Phishing combined with exploits - First ever 0-click LLM flaw - Resurgent vulns

Author:
Threat Research Team
Published on
June 19, 2025
Weekly Report

An RMM vulnerability used against billing software

An unidentified ransomware group has recently exploited a vulnerability in the remote monitoring and management (RMM) software SimpleHelp (CVE-2024-57727) against a utility billing software provider. The same flaw has recently been exploited by the Play ransomware, the Chinese state actor Storm-1175, and DragonForce, which leveraged it in an attack on an MSP and its customers. The vulnerability, patched last January, allows attackers to upload arbitrary files and elevate privileges to admin.

[mitigate] Apply Fortigate IPS rule 57217, Trellix rule 0x63079200, and Trend Micro rule 45538 [/mitigate]

Fog attacks financial institutions with atypical legitimate tools

In May 2025, Fog ransomware compromised an Asian financial institution by abusing atypical legitimate software, notably the Syteca employee monitoring tool. Ransomware deployment occurred weeks after initial access, and the attack vector included the compromise of two Microsoft Exchange servers. Fog, a group that emerged in 2024, is known for exploiting a Veeam vulnerability (CVE-2024-40711) and for ransom notes mocking Elon Musk and DOGE.

[mitigate] Apply FortiGuard IPS protection "Veeam.Backup.and.Replication.CVE-2024-40711.Code.Execution" [/mitigate]

Rhysida targeted a large energy company

Rhysida ransomware has targeted the US branch of China National Petroleum Corporation (CNPC), demanding 20 bitcoins in ransom. Rhysida is an infamous Russian cybercrime group known for exploiting VPN vulnerabilities and the ZeroLogon flaw, along with other techniques.

A Chrome flaw allowing sandbox escape used against Russia

Team46 (aka TaxOff) has been exploiting a Chrome vulnerability (CVE-2025-2783) against Russian targets. Victims were lured through phishing emails disguised as international conference invitations, leading them to a malicious website that triggered the exploit. This allowed the attackers to fully escape the Chrome sandbox and deploy the Trinper backdoor. The campaign is believed to have started in October 2024. Team46 is a sophisticated cyberespionage group, skilled in phishing campaigns and primarily targeting Russian government interests.

[mitigate] Track with Qualys QIDs 382974 and 382999 [/mitigate]

Were Comcast and Digital Realty compromised by Salt Typhoon?

Anonymous sources close to CISA and the NSA revealed that the mass media company Comcast and the data center leader Digital Realty were compromised in the Chinese Salt Typhoon's December 2024 campaign. The operation affected hundreds of organizations, including nine top US telecom companies. Comcast stated that it found no evidence of impact on its networks.

Anubis adds wiper capability

Anubis ransomware is now combining traditional file encryption with a file-wiping capability, increasing pressure on its victims by making recovery impossible. The group, which surfaced recently, gains initial access via phishing and RDP vulnerabilities, and has so far targeted sectors including healthcare, engineering, and construction.

Zscaler tracked a threat actor for 3 years through a flaw in its malware

Over a span of three years, Zscaler tracked the DanaBot threat actor by leveraging a vulnerability dubbed “DanaBleed,” introduced in a 2022 malware release. The flaw enabled the collection of usernames, IP addresses, malicious domains, encryption keys, and other victim-related data. DanaBot is a long-running Malware-as-a-Service operation, known for deploying a banking Trojan used in credential theft and remote access.

Flodrix is now exploiting Langflow vulnerability

The Flodrix botnet is currently leveraging a critical vulnerability in Langflow (CVE-2025-3248) to ensnare devices into DDoS operations. First observed in early March, the flaw has attracted various threat actors, with 370 IPs attempting exploitation in the past month. The vulnerability is simple to exploit: attackers can send crafted HTTP requests to an API endpoint that requires no authentication, enabling arbitrary code execution. Langflow is a low-code AI development tool that allows integration with APIs, LLM models, and databases.

[mitigate] Apply Cloudflare WAF rule 1a11fbe84b49451193ee1ee6d29da333 [/mitigate]

A 2023 Zyxel flaw resurfaces

A vulnerability in Zyxel routers (CVE-2023-28771) is being leveraged in new attacks, with 244 IP addresses observed attempting to exploit it on June 16. The operation is possibly related to a Mirai-based botnet. The flaw was notoriously used as an initial access vector in the large Russian campaign against 11 Danish energy organizations in May 2023.

Tenable and Trend Micro patch

Tenable patched three vulnerabilities (CVE-2025-36631/2/3) in its Nessus agent for Windows, which enable privilege escalation on compromised instances. At the same time, Trend Micro also released fixes for four critical flaws (CVE-2025-49212/3, CVE-2025-49216/7) enabling remote code execution in its Apex Central and Endpoint Encryption (TMEE) Policy Server products.

A first 0-click vulnerability in AI

Cybersecurity researchers have discovered a zero-click vulnerability in Microsoft Copilot (CVE-2025-32711), named “EchoLeak”, that enables the exfiltration of sensitive data without any user interaction. This marks the first known zero-click flaw identified in an AI agent. Microsoft has stated that the issue has been fully remediated.

Resurgent vulnerabilities are a security blindspot

A new report draws attention to "resurgent vulnerabilities": flaws with unorthodox exploitation behaviors, sometimes leveraged years after first publication or first exploitation. According to the report, these weaknesses tend to be high-severity vulnerabilities, and over half of them reside in edge devices such as routers, VPNs and firewalls. The report also highlights that these threats are often overlooked: "without primary, real-time visibility into renewed attacker interest, teams may miss the moment when a dormant threat becomes urgent again."
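The Zyxel item above (244 IPs hitting a 2023 flaw in one day) is exactly the pattern the report describes. The following Python is an added illustration, not code from the report or from any vendor, of how a team might flag such resurgence from its own exploitation-attempt telemetry: a CVE counts as resurgent when a spike of distinct source IPs follows a long quiet period, and resurgent CVEs are ranked by severity, edge-device exposure and spike size. The thresholds (one year of dormancy, 50 IPs per day), the scoring weights, the CVSS values and all dates and counts except the June 16 figure from the page are constructed sample data; the record named CVE-0000-0000 is a placeholder.

```python
"""Flag "resurgent" vulnerabilities: old CVEs that suddenly see renewed
exploitation attempts after a long quiet period, and rank them for patching.

Added illustration; not code from the report or any vendor. All telemetry
below is constructed sample data, not real sensor output."""
from dataclasses import dataclass, field
from datetime import date

DORMANCY_DAYS = 365  # assumed: a year of silence before a spike counts as resurgence
SPIKE_IPS = 50       # assumed: distinct attacking IPs per day needed to call it a spike


@dataclass
class Observation:
    day: date
    distinct_ips: int  # distinct source IPs seen attempting exploitation that day


@dataclass
class Vuln:
    cve_id: str
    published: date
    cvss: float
    edge_device: bool  # routers, VPNs, firewalls: the report's over-half category
    observations: list = field(default_factory=list)


def resurgence_events(v, dormancy_days=DORMANCY_DAYS, spike_ips=SPIKE_IPS):
    """Return the days on which a spike follows at least dormancy_days of no activity.

    The quiet period is measured from publication or from the last day with any
    attempts, so a flaw that is hammered continuously never counts as resurgent."""
    events = []
    last_active = v.published
    for obs in sorted(v.observations, key=lambda o: o.day):
        quiet_for = (obs.day - last_active).days
        if obs.distinct_ips >= spike_ips and quiet_for >= dormancy_days:
            events.append(obs.day)
        if obs.distinct_ips > 0:
            last_active = obs.day
    return events


def priority_score(v, events):
    """Constructed ranking: severity, doubled for edge devices, plus spike size / 10."""
    if not events:
        return 0.0
    latest = max(o.distinct_ips for o in v.observations if o.day == events[-1])
    return v.cvss * (2.0 if v.edge_device else 1.0) + latest / 10.0


def rank_resurgent(vulns):
    """Return [(cve_id, score, event_days)] for resurgent CVEs, highest score first."""
    ranked = []
    for v in vulns:
        events = resurgence_events(v)
        if events:
            ranked.append((v.cve_id, round(priority_score(v, events), 1), events))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample telemetry (only the 244 IPs on 2025-06-16 comes from the page).
SAMPLE = [
    Vuln("CVE-2023-28771", date(2023, 4, 25), 9.8, True, [
        Observation(date(2023, 5, 12), 30),   # constructed: 2023-era activity, below spike size
        Observation(date(2025, 6, 16), 244),  # page: 244 IPs on June 16, after two quiet years
    ]),
    Vuln("CVE-2025-3248", date(2025, 3, 1), 9.8, False, [  # constructed dates/score
        Observation(date(2025, 5, 20), 120),
        Observation(date(2025, 6, 10), 370),  # recent flaw, never dormant: not resurgent
    ]),
    Vuln("CVE-0000-0000", date(2020, 1, 1), 5.3, False, [  # placeholder CVE id
        Observation(date(2025, 6, 1), 12),    # old and quiet, but too few IPs to be a spike
    ]),
]

if __name__ == "__main__":
    for cve, score, events in rank_resurgent(SAMPLE):
        print(cve, score, [d.isoformat() for d in events])
```

Run against the sample, only the Zyxel flaw is reported: a 766-day gap followed by a 244-IP day. The Langflow flaw is excluded not because it is unimportant but because it has never gone quiet, which is the report's point: ordinary volume-based alerting already catches it, whereas the dormant-then-active flaw needs a separate signal.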

CISA budget cuts

A Congressional Homeland Security committee has approved a $135 million reduction in CISA's 2025 budget, lowering it to $2.7 billion. The Trump administration had originally proposed an even deeper cut of $495 million.
