APT28 exploits webmail servers

The notorious Russian state actor APT28 is reportedly behind Operation RoundPress, a campaign that has exploited one-click XSS vulnerabilities in webmail servers to target European government and defense organizations since 2023. The affected webmail products include Roundcube (CVE-2023-43770), Horde, MDaemon (CVE-2024-11182) and Zimbra (CVE-2024-27443). The MDaemon flaw was apparently exploited as a zero-day.

Mitigate it

Monitor with Qualys QID 150810

A Chinese group exploiting flaws in web servers

It has now been revealed that in 2023 a Chinese state actor known as Earth Ammit exploited vulnerabilities in web servers to compromise heavy industry, software services, media and healthcare organizations. The campaign, named Venom, mostly targeted entities in South Korea and Taiwan.

Two major ransomware groups involved in SAP NetWeaver campaigns

Besides Chinese state actors, two ransomware groups have been involved in the exploitation of the SAP NetWeaver vulnerability (CVE-2025-31324). The first is BianLian, a prominent double-extortion group targeting various sectors (healthcare, manufacturing, legal services…) that is apparently restructuring at the moment, having ceased its activities a month ago. The second is RansomEXX (aka Storm-2460), a mysterious and recently emerged group observed last March in attacks against IT and real estate companies through the exploitation of a Windows CLFS zero-day.

Mitigate it

Block access from 5.204.56[.]106

Old Office flaws are still used

The Indian state actor SideWinder continues to exploit an old Microsoft Office memory corruption vulnerability (CVE-2017-11882) in a campaign against South Asian government entities. The flaw is triggered by a malicious RTF file, which is downloaded once the victim opens a Word document that abuses another old Office vulnerability (CVE-2017-0199).

Mitigate it

Apply Palo Alto Threat Prevention signature 36804; set the value "Compatibility Flags"=dword:00000400 under the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]

Large increases in vulnerability data

A new report analyzing NVD data shows that from 2023 to 2024 the number of newly discovered vulnerabilities increased by 61% (37% for critical ones), while the number of exploited vulnerabilities surged by 96%. Moreover, Linux flaws rose by 967% and exploited web browser flaws by 657%.

A new metric: Likely Exploited Vulnerabilities (LEV)

Researchers from CISA and NIST propose a new model for assessing Likely Exploited Vulnerabilities, or LEV. The model is built upon the KEV list and the EPSS system, and LEV scores will incorporate parameters such as the first date on which an EPSS score was made available, aggregated daily EPSS scores, and the KEV list's most recent update.
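To make the three inputs concrete, here is an added example (not code from the NIST proposal) that composes a vulnerability's EPSS history into a backward-looking exploitation probability and then folds in KEV membership. The composition rule it uses, treating each 30-day EPSS score as an independent chance of exploitation over its window and counting a trailing partial window pro rata, is my reading of the proposal and is stated here as an assumption; the score history is constructed sample data, not real EPSS output.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is the probability of exploitation within the next 30 days


def epss_on(history: dict, day: date) -> float:
    """Latest EPSS score published on or before `day` (0.0 if none existed yet)."""
    published = [d for d in history if d <= day]
    return history[max(published)] if published else 0.0


def lev(history_iso: dict, d_n_iso: str, window: int = WINDOW_DAYS) -> float:
    """Probability of at least one exploitation between d_0 (first EPSS publication)
    and d_n, composing successive 30-day EPSS windows as independent events.
    Assumed composition rule, not the proposal's own code."""
    history = {date.fromisoformat(k): v for k, v in history_iso.items()}
    d_n = date.fromisoformat(d_n_iso)
    d_i = min(history)          # d_0: the first date an EPSS score was available
    p_none = 1.0                # running probability that no exploitation happened
    while d_i < d_n:
        days_left = (d_n - d_i).days
        weight = min(window, days_left) / window   # trailing partial window counts pro rata
        p_none *= 1.0 - epss_on(history, d_i) * weight
        d_i += timedelta(days=window)
    return 1.0 - p_none


def composite_probability(history_iso: dict, d_n_iso: str, in_kev: bool) -> float:
    """KEV listing is treated as confirmed exploitation (probability 1); otherwise
    take the larger of the backward-looking LEV and the current forward-looking EPSS."""
    if in_kev:
        return 1.0
    history = {date.fromisoformat(k): v for k, v in history_iso.items()}
    return max(lev(history_iso, d_n_iso), epss_on(history, date.fromisoformat(d_n_iso)))


# Constructed sample EPSS history (not real data): first published 2025-01-01, then revised.
SAMPLE = {"2025-01-01": 0.10, "2025-01-31": 0.40, "2025-03-02": 0.05}

if __name__ == "__main__":
    print(f"LEV = {lev(SAMPLE, '2025-03-17'):.4f}")  # 0.4735
    print(f"composite, not in KEV = {composite_probability(SAMPLE, '2025-03-17', False):.4f}")
    print(f"composite, in KEV = {composite_probability(SAMPLE, '2025-03-17', True):.4f}")
```

Note how a single high 30-day score in the middle of the history keeps the cumulative LEV well above the current EPSS value, which is the point of tracking the daily history rather than only the latest score.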
