company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Ukraine

Telegram

loading..
loading..
loading..

Ukrainian SSSCIP warned of a newly discovered cyberattack aiming to target Telegram account

State Service of Special Communication and Information Protection (SSSCIP) of Ukraine warns of threat actors targeting aimed at gaining access to users’ Telegra...

06-Apr-2022
2 min read

No content available.

Related Articles

loading..

Extortion

Explore the PowerSchool data breach affecting millions of students and teachers....

The education technology sector experienced a major setback as PowerSchool, a leading provider of school records software, suffered a cyberattack compromising the personal data of millions of students and teachers. The breach, occurring in December, has raised concerns about data security and privacy within K-12 school systems across the United States, particularly due to its vast scale and the historical depth of the compromised data. Unlike many cyberattacks, this incident affected records spanning over a decade, exposing systemic vulnerabilities in how educational data is stored and protected. With PowerSchool’s software supporting over 60 million students, the incident has left educational institutions grappling with the fallout. ### Scale of the Breach Sources within affected school districts confirmed that hackers accessed vast troves of sensitive information, including historical data on students and teachers. This information reportedly dates back as far as the 2009-2010 school year for some districts. Compromised data includes names, addresses, Social Security numbers, some medical information, grade data, and other personally identifiable information (PII). A school district representative disclosed, “In our case, the attackers gained access to all historical student and teacher data. This breach extends far beyond current records, affecting anyone whose information has ever been stored in the PowerSchool system.” Logs from some districts revealed that unauthorized access began even earlier than PowerSchool’s official timeline of late December. ### Insufficient Security Measures One major concern highlighted by this incident is the lack of basic cybersecurity measures. According to affected districts, PowerSchool’s compromised system lacked multi-factor authentication (MFA), a critical layer of defense against cyberattacks. Without MFA, attackers could easily use stolen credentials to access sensitive systems, as there were no additional barriers like verification codes or biometric checks to prevent unauthorized logins. This glaring security lapse likely facilitated the breach, allowing hackers to infiltrate and extract data with minimal resistance. While PowerSchool spokesperson Beth Keebler confirmed that the company employs MFA in its operations, she declined to elaborate on its implementation or the specific systems protected. Experts argue that the absence of robust security measures, particularly in systems handling such sensitive information, underscores a systemic vulnerability in the education technology sector. Mark Racine, CEO of RootED Solutions, emphasized in a blog post that this breach affects not only current PowerSchool customers but also former customers, significantly expanding the scale of impacted individuals. ### Affected Districts and Data Exposure Several districts have publicly confirmed the breach’s impact on their data. For instance, the Menlo Park City School District reported unauthorized access to personal details of all current students and staff as well as historical records dating back over a decade. Similarly, the Rancho Santa Fe School District revealed that teachers' login credentials were also compromised, potentially endangering ongoing educational processes. These examples underscore the tangible effects of the breach on both operational and personal levels within the affected communities. The Menlo Park City School District in California revealed that all current and historical data on students and staff had been accessed. Similarly, the Rancho Santa Fe School District reported that the attackers gained access to teachers’ credentials for the PowerSchool system. Other districts are reporting affected student numbers that are four to ten times higher than current enrollment, further highlighting the magnitude of the breach. PowerSchool’s FAQ for customers indicated that while the type of stored data varies by district and state requirements, the breach included significant PII. Despite this, Keebler stated that the company’s ongoing review suggests most affected customers did not have Social Security numbers or medical information exfiltrated. ### PowerSchool’s Response PowerSchool claims to have taken “appropriate steps” to prevent the dissemination of stolen data, asserting that the compromised information has been deleted without further replication. Experts suggest that implementing robust encryption, regular security audits, and advanced access controls like multi-factor authentication could have minimized the risk of such breaches. Furthermore, clear communication about the specific measures taken and evidence supporting the deletion claims would bolster trust among stakeholders. Without such transparency, questions about the effectiveness of PowerSchool’s response are likely to persist. However, the company has not disclosed specific measures taken or provided evidence to support its claim. “While our data review remains ongoing, we have identified the schools and districts whose data was involved and are working to notify impacted individuals,” said Keebler in a statement. PowerSchool declined to publicly share the names of affected districts, adding to frustrations over transparency. ### Larger Implications The breach raises critical questions about the security of sensitive data in educational systems. Legislative changes, such as mandating comprehensive data encryption standards and requiring multi-factor authentication across all edtech platforms, could significantly reduce vulnerabilities. Additionally, implementing stricter data retention policies and ensuring regular compliance audits for educational institutions could help address these security concerns effectively. With more districts relying on technology to manage records, the need for stringent cybersecurity measures has never been greater. Experts advocate for mandatory adoption of practices like MFA, encryption, and regular security audits to protect data. Moreover, this incident highlights the risks of retaining extensive historical data without robust safeguards. School districts must reassess their data retention policies and invest in secure infrastructure to prevent similar breaches in the future.

loading..   17-Jan-2025
loading..   5 min read
loading..

Ransomhub

Backdoor

Python-based backdoor used by RansomHub ransomware, exploiting network flaws wit...

In an alarming incident reported in Q4 2024, reveals evidence of a sophisticated threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints. This breach was exploited to deploy RansomHub encryptors across the impacted network. Earlier, in February 2024, [ReliaQuest documented a prior version of this malware](https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/), highlighting the continuous evolution of this malicious tool. ### Key Features of the Latest Python Backdoor GuidePoint’s investigation revealed critical updates in the latest variant of the Python-based backdoor, setting it apart from its predecessors. Key distinctions include: - **Obfuscation Techniques**: Utilized [PyObfuscate[.]com](https://blog.sucuri.net/2024/06/socgholish-malware.html) for code obfuscation to evade detection. - **Deployment Method**: Exploited Remote Desktop Protocol (RDP) for lateral movement. - **Unique Indicators of Compromise (IoC)**: Introduced distinct filenames, scheduled task names, and command-and-control (C2) addresses. Collaboration with cybersecurity experts, including @drb_ra, resulted in the publication of 18 C2 IP addresses on GitHub under the repository “[drb-ra/C2IntelFeeds](https://github.com/drb-ra/C2IntelFeeds).” ### The Deployment Process The malware deployment followed a systematic and precise methodology: 1. **Initial Access**: [SocGholish (FakeUpdate)](https://mediatrust.com/blog/socgholish-driveby-download-compromised-landing-page/) was identified as the initial access vector. 2. **Python Backdoor Deployment**: Dropped on the initial compromised system 20 minutes post-infection. 3. **Lateral Movement**: Additional systems were infected via RDP. The five-step process for installing Python and deploying the backdoor included: 1. Navigating to the target directory: `C:\users\<redacted>\appdata\local\connecteddevicesplatform` 2. Installing Python: ``` wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile .\python3.12.zip ``` 3. Setting up PIP and required libraries: ``` wget https://bootstrap.pypa.io/pip/pip.pyz -OutFile .\pip.pyz; .\pythonw.exe pip.pyz --trusted-host files.pythonhosted.org --trusted-host pypi.org install pycryptodome virtualenv requests pipx --upgrade pip --no-warn-script-location; ``` 4. Creating a Python proxy script: `get-pip2.pyd` 5. Establishing persistence with scheduled tasks: ``` powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\<redacted>\AppData\Local\ConnectedDevicesPlatform\get-pip' -Execute 'pythonw.exe' -Argument 'get-pip2.pyd'; $t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName 'get-pip2' -Action $a -Trigger $t -Settings $s -User 'system' ``` ### Technical Analysis of the Python Script #### Functionality The backdoor functions as a reverse proxy, creating a SOCKS5-like tunnel to enable lateral movement. Key operations include: 1. Establishing an initial TCP connection to a hardcoded IP address. 2. Utilizing the received data to create a secondary connection. 3. Acting as a proxy for threat actor communication. #### Obfuscation and AI-Generated Code The script employs advanced obfuscation techniques and demonstrates exceptional coding standards. Observations include: - **Polished Code**: Suggestive of meticulous programming or AI-assisted code generation. - **Structured Design**: Utilized classes, descriptive method names, and robust error handling. - **Dynamic Variables**: Hardcoded IPs and ports ensure seamless operation. #### C2 Behavior The backdoor’s C2 communications involve: 1. TCP socket creation and idle state awaiting specific bytes. 2. Secondary TCP connection based on received data. 3. SOCKS5-like tunnel establishment for proxied traffic. ### Evidence of Advanced Persistence The malware’s persistence strategy involves: - Regular execution via scheduled tasks. - Frequent updates to evade detection. - Leveraging obfuscated versions for minimal VirusTotal detection. Notably, [VirusTotal’s report on the malware](https://www.virustotal.com/gui/file/64d8f12cdcd1dfa7a3c012a36c011a43303dc8357b7899db254a022b187cba03) highlighted zero detections at the time of upload. ### Indicators of Compromise (IoC) Key IoCs include: - **Filename**: `get-pip2.pyd` - **Task Name**: `get-pip2` - **SHA256 Hash**: `5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c` - **C2 IPs**: Examples include `185.174.101.240`, `38.180.81.153`, and `104.238.61.144` (full list available on GitHub). ### Key Takeaways - RansomHub affiliates are leveraging Python-based backdoors for persistence and evasion. - The adoption of AI in malware development is an emerging trend. - Continuous monitoring and collaboration are essential to counter these threats. [Halcyon’s detailed threat insights](https://www.halcyon.ai/blog/halcyon-threat-insights-012-january-2025-ransomware-report) provide further context on this evolution.

loading..   16-Jan-2025
loading..   4 min read
loading..

Simplehelp

RCE

Critical SimpleHelp flaws expose systems to attacks. Learn how these vulnerabili...

The digital landscape was rocked in 2024 by a wave of zero-day vulnerabilities that exploited popular remote access software like [ConnectWise ScreenConnect (CVE-2024-1708)](https://nvd.nist.gov/vuln/detail/CVE-2024-1708) and [BeyondTrust products (CVE-2024-12356)](https://nvd.nist.gov/vuln/detail/CVE-2024-12356). As we entered 2025, the discovery of critical flaws in **SimpleHelp Remote Support Software** has sent shockwaves through the cybersecurity world, highlighting the pervasive risks in tools that many organizations rely on for remote assistance. ## **SimpleHelp: The Silent Player with a Significant Impact** SimpleHelp, a relatively lesser-known name in the remote support software arena, is more widespread than many might assume. A quick dive into its usage statistics reveals that the platform is being utilized by thousands of users globally, with the United States leading the pack, followed by the United Kingdom, France, Canada, and Australia. While its market share might not rival giants like TeamViewer or AnyDesk, SimpleHelp’s vulnerabilities pose a grave threat, as they potentially allow malicious actors to compromise not only the software itself but also the client machines it connects to. This alarming discovery underscores the urgent need for organizations to scrutinize the software they trust with sensitive operations. ## **Three Critical Vulnerabilities** After conducting a thorough security audit, researchers unearthed three severe vulnerabilities in SimpleHelp, each with the potential to wreak havoc on businesses relying on its services. Let’s break down these flaws: ### 1. **Unauthenticated Path Traversal Vulnerability (CVE-2024-57727)** This is the most critical of the trio. Exploiting this vulnerability, attackers can download arbitrary files from a SimpleHelp server without authentication. Since SimpleHelp stores all its data on disk as files, this creates an immediate threat: - Access to **serverconfig.xml**, a key configuration file, could provide hashed passwords for admin accounts and technicians. - Exposure of sensitive credentials like **LDAP secrets**, **OIDC client details**, and **API keys** could facilitate further attacks. The situation is worsened by the use of a hardcoded encryption key, rendering any encrypted logs or configuration files susceptible to decryption. For more technical details, see the [Horizon3.ai disclosure](https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/). ### 2. **Arbitrary File Upload Leading to Remote Code Execution (CVE-2024-57728)** With admin-level access, an attacker can exploit this vulnerability to upload arbitrary files directly onto the SimpleHelp server. This opens the door to remote code execution: - On Linux systems, attackers can upload malicious **crontab files** to execute remote commands. - On Windows, attackers can overwrite key executables or libraries, gaining control of the host machine. An example exploit demonstrated the use of a reverse shell on a compromised Linux server, showcasing the devastating potential of this flaw. ### 3. **Privilege Escalation From Technician to Admin (CVE-2024-57726)** Even low-level technician accounts are not immune. This vulnerability allows attackers to escalate their privileges to those of an administrator by exploiting unprotected backend authorization checks. Once elevated, attackers can: - Gain control of the entire SimpleHelp server. - Exploit the file upload vulnerability to execute commands remotely, extending their reach to other connected machines. ## **How to Detect Vulnerable Systems** SimpleHelp servers can be checked for vulnerabilities by accessing the `/allversions` endpoint or inspecting the HTTP Server header. Any version predating **5.5.8**, **5.4.10**, or **5.3.9** is at risk. A complete list of exploited vulnerabilities is available in [CISA’s Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). ## **Solution: Patch Immediately** SimpleHelp has responded quickly, releasing patches to address these vulnerabilities. The latest versions (**5.5.8**, **5.4.10**, and **5.3.9**) contain the necessary fixes, and all users are strongly urged to update immediately. For more details, refer to the [SimpleHelp KnowledgeBase article](https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier). ## **Timeline of Events** - **Dec. 30, 2024**: Researchers contact SimpleHelp to report vulnerabilities. - **Jan. 6, 2025**: SimpleHelp acknowledges the report and begins remediation. - **Jan. 7, 2025**: Researchers notify affected customers. - **Jan. 8, 2025**: Patch versions **5.5.8** and **5.4.10** are released. - **Jan. 13, 2025**: Patch version **5.3.9** is released. - **Jan. 14, 2025**: CVEs are officially assigned. ## **Trust and Remote Support Tools** The SimpleHelp vulnerabilities highlight a broader issue in the cybersecurity ecosystem. Tools designed to facilitate remote support and management are inherently attractive targets for attackers due to their access privileges and widespread use. Organizations must adopt a proactive approach: - Conduct regular security audits of third-party software. - Implement strict privilege management and monitoring. - Stay informed about known vulnerabilities and apply patches promptly. ## **Final Thoughts** The recent vulnerabilities demonstrate how attackers exploit overlooked weaknesses to devastating effect. Addressing these challenges requires organizations to rethink their cybersecurity strategy: proactive threat modeling, continuous monitoring of software dependencies, and leveraging zero-trust principles to reduce attack surfaces. Effective responses must be as agile as the threats they face, turning every exploit into an opportunity to strengthen their security posture. For users of SimpleHelp, the message is clear: **Upgrade now or risk falling victim to these critical flaws.** For further updates, visit the [official SimpleHelp website](https://simple-help.com/).

loading..   15-Jan-2025
loading..   5 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

This website uses cookies to ensure you get the best experience on our website. By continuing on our website, you consent to our use of cookies. To find out more about how we use cookies, please see our Cookies Policy.

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958