An analysis of the Russian APT28's activities over the past two years shows a growing focus on vulnerability exploitation. In diverse campaigns, the GRU-linked group has used the Windows Print Spooler vulnerability (CVE-2022-38028), the Follina vulnerability (CVE-2022-30190), the SNMP vulnerability (CVE-2017-6742) and flaws in WinRAR (CVE-2023-38831), in HTTP File Server (CVE-2024-23692) and in RoundCube Webmail (CVE-2020-37530, CVE-2021-44026, CVE-2020-12641, CVE-2020-13965). It also weaponized a Microsoft Outlook zero-day (CVE-2023-23397). The group, which has developed its own backdoors and infostealers, mostly conducts operations for cyberespionage and destructive purposes, with an emphasis on targets in Ukraine, Germany and Eastern Europe.
XE Group, a sophisticated Vietnamese cybercrime gang known for credit card skimming operations, is now pivoting towards zero-day exploitation in enterprise software for information theft. The group has recently targeted two previously unknown vulnerabilities in VeraCore (CVE-2024-57968, CVE-2025-25181), a platform that lets e-retailers manage their orders and business operations. In the past, XE was limited to the exploitation of known web vulnerabilities with the aim of uploading skimmers and infostealers.
Mitigation: block access from IP addresses 123.20.29.193 and 222.253.102.94.
Since September 2024, Russian threat groups have been exploiting a zero-day in 7-Zip (CVE-2025-0411) against Ukrainian targets. The flaw, delivered through a malicious archive attached to spear-phishing emails, allows bypassing Microsoft's Mark-of-the-Web (MotW) protection, which is aimed at preventing the automatic download of files from the Internet.
A vulnerability in a leading online platform for travel and hotels has been revealed. The flaw allows maliciously crafted links to bypass the platform's authentication mechanism and, when clicked, to take control of the victim's account. Millions of airline customers were at risk before the flaw was patched.
Research shows that in Q4 2024, the exploitation of vulnerabilities in web-facing applications became the top initial access vector, replacing the use of valid accounts. In 35% of observed incidents, the attackers deployed publicly disclosed or open-source webshells against vulnerable web applications. In 40% of these cases, unprotected admin accounts or gaps in network segmentation resulted in post-compromise lateral movement. Moreover, in 25% of the recorded compromise incidents, an EDR was found to be absent or misconfigured.
A new report shows that 784 vulnerabilities were reported as exploited in the wild in 2024, even though most of them were not included in the KEV list. Among them, almost 25% were exploited as zero-days (i.e. on the day of the vulnerability's public disclosure or beforehand), while 50% were used in the six months following disclosure.
The Federal Contractor Cybersecurity Vulnerability Reduction Act has been reintroduced in Congress after failing to gain support in 2024. The bipartisan bill requires all contractors of federal agencies to establish Vulnerability Disclosure Policies (VDPs).