
ClickFix


State-Sponsored Hackers Leverage ClickFix Social Engineering in Global Cyber Espionage

Recent cybersecurity investigations reveal that advanced persistent threat (APT) groups from North Korea, Iran, and Russia have adopted the ClickFix social engi...

17-Apr-2025
3 min read


Related Articles


VPN

RCE

SonicWall SMA devices face active attacks via CVE-2021-20035 RCE flaw. Patch now...

Security researchers have revealed that SonicWall Secure Mobile Access (SMA) devices have been under active attack since January 2025 through a vulnerability originally patched nearly four years ago. This remote code execution vulnerability (CVE-2021-20035), initially underestimated as a mere denial-of-service issue, has now been confirmed to allow attackers to execute arbitrary code on vulnerable systems. The exploitation campaign highlights how threat actors continue to leverage older vulnerabilities to compromise security infrastructure, particularly when organizations fail to apply available patches. With CISA adding this vulnerability to its Known Exploited Vulnerabilities catalog on April 16, 2025, federal agencies now face a May 7th deadline to remediate the issue.

## Vulnerability Details and Evolution

The vulnerability known as CVE-2021-20035 affects SonicWall SMA 100 series appliances, including SMA 200, 210, 400, 410, and 500v devices across physical, virtual, and cloud deployments. Originally discovered and patched in September 2021, this security flaw was initially described by SonicWall as only capable of causing denial-of-service attacks. However, in a significant development on April 15, 2025, SonicWall updated its four-year-old security advisory to indicate that the vulnerability is being actively exploited in the wild and presents a more severe risk than previously thought. The vulnerability's CVSS score was consequently upgraded from a medium severity rating of 6.5 to a high severity score of 7.2, reflecting its enhanced threat potential.

The technical nature of the vulnerability involves "improper neutralization of special elements in the SMA100 management interface," which allows remote authenticated attackers to inject arbitrary operating system commands as the "nobody" user.
While this originally seemed limited in impact, further analysis has revealed that successful exploitation can lead to remote code execution, significantly elevating the risk to affected organizations. This is particularly concerning because the vulnerability requires only low privilege levels and can be exploited through low-complexity attacks, making it an attractive target for threat actors seeking initial access to corporate networks. The update from SonicWall reflects an evolving understanding of how the vulnerability can be weaponized and shows that security flaws can have impacts beyond their initial assessment.

### Affected Versions and Patching Information

The vulnerability impacts several versions of SonicWall SMA 100 series firmware, with specific patches available for each affected version line:

- Firmware 10.2.1.0-17sv and earlier: upgrade to at least 10.2.1.1-19sv or higher.
- Firmware 10.2.0.7-34sv and earlier: upgrade to at least 10.2.0.8-37sv or higher.
- Firmware 9.0.0.10-28sv and earlier: upgrade to at least 9.0.0.11-31sv or higher.

SonicWall's current recommendation goes beyond these minimum fixes: all affected customers should update to firmware version 10.2.1.14-75sv for optimal protection.

The persistence of vulnerable systems nearly four years after patches were made available highlights a common challenge in cybersecurity: the significant lag between patch availability and deployment across affected organizations. This gap creates extended windows of opportunity for threat actors to exploit known vulnerabilities, even when fixes exist.
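As an added example (not SonicWall's tooling and not code from this article), the following Python script encodes the per-branch fix levels and the recommended release quoted above so that an exported inventory of SMA 100 firmware versions can be triaged; the hostnames in the sample inventory are constructed, and any version below a branch's first fixed build is treated as exposed, which is the conservative reading of "x and earlier".

```python
"""Triage SonicWall SMA 100 series firmware versions against the
CVE-2021-20035 fix levels quoted in the article above.

Added example, not SonicWall's tooling. The version thresholds and the
recommended release come from the article; the sample inventory is constructed.
"""
import re
from typing import Dict, Iterable, NamedTuple, Tuple

# SMA 100 firmware strings look like 10.2.1.14-75sv: four dotted numbers,
# a dash, a build number and the 'sv' suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


class Firmware(NamedTuple):
    major: int
    minor: int
    patch: int
    rev: int
    build: int

    @property
    def branch(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> Firmware:
    """Parse e.g. '10.2.1.14-75sv' into an orderable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return Firmware(*(int(g) for g in m.groups()))


# First fixed release on each firmware line named in the advisory. Anything on
# these lines below the fixed build is reported as vulnerable (conservative:
# the advisory says "x and earlier is affected, update to at least y").
FIXED_MIN: Dict[Tuple[int, int, int], Firmware] = {
    (10, 2, 1): parse_version("10.2.1.1-19sv"),
    (10, 2, 0): parse_version("10.2.0.8-37sv"),
    (9, 0, 0): parse_version("9.0.0.11-31sv"),
}
RECOMMENDED = parse_version("10.2.1.14-75sv")  # SonicWall's recommended target


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched', 'recommended' or 'unknown-branch'."""
    fw = parse_version(version_text)
    if fw >= RECOMMENDED:
        return "recommended"
    fixed = FIXED_MIN.get(fw.branch)
    if fixed is None:
        return "unknown-branch"  # a line the advisory does not list; check manually
    return "patched" if fw >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for (hostname, version) pairs; bad strings do not abort."""
    report = {}
    for host, ver in inventory:
        try:
            report[host] = assess(ver)
        except ValueError:
            report[host] = "unparsable"
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames are illustrative.
    sample = [
        ("sma-hq-01", "10.2.1.0-17sv"),   # last affected build on 10.2.1
        ("sma-hq-02", "10.2.1.1-19sv"),   # minimum fix on 10.2.1
        ("sma-dr-01", "10.2.0.7-34sv"),
        ("sma-lab-01", "9.0.0.11-31sv"),
        ("sma-new-01", "10.2.1.14-75sv"),
        ("sma-old-01", "8.6.0.3-12sv"),   # line not covered by the advisory
    ]
    for host, status in triage(sample).items():
        print(f"{host:12s} {status}")
```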
The situation is complicated by the critical nature of VPN appliances in organizational infrastructure, which often makes them difficult to take offline for maintenance without significant operational disruption, potentially delaying necessary security updates in favor of continued business operations.

## Exploitation Campaign Details

According to researchers, an active campaign exploiting CVE-2021-20035 has been targeting SonicWall SMA devices since at least January 2025, continuing through April 2025. This credential access campaign specifically focuses on SMA 100 series appliances with exposed management interfaces, demonstrating the attackers' strategic targeting of vulnerable remote access infrastructure. One particularly concerning aspect of the campaign involves the exploitation of poor password hygiene, with threat actors leveraging a local super admin account (admin@LocalDomain) that was configured with the insecure default password "password". This combination of vulnerability exploitation and weak credential security provides attackers with an effective method to compromise these critical access points.

The timing of this campaign is significant, beginning several months before SonicWall's public acknowledgment of active exploitation. Our observation of this activity from January through April 2025 suggests that threat actors identified and weaponized the vulnerability long before it was officially flagged as being exploited in the wild. This delay between initial exploitation and public disclosure created an extended period during which attacks could proceed with reduced detection and response from security teams who may not have prioritized patching what was previously considered a lower-severity vulnerability. The campaign demonstrates how threat actors continually scan for and exploit vulnerabilities in security appliances, particularly those that provide remote access capabilities.
### Exploitation Tactics and Techniques

The exploitation of CVE-2021-20035 showcases a sophisticated approach combining credential access with vulnerability exploitation. Attackers first target the VPN appliances for credential access, either using default credentials or employing brute force, password stuffing, or dictionary-based attacks to compromise legitimate accounts[^1_1]. Once authenticated, they leverage the vulnerability to inject arbitrary commands as the "nobody" user, which can lead to code execution despite the limited privileges of this account[^1_6][^1_12]. This two-stage approach allows threat actors to establish persistence and potentially widen the scope of their attacks within the target network.

The campaign highlights how even vulnerabilities requiring authentication can be effectively weaponized when combined with common authentication bypass techniques. Using the default admin account with its default password illustrates how basic security misconfigurations can undermine even patched systems, providing attackers with the initial access needed to exploit the vulnerability. Our researchers continue to track indicators of compromise associated with this campaign, alerting customers when related activity is observed in their environments[^1_1].

## Regulatory Response and Implications

On April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming that the vulnerability is being actively exploited in attacks. This addition to the KEV catalog triggers requirements under CISA's Binding Operational Directive (BOD) 22-01, mandating that all Federal Civilian Executive Branch (FCEB) agencies must either patch their SonicWall appliances or discontinue use of the products if mitigations cannot be applied by May 7, 2025. This three-week remediation timeline underscores the urgency with which CISA views this threat to federal infrastructure.
The CISA listing for the SonicWall flaw notes that it is currently unknown whether the exploitation activity involves ransomware attacks, though the agency clearly considers the vulnerability a significant threat to federal networks. The explicit timeline for remediation puts pressure on federal agencies to prioritize patching these devices, even if it requires service disruption. While BOD 22-01 only directly applies to U.S. federal agencies, the directive also sets a benchmark for private sector organizations, signaling that this vulnerability requires immediate attention from all SonicWall users regardless of sector.

## Recommended Mitigations

To protect against exploitation of CVE-2021-20035, organizations should immediately apply the appropriate firmware updates provided by SonicWall. The vendor recommends updating to firmware version 10.2.1.14-75sv, which includes the patch for this vulnerability along with other security improvements. Organizations unable to patch their systems immediately should implement compensating controls to limit potential exposure while preparing for updates. Given the confirmed exploitation in the wild, these updates should be treated as urgent security measures rather than routine maintenance.

Beyond patching, several additional security measures have been recommended to reduce the risk of compromise. Organizations should limit VPN access to only the minimum necessary accounts, removing all superfluous access. Any unused or unnecessary accounts should be deactivated entirely to reduce the attack surface. Multi-factor authentication should be enabled for all accounts, providing an additional layer of security even if passwords are compromised. Finally, all local accounts on SonicWall SMA firewalls should have their passwords reset, with particular attention to removing any default credentials like the admin@LocalDomain account's default "password".
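The credential-access pattern described in this article (the default admin@LocalDomain account, brute-force and dictionary attempts against the management interface) is something an access-log audit can surface. The script below is an added example, not SonicWall's code or this article's: its `key=value` log format, field names, thresholds, the assumed management network 10.20.0.0/16 and the sample lines are constructed for illustration and do not reproduce the appliance's real log schema.

```python
"""Flag the credential-access pattern described above in remote-access logs:
logins as the local admin@LocalDomain account from outside the management
network, bursts of failed logins from one source, and a success that follows
such a burst (a guessed or default password).

Added example; the 'key=value' log format, thresholds and sample lines are
constructed for illustration and are not SonicWall's real log schema.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILED)$"
)
DEFAULT_ADMIN = "admin@LocalDomain"   # local super admin account named in the article
FAIL_THRESHOLD = 5                     # failures from one source ...
WINDOW = timedelta(minutes=10)         # ... inside this sliding window

# Constructed sample log (documentation-range addresses; 10.20.0.0/16 is the
# assumed management network from which admin logins are expected).
SAMPLE_LOG = """\
2025-03-02T03:10:01Z src=10.20.0.5 user=admin@LocalDomain result=SUCCESS
2025-03-02T03:12:10Z src=203.0.113.45 user=admin@LocalDomain result=FAILED
2025-03-02T03:12:14Z src=203.0.113.45 user=admin@LocalDomain result=FAILED
2025-03-02T03:12:19Z src=203.0.113.45 user=admin@LocalDomain result=FAILED
2025-03-02T03:12:23Z src=203.0.113.45 user=admin@LocalDomain result=FAILED
2025-03-02T03:12:28Z src=203.0.113.45 user=admin@LocalDomain result=FAILED
2025-03-02T03:12:33Z src=203.0.113.45 user=admin@LocalDomain result=SUCCESS
2025-03-02T03:40:00Z src=198.51.100.9 user=jdoe result=FAILED
2025-03-02T03:41:00Z src=198.51.100.9 user=jdoe result=SUCCESS
"""


def parse_line(line):
    """Return {'ts','src','user','ok'} for an auth event, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return {"ts": ts, "src": src, "user": m["user"], "ok": m["result"] == "SUCCESS"}


def audit(lines, mgmt_net):
    """Scan log lines in time order; return (timestamp, alert, source, user) tuples."""
    allowed = ipaddress.ip_network(mgmt_net)
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts, user = ev["src"], ev["ts"], ev["user"]
        fails = recent_fails[src]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()             # expire failures older than the window
        if ev["ok"]:
            if user == DEFAULT_ADMIN and src not in allowed:
                findings.append((ts, "default-admin-login-from-outside", str(src), user))
            if len(fails) >= FAIL_THRESHOLD:
                findings.append((ts, "success-after-failure-burst", str(src), user))
        else:
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:   # report once per burst
                findings.append((ts, "failure-burst", str(src), user))
    return findings


def audit_sample():
    """Run the audit over the constructed sample with the assumed management network."""
    return audit(SAMPLE_LOG.splitlines(), "10.20.0.0/16")


if __name__ == "__main__":
    for ts, alert, src, user in audit_sample():
        print(f"{ts.isoformat()} {alert:34s} src={src} user={user}")
```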
### Additional Security Recommendations

Network defenders should also implement a comprehensive monitoring strategy for their VPN appliances, actively auditing access logs to identify signs of unauthorized or anomalous remote access attempts[^1_4]. Implementing network segmentation can help limit the potential impact of a successful breach, ensuring that compromised VPN access doesn't immediately translate to full network access. Organizations should consider applying web application firewalls (WAF) and additional hardening measures to further reduce the attack surface of their SMA management interfaces.

The vulnerability underscores the importance of proper credential management and authentication practices for administrative accounts on security appliances. Even fully patched firewall devices may become compromised if accounts use poor password hygiene, as demonstrated by the exploitation of the default admin account in this campaign. Organizations should review their password policies, particularly for administrative accounts on network security devices, to ensure they meet current security standards and are regularly rotated. This comprehensive approach to security goes beyond merely patching vulnerabilities to address the broader security posture necessary to protect critical infrastructure devices.

## Broader Context and Related Vulnerabilities

The exploitation of [CVE-2021-20035](https://www.sonicwall.com/support/notices/product-notice-arbitrary-command-injection-vulnerability-in-sonicwall-sma-100-series-appliances/250415122607607) is part of a concerning trend of attacks targeting VPN and secure access appliances, which represent critical components of organizational security infrastructure. These edge devices have become popular targets for threat actors as both cybercriminals and nation-state attackers have shifted focus to VPNs and firewalls as entry points into protected networks.
This trend is particularly significant as many organizations continue to support remote work arrangements, increasing their reliance on VPN infrastructure and potentially expanding their attack surface.

SonicWall products have experienced multiple serious security challenges in recent months. In January 2025, the company urged customers to patch a critical vulnerability, [CVE-2025-23006](https://nvd.nist.gov/vuln/detail/CVE-2025-23006), affecting SMA1000 secure access gateways following reports of zero-day exploitation. This vulnerability had a CVSS score of 9.8 out of 10, indicating extremely high severity, and allowed unauthenticated remote attackers to execute arbitrary operating system commands under certain conditions. In February 2025, SonicWall warned of an actively exploited authentication bypass flaw (CVE-2024-53704) in Gen 6 and Gen 7 firewalls that could allow hackers to hijack VPN sessions. This pattern of vulnerabilities suggests ongoing security challenges across SonicWall's product portfolio.

CVE-2021-20035, originally underestimated as a denial-of-service issue when patched in 2021, has now been confirmed to enable remote code execution by sophisticated threat actors. The addition of this vulnerability to CISA's Known Exploited Vulnerabilities catalog underscores its significance and creates regulatory pressure for federal agencies to address the issue by May 7, 2025. For all organizations using SonicWall SMA devices, immediate patching to the latest firmware versions is essential, along with implementing additional security measures such as multi-factor authentication, account auditing, and password resets. This incident serves as a powerful reminder that security infrastructure itself can become a vector for attacks when not properly maintained and secured, highlighting the critical importance of comprehensive security practices for edge devices and remote access solutions.

19-Apr-2025
10 min read

Hertz

Clop

Hertz data breach: Cleo zero-day attack exposes customer info. Learn how Clop ra...

Hertz Corporation has confirmed a significant data breach affecting customers of its Hertz, Dollar, and Thrifty car rental brands. The breach, disclosed in April 2025, resulted from zero-day vulnerabilities in the Cleo Communications file transfer platform that the notorious Clop ransomware gang exploited. This comprehensive analysis examines the breach details, affected customer data, Hertz's response, and the broader implications of the Cleo vulnerability exploitation campaign.

## Hertz Data Breach: Timeline and Scope

Hertz Corporation [confirmed](https://www.hertz.com/content/dam/hertz/global/resources/Notice_of_Data_Incident-United_States.pdf) on February 10, 2025, that customer data was _"acquired by an unauthorized third party"_ that exploited zero-day vulnerabilities in Cleo's file transfer platform during October and December 2024. After completing its data analysis on April 2, 2025, Hertz determined that various types of customer information had been compromised.

The compromised data includes names, contact information, dates of birth, credit card details, driver's license information, and workers' compensation claims records. More sensitive information may have been exposed for a smaller subset of affected individuals, including Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs, and injury-related information associated with vehicle accident claims.

While Hertz has not publicly disclosed the total number of affected customers globally, regulatory filings indicate that the breach impacted at least 3,409 Maine residents. The breach appears to have affected customers internationally, with notifications posted on Hertz websites in the United States, Canada, the European Union, the United Kingdom, Australia, and New Zealand.
### Attribution to Clop Ransomware Gang

The attack has been attributed to the [Clop](https://www.secureblink.com/threat-research/clop-ransomware) (also stylized as Cl0p) ransomware group, which has claimed responsibility for exploiting vulnerabilities in Cleo's managed file transfer products. Following their established pattern, Clop added Hertz to their leak site, making the stolen data available for download. According to [Malwarebytes Labs](https://www.malwarebytes.com/blog/news/2025/04/hertz-data-breach-caused-by-cl0p-ransomware-attack-on-vendor), the number of available archives for download is "tenfold," suggesting a significant amount of stolen data.

## Cleo Vulnerabilities: Technical Details

The breach stemmed from two critical vulnerabilities in Cleo's file transfer platform, tracked as CVE-2024-50623 and [CVE-2024-55956](https://nvd.nist.gov/vuln/detail/CVE-2024-55956). These vulnerabilities affected multiple Cleo products, including Cleo Harmony, VLTrader, and LexiCom[7][8].

[CVE-2024-50623](https://nvd.nist.gov/vuln/detail/CVE-2024-50623) involves improper handling of file uploads in the Autorun directory, enabling attackers to upload and execute malicious files on a server[8]. CVE-2024-55956 allows for remote code execution through Autorun, enabling unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using default settings[8]. This second vulnerability also facilitates the deployment of modular Java backdoors to steal data and conduct lateral movement within networks.

### Pattern of Targeting File Transfer Platforms

This incident represents the latest in a series of attacks by Clop targeting managed file transfer platforms. In 2023, the group executed a similar campaign exploiting vulnerabilities in Progress Software's MOVEit Transfer tool, which affected hundreds of organizations worldwide[8][7].
Dray Agha, senior manager of security operations at Huntress, noted that the Hertz breach "reflects a growing trend of cyber criminals targeting secure file transfer platforms, which are integral to many organisations' operations"[8].

## Broader Impact of the Cleo Campaign

The Cleo vulnerabilities exploitation campaign has had far-reaching effects beyond Hertz. Other confirmed victims include [Western Alliance Bank](https://www.secureblink.com/cyber-security-news/hackers-stole-22-k-social-security-numbers-in-a-80-b-bank-scandal), WK Kellogg Company, and Sam's Club. Security researchers at Comparitech have suggested that "many more breach notifications from this exploit" may be forthcoming, as Clop has added over 350 victims to its data leak site[3].

The impact of the Cleo breach has been significant enough to drive a measurable increase in ransomware activity. According to ReliaQuest, the incident fueled a 23% increase in overall ransomware activity between Q4 2024 and Q1 2025[3]. Paul Bischoff, a consumer privacy advocate at Comparitech, told SecurityWeek in March 2025 that hundreds of organizations were likely affected by the Cleo incident.

## Hertz's Response to the Breach

Hertz has emphasized that its own network was not compromised in the attack. "Importantly, to date, our forensic investigation has found no evidence that Hertz's own network was affected by this event," a Hertz spokesperson told SecurityWeek[2][9]. The company has confirmed that Cleo investigated the incident and addressed the identified vulnerabilities.

As part of its response, Hertz has:

1. Reported the incident to law enforcement and relevant regulatory authorities.
2. Filed data breach notifications with the Attorney General's Offices in several states, including Maine, California, and Vermont.
3. Secured Kroll's services to provide two years of free identity monitoring or dark web monitoring services to potentially affected individuals.
4. Established a dedicated phone line for customers seeking additional information about the breach.

In its notification, Hertz stated: _"While Hertz is not aware of any misuse of personal information for fraudulent purposes in connection with the event, we encourage potentially impacted individuals, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring free credit reports for any unauthorized activity and reporting any such activity"_.

## The Clop Ransomware Gang: Evolution and Tactics

The Clop ransomware gang, also known as TA505 and Cl0p, began operations in March 2019, initially targeting companies with ransomware attacks[9][7]. Since 2020, the group has shifted its focus toward data theft attacks, particularly exploiting zero-day vulnerabilities in secure file transfer platforms.

Clop's attack methodology has evolved to become more systematic and scalable. In 2023, the group "broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits in file sharing software like MOVEit Transfer and GoAnywhere MFT". The group has continued this approach with the Cleo attacks in 2024.

### Operational Pattern

Clop's operational pattern typically involves:

1. Identifying and exploiting zero-day vulnerabilities in widely used file transfer platforms
2. Mass-exploiting these vulnerabilities to steal data from multiple organizations simultaneously
3. Adding victim companies to their leak site
4. Demanding ransom payments to prevent the public release of the stolen data
5. Leaking the data of non-paying victims

This evolution from traditional ransomware encryption attacks to data theft and extortion reflects a broader trend in the cybercriminal ecosystem, as noted by security experts[8].
## Recommendations for Affected Customers

Hertz has provided several recommendations for potentially affected individuals to protect themselves against possible fraud or identity theft:

1. Remain vigilant by reviewing account statements and monitoring credit reports for unauthorized activity
2. Consider placing a fraud alert on credit files with the three major credit reporting bureaus (Equifax, Experian, and TransUnion)
3. As an alternative to a fraud alert, consider placing a credit freeze (also known as a security freeze) on credit reports
4. File a police report in the event of identity theft or fraud
5. Report instances of known or suspected identity theft to law enforcement and the relevant state Attorney General

Additionally, affected U.S. residents can sign up for the offered identity monitoring services through Kroll at the designated website: http://hufcuwxgqzil.kroll.com/.

## Broader Implications and Future Concerns

The Hertz data breach illustrates several concerning trends in the cybersecurity landscape:

### Supply Chain Vulnerabilities

The incident highlights the significant risks posed by supply chain vulnerabilities. Even though Hertz's own network wasn't directly compromised, the company suffered a major data breach through a third-party vendor. As companies increasingly rely on external partners and services, these interconnections create new attack vectors that can be difficult to secure.

### Targeting of File Transfer Platforms

The continued targeting of file transfer platforms by ransomware groups like Clop represents a strategic focus on critical business infrastructure. These platforms often contain valuable data being transferred between organizations and may not receive the same level of security scrutiny as other systems.

### Scale of Modern Attacks

The Cleo campaign demonstrates how modern ransomware groups have developed capabilities to simultaneously conduct large-scale, automated attacks affecting hundreds of organizations. This represents a significant evolution from earlier, more targeted approaches.

While Hertz has responded with appropriate mitigation measures, including offering identity monitoring services to affected individuals, this breach underscores the growing threat posed by supply chain attacks and the targeting of file transfer platforms. The incident also demonstrates the evolving tactics of ransomware groups, which increasingly focus on data theft and extortion rather than traditional encryption-based attacks. For affected individuals, maintaining vigilance through regular monitoring of financial accounts and credit reports remains the best defense against potential fraud resulting from this breach.

16-Apr-2025
8 min read

Healthcare

DaVita, a major kidney care provider, suffered a ransomware attack that encrypte...

DaVita, a prominent kidney care provider in the United States, disclosed on Monday that it has fallen victim to a ransomware attack. The cyberattack encrypted parts of its network, causing operational disruptions and raising alarms about potential data theft. DaVita, which operates over 2,600 dialysis centers and employs over 76,000 individuals worldwide, is now working to contain the attack and mitigate its impact on patient care.

### What Happened During DaVita's Ransomware Attack?

On April 12, 2025, DaVita confirmed in an SEC Form 8-K filing that it became aware of a ransomware incident that had encrypted certain parts of its network. The attack occurred on a weekend, a typical strategy for cybercriminals, as IT teams are often understaffed and slower to respond during this time. In response, DaVita promptly activated its security protocols and implemented containment measures to isolate the affected systems. The company has yet to provide a clear timeline for when the impacted operations will return to normal, though it remains focused on restoring its network.

### Impact on Operations and Patient Care

Despite the ransomware attack, DaVita stated that it continues to provide care to patients across its treatment centers. The company assured stakeholders that its contingency plans were effectively activated to ensure that critical healthcare services, such as dialysis, are not compromised. While the ransomware attack has disrupted some operational processes, the company has emphasized that patient safety and care remain a top priority. DaVita has also taken interim steps to restore impacted systems as quickly as possible.

### Patient Data Security Concerns

One of the most pressing concerns in the aftermath of a ransomware attack is the potential theft of sensitive data. In the filing, DaVita mentioned that the scope of the breach, including whether patient data had been accessed or stolen, is still under investigation.
This concern is particularly significant as ransomware gangs often steal data before encrypting it in a bid to extort additional payment from their victims. Given DaVita's size and prominence in the healthcare industry, any breach involving patient data could have serious repercussions for both the company and its patients. As of now, there has been no confirmation of data theft, but the company is conducting a thorough investigation to determine the full extent of the attack.

### Company's Immediate Actions and Response

Upon detection of the ransomware attack, DaVita acted quickly by isolating the affected systems to prevent further damage. The company's security teams have been working tirelessly to restore operations while also ensuring that all critical patient care services remain uninterrupted. DaVita's swift response illustrates the effectiveness of its contingency plans, which are designed to minimize disruption in the face of cyberattacks. However, as the investigation progresses, the company has made it clear that more details about the attack's full impact will be provided as soon as they are available.

### What's Next for DaVita and Its Customers?

The ransomware attack on DaVita raises serious questions about the security of sensitive patient data within the healthcare industry. As cyberattacks on healthcare providers continue to rise, it is becoming increasingly critical for companies in the sector to bolster their cybersecurity measures to protect patient information and maintain trust. While DaVita has yet to determine the full extent of the damage, including any potential patient data theft, it remains committed to restoring its network and operations. The company has assured the public that it will keep stakeholders informed as more information becomes available.

### How Can Healthcare Providers Protect Themselves From Ransomware Attacks?
Healthcare organizations like DaVita are prime targets for ransomware attacks due to the critical nature of the services they provide and the sensitive data they store. In response to growing cybersecurity threats, healthcare providers must implement robust security protocols, including the following:

1. **Regularly Update Systems and Software:** Keeping software up to date ensures that known vulnerabilities are patched, reducing the likelihood of an attack.
2. **Employee Training on Cybersecurity Best Practices:** Educating employees about phishing emails and other common attack vectors can help prevent ransomware from gaining access to networks.
3. **Data Backup and Encryption:** Ensuring that critical data is backed up and encrypted can make it easier to recover if a ransomware attack occurs.
4. **Incident Response Planning:** Having a well-defined incident response plan in place allows organizations to respond swiftly and minimize damage during a cyberattack.

The recent ransomware attack on DaVita highlights the ongoing cybersecurity challenges faced by healthcare organizations, particularly those that manage sensitive patient data. While the company continues to investigate the attack and restore operations, patient care remains a priority, and DaVita has implemented contingency measures to minimize disruptions. As the investigation unfolds, stakeholders will be keenly watching for any updates regarding the potential theft of patient data and how DaVita plans to prevent future cyberattacks.

Healthcare providers must take immediate action to safeguard their networks and data to prevent similar incidents from occurring in the future. In an increasingly connected world, ransomware attacks are an unfortunate reality that organizations must prepare for. With a focus on proactive cybersecurity measures and quick response protocols, healthcare companies like DaVita can minimize the impact of such incidents and continue providing vital services to their patients.

15-Apr-2025
5 min read