company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

CISA

loading..
loading..
loading..

Exploitation of Windows MSHTML Spoofing Vulnerability (CVE-2024-43461) by Void Banshee APT Group

Cybersecurity and Infrastructure Security Agency (CISA) recently issued a directive to all U.S. federal agencies

16-Sep-2024
6 min read

No content available.

Related Articles

loading..

RCE

APEX ONE

Critical pre-auth RCE & auth bypass flaws in Trend Micro Apex Central & PolicySe...

Trend Micro recently patched multiple critical-severity vulnerabilities (CVE-2025-49212 to CVE-2025-49220) in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. All flaws enable pre-authentication remote code execution (RCE) or authentication bypass, fundamentally compromising the security posture of these enterprise management platforms. The root cause analysis reveals a pervasive pattern of insecure deserialization practices and broken authentication mechanisms, granting attackers SYSTEM (PolicyServer) or NETWORK SERVICE (Apex Central) privileges. With no evidence of active exploitation but lacking viable workarounds, immediate patching to PolicyServer v6.0.0.4013 and Apex Central Patch B7007 is operationally imperative. ### **Target Environment & Criticality** Trend Micro Endpoint Encryption (TMEE) PolicyServer and Apex Central serve as central nervous systems for enterprise security operations: * **TMEE PolicyServer:** Manages full-disk and removable media encryption for Windows endpoints in regulated industries (finance, healthcare, government). It is a high-value target because it enforces data protection compliance (e.g., HIPAA, GDPR, PCI-DSS). * **Apex Central:** Provides centralized monitoring and management for Trend Micro security products across large networks. A compromise offers attackers extensive lateral movement potential. The discovery of **eight critical/high vulnerabilities** (four critical in PolicyServer, two critical in Apex Central, plus four high in PolicyServer) represents a systemic failure in core security controls within these essential components of infrastructure. ### **TMEE PolicyServer Vulnerabilities (CVE-2025-49212, -49213, -49216, -49217)** * **Core Vulnerability Pattern: Insecure Deserialization** Three of the four critical flaws stem from the unsafe deserialization of untrusted data without adequate validation or type checking. This anti-pattern allows attackers to craft malicious serialized objects that, when processed, trigger unintended code execution paths. * **[CVE-2025-49212](https://success.trendmicro.com/en-US/solution/KA-0019928)(Critical):** Exploits insecure deserialization in the `PolicyValueTableSerializationBinder` class. Attackers send a specially crafted serialized object pre-authentication, resulting in **arbitrary code execution as the SYSTEM user**. * **[CVE-2025-49213](https://success.trendmicro.com/en-US/solution/KA-0019928) (Critical):** Targets deserialization within the `PolicyServerWindowsService` class. Similar to CVE-49212, unauthenticated attackers achieve **SYSTEM-level RCE** via malicious serialized payloads. * **[CVE-2025-49217](https://nvd.nist.gov/vuln/detail/CVE-2025-4217) (Critical/High\*):** Resides in the `ValidateToken` method. While exploitation complexity is marginally higher (potentially requiring specific object chaining or gadget discovery), successful attack still yields **pre-auth SYSTEM-level RCE**. (\*Note: ZDI assessed as High severity). * **Exploitation Impact:** SYSTEM privileges grant attackers complete control over the PolicyServer host, enabling decryption key theft, policy manipulation disabling encryption, installation of persistent malware, and lateral movement into managed endpoints. #### **Core Vulnerability Pattern: Broken Authentication** * **[CVE-2025-49216](https://nvd.nist.gov/vuln/detail/CVE-2022-49216) (Critical):** A fundamental flaw in the `DbAppDomain` service authentication mechanism allows **complete authentication bypass**. Remote attackers can forge requests appearing as authenticated administrators, enabling full administrative control over the PolicyServer without valid credentials. This flaw facilitates stealthy persistence, policy alteration, and credential harvesting. ### **Apex Central Vulnerabilities (CVE-2025-49219, -49220)** * **Core Vulnerability Pattern: Insecure Deserialization (Revisited)** Both critical RCE flaws in Apex Central echo the deserialization failures seen in PolicyServer, impacting different entry points: * **[CVE-2025-49219](https://nvd.nist.gov/vuln/detail/CVE-2025-49219) (Critical, CVSS 9.8):** Exploits insecure deserialization within the `GetReportDetailView` method. Unauthenticated attackers achieve **RCE in the context of the NETWORK SERVICE account**. * **[CVE-2025-49220](https://nvd.nist.gov/vuln/detail/CVE-2025-49220) (Critical, CVSS 9.8):** Leverages improper input validation during deserialization in the `ConvertFromJson` method. Pre-authentication exploitation leads to **arbitrary code execution as NETWORK SERVICE**. * **Exploitation Impact:** While NETWORK SERVICE has fewer inherent privileges than SYSTEM, compromise provides a potent beachhead within the security management infrastructure. Attackers gain access to sensitive monitoring data, agent configurations, and the ability to push malicious updates or commands to all managed security products (AV, EDR, etc.). ### **Additional Risks & Patch Scope** * **PolicyServer High-Severity Flaws:** The update also addresses four high-severity vulnerabilities, including SQL injection and privilege escalation paths. While not enabling direct pre-auth RCE, these flaws significantly lower the barrier for post-compromise persistence and data exfiltration. * **Universal Impact & Mitigation Absence:** All documented vulnerabilities impact **all prior versions** of the respective products up to the immediate predecessor of the patched release. Critically, Trend Micro confirms **no viable workarounds or mitigations exist** besides patching. * **Trend Micro Endpoint Encryption PolicyServer:** Install version **6.0.0.4013 (Patch 1 Update 6)**. * **Trend Micro Apex Central:** * **On-Premise (2019):** Apply **Patch B7007**. * **Apex Central as a Service:** Patches are applied automatically on the backend; no customer action required (verification recommended). While Trend Micro reports no active exploitation in the wild (as of June 2025), the nature of these vulnerabilities creates a desirable target for advanced threat actors: * **Pre-Authentication Exploitation:** Eliminates the need for credential theft or phishing. * **High Privileges:** SYSTEM (PolicyServer) provides maximum control; NETWORK SERVICE (Apex Central) offers broad access. * **Critical Product Function:** Compromise grants control over encryption enforcement (PolicyServer) or enterprise-wide security management (Apex Central). * **POC Availability:** Vulnerabilities of this nature (insecure deserialization) often see rapid Proof-of-Concept (PoC) development once details are public. The ZDI disclosure (noting the severity difference for CVE-49217) signals researcher attention. The cluster of vulnerabilities in Trend Micro's Apex Central and TMEE PolicyServer represents a severe systemic risk to organizations relying on these products for critical security and compliance functions. The recurring theme of **insecure deserialization** highlights a fundamental weakness in input validation and object processing pipelines, while the **authentication bypass** (CVE-49216) indicates critical flaws in access control implementation. **Immediate Actions:** 1. **Patch Urgently:** Apply PolicyServer v6.0.0.4013 and Apex Central Patch B7007 (On-Prem) immediately. Verify automatic patching for Apex Central SaaS. 2. **Inventory & Scan:** Identify all instances of Apex Central and TMEE PolicyServer within the enterprise. Conduct vulnerability scans confirming patch levels. 3. **Monitor Logs:** Aggressively monitor authentication logs, service execution logs, and network traffic to/from these servers for anomalous activity (especially pre-auth RCE attempts or unexpected administrative actions). 4. **Defense-in-Depth:** Enforce strict network segmentation, limiting access to management interfaces only to absolutely necessary administrative networks/hosts. Implement robust EDR/NDR solutions to detect post-exploitation activities. The absence of workarounds underscores the criticality of patching. Organizations in regulated sectors face not only operational disruption but also significant compliance and reputational risks if these central security management platforms are compromised. These vulnerabilities transform the very tools designed to protect the enterprise into potent vectors for its compromise.

loading..   13-Jun-2025
loading..   6 min read
loading..

Hack

Erie Insurance cyberattack (June 7) causes portal outages & claims disruption. I...

**ERIE, PA – June 12, 2025** – Erie Insurance Group and its management company, Erie Indemnity Company (Nasdaq: ERIE), have formally confirmed that a **cyberattack detected over the weekend** is the root cause of significant, ongoing business disruptions and platform outages affecting millions of policyholders. The incident, impacting critical customer-facing systems since Saturday, June 7th, continues to hinder access to online accounts and claims processing. ### Key Points: * **Cyberattack Confirmed:** Erie Indemnity disclosed the "unusual network activity" in a mandatory **Form 8-K filing** with the U.S. Securities and Exchange Commission (SEC). * **Widespread Disruption:** Customers nationwide report inability to log into the **Erie Insurance customer portal**, file claims electronically, or receive essential paperwork. * **Immediate Response Activated:** The company states it took "immediate action" upon detection, activating its **incident response protocol** to safeguard systems and data. * **Forensic Investigation Underway:** Leading **cybersecurity experts** are assisting Erie Insurance in a "comprehensive forensic analysis." Law enforcement has also been notified. * **Critical Warning Issued:** Erie Insurance explicitly states it **WILL NOT call or email customers to request payments** during this outage, urging vigilance against potential scams. ### The Incident Unfolds: From Detection to Disclosure The troubles for Erie Insurance, a major **property and casualty insurer** boasting over **6 million active policies** across auto, home, life, and business lines, began abruptly on **Saturday, June 7, 2025**. Customers attempting to access their online accounts or conduct business via the company's website encountered widespread errors and outages. Initially, the cause was unclear, leaving policyholders and independent agents who sell Erie products frustrated. The company maintained limited public communication until today's crucial disclosure. In its **SEC filing** and a corresponding notice on the **Erie Insurance website**, Erie Indemnity confirmed the origin: "On Saturday, June 7, Erie Insurance's Information Security team identified **unusual network activity**." The company emphasized its swift reaction: "We took immediate action to respond to the situation to safeguard our systems and data... Since Saturday, we have continued to take protective action for the security of our systems." This immediate action is standard protocol during cyberattacks – often involving **isolating affected systems or taking networks offline** – to contain the threat and prevent further spread. However, this necessary defense mechanism inherently causes significant **business disruption**, impacting applications and websites essential for daily operations, customer service, and agent functions. ### Ongoing Impact on Policyholders The repercussions for Erie Insurance customers are tangible and widespread: * **Portal Inaccessibility:** The primary **customer login portal** remains largely unavailable, preventing policyholders from viewing documents, making payments online, or managing their accounts digitally. * **Claims Processing Delays:** Customers report significant difficulties **filing new claims** or receiving updates on existing ones electronically. Obtaining necessary claim paperwork has also been hampered. * **Communication Challenges:** While alternative contact methods are provided (see below), the outage disrupts normal digital communication channels between the company, its agents, and its customers. ### Company Response and Critical Customer Guidance Erie Insurance acknowledges the severity and ongoing nature of the incident. "The full scope, nature, and impact of the incident are still being determined," the company stated. Its response focuses on three key areas: 1. **Investigation:** Collaborating with **law enforcement agencies** and engaging **leading cybersecurity forensics firms** to determine the attack's origin, methods, and full impact. 2. **Restoration:** Working to safely restore affected systems and services, though full recovery after major cyber incidents can often take **days or weeks**. 3. **Customer Support:** Providing alternative pathways for urgent needs: * **Claims Initiation:** Policyholders needing to file a claim are directed to contact their **local Erie Insurance agent** or call ERIE's **First Notice of Loss team directly at (800) 367-3743**. * **General Customer Care:** For other urgent issues, customers can call **(800) 458-0811**. **Crucially, Erie Insurance issued a stark warning against potential scams exploiting the chaos:** A prominent alert on their website states, "**During this outage, Erie Insurance will not call or email customers to request payments.**" The company strongly advises customers: "As is best practice, **do not click on any links from unknown sources or provide your personal information by phone or email.**" ### Unanswered Questions: Ransomware and Data Theft The **Form 8-K filing** and website notice stop short of confirming critical details that policyholders and regulators are keenly awaiting: * **Ransomware Involvement?** It remains unconfirmed whether this was a **ransomware attack**, where hackers encrypt systems and demand payment for decryption keys. * **Data Breach Confirmed?** Most critically, Erie Insurance has **not yet disclosed whether sensitive customer or corporate data was accessed or exfiltrated** during the breach. This will be a primary focus of the ongoing forensic investigation and future regulatory disclosures. ### Looking Ahead The **Erie Insurance cyberattack** underscores the persistent threat facing the insurance sector, a high-value target due to the vast amounts of sensitive personal and financial data it holds. As the forensic investigation progresses, Erie Insurance faces the dual challenge of securely restoring critical services for its **6 million policyholders** while meticulously determining the extent of any potential data compromise. Customers are advised to utilize the provided phone numbers for urgent needs, remain vigilant for phishing attempts, and monitor official Erie Insurance channels for further updates. The resolution timeline remains uncertain, reflecting the complex nature of modern cyber incident recovery.

loading..   12-Jun-2025
loading..   5 min read
loading..

Snowflake

Shinyhunter

Arkana Security listed 569GB of "new" Ticketmaster data? Our deep dive reveals i...

Over the past weekend, the cybersecurity landscape buzzed with alarming reports: the relatively new extortion outfit, **Arkana Security**, brazenly listed over **569 GB of allegedly fresh Ticketmaster data** for sale on its dark web leak site. Screenshots flaunting databases and file directories fueled immediate speculation of a devastating *new* breach impacting the world's largest ticketing platform. However, this analysis has pierced this facade, revealing a calculated deception. The data isn’t new; it’s a cynical **repackage of the massive cache stolen during the widespread 2024 Snowflake credential compromise attacks**, originally orchestrated by the notorious **ShinyHunters** group. ### **Deconstructing Arkana's Claim** 1. **Initial Posting:** Arkana Security promoted the Ticketmaster data dump, implying recent exfiltration. The sheer volume (569 GB) suggested a significant compromise, triggering urgent inquiries and media alerts. 2. **Smoking Gun - "RapeFlaked":** Crucially, one image accompanying Arkana's listing bore the damning caption: **"rapeflaked copy 4 quick sale 1 buyer."** This term is not generic hacker slang; it's a direct reference to **"RapeFlake"** – a **custom malicious tool** specifically developed and deployed by the threat actors behind the Snowflake attacks. RapeFlake's purpose was reconnaissance and data exfiltration from Snowflake customer instances using stolen credentials. 3. **Digital Fingerprint Match:** Security researchers conducted a meticulous comparison. The **file names, structures, and samples** showcased by Arkana **precisely matched** data samples they had previously analyzed and confirmed as originating from the **Ticketmaster breach via Snowflake**, disclosed and confirmed by the company in late May 2024. This digital fingerprint is undeniable evidence of origin. ### **Revisiting the Snowflake Onslaught** The **2024 Snowflake credential theft campaign** stands as one of the most significant supply-chain-style attacks of the year: * **Method:** Attackers leveraged credentials stolen by **infostealer malware** (like Vidar, Risepro, Lumma, etc.) from infected employee devices. These credentials provided direct access to Snowflake customer accounts *without* exploiting vulnerabilities in Snowflake itself. * **Perpetrator:** The campaign was widely claimed and executed by **ShinyHunters**, a prolific and aggressive extortion group with a long history of high-profile breaches. * **Victims:** Beyond Ticketmaster, confirmed victims included **Santander Bank, AT&T, Advance Auto Parts, Neiman Marcus, Los Angeles Unified School District (LAUSD), Pure Storage, and Cylance (a subsidiary of BlackBerry)** – demonstrating the attack's massive breadth. * **Ticketmaster's Ordeal:** Ticketmaster became a prime ShinyHunters target. After the initial Snowflake compromise, the group escalated extortion by leaking samples, even claiming to release print-at-home tickets, including highly sought-after **Taylor Swift tickets**, on hacking forums. Ticketmaster officially confirmed the breach stemming from the Snowflake incident in late May. ### **Arkana's Play: Opportunism, Recycling, and Uncertainty** Arkana Security's actions represent a concerning trend in the cybercrime ecosystem: 1. **Data Recycling for Profit:** Instead of conducting a new breach, Arkana is attempting to **monetize previously stolen data**. This could be because: * They purchased the data from ShinyHunters or a middleman. * They are a splinter group or affiliates with access to the original haul. * They simply obtained a copy circulating in underground markets. 2. **Creating Illusion for Leverage:** By presenting old data as new ("quick sale"), Arkana aims to: * Generate fresh panic and media attention. * Apply renewed pressure on Ticketmaster. * Attract a buyer willing to pay for what they mistakenly believe is exclusive, newly compromised information. 3. **ShinyHunters Connection? Murky Waters:** The direct link between Arkana and ShinyHunters remains unclear: * **Collaboration?** Are they working together to maximize extortion pressure or reach different buyer pools? * **Resellers?** Is Arkana purely a downstream distributor? * **Rebranding/Splintering?** Given ShinyHunters' history of arrests (see below), is Arkana a new face for old actors? * The shared reference to RapeFlake strongly suggests *some* level of connection or access to the original attackers' tools and narratives. ### **ShinyHunters Shadow** Understanding ShinyHunters is key to contextualizing this event: * **Prolific Track Record:** Responsible for countless breaches, including the monumental **PowerSchool compromise** affecting **62.4 million students and 9.5 million teachers** across 6,505 school districts globally. * **Evolving Tactics:** Recently linked by Mandiant to campaigns targeting **Salesforce accounts**, stealing customer data for extortion. * **Identity Crisis:** Law enforcement has scored significant victories: * Sebastien Raoult ("Sezyo Kaizen") sentenced to 3 years and a $5m restitution order (2023). * Multiple alleged members arrested in France and Australia (Operation TOURNIQUET, 2024). * This raises a critical question: Is the *current* ShinyHunters activity the original group, remnants, or entirely new actors cynically adopting the infamous brand to confuse law enforcement and capitalize on its notoriety? Adding intrigue, Arkana Security **removed the Ticketmaster data listing from their leak site on June 9th**. Possible reasons include: * Securing a buyer in their desired "quick sale." * Negative attention from researchers/media debunking the "new breach" claim. * Pressure from law enforcement or other threat actors. * Internal group decisions.

loading..   10-Jun-2025
loading..   4 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.