company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Chess

loading..
loading..
loading..

Chesscom Breach Exposes Vendor Weakness Despite Swift Response

Chesscom confirms data breach via third-party app affecting 4,500 users, raising supply-chain security concerns despite rapid response.

04-Sep-2025
4 min read

No content available.

Related Articles

loading..

Exploit

Ghost in the machine! Operation Zero Disco hijacks Cisco switches via a critical...

In one of the most significant cybersecurity disclosures of the year, Trend Micro has detailed **"Operation Zero Disco,"** a highly sophisticated attack campaign leveraging a critical vulnerability in Cisco switches. The threat actors use a flaw in the Simple Network Management Protocol (SNMP) to install a stealthy Linux rootkit, granting them permanent, hidden control over the network infrastructure. This represents a fundamental shift in attacker methodology, moving from servers and workstations to the very backbone of the network itself. ## **CVE-2025-20352 Explained** The entire attack chain begins with a single point of failure: **CVE-2025-20352**. This is a critical-rated vulnerability (CVSS score likely 9.8+) within the SNMP subsystem of specific Cisco IOS XE and IOS Software. SNMP, or Simple Network Management Protocol, is a ubiquitous service used for monitoring and managing network devices. The flaw allows an unauthenticated, remote attacker to execute arbitrary code with the highest level of privileges (root) by sending a specially crafted SNMP packet to a vulnerable device. The most alarming aspect is that the exploitation requires no user interaction and leaves no immediate forensic trace, making the initial breach virtually silent. ### **Primary Targets in the Crosshairs** The campaign has shown a deliberate focus on essential Cisco switching hardware, including: * Cisco Catalyst 9400 and 9300 Series Switches * Legacy Cisco Catalyst 3750 Series Switches These devices are not obscure; they are the foundational plumbing of enterprise networks worldwide, handling data for corporations, governments, and critical infrastructure. The attackers are strategically targeting older, unpatched, or internet-facing instances of this equipment. ## **The Anatomy of an Advanced Attack** Operation Zero Disco is not a simple smash-and-grab; it is a methodical, multi-stage operation designed for maximum stealth and persistence. ### **Phase 1: Initial Compromise and Exploitation** The attack initiates with broad scanning to identify vulnerable devices. Once a target is located, the attacker deploys the exploit for CVE-2025-20352. This malicious SNMP packet triggers the vulnerability, allowing the attacker to break out of the protocol's intended constraints and execute their own commands on the underlying operating system with root-level authority. ### **Phase 2: Deployment of the "Zero Disco" Rootkit** With a foothold established, the attacker installs their namesake payload: a custom Linux rootkit. This is where the operation's true sophistication is revealed. Unlike traditional malware that writes files to a disk, this rootkit is largely fileless. It operates by injecting malicious code directly into the memory of the key IOSd process—the core software that runs the switch's operating system. **Key capabilities of the rootkit include:** * **A Universal Backdoor Password:** It sets a secret, hardcoded password that provides backdoor access to the switch's console, completely bypassing all legitimately configured user credentials. * **Memory Residency:** By living primarily in memory, it avoids leaving traces on the filesystem, rendering conventional file-based antivirus and integrity checks useless. * **Persistence Mechanism:** The rootkit is engineered to survive device reboots, ensuring the compromise is long-lasting. ### **Phase 3: Command and Control via the UDP Backdoor** To maintain remote control, the rootkit establishes a covert communication channel. A separate UDP-based backdoor component listens for encrypted commands from the attacker's command-and-control (C2) server. **This backdoor controller grants the attacker god-like control over the device, enabling them to:** * **Disable all system logging,** effectively making the switch "forget" all malicious activity. * **Bypass authentication checks** to grant access to anyone using the secret handshake. * **Hide malicious configurations** from the `show running-config` command. Specific user accounts, EEM (Embedded Event Manager) applets, and Access Control Lists (ACLs) can be active on the device while remaining completely invisible to network administrators. * **Execute "timestomping,"** manipulating file timestamps to avoid detection during forensic audits. ### **Phase 4: Lateral Movement and Espionage** With full, invisible control over a network switch, the attacker gains a strategic vantage point. They can now: * **Bridge separate VLANs,** dismantling critical network segmentation designed to contain breaches. * **Conduct ARP spoofing** to impersonate trusted IP addresses, allowing them to bypass internal firewalls and intercept sensitive data in transit. * **Move laterally** throughout the network to target high-value servers and workstations, all from a trusted network position. ## **Mitigation and Defense: A Strategic Response** Given the severity and stealth of this threat, a layered and immediate defensive strategy is non-negotiable. ### **Immediate Action: Patching and Workarounds** The single most effective action is to apply the official patch. Organizations must immediately upgrade their Cisco switches to a fixed software release. The **Cisco Software Checker** should be used to identify the correct version for specific hardware models. If patching cannot be performed instantly, a temporary mitigation is available. Administrators can disable the specific vulnerable Object ID (OID) using the SNMP view configuration: `snmp-server view NO-DISCO iso excluded` `snmp-server community public view NO-DISCO RO` **Important Note:** This is a temporary workaround, not a permanent solution. Patching remains critical. ### **Strategic Security Hardening** Beyond immediate mitigation, organizations must reinforce their security posture: * **Eliminate Default SNMP Communities:** Immediately change or disable well-known community strings like "public" and "private." * **Restrict SNMP Access:** Use Access Control Lists (ACLs) to ensure the SNMP service is only accessible from a dedicated, trusted management station and is blocked from general network access. * **Conduct Proactive Threat Hunting:** There is no automated tool to reliably detect a compromise. Security teams must hunt for anomalies, such as unexplained device reboots, unexpected EEM scripts, or unusual SNMP traffic patterns. * **Engage Cisco TAC for Forensic Analysis:** If a compromise is suspected, the only reliable course of action is to contact Cisco's Technical Assistance Center for a low-level forensic investigation. It demonstrates that advanced threat actors are now systematically targeting the network infrastructure itself with tools designed to be invisible to conventional security controls. The combination of a potent, remotely exploitable flaw and an advanced, persistent rootkit creates a perfect storm for enterprise security. This campaign serves as a stark reminder that network devices are not just plumbing—they are critical security endpoints that require the same level of scrutiny, patching, and monitoring as any server or desktop.

loading..   16-Oct-2025
loading..   6 min read
loading..

Exploit

TigerJack's malicious VS Code extensions, like C++ Playground & HTTP Format, ste...

A threat actor known as **TigerJack** has been systematically infiltrating developer marketplaces with malicious Visual Studio Code (VS Code) extensions, creating a sophisticated attack infrastructure that steals source code, hijacks system resources for cryptocurrency mining, and establishes remote backdoors for complete system control. This ongoing campaign highlights a critical and escalating threat to the software supply chain, leveraging the trust developers place in popular IDE marketplaces. ### Malicious Extension Arsenal TigerJack operates a coordinated multi-account campaign across at least three publisher identities (`ab-498`, `498`, and `498-00`), deploying at least 11 malicious extensions. The most successful ones, "C++ Playground" and "HTTP Format," infected over **17,000 developers** before being removed from the Microsoft Marketplace, though they remain available on the open-source **OpenVSX registry** (used by Cursor, Windsurf, and other VS Code-compatible IDEs). The attack employs a "Trojan Horse" strategy: the extensions function as advertised to avoid suspicion while malicious code runs invisibly in the background. | Extension Name | Primary Malicious Function | Key Technique | | :--- | :--- | :--- | | **C++ Playground** | Source code theft | Exfiltrates C++ code via document change listener | | **HTTP Format** | Cryptocurrency mining | Runs CoinIMP miner with hardcoded credentials | | **cppplayground, httpformat, pythonformat** | Remote Code Execution (Backdoor) | Fetches & executes remote JavaScript payloads every 20 minutes | ### A Multi-Faceted Attack on Developers 1. **Real-Time Source Code Theft**: The "C++ Playground" extension uses an `onDidChangeTextDocument` listener that activates 500 milliseconds after a keystroke, capturing and exfiltrating complete C++ source files in near-real-time to multiple remote servers. The stolen code, often containing proprietary algorithms and intellectual property, is packaged into JSON payloads and sent to endpoints like `https://ab498.pythonanywhere.com/test4`. 2. **Cryptojacking and System Hijacking**: "HTTP Format" secretly runs a **CoinIMP miner**, using hardcoded API credentials to monopolize CPU resources. This causes noticeable performance issues like constant fan noise and system lag, which developers often mistake for hardware or software problems. The threat actor can monitor mining progress and withdraw mined cryptocurrency directly. 3. **Persistent Remote Backdoor**: The most dangerous extensions establish a **persistent backdoor** that polls a remote server (`https://ab498.pythonanywhere.com/static/in4.js`) every 20 minutes for new commands. Using JavaScript's `eval()` function on the fetched code, TigerJack can dynamically push any malicious payload without updating the extension. This allows for: * Stealing credentials and API keys * Deploying ransomware * Using developer machines as entry points into corporate networks * Injecting backdoors into software projects ### A Persistent & Evolving Threat TigerJack demonstrates high persistence. As recently as September 2025, the actor launched a coordinated republication campaign, repackaging the same malicious code under the new "498-00" publisher account. This occurred even as the investigation was ongoing, proving the operation's sophistication. This campaign is part of a broader trend of attacks targeting developers through their tools. Recent incidents include a malicious dependency in the **"Material Theme"** that impacted nearly 4 million users, a cryptojacking campaign impersonating popular tools like **"Prettier"** and **"Discord Rich Presence"**, and a supply chain attack on the **"Ethcode"** extension via a malicious pull request. ### How to Protect Your Development Environment For individual developers and organizations, vigilance and proactive security measures are critical: * **Vet Extensions and Publishers**: Only install extensions from verified, well-known publishers. Scrutinize the publisher's name, history, and other extensions. * **Practice Least Privilege**: Grant extensions only the minimum permissions they require. Regularly audit installed extensions and revoke access for those no longer in use. * **Monitor System Performance**: Unexplained high CPU usage or system slowdown could indicate a hidden cryptominer. * **Use Security Tools**: Consider community-built security scanners like **ExtensionTotal** that can detect malicious or risky extensions before they cause harm. * **Maintain Visibility**: Organizations should have visibility into third-party vendors and tools integrated into their development environment, as limited visibility is a major risk factor. The TigerJack campaign serves as a stark reminder that the very tools intended to boost productivity can become potent weapons in the hands of threat actors. As the attack vector evolves, a shift from blind trust to verified security becomes not just prudent, but essential for safeguarding intellectual property and infrastructure.

loading..   15-Oct-2025
loading..   4 min read
loading..

CLOP

Zero Day

Critical Oracle E-Business Suite flaws CVE-2025-61882 and CVE-2025-61884 were ex...

The enterprise software landscape is facing a significant security crisis following the discovery of two critical vulnerabilities in **Oracle E-Business Suite (EBS)**. The situation escalated when a vulnerability patched in early October, **CVE-2025-61882**, was exploited as a zero-day by threat actors linked to the **CL0P extortion group**, leading to a widespread data theft and extortion campaign affecting dozens of organizations . Oracle has since issued another emergency alert for a separate, high-severity flaw, **CVE-2025-61884**, warning that it could allow unauthenticated attackers to access sensitive data. This one-two punch has placed organizations relying on the popular enterprise resource planning platform at severe risk, underscoring the critical need for immediate patching and robust security measures. ## CVE-2025-61882 and CVE-2025-61884 ### Technical Specifications at a Glance The following table breaks down the key characteristics of the two recently disclosed Oracle E-Business Suite vulnerabilities: | **Characteristic** | **CVE-2025-61882** | **CVE-2025-61884** | | :--- | :--- | :--- | | **CVSS v3.1 Score** | 9.8 (Critical) | 7.5 (High) | | **Attack Vector** | Network | Network | | **Authentication Required** | No | No | | **Primary Impact** | Remote Code Execution | Unauthorized Data Access | | **Affected Component** | Oracle Concurrent Processing (BI Publisher Integration) | Oracle Configurator (Runtime UI) | | **Affected Versions** | 12.2.3 through 12.2.14 | 12.2.3 through 12.2.14 | ### Technical Mechanism of Attack The critical vulnerability **CVE-2025-61882** has been the primary vector for the ongoing extortion campaign. Analysis from CrowdStrike and Google Threat Intelligence Group (GTIG) reveals a sophisticated, multi-stage exploit chain. The attack begins with an **authentication bypass**, initiated by a malicious `POST` request to the `/OA_HTML/SyncServlet` endpoint. Once access is gained, the threat actors abuse Oracle's **XML Publisher Template Manager** to achieve code execution. They upload a malicious XSL template into the EBS database, where it is stored in the `XDO_TEMPLATES_B` table . The template's name consistently begins with the prefix `TMP` or `DEF`. The final stage involves triggering the execution of this payload by calling the Template Preview functionality, which executes the embedded commands. This technique allows the attackers to deploy web shells and other malware, establishing persistence and enabling data exfiltration. ## Extortion Campaign: Tactics, Techniques, and Procedures (TTPs) ### CL0P's Mass Exploitation Playbook GTIG and Mandiant have attributed this campaign to a threat actor claiming affiliation with the **CL0P extortion brand**, a group notorious for mass exploitation of zero-day vulnerabilities in managed file transfer systems. The campaign follows a now-familiar playbook: exploit a zero-day, steal victim data, and initiate extortion attempts weeks later. The first known exploitation of CVE-2025-61882 [occurred](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html) as early as **August 9, 2025**, with suspicious activity dating back to July 10, 2025—weeks before a patch was available. The extortion phase began on **September 29, 2025**, when the actor launched a high-volume email campaign to executives at numerous organizations. These emails, sent from hundreds of compromised third-party accounts to bypass spam filters, alleged the theft of sensitive data from the victims' Oracle EBS environments and provided limited file listings as proof. The emails directed victims to contact `[email protected]` and `[email protected]`, addresses associated with the CL0P data leak site. ### A Sophisticated Malware Arsenal To maintain control within compromised environments, the threat actors deployed a chain of Java-based implants. These malware families are designed for in-memory execution to avoid detection on disk. Observed payloads include: * **GOLDVEIN.JAVA**: A downloader used to retrieve additional malicious components . * **SAGEGIFT, SAGELEAF, and SAGEWAVE**: A suite of tools that blend dynamic filters and template-based payload delivery through the database, facilitating stealthy operations and data exfiltration. ## A Defender's Guide ### Immediate Patching is Non-Negotiable Oracle has strongly recommended that customers apply the emergency updates for both CVE-2025-61882 and CVE-2025-61884 as soon as possible. [Link to CVE-2025-61884] (https://nvd.nist.gov/vuln/detail/CVE-2025-61884). It is crucial to note that for CVE-2025-61882, the **October 2023 Critical Patch Update is a prerequisite** for applying the new security patch. Organizations should urgently review their patch levels and proceed with updates. Patches are provided for product versions covered under Premier or Extended Support phases. ### Proactive Threat Hunting and Hardening Given that exploitation may have begun months before patches were released, organizations must proactively hunt for signs of compromise. Security researchers and Oracle recommend the following actions: * **Scan for Malicious Templates**: Query the `xdo_templates_vl` database table for templates with names starting with `TMP` or `DEF` followed by 16 random hex characters . * **Monitor for IOCs**: Hunt for network connections to known malicious IPs provided by Oracle, including `200[.]107[.]207[.]26` and `185[.]181[.]60[.]11` . Also, monitor for commands associated with the exploit, such as reverse shell commands . * **Inspect Session Logs**: Investigate suspicious sessions in the `icx_sessions` table, particularly for `UserID 0` (sysadmin) and `UserID 6` (guest) . * **Reduce Attack Surface**: As a temporary measure, consider disabling direct internet access to exposed Oracle EBS services and ensure instances are secured behind a web application firewall (WAF) . ## Escalating Threat to Enterprise Software This incident is part of a dangerous trend where sophisticated threat actors systematically target business-critical software. The CL0P group has repeatedly used this model with great success, having previously exploited zero-days in Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. Shifting this playbook to a core enterprise platform like Oracle E-Business Suite, which manages finances, supply chains, and customer relationships for countless organizations, represents an escalation in both ambition and potential impact. The public leaking of a proof-of-concept exploit for [CVE-2025-61882](https://nvd.nist.gov/vuln/detail/CVE-2025-61882) on a Telegram channel on October 3, 2025, has further heightened the threat landscape. This disclosure lowers the barrier to entry for other threat actors, making it likely that attacks will evolve from targeted exploitation to broader, opportunistic campaigns in the near future.

loading..   13-Oct-2025
loading..   5 min read