
LockBit

Ransomware

Data Leak

loading..
loading..
loading..

9 Million Dental Patients Affected by LockBit Ransomware Attack on MCNA

Discover the shocking LockBit attack on MCNA that exposed 9M dental patients' data. Learn about the cyber breach's impact & implications.

01-Jun-2023
4 min read


Related Articles


SSL

Sonicwall

SonicWall SMA VPN flaws (CVE-2023-44221, CVE-2024-38475) exploited. Patch now to...

SonicWall, a leading cybersecurity firm, has issued urgent warnings to customers about two critical vulnerabilities in its Secure Mobile Access (SMA) appliances that attackers are actively exploiting. The flaws, tracked as CVE-2023-44221 and CVE-2024-38475, pose significant risks to organizations using affected VPN devices, prompting calls for immediate patching.

### **Critical and High-Severity Flaws Under Active Exploitation**

The first vulnerability, **CVE-2023-44221**, is a high-severity command injection flaw in the SMA100 series SSL-VPN management interface. Attackers with administrative privileges can exploit this bug to execute arbitrary commands as the low-privileged “nobody” user. SonicWall updated its advisory this week to confirm active exploitation, urging admins to audit logs for unauthorized access.

The second flaw, **CVE-2024-38475**, carries a critical severity rating and stems from improper escaping in Apache HTTP Server’s mod_rewrite module (versions 2.4.59 and earlier). This vulnerability allows unauthenticated remote attackers to execute code by manipulating URLs to access restricted files, potentially enabling session hijacking. SonicWall disclosed that “unauthorized access to certain files could enable attackers to hijack authenticated sessions,” amplifying risks for unpatched systems.

**Affected devices** include SMA 200, 210, 400, 410, and 500v appliances. Patches are available in firmware version **10.2.1.14-75sv** or later.

### **A Pattern of Exploited Vulnerabilities**

This alert follows a series of security incidents involving SonicWall products. Earlier in June, the company flagged **CVE-2021-20035**, a high-severity remote code execution flaw patched in 2021, as under active exploitation. Cybersecurity firm Arctic Wolf reported attacks leveraging this vulnerability since at least January 2025—a timeline discrepancy that raises questions, though experts speculate a possible typographical error (likely 2024).

In January 2024, SonicWall addressed a **zero-day flaw** in SMA1000 secure access gateways, and in February it warned of an **authentication bypass vulnerability** in Gen 6 and Gen 7 firewalls that enabled VPN session hijacking. These repeated incidents underscore persistent targeting of SonicWall’s network infrastructure products.

### **Federal Agencies Directed to Patch**

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its **Known Exploited Vulnerabilities (KEV) catalog** on June 6, requiring federal agencies to remediate the issue by June 27. While this directive applies only to government networks, private organizations are strongly encouraged to follow suit.

### **Recommendations for Mitigation**

SonicWall’s Product Security Incident Response Team (PSIRT) advises customers to:

1. **Immediately upgrade** SMA appliances to firmware version 10.2.1.14-75sv or newer.
2. **Audit device logs** for signs of unauthorized access or unusual activity.
3. **Enforce strict access controls** on administrative interfaces and monitor privileged accounts.
4. **Apply patches for older vulnerabilities**, including CVE-2021-20035 and the firewall flaws.

“The discovery of these exploitation techniques highlights the need for layered defenses,” SonicWall stated. “Proactive monitoring and rapid patching are critical.”

With threat actors aggressively targeting VPN vulnerabilities, organizations relying on SonicWall’s SMA devices must prioritize updates to avoid disruptive breaches. The convergence of newly exploited flaws and legacy vulnerabilities still under attack paints a stark picture: in today’s threat landscape, delayed patching is not an option.

01-May-2025
3 min read

Akira

Hitachi Vantara cyberattack by Akira ransomware disrupts global enterprises & go...

Hitachi Vantara, a critical player in global data infrastructure and ransomware recovery services, has become the latest high-profile victim of the notorious **Akira ransomware gang**. The subsidiary of Japan’s Hitachi Ltd. was forced to take its servers offline over the weekend of April 26–28, 2025, to contain the breach, disrupting operations for government agencies and multinational clients, including BMW, T-Mobile, and China Telecom. The incident underscores the escalating audacity of cybercriminals targeting firms entrusted with safeguarding sensitive data—even those specializing in cybersecurity resilience.

### **Timeline and Impact**

#### **Detection and Containment**

On **April 26, 2025**, Hitachi Vantara’s internal security teams detected “suspicious activity” across its network, prompting an immediate shutdown of servers to prevent lateral movement by attackers. The company confirmed the ransomware incident in a statement, emphasizing its collaboration with third-party cybersecurity experts to investigate and remediate the breach.

#### **Scope of Disruption**

- **Internal Systems:** Hitachi’s manufacturing divisions, remote support operations, and internal project management platforms were taken offline.
- **Unaffected Services:** Cloud-based solutions and self-hosted customer environments remained operational, allowing clients like Telefónica and BMW to access their data independently.
- **Government Projects:** Multiple undisclosed government initiatives managed by Hitachi Vantara were disrupted, raising concerns about national security and critical infrastructure vulnerabilities.

#### **Data Theft & Ransom Notes**

Sources familiar with the investigation revealed that Akira operators exfiltrated sensitive files before deploying ransomware payloads. The gang left ransom notes on compromised systems, though Hitachi has not publicly disclosed whether it intends to negotiate. Cybersecurity analysts note that Akira typically demands ransoms between **$200,000 and $4 million**, adjusted to the victim’s revenue and data sensitivity.

### **Damage Control and Challenges**

In its statement, Hitachi Vantara stressed its adherence to “incident response protocols” and commitment to restoring services “securely.” However, the company faces mounting challenges:

1. **Reputation Risk:** As a provider of ransomware recovery services, the breach undermines client trust.
2. **Operational Delays:** Manufacturing and support outages could delay product deliveries and contractual obligations.
3. **Regulatory Scrutiny:** Governments affected by the breach may demand audits or penalties under data protection laws like GDPR and Japan’s APPI.

A spokesperson said: _“We are working tirelessly with third-party experts to remediate this incident and appreciate our customers’ patience as we prioritize a secure recovery.”_

### **Akira Ransomware Group**

First observed in **March 2023**, Akira employs a double-extortion model: encrypting victims’ data while threatening to leak stolen files on its dark web portal. The group targets organizations across sectors, leveraging phishing, VPN vulnerabilities, and compromised credentials for initial access.

#### **High-Profile Victims**

- **Stanford University (2023):** Stolen research data auctioned for $1.3 million.
- **Nissan Oceania (2024):** Production halted for 72 hours after supply chain systems were encrypted.
- **European Healthcare Provider (2024):** Patient records leaked, triggering a $2.8 million payout.

#### **Financial Impact**

Per the FBI’s April 2024 advisory, Akira has extorted **$42 million** from over 250 victims globally. The gang’s leak site lists 300+ organizations, with recent additions including aerospace contractors and U.S. school districts.

### **Contextual Nuances: Why Hitachi?**

Hitachi Vantara’s role as a backbone for government and enterprise IT infrastructure made it a lucrative target. The company manages petabytes of sensitive data, including:

- **Telecommunications:** T-Mobile’s customer analytics.
- **Automotive:** BMW’s autonomous driving datasets.
- **National Security:** Classified projects for Asian and European governments.

#### **Irony of Resilience Providers**

The breach highlights a paradox: firms offering cybersecurity and recovery services are increasingly targeted to maximize disruption. In 2024, ransomware groups attacked **Kaseya**, **SolarWinds**, and **CrowdStrike**, exploiting their centralized access to client networks.

#### **Geopolitical Undercurrents**

While Akira’s affiliation remains unclear, its focus on Japanese and Western entities aligns with trends of state-aligned groups testing critical infrastructure resilience. Notably, Hitachi’s parent company supplies components for defense and energy sectors, adding layers of geopolitical intrigue.

### **Broader Implications**

The attack exposes systemic risks in industries reliant on third-party IT providers:

- **Supply Chain Domino Effect:** A single breach can paralyze clients across sectors.
- **Cloud vs. On-Premises:** While Hitachi’s cloud systems were spared, the incident renews debates about hybrid infrastructure security.

#### **Ransomware’s Evolution**

Akira’s success reflects ransomware’s maturation into a **$30 billion annual criminal industry** (Cybersecurity Ventures, 2025). Key trends include:

- **Ransomware-as-a-Service (RaaS):** Lowering barriers to entry.
- **AI-Powered Attacks:** Automated phishing and vulnerability scanning.

#### **Regulatory Gaps**

Despite stricter laws, enforcement remains fragmented. The EU’s NIS2 Directive and the U.S. Cyber Incident Reporting Act lack harmonization, enabling gangs like Akira to exploit jurisdictional ambiguities.

30-Apr-2025
4 min read

Woocommerce

WebShell

Critical WooCommerce phishing alert: Fake patches install backdoors & web shells...

A brazen, large-scale phishing campaign is exploiting panic among WooCommerce users, duping website administrators into installing a "critical security patch" that hijacks their sites, creates secret backdoors, and plants web shells for long-term control. Discovered by Patchstack researchers, the operation mirrors a 2023 attack but deploys new tactics to evade detection.

### **A Perfect Storm of Fear and Deception**

The attack begins with an email that strikes at the heart of every website owner's fears: a *critical vulnerability*. Posing as an urgent security alert from WooCommerce (`help@security-woocommerce[.]com`), the message claims hackers are actively exploiting an “*unauthenticated administrative access*” flaw. Recipients are urged to download a patch immediately or risk catastrophic breaches.

**Key Red Flags Hidden in Plain Sight:**

- **Spoofed Domain**: The link directs to `woocommėrce[.]com`, using a Lithuanian “ė” (U+0117) to mimic the legitimate `woocommerce.com`.
- **Fabricated Dates**: The email references a non-existent vulnerability “discovered” on April 14, 2025, and a scan from April 21, 2025—dates deliberately set in the future to avoid suspicion.
- **Urgency Overload**: Phrases like “*urgent measures*” and “*protect your data*” pressure victims to act without scrutiny.

_“This is psychological warfare,” says a Patchstack analyst. “They weaponize trust in brands like WooCommerce to bypass rational judgment.”_

---

### **A Malicious Plugin That Disappears**

The downloaded file, `authbypass-update-31297-id.zip`, masquerades as a security patch. But once installed, it unleashes a cascade of attacks:

1. **Hidden Cronjob Hijacking**: A randomly named cronjob executes every minute, spawning a new admin account with an 8-character randomized username (e.g., `xq9f7zty`).
2. **Silent Backchannel**: The plugin pings `woocommerce-services[.]com/wpapi` to fetch a second-stage payload—a heavily obfuscated script.
3. **Web Shell Onslaught**: The payload deploys PHP-based shells like **P.A.S.-Form**, **p0wny**, and **WSO** into `wp-content/uploads/`, granting attackers full server control.

**Why This Matters**: These web shells can:

- Steal credit card data from checkout pages.
- Redirect users to phishing/scam sites.
- Enlist the server in DDoS botnets.
- Deploy ransomware to lock owners out.

Worse, the plugin *erases itself* from the WordPress dashboard and hides the malicious admin account, leaving victims oblivious.

### **Anatomy of an Attack**

*(Source: Patchstack)*

| **Stage** | **Action** |
|---|---|
| **1. Phishing Email** | Fake WooCommerce alert with “Download Patch” button. |
| **2. Malicious Domain** | Homograph `woocommėrce[.]com` mimics the real site. |
| **3. Plugin Installation** | Installs cronjob, hidden admin, and fetches payload. |
| **4. Web Shell Deployment** | Drops P.A.S.-Form, p0wny, and WSO shells for remote access. |
| **5. Persistence** | Self-deletes from plugins list; evades manual audits. |

---

### **How Attackers Stay Invisible**

The campaign’s sophistication lies in its stealth:

- **Domain Rotation**: Payloads are fetched from `woocommerce-services[.]com`, `woocommerce-api[.]com`, or `woocommerce-help[.]com`—domains likely discarded once exposed.
- **Legacy Code Mimicry**: The plugin’s structure resembles legitimate WooCommerce updates to avoid raising flags.
- **No Trace Left**: After installation, the plugin vanishes, forcing admins to hunt for artifacts like cronjobs or hidden folders.

_“This isn’t smash-and-grab,”_ warns Patchstack. _“It’s a silent siege designed to persist undetected for months.”_

---

### **Detection & Mitigation**

**If You’re Affected:**

- **Check for**:
  - Random 8-character admin accounts.
  - Cronjobs executing `/wp-content/plugins/[random]/includes.php`.
  - Folders named `authbypass-update`.
  - Outbound traffic to suspicious domains (e.g., `woocommerce-services[.]com`).
- **Immediate Steps**:
  - Terminate unrecognized admin accounts.
  - Scan for web shells in `wp-content/uploads/`.
  - Audit server logs for unusual GET/POST requests.

**Prevention Tactics**:

1. **Never Trust Email Links**: Manually navigate to official sites for updates.
2. **Homograph Defense**: Type domains manually or use bookmarks.
3. **Enable 2FA**: Mandate two-factor authentication for all admin accounts.
4. **Backup Relentlessly**: Store backups offline to counter ransomware.

### **A Repeating Threat**

This campaign is a sequel to a late-2023 operation that peddled fake patches for a fictional WordPress vulnerability. Both attacks share:

- Identical payload-hiding methods.
- Overlapping web shell toolkits.
- Near-identical email templates.

_“These actors are iterating,”_ says Patchstack. _“They learn from past campaigns to refine their social engineering.”_

As phishing campaigns grow more polished, the line between legitimate alerts and lethal traps blurs. For WooCommerce’s 5+ million users, this attack is a wake-up call: *assume every email is guilty until proven innocent*.

**“Cybersecurity isn’t about tools—it’s about habits,”** says a Patchstack spokesperson. “Slow down. Verify. Question urgency. That’s how you break the chain.”
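A triage script for the homograph red flag and the "Check for" indicators above, added here as an example; it is not Patchstack's tooling nor code from this article. The usernames, cron targets, plugin directory names and outbound URLs are constructed samples, and the blocked domain list is the article's defanged domains with the brackets removed:

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed sample artifacts shaped like the indicators the article describes.
SAMPLE_USERS = ["admin", "editor_jane", "xq9f7zty", "shop-manager", "k2m8p4qw"]
SAMPLE_CRON_TARGETS = [
    "/wp-content/plugins/woocommerce/includes/wc-cron-functions.php",
    "/wp-content/plugins/a8fj3kd9/includes.php",
]
SAMPLE_PLUGIN_DIRS = ["woocommerce", "akismet", "authbypass-update"]
SAMPLE_OUTBOUND = [
    "https://api.wordpress.org/plugins/update-check/1.1/",
    "https://woocommerce-services.com/wpapi",
    "https://woocommerce-api.com/wpapi",
]
TRUSTED_DOMAINS = {"woocommerce.com", "wordpress.org"}
# Domains named in the report (defanging brackets removed).
KNOWN_BAD = {"security-woocommerce.com", "woocommerce-services.com",
             "woocommerce-api.com", "woocommerce-help.com"}

RANDOM_USER = re.compile(r"^[a-z0-9]{8}$")          # 8-char random admin names
CRON_INCLUDES = re.compile(r"^/wp-content/plugins/[A-Za-z0-9]+/includes\.php$")

def is_homograph(domain, trusted=TRUSTED_DOMAINS):
    """True if a non-ASCII domain collapses onto a trusted one once accents are
    stripped (NFKD decomposition, combining marks dropped): the 'ė' in
    woocommėrce.com becomes 'e'. Logs holding the punycode (xn--) form must be
    decoded before this check."""
    if domain.isascii():
        return False
    folded = "".join(c for c in unicodedata.normalize("NFKD", domain)
                     if not unicodedata.combining(c))
    return folded.lower() in trusted

def suspicious_users(users):
    # Triage hint only: legitimate 8-char names will also match and need review.
    return [u for u in users if RANDOM_USER.match(u)]

def suspicious_cron(targets):
    return [t for t in targets if CRON_INCLUDES.match(t)]

def suspicious_dirs(dirs):
    return [d for d in dirs if d == "authbypass-update"]

def suspicious_outbound(urls):
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    return [h for h in hosts if h in KNOWN_BAD or is_homograph(h)]
```

Feed the functions real data from the users table, the WP-Cron option and egress logs; the sample constants only show the expected shape.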

29-Apr-2025
4 min read