Security tools under attack - China Vs S1, Ivanti and Wazuh (and 70 other orgs)

Author:
Threat Research Team
Published on
June 12, 2025
Weekly Report

Qilin targets 2 FortiGate flaws

Qilin Ransomware is now taking advantage of two FortiGate vulnerabilities (CVE-2024-21762, CVE-2024-55591), both of which have already seen widespread exploitation throughout 2024 by multiple threat actors. The current campaign is mainly focused on Spanish-speaking regions, but expansion to other geographies is anticipated. Qilin, a well-known Russian double extortion group, has recently risen in prominence — likely due to its absorption of affiliates formerly tied to RansomHub. The group has over 300 confirmed victims, including Lee Enterprises, NHS provider Synovis, and a major South Korean industrial conglomerate.

Chinese actors after SentinelOne compromised 70 organizations with Ivanti flaws

SentinelOne revealed that after the PurpleHaze campaign attempted to compromise the company's systems through its Internet-facing servers in October 2024, a second attack occurred in early 2025, this time against a third party providing logistics services to the company. Neither attack succeeded in infiltrating SentinelOne's environment. Notably, the second wave appears to be part of a wider operation that affected over 70 organizations worldwide between July 2024 and March 2025, including a South Asian government, a large European media company and an IT services provider. Victims were infected with the ShadowPad backdoor characteristic of Chinese state actors, and indeed the tactics and infrastructure used in the campaign appear to overlap with APT15 and UNC5174. Initial access was obtained by chaining two Ivanti CSA vulnerabilities (CVE-2024-8963, CVE-2024-8190), which were first exploited a few days before the release of official patches. Additionally, initial access vectors included prior compromise of Check Point gateways as well as Fortigate, Microsoft IIS, SonicWall and CrushFTP servers.

[mitigate] For Ivanti CSA, ensure a dual-homed configuration in which eth0 is attached to the internal network. [/mitigate]

Wazuh vulnerability targeted by botnets

Two distinct Mirai botnets have recently been exploiting a critical vulnerability in Wazuh (CVE-2025-24016), a widely used open-source threat detection platform combining XDR and SIEM capabilities. The flaw, exploitable by anyone with API access, was used to execute a shell script on Wazuh servers that downloads a Mirai payload. One of the two campaigns appears to target solely Italian-speaking users. In addition to the Wazuh flaw, the botnet operators also attempted to exploit additional known vulnerabilities in ZTE and TP-Link routers.

Ransomware alert: Play compromised over 900 organizations

CISA and the FBI report that Play Ransomware has so far compromised no fewer than 900 organizations, making it one of the most prolific cybercrime groups in 2024. Initially targeting Windows systems, the group is now also targeting ESXi systems. For initial access, the group frequently leverages known vulnerabilities, including in FortiOS (CVE-2018-13379, CVE-2020-12812), Microsoft Exchange (CVE-2022-41040, CVE-2022-41082) and, more recently, in the SimpleHelp RMM (CVE-2024-57727). Play is responsible for high-profile attacks on government agencies and also operates in sectors such as manufacturing, logistics, legal, technology, and retail.

A new threat actor targeting DevOps environments

A threat actor dubbed JINX-0132 is conducting cryptojacking campaigns by compromising DevOps web servers. Initial access is gained by abusing misconfigurations in tools such as HashiCorp Nomad, HashiCorp Consul, the Docker API and Gitea. In the case of Gitea, an open-source alternative to GitHub, the group has also been observed exploiting an old RCE vulnerability (CVE-2020-14144).

[mitigate] Disable git hooks in the Gitea config file (app.ini) by setting DISABLE_GIT_HOOKS = true [/mitigate]
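The following checker is an added example and is not code from the newsletter or from the Gitea project. It assumes Gitea's standard app.ini layout, where DISABLE_GIT_HOOKS lives under the [security] section, and it reports whether the setting is hardened, explicitly weak, or simply absent (an absent key is flagged rather than assumed safe, since the effective default depends on the Gitea version). The sample configs are constructed for illustration.

```python
"""Audit a Gitea app.ini for the DISABLE_GIT_HOOKS hardening setting.

Added example (not Gitea's own tooling). Assumes the real Gitea layout:
the key DISABLE_GIT_HOOKS is read from the [security] section of app.ini.
"""
import configparser
import io
from typing import Optional

# Constructed sample configs, not taken from any real deployment.
WEAK_INI = """
[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = false
"""

HARDENED_INI = """
[security]
INSTALL_LOCK = true
DISABLE_GIT_HOOKS = true
"""

UNSET_INI = """
[server]
HTTP_PORT = 3000
"""


def _parse(ini_text: str) -> configparser.ConfigParser:
    """Parse Gitea-style INI text; keys are case-sensitive uppercase in app.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(ini_text)
    return cp


def git_hooks_disabled(ini_text: str) -> Optional[bool]:
    """True if [security] DISABLE_GIT_HOOKS is truthy, False if explicitly
    falsy, None if the key (or section) is absent."""
    cp = _parse(ini_text)
    if not cp.has_section("security") or not cp.has_option("security", "DISABLE_GIT_HOOKS"):
        return None
    raw = cp.get("security", "DISABLE_GIT_HOOKS").strip().lower()
    return raw in ("true", "1", "yes", "on")


def assess(ini_text: str) -> str:
    """Classify a config as 'ok' (hooks disabled), 'weak' (explicitly enabled)
    or 'unset' (not configured; do not assume a safe default)."""
    state = git_hooks_disabled(ini_text)
    if state is True:
        return "ok"
    if state is False:
        return "weak"
    return "unset"


def harden(ini_text: str) -> str:
    """Return the config text with DISABLE_GIT_HOOKS = true set under [security],
    creating the section if needed and leaving other settings untouched."""
    cp = _parse(ini_text)
    if not cp.has_section("security"):
        cp.add_section("security")
    cp.set("security", "DISABLE_GIT_HOOKS", "true")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI), ("unset", UNSET_INI)):
        print(f"{name:9s} -> {assess(text)}")
    print(harden(UNSET_INI))
```

Run it against a real instance by reading the file (typically custom/conf/app.ini under the Gitea root) instead of the inline samples; an "unset" result is worth treating as a finding, since the setting should be explicit on any instance that grants repository admin rights to users who are not fully trusted.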

Stealth Falcon exploited a Windows WebDAV zero-day

Stealth Falcon (aka Project Raven, Fruity Armor) has exploited a Windows zero-day (CVE-2025-33053) against a Turkish defense company and possibly other targets in the Middle East. The one-click RCE flaw resides in Windows Web Distributed Authoring and Versioning (WebDAV). Stealth Falcon is a sophisticated cyberespionage group believed to be linked to the UAE government and typically targeting government, defense, and civil society organizations. While known for its expertise in spear-phishing operations, it has in the past been observed acquiring Windows zero-days in underground fora.

[mitigate] Apply Check Point protections R81, R80, R77, R75 [/mitigate]

Iranian cyberespionage group persistent for 8 years

An Iranian state actor nicknamed BladedFeline, likely a sub-group of APT34 (aka OilRig), has compromised systems used by the Iraqi and Kurdish governments, maintaining persistence in them since 2017. In the Iraqi case, initial access was achieved through the exploitation of a vulnerability in an Internet-facing web server.

A $50,000 PoC for a new RoundCube vulnerability raises concerns

Threat actors have begun circulating PoC exploit code for a newly disclosed RCE vulnerability in RoundCube webmail (CVE-2025-49113), dubbed "Email Armageddon." The code was allegedly sold for $50,000, and exploitation is expected imminently. While valid credentials are required, the seller claims these can be easily obtained through brute force or log data. The vulnerability was exposed after hackers successfully reverse-engineered a June 1 patch. It had gone undetected in RoundCube's code for a decade, and it currently evades detection by network security tools. RoundCube vulnerabilities are especially favored by Russian cyberespionage groups such as APT28 and Winter Vivern. Globally, 84,000 RoundCube servers remain exposed to the vulnerability.

Vodafone fined over a web vulnerability

The German government has fined Vodafone $34 million following the discovery of authentication flaws in its online portal, which exposed eSIM profiles. An additional fine was levied due to privacy violations.

U-Turn from cybersecurity policy

The Trump administration has rolled back President Biden’s Executive Order 14144 which, among other measures, required federal contractors to adopt secure development practices and maintain SBOMs. The new directive instead claims to focus on developing standards to detect, mitigate, and respond to AI-related vulnerabilities. Additionally, Executive Order 13694, which permits sanctions on threat actors, has been revised to target only foreign actors.
