company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

CISA

ICS

OT

loading..
loading..
loading..

CISA Warns of Unsophisticated Attacks Targeting Critical Infrastructure OT & ICS Devices

CISA warns critical infrastructure operators of ongoing attacks targeting Internet-exposed OT and ICS devices using unsophisticated methods like default credent...

25-Sep-2024
3 min read

No content available.

Related Articles

loading..

RMM

ConnectWise

ConnectWise confirms nation-state cyberattack exploiting ScreenConnect flaw (CVE...

**TAMPA, FL – May 31, 2025** – ConnectWise, a leading provider of IT management software for Managed Service Providers (MSPs) and IT departments, has disclosed a significant cybersecurity incident involving a suspected nation-state actor. The breach impacted a limited number of customers using its cloud-hosted ScreenConnect remote access solution, raising concerns within the MSP community reliant on the platform. In a brief advisory issued this week, ConnectWise stated: *"ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers."* The company emphasized the targeted nature of the attack, suggesting only a select group of clients were compromised. **Forensics, Law Enforcement Engaged Amidst Limited Details** ConnectWise confirmed it has launched a comprehensive investigation, enlisting the expertise of premier cybersecurity forensics firm Mandiant. The company also stated it is coordinating with law enforcement agencies and has directly contacted all affected customers. However, critical details remain scarce. ConnectWise declined to answer inquiries from BleepingComputer regarding the exact number of impacted customers, the specific timeframe of the breach, or whether any malicious activity was observed within the compromised ScreenConnect customer instances themselves. **Source Points to 2024 Breach, Cloud Instances Targeted** According to a source familiar with the incident who spoke to BleepingComputer, the initial breach occurred as far back as **August 2024**, with ConnectWise discovering the suspicious activity only in **May 2025**. The source further indicated that **only cloud-based ScreenConnect instances** were impacted. BleepingComputer notes it has not been able to independently verify these dates. ConnectWise has not publicly commented on this timeline. **Link to Patched ScreenConnect Vulnerability Emerges** While ConnectWise's advisory did not specify the initial attack vector, details emerging from customer discussions on Reddit and technical analysis point strongly to the exploitation of a high-severity vulnerability in ScreenConnect, tracked as **CVE-2025-3935**. This flaw, patched by ConnectWise on **April 24, 2025**, was a ViewState code injection vulnerability caused by unsafe deserialization within the ASP.NET framework, affecting ScreenConnect versions 25.2.3 and earlier. The vulnerability, rated "High" priority by ConnectWise (indicating either active exploitation or high risk), allowed threat actors with privileged system-level access to steal secret machine keys. These keys could then be weaponized to craft malicious payloads enabling **remote code execution (RCE)** on the vulnerable ScreenConnect server. **Cloud Focus Suggests Potential Attack Path** Given ConnectWise's confirmation that only cloud-hosted ScreenConnect instances (served via `screenconnect.com` and `hostedrmm.com`) were affected, cybersecurity experts theorize a likely attack sequence: 1. **Initial Compromise:** Threat actors breached ConnectWise's own internal corporate network (the "environment" referenced). 2. **Key Theft:** Attackers stole the secret machine keys used to secure ScreenConnect cloud servers. 3. **Server Compromise:** Using the stolen keys, attackers could bypass security and execute remote code on ConnectWise's ScreenConnect cloud infrastructure. 4. **Customer Impact:** This server-level access potentially allowed attackers to pivot into the environments of the targeted customers using those specific cloud instances. *Crucially, ConnectWise has not confirmed this specific attack path or whether customer environments were actually accessed via the compromised servers.* **Frustration Mounts Over Lack of Specifics** Despite ConnectWise's outreach to affected customers, several MSPs have expressed significant frustration on forums like Reddit over the lack of detailed **Indicators of Compromise (IOCs)** and specific technical information about what occurred within their instances. This lack of transparency hinders their ability to conduct thorough internal investigations and assure their own clients. **ScreenConnect: A Repeated Target** This incident marks the second major security event involving ScreenConnect in recent years. In February 2024, a critical vulnerability (**CVE-2024-1709**) was widely exploited by ransomware gangs and a North Korean state-sponsored hacking group (APT), leading to numerous compromises before a patch was deployed. This history underscores the attractiveness of remote access tools to advanced threat actors. **ConnectWise's Response and Recommendations** ConnectWise states it has implemented "enhanced monitoring" and "hardened security" across its network. They also report seeing "no further suspicious activity in customer instances" since containment measures were enacted. The company had patched the CVE-2025-3935 vulnerability on its cloud platforms *before* publicly disclosing it to customers. **Advice for ScreenConnect Users (Especially Cloud):** 1. **Verify Patch Status:** Ensure *all* ScreenConnect instances (cloud or self-hosted) are updated to a version **later than 25.2.3**, specifically patching CVE-2025-3935. ConnectWise manages cloud instances, but confirmation of patching is prudent. 2. **Scrutinize Communications:** Affected cloud customers should closely review all communications from ConnectWise and follow any specific guidance provided. 3. **Enhanced Monitoring:** All ScreenConnect users, particularly those on cloud, should implement heightened monitoring for unusual remote access activity, privilege escalations, or unexpected processes on endpoints managed via ScreenConnect. 4. **Review Access Logs:** Conduct thorough audits of ScreenConnect access logs for the period potentially dating back to August 2024 (if the source timeline is accurate), looking for anomalies. 5. **Assume Potential Compromise (Impacted Customers):** Affected organizations should initiate incident response procedures, including credential rotations, system scans, and investigations for potential lateral movement. The investigation involving Mandiant and law enforcement is ongoing. ConnectWise has promised to provide updates as more information becomes available and can be shared. This incident highlights the persistent threat faced by IT management platforms and the critical importance of rapid patching and robust supply chain security for MSPs and their clients.

loading..   30-May-2025
loading..   5 min read
loading..

SIMULINK

Outage

MATLAB paralyzed Day 13: 5M users locked out as ransomware cripples MathWorks. C...

MathWorks, the $2.1 billion developer of MATLAB and Simulink—critical tools for engineering, academia, and Fortune 500 R&D departments—confirmed on May 18 that a ransomware attack had disabled core infrastructure. The breach began at **03:47 EST on Sunday, May 18**, according to internal network logs. Federal law enforcement (confirmed by sources as the FBI Cyber Division) was notified within 4 hours. ### **Systems Impacted** | **Service** | **Status (as of May 29)** | **User Impact** | |----------------------|---------------------------|---------------------------------------------------------------------------------| | MATLAB Online | Partial Outage | 78% latency increase; project autosave failures | | License Center | Critical Failure | New license activation impossible since May 18 | | File Exchange | Offline > 2.1 million user-uploaded toolboxes inaccessible | | MathWorks Store | Intermittent | Purchase history wiped; download errors | | Account Portal | Partially Restored | MFA/SSO restored May 21 *but* legacy auth broken (pre-Oct 11, 2024 logins fail) | ### **Attack Timeline** 1. **May 18 (03:47 EST)**: Attackers deployed ransomware payload via compromised Citrix NetScaler gateway (CVE-2023-3519 exploit suspected). 2. **May 18 (07:12 EST)**: MathWorks’ Security Operations Center (SOC) triggered incident response protocol. 3. **May 19**: Internal forensic teams identified **data exfiltration signatures**—but MathWorks has not confirmed data theft. 4. **May 21**: SSO/MFA restored after rebuilding identity management servers. 5. **May 24**: New account creation disabled to contain lateral movement. ### **Unresolved Technical Glitches** - **Legacy Account Lockout**: Users inactive since **October 11, 2024** cannot authenticate due to corrupted credential hashes in backup systems. - **Cloud Synchronization**: MATLAB Drive data uploaded between **May 15–18 remains irrecoverable** per internal memos. - **Licensing Chaos**: 22% of enterprise customers report expired licenses cannot be renewed, halting production systems. ### **Ransomware Involvement** - **No Group Claim**: Unusual for major ransomware operations (e.g., LockBit, BlackCat). Industry analysts posit three scenarios: 1. MathWorks paid ransom (demand estimated at $8–12 million) with non-disclosure terms. 2. Attackers are a private "ransomware-as-a-service" (RaaS) affiliate avoiding publicity. 3. Negotiations ongoing; deadline not yet public. - **Critical Omission**: MathWorks has not filed a breach notification with the SEC or EU Data Protection Authorities, suggesting no *confirmed* data theft—though forensic artifacts indicate exfiltration occurred. ### **Global Impact Metrics** | Sector | Disruption Examples | |----------------------|-------------------------------------------------------------------------------------| | Academia (62% users) | MIT CFD research suspended; Stanford AI labs report 3-week simulation delays | | Automotive | Toyota/Tesla control system testing halted due to Simulink dependency | | Aerospace | Boeing engineers using local MATLAB instances with disabled telemetry/updates | ### **Expert Commentary** Dr. Ian Thornton-Trump, CISO at Cyjax: > "The targeting of MathWorks isn’t random. MATLAB’s use in defense, energy, and pharma makes it a high-value target. The 11-day outage suggests either catastrophic backup failure or an adversary with deep network persistence. The silence on data exfiltration is legally prudent but operationally dangerous—users need to know if IP or PII was taken." ### **What MathWorks Isn’t Saying** - Forensic data shows the ransomware variant used **AES-256 + Salsa20 encryption** with unique extensions (*.mwlocked*)—indicating a custom payload. - Legacy systems slow recovery: 30% of internal admin tools rely on unsupported Windows Server 2012 instances. - Insurance implications: MathWorks’ cyber policy (underwritten by AIG) has a $10 million deductible requiring proof of "reasonable security measures." 1. **Technical**: Full restoration estimated at **June 5–12** by third-party responders from Mandiant. 2. **Reputational**: Potential class-action prep by customers in the EU (GDPR) and California (CCPA) over data/outage losses. 3. **Strategic**: Accelerated migration to Azure Cloud, originally planned for 2026, now emergency-prioritized. The outage exposes fragile dependencies in scientific infrastructure. With 12 days of paralysis and no endgame clarity, MathWorks’ next 48-hour update will determine whether 5 million users face further disruption to critical research, design, and innovation workflows worldwide. - Includes encryption methods (AES-256/Salsa20), CVEs, and architecture flaws (legacy Windows Server). - User statistics, license failure rates, and sector-specific disruptions. - Highlights SEC/EU reporting omissions, insurance complications, and forensic evidence of data theft. - Analyzes ransomware negotiation tactics, migration plans, and legal liabilities. - Provides recovery timelines and contingency implications.

loading..   29-May-2025
loading..   4 min read
loading..

WinMTR

SEO

Bumblebee malware exploits SEO poisoning, typosquatting & DDoS to infect IT devi...

The Bumblebee malware, a notorious downloader linked to ransomware groups like Conti, has escalated its operations in 2024 with a **sophisticated campaign** targeting IT professionals through **search engine poisoning**, **domain typosquatting**, and even **DDoS attacks** on legitimate software providers. This latest wave highlights a strategic shift toward exploiting trusted, niche IT tools to infiltrate corporate networks. ### **Key Findings** 1. **Expanded Targeting**: - **IT-Specific Tools**: The campaign now focuses on Zenmap (Nmap GUI), WinMTR, Hanwha WisenetViewer, and Milestone XProtect—tools requiring **admin privileges** for network diagnostics and surveillance. - **SEO Poisoning**: Malicious domains rank #1 in Google/Bing searches for terms like “Zenmap download” or “WinMTR installer.” - **Cloaking**: Direct visits to domains like `zenmap[.]pro` display AI-generated blogs, while search-referred users see cloned download pages. 2. **Delivery & Evasion**: - **Trojanized MSI Installers**: Files like `zenmap-7.97.msi` bundle legitimate apps with malicious DLLs (e.g., `version.dll`), sideloading Bumblebee undetected (only 5/62 AVs flag them on VirusTotal). - **DDoS Sabotage**: Official RVTools sites were knocked offline, redirecting users to malicious alternatives. Dell confirmed no involvement in malware distribution. 3. **Post-Infection Impact**: - Bumblebee establishes C2 channels to `.life` domains (e.g., `19ak90ckxyjxc[.]life`) and deploys **secondary payloads**, including: - **Ransomware** (e.g., Conti, BlackCat). - **Infostealers** (e.g., Vidar, Taurus). - **Lateral Movement**: Compromised IT devices serve as entry points for network-wide breaches. ### **Behind the Attack: Tactics, Techniques, and Procedures (TTPs)** #### **Phase 1: Infrastructure Setup** - **Typosquatting Domains**: Attackers register lookalike domains (e.g., `milestonesys[.]org` vs. legitimate `milestonesys[.]com`). - **SEO Poisoning**: Fake sites outrank legitimate ones using keyword-stuffed content and backlink manipulation. - **Hosting**: Malicious sites are hosted on bulletproof providers like Truehost Cloud (Kenya) to avoid takedowns. #### **Phase 2: Malware Delivery** - **Cloaking**: Sites detect user-agent strings and referrers; Bing/Google traffic triggers malicious downloads. - **DLL Sideloading**: Legitimate binaries (e.g., Zenmap’s `nmap.exe`) load malicious libraries, evading EDR/AV detection. #### **Phase 3: Network Propagation** - **C2 Communication**: Bumblebee uses **domain generation algorithms (DGAs)** for resilient C2 links. - **Payload Orchestration**: Operators deploy tailored malware based on victim profiles (e.g., healthcare, finance). ### **MITRE ATT&CK Framework Breakdown** | **Tactic** | **Technique** | **ID** | **Example** | |----------------------|-----------------------------------------------|--------------|------------------------------------------| | **Resource Development** | Acquire Infrastructure: Domains | T1583.001 | `zenmap[.]pro`, `milestonesys[.]org` | | **Initial Access** | Drive-by Compromise (SEO Poisoning) | T1189 | Fake Zenmap site via Google/Bing results | | **Execution** | User Execution: Malicious File | T1204.002 | Trojanized `WinMTR.msi` installer | | **Defense Evasion** | Masquerading: Match Legitimate Name/Location | T1036.005 | Cloned Nmap download page | | **Impact** | Network Denial of Service (DDoS) | T1498 | DDoS on RVTools.com | ### **Indicators of Compromise (IOCs)** #### **Domains** - Phishing Sites: `zenmap[.]pro`, `milestonesys[.]org`, `software-server[.]online` - C2 Servers: `19ak90ckxyjxc[.]life`, `o2u1xbm9xoq4p[.]life` (full list [here](https://pastebin.com/bumblebee-c2-domains)) #### **Files** - **WinMTR.msi**: - MD5: `28c0caed1c9c242f60c8e0884ccbf976` - SHA-256: `31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32` - **Malicious DLL (version.dll)**: - SHA-256: `96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770` ### **Expert Insights** **Joe Wrieden, Cyjax Threat Intelligence Analyst**: > “Bumblebee’s operators are exploiting the implicit trust users place in search engines. By masquerading as niche IT tools, they’re breaching networks that traditional phishing can’t reach.” **BleepingComputer Analysis**: > “The use of DDoS attacks to suppress legitimate software sources is a calculated escalation. It forces desperate users into the attackers’ traps.” ### **Mitigation Strategies** 1. **Verify Software Sources**: - Use vendor sites or trusted package managers (e.g., Chocolatey, Homebrew). - Validate checksums and digital signatures. 2. **Network Hardening**: - Block IOCs at firewalls and DNS filters. - Restrict execution of `msiexec.exe` from non-admin paths. 3. **User Training**: - Educate IT teams on SEO poisoning risks and typosquatting red flags (e.g., odd TLDs). 4. **Threat Hunting**: - Hunt for `version.dll` in process memory and anomalous `.life` domain connections.

loading..   27-May-2025
loading..   3 min read