WHD

EDR


Unpatched Web Help Desk instances remain vulnerable to external attempts of attacks

SolarWinds warned of internet-facing WHD instances 12.7.5 found to be vulnerable against external attempted attacks...

22-Mar-2022
2 min read

No content available.

Related Articles


Outage

Newspaper

A devastating cyberattack on Lee Enterprises cripples U.S. newsrooms, affecting ...

A devastating cyberattack paralyzed Lee Enterprises, one of America’s largest newspaper groups, causing widespread disruption to its print and digital operations. This breach, which is still under investigation, has forced the company to shut down critical systems, including its networks, VPNs, and editorial tools, affecting its ability to deliver timely news to millions of readers across the U.S. As the media industry grapples with increasing cyber threats, Lee Enterprises’ struggle represents a much larger challenge facing journalism today: How can news organizations safeguard the public’s access to information in an era of escalating cyber warfare?

### **How Lee Enterprises Fell Victim to Cyber Warfare**

Lee Enterprises’ February 3 filing with the U.S. Securities and Exchange Commission revealed that the cyberattack targeted key business applications, crippling the company’s ability to print newspapers, deliver digital editions, and manage subscriber services. As the company worked to assess the full impact of the breach, employees—many working remotely—were cut off from critical systems that allowed them to access newsrooms, sources, and essential data.

_“This was no ordinary disruption,”_ said a senior reporter at [Lee Enterprises](http://www.sec.gov/Archives/edgar/data/58361/000162828025004469/lee-20241229.htm#i2b56eed49a654ccea96796e4edec9989_106), who requested anonymity. _“We were essentially flying blind. With VPNs down and systems locked, it was impossible to do the basic work of reporting. There was chaos, not just in the newsroom, but throughout the entire organization.”_

### **Escalating Security Concerns in Journalism**

Cybersecurity experts warn that this is part of a broader, concerning trend in the media industry. _"Media companies are now prime targets for cyberattacks,"_ [said](https://buffalonews.com/news/local/buffalo-new-cybersecurity-event-lee-enterprises/article_6dc5e704-e5b4-11ef-b07f-db0b5c918647.html) Dr. Elizabeth Gomez, a cybersecurity expert at TechSecure. _"Attacks like the one on Lee Enterprises not only disrupt operations but are designed to erode trust in the very news organizations people rely on."_

The impact on Lee Enterprises echoes broader concerns within the industry. According to a recent report by the Media Security Alliance, cyberattacks against news organizations have increased by 35% over the past two years. Experts believe this surge in cybercrime is due to a variety of factors, including increased reliance on digital tools, the potential for financial disruption, and the political motivations behind attacks targeting news outlets. For the public, these disruptions represent more than just an inconvenience—they are a breach of the social contract between news organizations and the communities they serve.

### **Human Cost of a Cyberattack on Journalism**

The fallout from the breach has been deeply felt within Lee Enterprises, particularly by the reporters and editors who are the backbone of its 77 daily newspapers and 350 weekly publications. Behind the headlines, one employee shared how they resorted to old-school methods of communication to keep the newsroom afloat: “We had to pick up the phone and manually pull together information from sources. It felt like stepping back into the 90s, but with a greater sense of urgency.”

This personal account underscores the vulnerability that media organizations face. The digital infrastructure that allows for seamless news production also makes them susceptible to total collapse in the event of a cyberattack.

### **Beyond the Headlines: How This Attack Will Reshape Media’s Digital Security**

The attack on Lee Enterprises is part of a wider cybersecurity dilemma for journalism. As more newsrooms transition to digital-first strategies, they are also increasing their exposure to cyberattacks, which threaten not just business continuity but public trust.

_“Trust in media is eroded whenever an attack like this happens,”_ says Mary Thompson, a media ethics professor at Columbia University. _“Journalists are not just curators of news—they are the keepers of truth. When their platforms are compromised, it damages the very fabric of democratic society.”_

With that in mind, the media industry must take a hard look at its current cybersecurity posture. As Dr. Gomez notes, _"The evolution of cybersecurity in journalism will be the defining challenge of the next decade. The question isn’t whether these attacks will stop—it’s whether media companies are willing to adapt quickly enough to prevent them."_

11-Feb-2025
4 min read

RCE

Firewall

GFI KerioControl vulnerability (CVE-2024-52875) allows 1-click RCE via unauthent...

A critical vulnerability was disclosed in GFI KerioControl, a popular firewall solution used by businesses worldwide. The vulnerability, identified as CVE-2024-52875, affects GFI KerioControl versions 9.2.5 through 9.4.5. This flaw presents a serious security risk, potentially enabling remote code execution (RCE) through a single click by an attacker. The issue has since been actively exploited in the wild, as confirmed by reports of malicious activity associated with the CVE.

### **Overview of CVE-2024-52875**

CVE-2024-52875 arises from a failure in properly sanitizing user input in certain URI paths of the KerioControl web interface. These URI paths include:

- **/nonauth/addCertException.cs**
- **/nonauth/guestConfirm.cs**
- **/nonauth/expiration.cs**

These endpoints, which are unauthenticated, improperly handle user input passed through the “dest” GET parameter, specifically failing to sanitize linefeed (LF) characters. This vulnerability can be exploited via an **HTTP Response Splitting** attack. This flaw could lead to **reflected cross-site scripting (XSS)**, which in turn could allow attackers to execute a one-click RCE attack.

### **Attack Vector**

The vulnerability occurs when input is passed from the user to the web server, specifically in the "dest" parameter. Due to the improper sanitization, attackers can inject malicious linefeed characters into the response headers. This allows the attacker to split the HTTP response and inject arbitrary content, including malicious JavaScript code. A crafted URL, if clicked by an authenticated administrator, can trigger the malicious behavior.

The attack works by exploiting KerioControl's firmware upgrade functionality, which allows the attacker to upload a malicious `.img` file. This file, once uploaded, provides the attacker with **root access** to the affected firewall system. Notably, this attack can be carried out using social engineering tactics. By tricking an administrator into clicking a link, an attacker can gain full control of the firewall system without needing to bypass authentication.

### **CVE-2024-52875 Exploitation and Impact**

The flaw is especially concerning because it involves unauthenticated endpoints, meaning it can be exploited externally by threat actors. This makes the vulnerability easily accessible to malicious entities, who can leverage this attack vector to compromise the firewall system remotely.

Proof-of-concept (PoC) code has already been released by Karma(In)Security, demonstrating the exploitability of the vulnerability. The code shows how an attacker can use the XSS vector to deliver a malicious firmware update, effectively gaining control over the vulnerable system.

As of January 5, 2025, there are reports indicating that **CVE-2024-52875** is actively being exploited in the wild, with several malicious IPs linked to the vulnerability observed in the GreyNoise threat intelligence platform.

### **Security Patch and Mitigation**

The vulnerability has been addressed by GFI Software in **KerioControl version 9.4.5 Patch 1**, which contains fixes for the issue. Users of vulnerable versions are strongly encouraged to update to this patched version or later to mitigate the risk posed by CVE-2024-52875.

### **Censys Findings: Exposed Devices**

At the time of writing, Censys observed over **23,000 exposed instances** of GFI KerioControl, with approximately 17% of these located in Iran. This highlights a significant potential attack surface, as a large number of devices may still be running vulnerable versions of the software. However, it is important to note that not all of these instances are necessarily vulnerable, as specific versions have not been disclosed in Censys' scan results.

Censys provided a specific search query that can be used to identify exposed GFI KerioControl instances:

```
services.software: (vendor="GFI" and product="Kerio Control") and not labels: {honeypot, tarpit}
```

This query can help security teams identify exposed instances of GFI KerioControl that may need immediate attention.

### **Best Practices**

The discovery of CVE-2024-52875 underscores the importance of timely patching and proper input sanitization in web-facing applications. The ability for attackers to remotely gain root access to firewall systems via social engineering and a single click emphasizes the need for stringent security measures, especially in high-risk environments like firewalls.

Organizations using GFI KerioControl should prioritize updating to the latest patched version (9.4.5 Patch 1) to prevent exploitation of this vulnerability. Additionally, security best practices, such as educating administrators on the risks of phishing and social engineering, are crucial in minimizing the risk of exploitation.

As always, proactive monitoring for unusual network activity and maintaining a robust security posture are essential to mitigating the risk posed by emerging vulnerabilities like CVE-2024-52875.

**References:**

- Censys Search Query: `services.software: (vendor="GFI" and product="Kerio Control") and not labels: {honeypot, tarpit}`
- GreyNoise threat intelligence platform: Insights into active exploitation attempts
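The bug class described above (a redirect target read from an unauthenticated `dest` parameter and reflected into a response header without stripping CR/LF) has a small, generic defensive counterpart. The following is an added example written for this page; it is not code from the article, from GFI, Censys or Karma(In)Security, and it does not reproduce the vendor's handler. It shows two things a defender wants: the input validation that closes the header-injection hole (reject control characters and off-origin targets, which generalises to any redirect parameter, not only KerioControl's), and a detector that flags access-log requests to the three `/nonauth/` paths named above whose `dest` value decodes to contain CR or LF, including the double-encoded case a single decode would miss. The log lines, IP addresses and timestamps are constructed for the example.

```python
from typing import List, Optional, Tuple
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The three unauthenticated endpoints named in the advisory (from the article).
NONAUTH_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

# CR (0x0D) and LF (0x0A) terminate a header line and so enable response
# splitting; rejecting every ASCII control character is the simpler, safer rule.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Request line of a combined-format access log entry, e.g. "GET /x?y=1 HTTP/1.1".
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def validate_redirect_target(dest: str) -> Optional[str]:
    """Return a safe same-origin path for a Location header, or None to reject.

    The value is percent-decoded first, because that is the form a server
    would write into the header. Rejected: empty values, any control
    character (this is the check that closes the header-injection hole),
    absolute and protocol-relative URLs (open redirect), and backslashes,
    which some browsers treat as '/'.
    """
    decoded = unquote(dest)
    if not decoded or _CONTROL_CHARS.search(decoded):
        return None
    if not decoded.startswith("/") or decoded.startswith("//") or "\\" in decoded:
        return None
    return decoded


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Flag requests to a nonauth endpoint whose 'dest' carries CR or LF.

    Returns (line_number, path, decoded_dest) for each hit. parse_qs already
    percent-decodes once; the extra unquote() also catches a double-encoded
    LF (%250a -> %0a -> newline) that a single decode would leave invisible.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path not in NONAUTH_PATHS:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("dest", []):
            decoded = unquote(value)
            if _CONTROL_CHARS.search(decoded):
                findings.append((number, parts.path, decoded))
    return findings


# Constructed sample log lines (not real traffic): one benign redirect, one
# encoded CRLF, one double-encoded LF, and one LF on a path outside the set.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Feb/2025:10:00:01 +0000] "GET /nonauth/expiration.cs?dest=/admin/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [11/Feb/2025:10:00:02 +0000] "GET /nonauth/addCertException.cs?dest=/%0d%0atest HTTP/1.1" 302 0',
    '203.0.113.9 - - [11/Feb/2025:10:00:03 +0000] "GET /nonauth/guestConfirm.cs?dest=%250a/ HTTP/1.1" 302 0',
    '198.51.100.2 - - [11/Feb/2025:10:00:04 +0000] "GET /admin/login?dest=/%0a HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, path, dest in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {path} dest={dest!r}")
    print(validate_redirect_target("/admin/"), validate_redirect_target("/%0d%0atest"))
```

Run against the constructed log, the scanner reports lines 2 and 3 and ignores line 4, whose LF sits on a path outside the watched set; the validator accepts `/admin/` and rejects the CRLF-bearing value. The detector is deliberately narrow (only the listed paths, only the `dest` key) so it can run on a firewall's own access log with few false positives; widening `NONAUTH_PATHS` to every redirecting endpoint is the obvious next step on other products.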

11-Feb-2025
4 min read

APT29

Cozy Bear

HPE confirms Russian hackers stole sensitive employee data in May 2023 breach, i...

**Hewlett Packard Enterprise (HPE)** has confirmed that **Russian state-sponsored hackers** have stolen sensitive employee data in a devastating cyberattack. The breach, which targeted the company’s **Office 365** email environment, transpired in **May 2023** and only recently came to light in official filings and breach notification letters sent to affected individuals.

### **HPE Employees Targeted by Cozy Bear Hackers**

The hacking group responsible, **[Cozy Bear](https://www.secureblink.com/cyber-security-news/how-russian-hackers-leveraged-spyware-exploits-from-nso-group-and-intellexa-in-watering-hole-attacks)** (also known as **APT29**, **Midnight Blizzard**, and **Nobelium**), is believed to be linked to Russia’s **Foreign Intelligence Service (SVR)**. This notorious group has previously been involved in **high-profile breaches**, including the infamous **[SolarWinds](https://www.secureblink.com/cyber-security-news/a-second-threat-actor-found-to-attack-solarwinds-system) supply chain attack** in 2020.

The breach is a part of a broader campaign by Cozy Bear, which targeted not just **HPE's email environment**, but also its **SharePoint server** in the same timeframe, further compromising confidential data across multiple systems.

### **Sensitive Data Stolen from Employee Mailboxes**

According to breach notification letters sent to affected employees, personal data such as **driver’s licenses**, **credit card numbers**, and **Social Security numbers** were stolen. At least **16 employees** were notified of the breach, though the full extent of the breach remains unclear. HPE spokespersons confirmed that it was "a limited group of HPE team member mailboxes that were accessed," and stressed that only the data contained in these mailboxes was impacted.

### **Timeline of Events: The HPE Breach**

The breach was first disclosed publicly in an **SEC filing** dated **January 29, 2024**, where **Hewlett Packard Enterprise** revealed that it was notified on **December 12, 2023**, that the **Cozy Bear hackers** had compromised its cloud-based **Office 365 email environment** in May 2023. The hackers exploited a **compromised account**, gaining access to email inboxes of select employees in **cybersecurity**, **go-to-market**, and other critical business sectors.

HPE’s official statement confirmed that the hackers began exfiltrating data in **May 2023** and continued until the discovery of the breach. The company stated that the accessed data was **limited to information contained in the mailboxes** of the affected employees.

### **Connection to Other Major Hacks**

In the **SEC filing**, HPE indicated that this breach may have been linked to a second breach in **May 2023**, where hackers also targeted the company’s **SharePoint server** and stole files. This came on the heels of Microsoft’s **January 2024** announcement that Cozy Bear hackers had infiltrated their network, accessing both **corporate email accounts** and **source code repositories**.

### **HPE’s History of Security Breaches**

This isn’t the first time that **Hewlett Packard Enterprise** has been targeted by cybercriminals. In **2018**, Chinese state-sponsored hackers breached HPE’s network, leading to compromises of its **customer devices**. HPE also reported a significant breach in **2021** when data repositories for its **Aruba Central network** monitoring platform were hacked, exposing sensitive information about monitored devices and their locations.

Additionally, in **February 2024** and **January 2025**, HPE launched investigations into potential **new security breaches** after an actor using the **IntelBroker** handle claimed responsibility for stealing **HPE credentials**, **source code**, and other proprietary information.

### **Breach Notification and Employee Impact**

Hewlett Packard Enterprise began notifying employees whose personal data had been stolen starting in **January 2025**, following legal requirements to inform affected individuals. The breach notification letters state that the stolen data was "subject to unauthorized access," which HPE is continuing to investigate.

In a statement, HPE assured that it was taking steps to strengthen its cybersecurity measures to prevent further attacks. They also emphasized that this breach is being addressed in full compliance with applicable law.

### **What This Means for HPE’s Security Measures**

HPE has long been an attractive target for hackers due to its role in providing enterprise-grade IT solutions across sectors. This breach has raised questions about the strength of the company’s internal security measures and its ability to safeguard employee data. The breach also underscores the growing risk of cyberattacks by **state-sponsored groups**, who possess advanced tools and techniques to infiltrate even the most secure environments.

In response, HPE is actively working on bolstering its security framework, with a focus on **enhanced encryption**, better **endpoint protection**, and tighter control over **third-party access** to corporate resources.

### **Conclusion: Cybersecurity Challenges for Enterprises**

The HPE breach serves as a stark reminder of the increasing sophistication of cyberattacks targeting major corporations. With **nation-state actors** involved, the risks are far more severe than conventional attacks. The breach highlights the need for all enterprises to continuously update their cybersecurity strategies and adopt **advanced threat detection systems**.

**What can we learn from this breach?** The **importance of multi-layered security**, **immediate incident response**, and **employee data protection** cannot be overstated. In the face of evolving threats, companies like HPE must remain vigilant, and more importantly, transparent, in their efforts to protect sensitive data.

### **Key Takeaways:**

- **Cozy Bear** (APT29), a **Russian state-sponsored hacker group**, breached **Hewlett Packard Enterprise** in **May 2023**, stealing **personal data** from employee mailboxes.
- **16 employees** were notified that **driver’s licenses**, **credit card numbers**, and **Social Security numbers** were among the stolen data.
- The breach is connected to a broader campaign, including a **SharePoint server hack** and a larger **cyberattack** on Microsoft.
- HPE’s cybersecurity vulnerabilities are under scrutiny, with additional investigations ongoing.
- The breach emphasizes the growing threat of **nation-state cyberattacks** and the critical need for companies to enhance their security protocols.

This attack should be a wake-up call for all organizations: **cybersecurity is no longer optional**, it’s a necessity.

---

**#HPEBreach #CozyBear #APT29 #CyberSecurity #DataBreach #RussianHackers #HewlettPackard #TechSecurity #Office365Breach #DataProtection #SecurityAwareness**

08-Feb-2025
5 min read