into existing workflows, focusing on European energy and logistics sectors. Their tactics mirror historical patterns of leveraging legitimate tools like PowerShell for stealth[4][6]. ## Mitigation Strategies and Defense Recommendations ### Enhanced User Training and Technical Safeguards Organizations must prioritize security awareness programs highlighting ClickFix’s social engineering hooks. Technical measures like restricting PowerShell execution and monitoring scheduled tasks can disrupt attack chains.

loading..   17-Apr-2025
loading..   3 min read
loading..

Hertz

Clop

Hertz data breach: Cleo zero-day attack exposes customer info. Learn how Clop ra...

Hertz Corporation has confirmed a significant data breach affecting customers of its Hertz, Dollar, and Thrifty car rental brands. The breach, disclosed in April 2025, resulted from zero-day vulnerabilities in the Cleo Communications file transfer platform that the notorious Clop ransomware gang exploited. This comprehensive analysis examines the breach details, affected customer data, Hertz’s response, and the broader implications of the Cleo vulnerability exploitation campaign. ## Hertz Data Breach: Timeline and Scope Hertz Corporation [confirmed](https://www.hertz.com/content/dam/hertz/global/resources/Notice_of_Data_Incident-United_States.pdf) on February 10, 2025, On February 10, 2025, Hertz Corporation confirmed that customer data was _“acquired by an unauthorized third party”_ that exploited zero-day vulnerabilities in Cleo’s file transfer platform during October and December 2024. After completing its data analysis on April 2, 2025, Hertz determined that various types of customer information had been compromised. The compromised data includes names, contact information, dates of birth, credit card details, driver’s license information, and workers’ compensation claims records. More sensitive information may have been exposed for a smaller subset of affected individuals, including Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs, and injury-related information associated with vehicle accident claims. While Hertz has not publicly disclosed the total number of affected customers globally, regulatory filings indicate that the breach impacted at least 3,409 Maine residents. The breach appears to have affected customers internationally, with notifications posted on Hertz websites in the United States, Canada, the European Union, the United Kingdom, Australia, and New Zealand. ### Attribution to Clop Ransomware Gang The attack has been attributed to the [Clop](https://www.secureblink.com/threat-research/clop-ransomware) (also stylized as Cl0p) ransomware group, which has claimed responsibility for exploiting vulnerabilities in Cleo’s managed file transfer products. Following their established pattern, Clop added Hertz to their leak site, making the stolen data available for download. According to [Malwarebytes Labs](https://www.malwarebytes.com/blog/news/2025/04/hertz-data-breach-caused-by-cl0p-ransomware-attack-on-vendor), the number of available archives for download is "tenfold," suggesting a significant amount of stolen data. ## Cleo Vulnerabilities: Technical Details The breach stemmed from two critical vulnerabilities in Cleo's file transfer platform, tracked as CVE-2024-50623 and [CVE-2024-55956](https://nvd.nist.gov/vuln/detail/CVE-2024-55956). These vulnerabilities affected multiple Cleo products, including Cleo Harmony, VLTrader, and LexiCom[7][8]. [CVE-2024-50623](https://nvd.nist.gov/vuln/detail/CVE-2024-50623) involves improper handling of file uploads in the Autorun directory, enabling attackers to upload and execute malicious files on a server[8]. CVE-2024-55956 allows for remote code execution through Autorun, enabling unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using default settings[8]. This second vulnerability also facilitates the deployment of modular Java backdoors to steal data and conduct lateral movement within networks. ### Pattern of Targeting File Transfer Platforms This incident represents the latest in a series of attacks by Clop targeting managed file transfer platforms. In 2023, the group executed a similar campaign exploiting vulnerabilities in Progress Software’s MOVEit Transfer tool, which affected hundreds of organizations worldwide[8][7]. Dray Agha, senior manager of security operations at Huntress, noted that the Hertz breach “reflects a growing trend of cyber criminals targeting secure file transfer platforms, which are integral to many organisations’ operations"[8]. ## Broader Impact of the Cleo Campaign The Cleo vulnerabilities exploitation campaign has had far-reaching effects beyond Hertz. Other confirmed victims include [Western Alliance Bank](https://www.secureblink.com/cyber-security-news/hackers-stole-22-k-social-security-numbers-in-a-80-b-bank-scandal), WK Kellogg Company, and Sam's Club. Security researchers at Comparitech have suggested that “many more breach notifications from this exploit" may be forthcoming, as Clop has added over 350 victims to its data leak site[3]. The impact of the Cleo breach has been significant enough to drive a measurable increase in ransomware activity. According to ReliaQuest, the incident fueled a 23% increase in overall ransomware activity between Q4 2024 and Q1 2025[3]. Paul Bischoff, a consumer privacy advocate at Comparitech, told SecurityWeek in March 2025 that hundreds of organizations were likely affected by the Cleo incident. ## Hertz's Response to the Breach Hertz has emphasized that its own network was not compromised in the attack. "Importantly, to date, our forensic investigation has found no evidence that Hertz's own network was affected by this event," a Hertz spokesperson told SecurityWeek[2][9]. The company has confirmed that Cleo investigated the incident and addressed the identified vulnerabilities. As part of its response, Hertz has: 1. Reported the incident to law enforcement and relevant regulatory authorities. Filed data breach notifications with the Attorney General’s Offices in several states, including Maine, California, and Vermont. Secured Kroll's services to provide two years of free identity monitoring or dark web monitoring services to potentially affected individuals. Established a dedicated phone line for customers seeking additional information about the breach. In its notification, Hertz stated: _"While Hertz is not aware of any misuse of personal information for fraudulent purposes in connection with the event, we encourage potentially impacted individuals, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring free credit reports for any unauthorized activity and reporting any such activity"_. ## The Clop Ransomware Gang: Evolution and Tactics The Clop ransomware gang, also known as TA505 and Cl0p, began operations in March 2019, initially targeting companies with ransomware attacks[9][7]. Since 2020, the group has shifted its focus toward data theft attacks, particularly exploiting zero-day vulnerabilities in secure file transfer platforms. Clop's attack methodology has evolved to become more systematic and scalable. In 2023, the group “broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits in file sharing software like MOVEit Transfer and GoAnywhere MFT”. The group has continued this approach with the Cleo attacks in 2024. ### Operational Pattern Clop's operational pattern typically involves: 1. Identifying and exploiting zero-day vulnerabilities in widely used file transfer platforms 2. Mass-exploiting these vulnerabilities to steal data from multiple organizations simultaneously 3. Adding victim companies to their leak site 4. Demanding ransom payments to prevent the public release of the stolen data. Leaking the data of non-paying victims This evolution from traditional ransomware encryption attacks to data theft and extortion reflects a broader trend in the cybercriminal ecosystem, as noted by security experts[8]. ## Recommendations for Affected Customers Hertz has provided several recommendations for potentially affected individuals to protect themselves against possible fraud or identity theft: 1. Remain vigilant by reviewing account statements and monitoring credit reports for unauthorized activity 2. Consider placing a fraud alert on credit files with the three major credit reporting bureaus (Equifax, Experian, and TransUnion) 3. As an alternative to a fraud alert, consider placing a credit freeze (also known as a security freeze) on credit reports 4. File a police report in the event of identity theft or fraud 5. Report instances of known or suspected identity theft to law enforcement and the relevant state Attorney General Additionally, affected U.S. residents can sign up for the offered identity monitoring services through Kroll at the designated website: http://hufcuwxgqzil.kroll.com/. ## Broader Implications and Future Concerns The Hertz data breach illustrates several concerning trends in the cybersecurity landscape: ### Supply Chain Vulnerabilities The incident highlights the significant risks posed by supply chain vulnerabilities. Even though Hertz’s own network wasn’t directly compromised, the company suffered a major data breach through a third-party vendor. As companies increasingly rely on external partners and services, these interconnections create new attack vectors that can be difficult to secure. ### Targeting of File Transfer Platforms The continued targeting of file transfer platforms by ransomware groups like Clop represents a strategic focus on critical business infrastructure. These platforms often contain valuable data being transferred between organizations and may not receive the same level of security scrutiny as other systems. ### Scale of Modern Attacks The Cleo campaign demonstrates how modern ransomware groups have developed capabilities to simultaneously conduct large-scale, automated attacks affecting hundreds of organizations. This represents a significant evolution from earlier, more targeted approaches. While Hertz has responded with appropriate mitigation measures, including offering identity monitoring services to affected individuals, this breach underscores the growing threat posed by supply chain attacks and the targeting of file transfer platforms. The incident also demonstrates the evolving tactics of ransomware groups, which increasingly focus on data theft and extortion rather than traditional encryption-based attacks. For affected individuals, maintaining vigilance through regular monitoring of financial accounts and credit reports remains the best defense against potential fraud resulting from this breach.

loading..   16-Apr-2025
loading..   8 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958