company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Guntrader

British

SQL Vulnerability

loading..
loading..
loading..

Guntrader Ltd forced into liquidation following data breach lawsuits

Guntrader Ltd. underwent a data breach attack and was forced into liquidation due to lawsuits against them. Current tradings are carried through their rebranded...

30-Oct-2021
3 min read

No content available.

Related Articles

loading..

RCE

Firewall

GFI KerioControl vulnerability (CVE-2024-52875) allows 1-click RCE via unauthent...

A critical vulnerability was disclosed in GFI KerioControl, a popular firewall solution used by businesses worldwide. The vulnerability, identified as CVE-2024-52875, affects GFI KerioControl versions 9.2.5 through 9.4.5. This flaw presents a serious security risk, potentially enabling remote code execution (RCE) through a single click by an attacker. The issue has since been actively exploited in the wild, as confirmed by reports of malicious activity associated with the CVE. ### **Overview of CVE-2024-52875** CVE-2024-52875 arises from a failure in properly sanitizing user input in certain URI paths of the KerioControl web interface. These URI paths include: - **/nonauth/addCertException.cs** - **/nonauth/guestConfirm.cs** - **/nonauth/expiration.cs** These endpoints, which are unauthenticated, improperly handle user input passed through the “dest” GET parameter, specifically failing to sanitize linefeed (LF) characters. This vulnerability can be exploited via an **HTTP Response Splitting** attack. This flaw could lead to **reflected cross-site scripting (XSS)**, which in turn could allow attackers to execute a one-click RCE attack. ### **Attack Vector** The vulnerability occurs when input is passed from the user to the web server, specifically in the "dest" parameter. Due to the improper sanitization, attackers can inject malicious linefeed characters into the response headers. This allows the attacker to split the HTTP response and inject arbitrary content, including malicious JavaScript code. A crafted URL, if clicked by an authenticated administrator, can trigger the malicious behavior. The attack works by exploiting KerioControl's firmware upgrade functionality, which allows the attacker to upload a malicious `.img` file. This file, once uploaded, provides the attacker with **root access** to the affected firewall system. Notably, this attack can be carried out using social engineering tactics. By tricking an administrator into clicking a link, an attacker can gain full control of the firewall system without needing to bypass authentication. ### **CVE-2024-52875 Exploitation and Impact** The flaw is especially concerning because it involves unauthenticated endpoints, meaning it can be exploited externally by threat actors. This makes the vulnerability easily accessible to malicious entities, who can leverage this attack vector to compromise the firewall system remotely. Proof-of-concept (PoC) code has already been released by Karma(In)Security, demonstrating the exploitability of the vulnerability. The code shows how an attacker can use the XSS vector to deliver a malicious firmware update, effectively gaining control over the vulnerable system. As of January 5, 2025, there are reports indicating that **CVE-2024-52875** is actively being exploited in the wild, with several malicious IPs linked to the vulnerability observed in the GreyNoise threat intelligence platform. ### **Security Patch and Mitigation** The vulnerability has been addressed by GFI Software in **KerioControl version 9.4.5 Patch 1**, which contains fixes for the issue. Users of vulnerable versions are strongly encouraged to update to this patched version or later to mitigate the risk posed by CVE-2024-52875. ### **Censys Findings: Exposed Devices** At the time of writing, Censys observed over **23,000 exposed instances** of GFI KerioControl, with approximately 17% of these located in Iran. This highlights a significant potential attack surface, as a large number of devices may still be running vulnerable versions of the software. However, it is important to note that not all of these instances are necessarily vulnerable, as specific versions have not been disclosed in Censys' scan results. Censys provided a specific search query that can be used to identify exposed GFI KerioControl instances: ``` services.software: (vendor="GFI" and product="Kerio Control") and not labels: {honeypot, tarpit} ``` This query can help security teams identify exposed instances of GFI KerioControl that may need immediate attention. ### **Best Practices** The discovery of CVE-2024-52875 underscores the importance of timely patching and proper input sanitization in web-facing applications. The ability for attackers to remotely gain root access to firewall systems via social engineering and a single click emphasizes the need for stringent security measures, especially in high-risk environments like firewalls. Organizations using GFI KerioControl should prioritize updating to the latest patched version (9.4.5 Patch 1) to prevent exploitation of this vulnerability. Additionally, security best practices, such as educating administrators on the risks of phishing and social engineering, are crucial in minimizing the risk of exploitation. As always, proactive monitoring for unusual network activity and maintaining a robust security posture are essential to mitigating the risk posed by emerging vulnerabilities like CVE-2024-52875. **References:** - Censys Search Query: services.software: (vendor="GFI" and product="Kerio Control") and not labels: {honeypot, tarpit} - GreyNoise threat intelligence platform: Insights into active exploitation attempts

loading..   11-Feb-2025
loading..   4 min read
loading..

APT29

Cozy Bear

HPE confirms Russian hackers stole sensitive employee data in May 2023 breach, i...

**Hewlett Packard Enterprise (HPE)** has confirmed that **Russian state-sponsored hackers** have stolen sensitive employee data in a devastating cyberattack. The breach, which targeted the company’s **Office 365** email environment, transpired in **May 2023** and only recently came to light in official filings and breach notification letters sent to affected individuals. ### **HPE Employees Targeted by Cozy Bear Hackers** The hacking group responsible, **[Cozy Bear](https://www.secureblink.com/cyber-security-news/how-russian-hackers-leveraged-spyware-exploits-from-nso-group-and-intellexa-in-watering-hole-attacks)** (also known as **APT29**, **Midnight Blizzard**, and **Nobelium**), is believed to be linked to Russia’s **Foreign Intelligence Service (SVR)**. This notorious group has previously been involved in **high-profile breaches**, including the infamous **[SolarWinds](https://www.secureblink.com/cyber-security-news/a-second-threat-actor-found-to-attack-solarwinds-system) supply chain attack** in 2020. The breach is a part of a broader campaign by Cozy Bear, which targeted not just **HPE's email environment**, but also its **SharePoint server** in the same timeframe, further compromising confidential data across multiple systems. ### **Sensitive Data Stolen from Employee Mailboxes** According to breach notification letters sent to affected employees, personal data such as **driver’s licenses**, **credit card numbers**, and **Social Security numbers** were stolen. At least **16 employees** were notified of the breach, though the full extent of the breach remains unclear. HPE spokespersons confirmed that it was "a limited group of HPE team member mailboxes that were accessed," and stressed that only the data contained in these mailboxes was impacted. ### **Timeline of Events: The HPE Breach** The breach was first disclosed publicly in an **SEC filing** dated **January 29, 2024**, where **Hewlett Packard Enterprise** revealed that it was notified on **December 12, 2023**, that the **Cozy Bear hackers** had compromised its cloud-based **Office 365 email environment** in May 2023. The hackers exploited a **compromised account**, gaining access to email inboxes of select employees in **cybersecurity**, **go-to-market**, and other critical business sectors. HPE’s official statement confirmed that the hackers began exfiltrating data in **May 2023** and continued until the discovery of the breach. The company stated that the accessed data was **limited to information contained in the mailboxes** of the affected employees. ### **Connection to Other Major Hacks** In the **SEC filing**, HPE indicated that this breach may have been linked to a second breach in **May 2023**, where hackers also targeted the company’s **SharePoint server** and stole files. This came on the heels of Microsoft’s **January 2024** announcement that Cozy Bear hackers had infiltrated their network, accessing both **corporate email accounts** and **source code repositories**. ### **HPE’s History of Security Breaches** This isn’t the first time that **Hewlett Packard Enterprise** has been targeted by cybercriminals. In **2018**, Chinese state-sponsored hackers breached HPE’s network, leading to compromises of its **customer devices**. HPE also reported a significant breach in **2021** when data repositories for its **Aruba Central network** monitoring platform were hacked, exposing sensitive information about monitored devices and their locations. Additionally, in **February 2024** and **January 2025**, HPE launched investigations into potential **new security breaches** after an actor using the **IntelBroker** handle claimed responsibility for stealing **HPE credentials**, **source code**, and other proprietary information. ### **Breach Notification and Employee Impact** Hewlett Packard Enterprise began notifying employees whose personal data had been stolen starting in **January 2025**, following legal requirements to inform affected individuals. The breach notification letters state that the stolen data was "subject to unauthorized access," which HPE is continuing to investigate. In a statement, HPE assured that it was taking steps to strengthen its cybersecurity measures to prevent further attacks. They also emphasized that this breach is being addressed with full compliance to applicable law. ### **What This Means for HPE’s Security Measures** HPE has long been an attractive target for hackers due to its role in providing enterprise-grade IT solutions across sectors. This breach has raised questions about the strength of the company’s internal security measures and its ability to safeguard employee data. The breach also underscores the growing risk of cyberattacks targeting **state-sponsored groups** who possess advanced tools and techniques to infiltrate even the most secure environments. In response, HPE is actively working on bolstering its security framework, with a focus on **enhanced encryption**, better **endpoint protection**, and tighter control over **third-party access** to corporate resources. ### **Conclusion: Cybersecurity Challenges for Enterprises** The HPE breach serves as a stark reminder of the increasing sophistication of cyberattacks targeting major corporations. With **nation-state actors** involved, the risks are far more severe than conventional attacks. The breach highlights the need for all enterprises to continuously update their cybersecurity strategies and adopt **advanced threat detection systems**. **What can we learn from this breach?** The **importance of multi-layered security**, **immediate incident response**, and **employee data protection** cannot be overstated. In the face of evolving threats, companies like HPE must remain vigilant, and more importantly, transparent, in their efforts to protect sensitive data. ### **Key Takeaways:** - **Cozy Bear** (APT29), a **Russian state-sponsored hacker group**, breached **Hewlett Packard Enterprise** in **May 2023**, stealing **personal data** from employee mailboxes. - **16 employees** were notified that **driver’s licenses**, **credit card numbers**, and **Social Security numbers** were among the stolen data. - The breach is connected to a broader campaign, including a **SharePoint server hack** and a larger **cyberattack** on Microsoft. - HPE’s cybersecurity vulnerabilities are under scrutiny, with additional investigations ongoing. - The breach emphasizes the growing threat of **nation-state cyberattacks** and the critical need for companies to enhance their security protocols. This attack should be a wake-up call for all organizations: **cybersecurity is no longer optional**, it’s a necessity. --- **#HPEBreach #CozyBear #APT29 #CyberSecurity #DataBreach #RussianHackers #HewlettPackard #TechSecurity #Office365Breach #DataProtection #SecurityAwareness**

loading..   08-Feb-2025
loading..   5 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958