
Eggfree Cake Box

Data breach


Eggfree Cake Box disclosed data breach to their customers, which exposed credit cards

Eggfree Cake Box discovered the breach on April 27, 2020, when...

19-Jun-2021
3 min read

No content available.

Related Articles


Sp

Global Law Enforcement Shatters 20-Year-Old Botnet 'Shadow Empire'—Criminals Rak...

In a landmark global operation, U.S. and international authorities have dismantled one of the longest-running cybercrime networks in history. Dubbed **Operation Moonlander**, the takedown targeted the **Anyproxy** and **5socks** botnets, which infected thousands of aging routers over two decades to fuel a $46 million illicit proxy service empire. The U.S. Department of Justice (DOJ) unsealed indictments against **four individuals**, three Russians and one Kazakhstani, exposing their roles in operating malware-laden networks that enabled cyberattacks, ad fraud, and cryptocurrency theft worldwide.

---

### The Rise and Fall of Anyproxy & 5socks

**A 20-Year Cybercrime Legacy**

Court documents reveal the botnet began infecting routers as early as **2004**, exploiting devices from brands like **Linksys** and **Cisco** to create sprawling proxy networks. These proxies, marketed on **Anyproxy.net** and **5socks.net**, were sold to cybercriminals for $9.95 to $110 monthly, offering anonymity for illegal activities ranging from **DDoS attacks** to **credential brute-forcing**.

**How the Botnet Operated**

- **Targeting Vulnerable Hardware**: The hackers exploited **end-of-life (EoL) routers**, devices no longer receiving security updates, using a variant of **TheMoon malware**.
- **Proxy Networks for Hire**: Compromised routers were repurposed into “residential proxies,” masking malicious traffic as legitimate user activity.
- **Evading Detection**: Only **10% of infected IPs** triggered alerts on platforms like VirusTotal, making the networks ideal for high-risk criminal operations.

---

### International Collaboration: A Global Takedown

Operation Moonlander united the **U.S. DOJ**, **Dutch National Police**, **Royal Thai Police**, and analysts from **Lumen Technologies’ Black Lotus Labs**. Key actions included:

1. **Seizing Domains**: Anyproxy.net and 5socks.net now display law enforcement seizure banners (see image below).
2. **Charging Suspects**:
   - **Alexey Chertkov**, **Kirill Morozov**, and **Aleksandr Shishkin** (Russian nationals)
   - **Dmitriy Rubtsov** (Kazakhstani national)

The group faces charges of **conspiracy**, **damaging protected computers**, and **domain fraud**.

**Infrastructure Insights**

- Servers hosted in **Russia** (via JCS Fedora Communications), the **Netherlands**, and **Türkiye** supported the botnet.
- Payments were processed in **cryptocurrency**, complicating financial tracking.

---

### TheMoon Malware: A Silent Router Killer

The FBI’s latest advisory warns that the botnet relied on a **new variant of TheMoon malware**, which:

- Exploited routers with **remote administration features enabled**.
- Installed covert proxies to facilitate **cybercrime-for-hire services**.

**Affected Devices**

| Brand   | Models                                                                  |
|---------|-------------------------------------------------------------------------|
| Linksys | E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N |
| Cisco   | M10, Cradlepoint E100                                                   |

---

### Why Residential Proxies Are a Cybercrime Goldmine

Residential IPs are prized for their ability to mimic legitimate traffic. According to **Black Lotus Labs**:

> *“Proxies like Anyproxy help criminals bypass fraud detection systems, making ad scams, credential stuffing, and data theft harder to trace.”*

**Documented Misuses**

- **Ad Fraud**: Generating fake clicks to siphon advertising revenue.
- **DDoS Attacks**: Masking the origin of disruptive traffic floods.
- **Data Exploitation**: Harvesting sensitive information from compromised networks.

---

### FBI Warning: Secure Your Routers Now

The FBI’s **public service announcement** urges users and businesses to:

1. **Replace EoL Routers**: Upgrade devices no longer supported by manufacturers.
2. **Disable Remote Administration**: Limit exposure to malware like TheMoon.
3. **Monitor Network Traffic**: Use tools to detect unusual proxy activity.

**Quote from the DOJ**:

> *“This operation disrupts a critical tool for cybercriminals. Residential proxies are not just a privacy threat—they’re a gateway to global harm.”*

---

### Broader Implications and Lessons Learned

- **The Cost of Outdated Tech**: The botnet thrived on neglected hardware, underscoring risks of using unsupported devices.
- **Global Jurisdiction Challenges**: Prosecuting foreign nationals (e.g., Russian suspects) highlights legal hurdles in cybercrime enforcement.
- **Public-Private Partnerships**: Collaboration with firms like **Lumen** proved vital in mapping the botnet’s infrastructure.

---

### What’s Next?

While Operation Moonlander marks a victory, experts warn botnets will adapt. **Black Lotus Labs** notes:

> *“Threat actors increasingly target IoT devices. Vigilance and firmware updates are non-negotiable.”*

**SEO Keywords**: Operation Moonlander, Anyproxy botnet, 5socks, FBI cybercrime, TheMoon malware, residential proxies, end-of-life routers, DDoS attacks, cybercrime-for-hire, Lumen Black Lotus Labs

09-May-2025
4 min read

WP

Hackers are exploiting a critical privilege escalation flaw in OttoKit (SureTrig...

A critical security flaw in the widely used OttoKit WordPress plugin (formerly SureTriggers) is being actively exploited by hackers to hijack websites by creating unauthorized administrator accounts. Tracked as **CVE-2025-27007**, this vulnerability exposes over 100,000 WordPress sites to unauthenticated privilege escalation attacks, enabling threat actors to take full control of vulnerable installations. With exploitation activity surging since its public disclosure on May 5, 2025, cybersecurity experts urge administrators to patch immediately and audit their systems for signs of compromise.

### Anatomy of CVE-2025-27007

**OttoKit**, a popular automation plugin for WordPress, allows users to integrate their websites with third-party services and automate workflows. However, a logic flaw in its REST API endpoints opened the door for attackers to bypass authentication checks.

**Root Cause**: The vulnerability resides in the `create_wp_connection` function, which failed to validate user permissions when application passwords were not configured. Attackers exploited this oversight to send malicious API requests, bypassing authentication and granting themselves administrative privileges.

**How Exploitation Works**:

1. **Initial Access**: Attackers target the `/wp-json/sure-triggers/v1/create_wp_connection` endpoint, mimicking legitimate integration requests.
2. **Brute-Force Tactics**: Hackers guess or brute-force administrator usernames (e.g., “admin”) and inject random passwords, fake access keys, and spoofed email addresses (e.g., `admin@ottokit[.]com`).
3. **Privilege Escalation**: Successful exploitation triggers follow-up requests to `/sure-triggers/v1/automation/action`, leveraging the `"type_event": "create_user_if_not_exists"` payload to silently create new admin accounts.

**Patchstack**, the vulnerability disclosure platform, [confirmed](https://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched/) that researcher Denver Jackson reported the flaw on April 11, 2025. The plugin’s developers released a fix in **version 1.0.83** on April 21, adding validation checks for access keys.

### Timeline of Exploitation and Disclosure

- **April 11, 2025**: Vulnerability reported to Patchstack.
- **April 12**: Vendor notified.
- **April 21**: Patched version (1.0.83) released.
- **April 24**: Most users force-updated to the secure version.
- **May 5**: Patchstack publishes advisory.
- **May 5, 90 minutes later**: Active exploitation begins.

### Why This Vulnerability Matters

1. **High Impact, Low Complexity**: Attackers need no prior authentication or advanced tools, only basic knowledge of WordPress APIs.
2. **Stealthy Attacks**: The exploit leaves minimal traces, as rogue admin accounts can be masked with legitimate-looking credentials.
3. **Widespread Risk**: OttoKit’s 100,000+ install base includes e-commerce sites, blogs, and enterprise platforms, amplifying potential damage.

### Indicators of Compromise (IoCs)

Website administrators should scrutinize their systems for:

- **Suspicious API Activity**:
  - Frequent POST requests to `/create_wp_connection` or `/automation/action`.
  - Use of invalid access keys (e.g., “ottokit_1234”) or randomized strings.
- **Unexpected Admin Users**: Accounts with usernames like “admin,” “wpadmin,” or emails such as `admin@ottokit[.]com`.
- **Log Entries**: REST API calls from unfamiliar IP addresses, particularly following the May 5 disclosure.

### Mitigation and Remediation Steps

1. **Immediate Patching**:
   - Confirm OttoKit is updated to **v1.0.83 or later**.
   - Manually update if auto-updates were disabled.
2. **User Account Audit**:
   - Check WordPress user lists for unrecognized admins.
   - Remove suspicious accounts and enforce strong passwords.
3. **Log Analysis**:
   - Use security plugins like Wordfence or Sucuri to scan for IoCs.
   - Review `wp-admin` and REST API access logs for brute-force patterns.
4. **Harden Security**:
   - **Disable Unused Plugins**: Reduce attack surfaces.
   - **Enforce Application Passwords**: Require unique passwords for integrations.
   - **Deploy a WAF**: Block malicious payloads targeting OttoKit endpoints.

This incident marks the **second critical flaw** in OttoKit since April 2025, following **CVE-2025-3102**, another authentication bypass bug. The recurrence highlights systemic risks in third-party plugins, which power 60% of WordPress sites but often lack rigorous security testing.

- **Zero-Day Risks**: Attackers increasingly exploit vulnerabilities within hours of public disclosure.
- **Supply Chain Threats**: A single vulnerable plugin can jeopardize entire website ecosystems.
- **Proactive Monitoring**: Real-time logging and intrusion detection systems (IDS) are critical for early threat detection.

_“Immediately update OttoKit and audit user roles. Assume compromise if suspicious activity is detected.”_
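The IoC and log-analysis steps above, turned into a small hunt an administrator can run over exported access logs and a WordPress user list. This is an added example, not code from the article, Patchstack or the OttoKit project. It assumes Apache/nginx "combined" log format and the `/wp-json/sure-triggers/v1/` routes the article names; the log lines, the user records and the `threshold`/`window_seconds` tuning are constructed for illustration (RFC 5737 addresses).

```python
"""Hunt for CVE-2025-27007 exploitation patterns in access logs and user lists.
Added example (not the article's, Patchstack's or OttoKit's code). Assumes
combined log format and the /wp-json/sure-triggers/v1/ routes; sample data is
constructed."""
import re
from collections import defaultdict
from datetime import datetime

CONNECT_PATH = "/wp-json/sure-triggers/v1/create_wp_connection"
ACTION_PATH = "/wp-json/sure-triggers/v1/automation/action"
SUSPICIOUS_USERNAMES = {"admin", "wpadmin"}      # IoC usernames from the article
SUSPICIOUS_EMAIL_DOMAIN = "ottokit.com"          # IoC email domain from the article

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status).
    Returns None for lines that do not match, so malformed input is skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0].rstrip("/")  # drop query, trailing slash
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def scan_access_log(lines, threshold=5, window_seconds=600):
    """Per source IP, count POSTs to the two OttoKit endpoints and report:
      brute_force - at least `threshold` create_wp_connection POSTs within `window_seconds`
      chain       - an automation/action POST that follows a create_wp_connection POST
    A legitimate integration also produces one connect-then-action pair, so `chain`
    alone means "review this IP"; brute_force is the stronger signal."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path in (CONNECT_PATH, ACTION_PATH):
            events[ip].append((ts, path, status))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        connects = [ts for ts, path, _ in evs if path == CONNECT_PATH]
        # Sliding window: do `threshold` consecutive attempts fit inside the window?
        brute = any(
            (connects[i + threshold - 1] - connects[i]).total_seconds() <= window_seconds
            for i in range(len(connects) - threshold + 1)
        )
        seen_connect, chain = False, False
        for _, path, _ in evs:
            if path == CONNECT_PATH:
                seen_connect = True
            elif seen_connect:            # ACTION_PATH after a connection attempt
                chain = True
                break
        findings[ip] = {
            "connect_posts": len(connects),
            "action_posts": len(evs) - len(connects),
            "brute_force": brute,
            "chain": chain,
            "suspicious": brute or chain,
        }
    return findings


def audit_admin_users(users, known_admins):
    """Flag administrator accounts outside the known set or matching the article's IoCs.
    Returns [(login, [reasons])]; `users` mirrors a WordPress user export."""
    flagged = []
    for u in users:
        if "administrator" not in u.get("roles", []):
            continue
        reasons = []
        if u["login"] not in known_admins:
            reasons.append("not in known admin list")
        if u["login"].lower() in SUSPICIOUS_USERNAMES:
            reasons.append("IoC username")
        if u["email"].lower().endswith("@" + SUSPICIOUS_EMAIL_DOMAIN):
            reasons.append("IoC email domain")
        if reasons:
            flagged.append((u["login"], reasons))
    return flagged


SAMPLE_LOG = [  # constructed: 7 rapid connection attempts, then an automation/action call
    f'203.0.113.7 - - [05/May/2025:14:02:{s:02d} +0000] "POST {CONNECT_PATH} HTTP/1.1" 403 128 "-" "python-requests/2.31"'
    for s in range(1, 8)
] + [
    f'203.0.113.7 - - [05/May/2025:14:02:09 +0000] "POST {ACTION_PATH} HTTP/1.1" 200 256 "-" "python-requests/2.31"',
    '198.51.100.20 - - [05/May/2025:14:05:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    f'198.51.100.20 - - [05/May/2025:14:06:00 +0000] "POST {CONNECT_PATH} HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [  # constructed user list
    {"login": "site_owner", "email": "owner@example.com", "roles": ["administrator"]},
    {"login": "editor1", "email": "editor@example.com", "roles": ["editor"]},
    {"login": "wpadmin", "email": "admin@ottokit.com", "roles": ["administrator"]},
]

if __name__ == "__main__":
    for ip, finding in scan_access_log(SAMPLE_LOG).items():
        print(ip, finding)
    print(audit_admin_users(SAMPLE_USERS, known_admins={"site_owner"}))
```

Run against real logs, feed `scan_access_log` the lines of the web server's access log and give `audit_admin_users` the site's genuine administrator logins as `known_admins`; the `chain` signal on its own will also fire for a legitimate integration set up during the window, so treat it as a review queue and the brute-force count as the alert.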

07-May-2025
4 min read

Botnet

MIRAI

Administrators are advised to reference Samsung’s security advisory and SSD-Disc...

A severe vulnerability in Samsung’s MagicINFO Server, a widely used content management system (CMS) for digital signage, is being actively exploited by hackers to hijack devices and deploy malware, including a Mirai botnet variant. The unpatched flaw allows attackers to execute malicious code remotely without authentication, posing significant risks to organizations globally.

**Details of the Exploitation**

Tracked as **CVE-2024-7399**, the vulnerability stems from improper pathname restrictions in Samsung MagicINFO 9 Server, enabling attackers to upload arbitrary files with system-level privileges. The flaw, patched in August 2024 with version 21.1050, resurfaced this week after security researchers at SSD-Disclosure published a proof-of-concept (PoC) exploit on April 30, 2025.

The exploit targets the server’s file upload functionality, designed to distribute content to displays. Attackers abuse this feature by sending unauthenticated POST requests to upload malicious JavaServer Pages (JSP) web shells. Using path traversal techniques, these files are placed in web-accessible directories, allowing threat actors to execute operating system commands remotely. By appending a `cmd` parameter to the uploaded JSP file’s URL, attackers can run commands directly and view outputs in a browser.

**Active Campaigns and Impact**

Cybersecurity firm Arctic Wolf confirmed active exploitation of CVE-2024-7399 within days of the PoC’s release. “The low barrier to entry, combined with publicly available exploit code, makes this vulnerability a prime target for threat actors,” the company warned. Johannes Ullrich, a prominent threat analyst, corroborated these findings, noting a Mirai botnet variant leveraging the flaw. Mirai, infamous for hijacking devices into botnets for distributed denial-of-service (DDoS) attacks, could transform compromised digital signage systems into attack vectors.

Samsung MagicINFO Server is deployed across high-traffic sectors, including retail chains, airports, hospitals, and corporate campuses. A successful breach could allow attackers to:

- Disrupt critical signage (e.g., flight information, medical alerts).
- Deploy ransomware or spyware.
- Use compromised devices as footholds for lateral network movement.

**Urgent Mitigation Steps**

Samsung urges all users to immediately upgrade to MagicINFO Server version 21.1050 or later. Organizations unable to patch promptly should:

- Isolate MagicINFO servers from the internet.
- Monitor network traffic for suspicious file uploads or POST requests.
- Audit systems for unexpected JSP files or unauthorized administrative activity.

**Broader Implications**

This incident highlights the risks of delayed patch adoption and the rapid weaponization of disclosed vulnerabilities. With digital signage systems often overlooked in security strategies, experts warn that unpatched devices could fuel escalating attacks. “Critical infrastructure sectors must prioritize vulnerability management, especially for internet-facing systems,” Arctic Wolf emphasized. “Threat actors are agile—defenders need to be faster.”

---

**Follow-Up Actions:** Administrators are advised to reference Samsung’s security advisory and SSD-Disclosure’s technical analysis (CVE-2024-7399) for additional mitigation guidance.

*Stay updated via [Your News Outlet] for further developments on this ongoing threat.*
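The root cause the article describes (improper pathname restrictions that let an uploaded file land outside the content directory) and its advice to audit for unexpected JSP files, shown as an added Python example that is not Samsung’s MagicINFO code or SSD-Disclosure’s analysis. The upload directory `CONTENT_ROOT`, the extension allowlist, the sample directory listing and every file name are constructed; the containment check is lexical (`posixpath`), so it runs without a filesystem and does not account for symlinks, which a real server should resolve before writing.

```python
"""Upload-path handling for a content server: the weak pattern behind
path-traversal writes beside a hardened version, plus an audit for unexpected
JSP files. Added example, not Samsung's code; all paths and names are constructed."""
import posixpath

CONTENT_ROOT = "/srv/signage/content"                          # hypothetical upload directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".mp4", ".pdf"}  # constructed: signage content only
SERVER_SIDE_EXTENSIONS = {".jsp", ".jspx", ".jspf"}             # files the app server executes


def weak_upload_path(base_dir, client_filename):
    """Weak pattern: the client-supplied name is joined as-is, so ".." components
    walk out of base_dir and the file can land in a web-executable directory."""
    return posixpath.normpath(posixpath.join(base_dir, client_filename))


def safe_upload_path(base_dir, client_filename):
    """Hardened: treat the client value as a bare filename, allow only content
    extensions, and re-check containment. Raises ValueError on rejection."""
    base = posixpath.normpath(base_dir)
    name = client_filename
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("directory components are not allowed in a filename")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not an allowed content type")
    final = posixpath.normpath(posixpath.join(base, name))
    # Defense in depth: independent of the checks above, the result must sit under base.
    if final == base or posixpath.commonpath([base, final]) != base:
        raise ValueError("resolved path leaves the upload directory")
    return final


def vet_upload(base_dir, client_filename):
    """Wrapper returning (True, path) when accepted or (False, reason) when rejected."""
    try:
        return True, safe_upload_path(base_dir, client_filename)
    except ValueError as exc:
        return False, str(exc)


def find_unexpected_server_files(paths, expected):
    """Audit helper: server-executable files present on disk but not in the deployment's
    expected set. `paths` would come from a recursive listing of the web root."""
    return sorted(
        p for p in paths
        if posixpath.splitext(p)[1].lower() in SERVER_SIDE_EXTENSIONS and p not in expected
    )


SAMPLE_LISTING = [  # constructed recursive listing of the application's web root
    "/srv/tomcat/webapps/ROOT/index.jsp",
    "/srv/tomcat/webapps/ROOT/x.jsp",
    "/srv/signage/content/banner.png",
]
EXPECTED_JSP = {"/srv/tomcat/webapps/ROOT/index.jsp"}  # constructed: pages shipped with the app

if __name__ == "__main__":
    print("weak:", weak_upload_path(CONTENT_ROOT, "../../tomcat/webapps/ROOT/x.jsp"))
    for name in ("banner.png", "shell.jsp", "../../tomcat/webapps/ROOT/x.jsp"):
        print(name, "->", vet_upload(CONTENT_ROOT, name))
    print("unexpected:", find_unexpected_server_files(SAMPLE_LISTING, EXPECTED_JSP))
```

The weak function shows why an extension allowlist alone is not enough: the traversal escapes the directory before the extension is ever considered. The hardened version rejects any separator rather than stripping it, so a rejected upload leaves an auditable error instead of silently succeeding under a different name, and the final `commonpath` check stays correct even if an earlier check is later loosened.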

06-May-2025
3 min read