
Phishing

Data Breach

American Airlines


American Airlines hack was yet another phishing target

Hackers compromised an employee's Microsoft 365 account to pull off the hack on American Airlines successfully...

24-Sep-2022
3 min read

No content available.

Related Articles


WP

Hackers are exploiting a critical privilege escalation flaw in OttoKit (SureTrig...

A critical vulnerability in the OttoKit WordPress plugin (formerly SureTriggers), used by over 100,000 websites, has unleashed a wave of cyberattacks, enabling hackers to hijack administrative privileges and seize control of vulnerable sites. Tracked as **CVE-2025-27007**, this flaw allows unauthenticated attackers to create rogue administrator accounts, posing a severe risk to businesses, bloggers, and e-commerce platforms relying on WordPress.

The vulnerability was first reported to Patchstack, a leading vulnerability disclosure platform, by cybersecurity researcher Denver Jackson on **April 11, 2025**. Within hours, the plugin’s developers were notified, and a patch was rolled out by **April 21** in OttoKit version **1.0.83**. However, as Patchstack warned in its May 5 advisory, exploitation began a mere **90 minutes** after public disclosure, highlighting the ruthless efficiency of modern cybercriminals.

---

**How the Exploit Works: Anatomy of an Attack**

The vulnerability stems from a **logic flaw** in OttoKit’s REST API endpoint `/wp-json/sure-triggers/v1/create_wp_connection`. Attackers exploit the `create_wp_connection` function, which improperly bypasses authentication checks when application passwords are not configured. This oversight allows hackers to:

1. **Guess or brute-force administrator usernames** (e.g., “admin,” “administrator”).
2. Inject **fake access keys** and email addresses (e.g., `hacked@ottokit[.]com`).
3. Abuse the `/sure-triggers/v1/automation/action` endpoint with a malicious payload:

```json
{"type_event": "create_user_if_not_exists"}
```

This payload silently generates new administrator accounts, granting full site control. According to Patchstack, attackers mimic legitimate integration requests, making detection challenging. Once inside, hackers can install backdoors, steal data, or deploy ransomware.

---

**The Fallout: A Pattern of Vulnerabilities**

This marks the **second critical flaw** in OttoKit since April 2025.
The earlier **CVE-2025-3102**, another authentication bypass bug, was similarly exploited to hijack sites. Such recurring issues raise concerns about the plugin’s security architecture, particularly given its role in automating workflows and connecting sensitive third-party services (e.g., payment gateways, CRMs).

---

**Who’s at Risk?**

- **Unpatched OttoKit Users**: Sites running versions below **1.0.83**.
- **Default Admin Usernames**: Sites using “admin” or similar easily guessable usernames.
- **Sites Without Application Passwords**: Configurations lacking app-specific passwords are more vulnerable.

---

**Mitigation Steps: Protecting Your Website**

1. **Immediate Patching**:
   - Update OttoKit to **version 1.0.83 or later**. Most users were force-updated by April 24, but manually verify your installation.
2. **Audit User Accounts**:
   - Check for suspicious admins (e.g., `ottokit-admin@example[.]com`) under *Users > All Users* in WordPress.
3. **Analyze Server Logs**:
   - Look for repeated POST requests to `/create_wp_connection` or `/automation/action` from unfamiliar IPs.
4. **Harden Security**:
   - **Disable unused plugins**: Reduce attack surfaces.
   - **Enforce application passwords**: Require them for all integrations.
   - **Deploy a Web Application Firewall (WAF)**: Block malicious payloads targeting OttoKit endpoints.

---

**Vendor Response and Industry Reactions**

OttoKit’s developers have faced criticism for delayed patching timelines, though they resolved CVE-2025-27007 within **10 days** of disclosure. In a statement, the vendor urged users to *“enable auto-updates and monitor for unauthorized changes.”* Meanwhile, the WordPress Security Team has yet to address broader concerns about plugin vetting processes.
With over **55,000 plugins** in the official repository, experts argue that high-risk tools like OttoKit warrant stricter scrutiny.

---

**Broader Implications for WordPress Security**

This incident underscores systemic risks in the WordPress ecosystem:

- **Third-Party Plugin Reliance**: 98% of WordPress vulnerabilities stem from plugins/themes (Wordfence, 2024).
- **Supply Chain Attacks**: Compromised plugins can disrupt millions of sites.
- **Patching Fatigue**: Many small businesses lack resources to apply updates promptly.

---

**Conclusion: Vigilance in a Vulnerable Landscape**

The OttoKit exploit serves as a stark reminder of the fragility of digital ecosystems. While patches exist, the rapid weaponization of CVE-2025-27007 proves that hackers move faster than many defenders. For WordPress administrators, proactive measures—patching, auditing, and hardening—are no longer optional but existential.

07-May-2025
4 min read

Botnet

MIRAI

Administrators are advised to reference Samsung’s security advisory and SSD-Disc...

A severe vulnerability in Samsung’s MagicINFO Server, a widely used content management system (CMS) for digital signage, is being actively exploited by hackers to hijack devices and deploy malware, including a Mirai botnet variant. The unpatched flaw allows attackers to execute malicious code remotely without authentication, posing significant risks to organizations globally.

**Details of the Exploitation**

Tracked as **CVE-2024-7399**, the vulnerability stems from improper pathname restrictions in Samsung MagicINFO 9 Server, enabling attackers to upload arbitrary files with system-level privileges. The flaw, patched in August 2024 with version 21.1050, resurfaced this week after security researchers at SSD-Disclosure published a proof-of-concept (PoC) exploit on April 30, 2025.

The exploit targets the server’s file upload functionality, designed to distribute content to displays. Attackers abuse this feature by sending unauthenticated POST requests to upload malicious JavaServer Pages (JSP) web shells. Using path traversal techniques, these files are placed in web-accessible directories, allowing threat actors to execute operating system commands remotely. By appending a `cmd` parameter to the uploaded JSP file’s URL, attackers can run commands directly and view outputs in a browser.

**Active Campaigns and Impact**

Cybersecurity firm Arctic Wolf confirmed active exploitation of CVE-2024-7399 within days of the PoC’s release. “The low barrier to entry, combined with publicly available exploit code, makes this vulnerability a prime target for threat actors,” the company warned. Johannes Ullrich, a prominent threat analyst, corroborated these findings, noting a Mirai botnet variant leveraging the flaw. Mirai, infamous for hijacking devices into botnets for distributed denial-of-service (DDoS) attacks, could transform compromised digital signage systems into attack vectors.
Samsung MagicINFO Server is deployed across high-traffic sectors, including retail chains, airports, hospitals, and corporate campuses. A successful breach could allow attackers to:

- Disrupt critical signage (e.g., flight information, medical alerts).
- Deploy ransomware or spyware.
- Use compromised devices as footholds for lateral network movement.

**Urgent Mitigation Steps**

Samsung urges all users to immediately upgrade to MagicINFO Server version 21.1050 or later. Organizations unable to patch promptly should:

- Isolate MagicINFO servers from the internet.
- Monitor network traffic for suspicious file uploads or POST requests.
- Audit systems for unexpected JSP files or unauthorized administrative activity.

**Broader Implications**

This incident highlights the risks of delayed patch adoption and the rapid weaponization of disclosed vulnerabilities. With digital signage systems often overlooked in security strategies, experts warn that unpatched devices could fuel escalating attacks. “Critical infrastructure sectors must prioritize vulnerability management, especially for internet-facing systems,” Arctic Wolf emphasized. “Threat actors are agile—defenders need to be faster.”

---

**Follow-Up Actions:** Administrators are advised to reference Samsung’s security advisory and SSD-Disclosure’s technical analysis (CVE-2024-7399) for additional mitigation guidance.
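The OttoKit article's "Analyze Server Logs" step and the MagicINFO advice to watch for suspicious uploads and unexpected JSP files both come down to scanning web server access logs. The script below is an added example written for this page, not code from Patchstack, Arctic Wolf, Samsung or the plugin vendor; the two OttoKit REST routes are the ones the article names, while `/MagicInfo/upload`, `shell.jsp` and the log lines themselves are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs, unquote
# Constructed sample access-log lines (combined log format). The OttoKit REST paths are the
# ones named in the article; /MagicInfo/upload and shell.jsp are placeholder names, not real paths.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:10:01:02 +0000] "POST /wp-json/sure-triggers/v1/create_wp_connection HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [05/May/2025:10:01:03 +0000] "POST /wp-json/sure-triggers/v1/create_wp_connection HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [05/May/2025:10:01:05 +0000] "POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [05/May/2025:10:02:00 +0000] "POST /wp-json/sure-triggers/v1/create_wp_connection HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [05/May/2025:11:00:00 +0000] "POST /MagicInfo/upload?name=..%2f..%2fshell.jsp HTTP/1.1" 200 10 "-" "curl/8.0"
192.0.2.9 - - [05/May/2025:11:00:04 +0000] "GET /MagicInfo/shell.jsp?cmd=whoami HTTP/1.1" 200 40 "-" "curl/8.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# REST routes abused in the OttoKit attack chain, matched as suffixes of the request path
OTTOKIT_ENDPOINTS = ("/sure-triggers/v1/create_wp_connection", "/sure-triggers/v1/automation/action")

def parse_line(line):
    # Split one combined-log line into fields; None for lines that do not match the format
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    return rec

def scan_access_log(text, repeat_threshold=2):
    # Return (ip, rule, detail) findings for the indicators the two advisories describe
    ottokit_posts = Counter()  # POSTs per source IP to the OttoKit integration routes
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.endswith(OTTOKIT_ENDPOINTS):
            ottokit_posts[ip] += 1
        # MagicINFO-style indicators: traversal in an upload request (decode %2f first),
        # and a JSP file reached with a cmd parameter, i.e. a web shell being driven
        if rec["method"] == "POST" and "../" in unquote(rec["target"]):
            findings.append((ip, "path-traversal-upload", rec["target"]))
        if path.lower().endswith(".jsp") and "cmd" in rec["query"]:
            findings.append((ip, "jsp-webshell-cmd", rec["target"]))
    for ip, n in ottokit_posts.items():
        if n >= repeat_threshold:  # one integration handshake is normal; bursts are not
            findings.append((ip, "repeated-ottokit-posts", f"{n} POSTs"))
    return findings
```

Feed it the real access log instead of `SAMPLE_LOG` and tune `repeat_threshold` to how often legitimate OttoKit integrations reconnect on your site.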

06-May-2025
3 min read

Hack

UK retail giant Co-op confirms data breach as DragonForce ransomware claims atta...

UK retail giant Co-op has confirmed a large-scale data breach after affiliates of the DragonForce ransomware gang claimed responsibility for a cyberattack that compromised sensitive information of millions of current and former customers. Initially downplayed by the company, the breach highlights escalating threats from financially motivated hackers leveraging social engineering tactics.

### **What Happened?**

On April 22, threat actors linked to the Scattered Spider/Octo Tempest collective breached Co-op’s systems using a social engineering attack. Posing as legitimate personnel, hackers reset an employee’s password to infiltrate the network. Once inside, they extracted the *Windows NTDS.dit* file—a critical Active Directory database containing password hashes for user accounts. This allowed attackers to potentially move laterally across Co-op’s infrastructure.

While Co-op initially stated the breach caused minimal damage, forensic investigations revealed hackers stole personal data, including names and contact details, of a “significant number” of loyalty program members. DragonForce affiliates later boasted to the BBC that they had access to records for 20 million people, though Co-op had not verified this figure.

### **Extortion Tactics and Corporate Response**

DragonForce operatives contacted Co-op’s cybersecurity executives via Microsoft Teams, sharing screenshots of stolen corporate and customer data as proof. Internal emails seen by the BBC warned employees to avoid sharing sensitive information on Teams, signaling lingering concerns about ongoing access.

Co-op has since partnered with Microsoft’s Detection and Response Team (DART) and KPMG to rebuild Windows domain controllers, harden Entra ID (formerly Azure AD), and secure AWS environments. The company emphasized that passwords, bank details, and transaction histories remained untouched.
### **DragonForce’s Rising Threat**

DragonForce, a ransomware-as-a-service (RaaS) operation, demands ransoms in exchange for decryptors and promises to delete stolen data. Affiliates keep 70-80% of payouts, incentivizing aggressive extortion. The group has also claimed responsibility for recent attacks on Marks & Spencer and an attempted breach of luxury retailer Harrods.

### **Scattered Spider’s Shadowy Network**

The attack mirrors tactics attributed to Scattered Spider—a decentralized collective of hackers specializing in social engineering, SIM swapping, and MFA fatigue attacks. While some members were arrested in 2023 following high-profile breaches at MGM Resorts and Reddit, new actors have adopted their playbook, complicating law enforcement efforts.

### **Expert Warnings and Recommendations**

Cybersecurity researcher Will Thomas urges organizations to adopt multi-layered defenses against social engineering, including:

- Strict controls over password resets and privileged access.
- Monitoring for MFA fatigue attacks (repeated push notifications).
- Regular audits of Active Directory and cloud identity systems.

_“These attackers prey on human vulnerabilities,”_ Thomas said. _“Training employees to recognize phishing attempts and enforcing zero-trust policies are critical.”_

### **What’s Next for Co-op Customers?**

Affected members are advised to monitor for phishing emails or calls exploiting stolen contact details. Co-op has not disclosed whether ransomware was deployed or if a ransom demand was made. The Information Commissioner’s Office (ICO) is investigating the breach, which could result in fines under GDPR if security failures are proven.

### **Broader Implications**

The Co-op breach underscores the vulnerability of legacy systems like Active Directory and the growing boldness of ransomware gangs. With DragonForce emerging as a major player, businesses worldwide face pressure to fortify defenses against an evolving threat landscape.
*Co-op stated, _“We continue to investigate this incident and apologize for the concern this may cause.”_ The company has yet to confirm if data will be published on DragonForce’s dark web leak site.*
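The recommendation above to monitor for MFA fatigue (repeated push notifications) can be turned into a simple sliding-window detection over identity-provider sign-in events. This is an added example written for this page, not Co-op's, Microsoft DART's or any vendor's code; the event records, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push-challenge events as (ISO timestamp, user, outcome); identity-provider
# agnostic and not taken from the article or any real sign-in log
SAMPLE_EVENTS = [
    ("2025-04-22T02:14:05", "j.doe", "denied"),
    ("2025-04-22T02:14:40", "j.doe", "denied"),
    ("2025-04-22T02:15:12", "j.doe", "denied"),
    ("2025-04-22T02:15:50", "j.doe", "denied"),
    ("2025-04-22T02:16:30", "j.doe", "approved"),   # user finally accepts: the attacker is in
    ("2025-04-22T08:00:00", "a.smith", "approved"),  # ordinary logins spread over a workday
    ("2025-04-22T09:30:00", "a.smith", "denied"),
    ("2025-04-22T17:45:00", "a.smith", "approved"),
]

def detect_mfa_fatigue(events, max_prompts=3, window=timedelta(minutes=10)):
    # Flag each user who receives more than max_prompts push challenges inside one sliding
    # window. Severity is "approved-after-burst" when a prompt is accepted during the burst
    # (the classic fatigue success), otherwise "burst" (worth a call to the user either way).
    recent = defaultdict(deque)  # user -> prompt timestamps still inside the window
    alerts = {}
    for ts, user, outcome in sorted(events):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while t - q[0] > window:  # drop prompts that have aged out of the window
            q.popleft()
        if len(q) > max_prompts:
            if outcome == "approved":
                alerts[user] = "approved-after-burst"
            else:
                alerts.setdefault(user, "burst")  # never downgrade an existing approved alert
    return alerts
```

An approval at the tail of a burst is the case to page on; a burst of denials alone still warrants a password reset and a conversation with the user.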

05-May-2025
3 min read