company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

WordPress

loading..
loading..
loading..

Mass Exploitation of WordPress Plugin Privilege Escalation Vulnerabilities

Critical analysis of a mass WordPress plugin exploit. Attackers use auth bypass flaws in GutenKit & Hunk Companion to install backdoors and achieve full site co...

25-Oct-2025
7 min read

No content available.

Related Articles

loading..

Lazarus

How Lazarus Group lured European defense engineers with fake job offers, hijacke...

**In a stunning revelation that blurs the line between cybercrime and international espionage, security researchers have uncovered a sprawling North Korean hacking campaign targeting the heart of Europe's defense industry. The mission: steal critical drone technology by offering engineers the one thing they couldn't resist—a perfect career opportunity.** #### **A Tailored Offer You Can't Refuse** The operation, dubbed "Operation DreamJob" by analysts at ESET who discovered it, relied not on a complex digital break-in, but on a timeless con: social engineering. Attackers from the infamous Lazarus Group meticulously posed as recruiters from legitimate, well-known aerospace and defense companies. They sent highly targeted spear-phishing emails to key engineers and technical staff, containing compelling job descriptions. The catch was a malicious file, often disguised as a necessary "PDF reader" or document viewer required to see the full offer. With a single click from an unsuspecting target, the digital heist began. #### **A Ghost in the Machine** Once executed, the attack unfolded with chilling precision. The initial file employed a sophisticated technique known as "DLL side-loading," which essentially tricks a trusted, legitimate application into secretly loading malicious code. This allows the hackers to bypass standard security defenses completely undetected. In a brazen move to appear legitimate, the hackers weaponized trust itself. They hijacked popular open-source software like Notepad++ and WinMerge, embedding their malicious payloads into these benign, everyday tools. They then distributed these trojanized versions through platforms like GitHub, creating a perfect illusion of authenticity for anyone who downloaded them. #### **Silent Theft for Military Gains** The ultimate goal of this multi-stage infiltration was to deploy a powerful, custom-built Remote Access Trojan (RAT) known as "ScoringMathTea." This sophisticated malware provides the attackers with complete, remote control over the compromised computer. From there, Lazarus operatives could move silently through corporate networks for months, identifying and exfiltrating priceless intellectual property: design schematics, proprietary manufacturing processes, and technical know-how directly related to unmanned aerial vehicle (UAV) technology. The intelligence gain for North Korea's military drone program is immeasurable, allowing them to leapfrog years of costly and complex research and development. #### **A New Era of Industrial Espionage** Operation DreamJob is more than a cyberattack; it's a clear signal of how state-sponsored espionage has evolved. By targeting the foundational knowledge of military technology, North Korea is directly augmenting its military capabilities through theft. The campaign serves as a critical warning for defense contractors and technology firms worldwide: the human firewall is the first and most important line of defense. Vigilance against sophisticated social engineering, rigorous verification of software sources, and advanced threat-hunting for these specific stealth techniques are no longer optional—they are essential to safeguarding national security in the digital age.

loading..   24-Oct-2025
loading..   3 min read
loading..

Vulnerability

Cursor and Windsurf IDEs harbor 94 unpatched Chromium vulnerabilities, exposing ...

A critical systemic vulnerability has been identified in the Cursor and Windsurf integrated development environments (IDEs). The core issue is not a novel, "zero-day" flaw but a **proliferation of known, patchable vulnerabilities** stemming from the use of a severely outdated software foundation. This technical debt creates a large, exploitable attack surface, effectively turning these modern AI-powered tools into high-risk assets within a development ecosystem. #### **Inheritance of Risk** The narrative is not one of a single flaw, but of a **cascade of architectural decisions** leading to a compromised security posture. * **Primary Cause:** Dependency on an Outdated Electron Framework. * **Technical Context:** Both Cursor and Windsurf are forks of Visual Studio Code (VS Code). VS Code itself is built on the Electron framework, which bundles the Chromium rendering engine and the V8 JavaScript engine to provide a desktop application using web technologies. * **The Vulnerability:** The forked versions of these IDEs are locked to an Electron version that is **six major releases behind** the current stable branch. Consequently, they package a version of Chromium and V8 that is equally outdated. * **Mechanism of Compromise:** Proliferation of n-day Vulnerabilities. * **Definition:** An "n-day vulnerability" is a flaw for which a patch already exists but has not been applied. The IDEs in question contain **at least 94 documented CVEs** that have been publicly disclosed and patched in upstream Chromium and by extension, in the official VS Code. * **Illustrative Example:** **CVE-2025-7656** is a high-severity integer overflow vulnerability in the V8 JavaScript engine. In the context of these IDEs, this is not a theoretical threat. Security researchers have successfully weaponized this CVE to create a proof-of-concept exploit that crashes the IDE (Denial-of-Service) and demonstrated the feasibility of escalating it to **remote code execution (RCE)**. #### **Attack Vectors** The risk is amplified because the attack surface is integrated directly into the developer's workflow. Potential exploitation vectors include: | Attack Vector | Technical Execution | Impact | | :--- | :--- | :--- | | **Malicious Link Preview** | A developer views a project's `README.md` within the IDE, which fetches and renders a remote image or contains a malicious link that is previewed using the outdated Chromium engine. | Arbitrary Code Execution | | **Compromised Extension** | An installed IDE extension, either malicious by design or hijacked, executes a payload within the IDE's Node.js context via the vulnerable V8 engine. | System Compromise | | **Phishing Campaign** | A targeted developer receives a seemingly legitimate link (e.g., to a code review or issue tracker) and clicks it within the IDE's internal browser. | Credential Theft / RCE | #### **Technical Impact Assessment** * **Confidentiality:** Breached if an attacker can execute code to read sensitive files, such as SSH keys, API tokens, or proprietary source code, from the developer's machine. * **Integrity:** Compromised as an attacker could subtly alter source code, dependencies, or build scripts to introduce persistent backdoors. * **Availability:** Directly impacted via Denial-of-Service attacks that crash the IDE, halting development work. #### **Mitigation Strategy** Given the vendors' current stance (Cursor deeming the report "out of scope," Windsurf not responding), the responsibility for mitigation falls on the end-user and the broader development organization. 1. **Immediate Action (Risk Acceptance & Awareness):** * Formally acknowledge that using these IDEs introduces measurable and significant risk. * Ensure development and security teams are fully briefed on the specific threats. 2. **Short-term Mitigation (Operational Controls):** * **Network Segmentation:** Restrict the IDEs from running in high-privilege network environments. * **Principle of Least Privilege:** Run the IDE with user-level, not administrator-level, permissions to limit the impact of a potential code execution. * **Vigilance:** Prohibit the use of the IDE's internal browser for general web navigation and rigorously audit installed extensions. 3. **Long-term Strategy (Archructural Shift):** * **Vendor Pressure:** The only complete solution is for the IDE vendors to rebase their forks onto a modern, patched version of Electron. This should be a primary point of feedback from the user community. * **Alternative Evaluation:** Consider transitioning development projects to the **official, upstream Visual Studio Code**, which maintains a regular patching cadence and is not affected by these specific vulnerabilities. The security posture of Cursor and Windsurf IDEs is currently untenable due to a foundational reliance on deprecated components. The presence of 94+ n-day vulnerabilities represents a known and patchable risk that has been left unaddressed. While the AI features of these tools offer forward-looking capabilities, their underlying runtime architecture is dangerously antiquated. A strategic shift towards maintained and secure foundational software is not just recommended but essential for operational security.

loading..   22-Oct-2025
loading..   4 min read
loading..

Exploit

Ghost in the machine! Operation Zero Disco hijacks Cisco switches via a critical...

In one of the most significant cybersecurity disclosures of the year, Trend Micro has detailed **"Operation Zero Disco,"** a highly sophisticated attack campaign leveraging a critical vulnerability in Cisco switches. The threat actors use a flaw in the Simple Network Management Protocol (SNMP) to install a stealthy Linux rootkit, granting them permanent, hidden control over the network infrastructure. This represents a fundamental shift in attacker methodology, moving from servers and workstations to the very backbone of the network itself. ## **CVE-2025-20352 Explained** The entire attack chain begins with a single point of failure: **CVE-2025-20352**. This is a critical-rated vulnerability (CVSS score likely 9.8+) within the SNMP subsystem of specific Cisco IOS XE and IOS Software. SNMP, or Simple Network Management Protocol, is a ubiquitous service used for monitoring and managing network devices. The flaw allows an unauthenticated, remote attacker to execute arbitrary code with the highest level of privileges (root) by sending a specially crafted SNMP packet to a vulnerable device. The most alarming aspect is that the exploitation requires no user interaction and leaves no immediate forensic trace, making the initial breach virtually silent. ### **Primary Targets in the Crosshairs** The campaign has shown a deliberate focus on essential Cisco switching hardware, including: * Cisco Catalyst 9400 and 9300 Series Switches * Legacy Cisco Catalyst 3750 Series Switches These devices are not obscure; they are the foundational plumbing of enterprise networks worldwide, handling data for corporations, governments, and critical infrastructure. The attackers are strategically targeting older, unpatched, or internet-facing instances of this equipment. ## **The Anatomy of an Advanced Attack** Operation Zero Disco is not a simple smash-and-grab; it is a methodical, multi-stage operation designed for maximum stealth and persistence. ### **Phase 1: Initial Compromise and Exploitation** The attack initiates with broad scanning to identify vulnerable devices. Once a target is located, the attacker deploys the exploit for CVE-2025-20352. This malicious SNMP packet triggers the vulnerability, allowing the attacker to break out of the protocol's intended constraints and execute their own commands on the underlying operating system with root-level authority. ### **Phase 2: Deployment of the "Zero Disco" Rootkit** With a foothold established, the attacker installs their namesake payload: a custom Linux rootkit. This is where the operation's true sophistication is revealed. Unlike traditional malware that writes files to a disk, this rootkit is largely fileless. It operates by injecting malicious code directly into the memory of the key IOSd process—the core software that runs the switch's operating system. **Key capabilities of the rootkit include:** * **A Universal Backdoor Password:** It sets a secret, hardcoded password that provides backdoor access to the switch's console, completely bypassing all legitimately configured user credentials. * **Memory Residency:** By living primarily in memory, it avoids leaving traces on the filesystem, rendering conventional file-based antivirus and integrity checks useless. * **Persistence Mechanism:** The rootkit is engineered to survive device reboots, ensuring the compromise is long-lasting. ### **Phase 3: Command and Control via the UDP Backdoor** To maintain remote control, the rootkit establishes a covert communication channel. A separate UDP-based backdoor component listens for encrypted commands from the attacker's command-and-control (C2) server. **This backdoor controller grants the attacker god-like control over the device, enabling them to:** * **Disable all system logging,** effectively making the switch "forget" all malicious activity. * **Bypass authentication checks** to grant access to anyone using the secret handshake. * **Hide malicious configurations** from the `show running-config` command. Specific user accounts, EEM (Embedded Event Manager) applets, and Access Control Lists (ACLs) can be active on the device while remaining completely invisible to network administrators. * **Execute "timestomping,"** manipulating file timestamps to avoid detection during forensic audits. ### **Phase 4: Lateral Movement and Espionage** With full, invisible control over a network switch, the attacker gains a strategic vantage point. They can now: * **Bridge separate VLANs,** dismantling critical network segmentation designed to contain breaches. * **Conduct ARP spoofing** to impersonate trusted IP addresses, allowing them to bypass internal firewalls and intercept sensitive data in transit. * **Move laterally** throughout the network to target high-value servers and workstations, all from a trusted network position. ## **Mitigation and Defense: A Strategic Response** Given the severity and stealth of this threat, a layered and immediate defensive strategy is non-negotiable. ### **Immediate Action: Patching and Workarounds** The single most effective action is to apply the official patch. Organizations must immediately upgrade their Cisco switches to a fixed software release. The **Cisco Software Checker** should be used to identify the correct version for specific hardware models. If patching cannot be performed instantly, a temporary mitigation is available. Administrators can disable the specific vulnerable Object ID (OID) using the SNMP view configuration: `snmp-server view NO-DISCO iso excluded` `snmp-server community public view NO-DISCO RO` **Important Note:** This is a temporary workaround, not a permanent solution. Patching remains critical. ### **Strategic Security Hardening** Beyond immediate mitigation, organizations must reinforce their security posture: * **Eliminate Default SNMP Communities:** Immediately change or disable well-known community strings like "public" and "private." * **Restrict SNMP Access:** Use Access Control Lists (ACLs) to ensure the SNMP service is only accessible from a dedicated, trusted management station and is blocked from general network access. * **Conduct Proactive Threat Hunting:** There is no automated tool to reliably detect a compromise. Security teams must hunt for anomalies, such as unexplained device reboots, unexpected EEM scripts, or unusual SNMP traffic patterns. * **Engage Cisco TAC for Forensic Analysis:** If a compromise is suspected, the only reliable course of action is to contact Cisco's Technical Assistance Center for a low-level forensic investigation. It demonstrates that advanced threat actors are now systematically targeting the network infrastructure itself with tools designed to be invisible to conventional security controls. The combination of a potent, remotely exploitable flaw and an advanced, persistent rootkit creates a perfect storm for enterprise security. This campaign serves as a stark reminder that network devices are not just plumbing—they are critical security endpoints that require the same level of scrutiny, patching, and monitoring as any server or desktop.

loading..   16-Oct-2025
loading..   6 min read