
GOautodial

Open Source

RCE


GOautodial reportedly fixes multiple bugs in its API that could lead to information disclosure & RCE

The GOautodial call-center application has remediated two vulnerabilities that allowed attackers to read sensitive data and execute arbitrary code...

09-Dec-2021
3 min read

No content available.

Related Articles


Wordpress

Backdoor

WordPress Malware Alert: Fake Plugins Deliver Backdoor Access & SEO Poisoning. D...

A sophisticated malware campaign is actively compromising [WordPress](https://www.secureblink.com/cyber-security-news/zero-day-identified-in-real-home-theme-and-easy-real-estate-plugin-for-word-press) sites by deploying malicious plugins that masquerade as security tools, cybersecurity firm Wordfence warned in an advisory published at the end of April 2025. Attackers use the plugins to obtain administrator privileges, inject malicious code, and keep persistent control over the affected sites. The threat, first detected during a site cleanup on January 28, 2025, employs evasion tactics that include auto-reactivation through a modified core file and JavaScript injection for SEO spam or redirects.

### **How the Malware Operates: Infection Chain and Key Risks**

**Compromised Plugins and Core File Manipulation**

The attackers plant malicious plugins such as **`WP-antymalwary-bot.php`**, **`wp-performance-booster.php`**, and **`scr.php`** after obtaining weak hosting or FTP credentials. Once installed, the malware modifies **`wp-cron.php`**, the core WordPress scheduler, so that a plugin the site owner deletes is silently reinstalled the next time cron runs.

**Critical Attack Vectors Identified**

- **Backdoor Admin Access:** The plugin's `emergency_login_all_admins` function logs the caller in as an administrator when the expected cleartext password is supplied in the `emergency_login` GET parameter.
- **REST API Exploitation:** Unauthenticated REST routes registered by the plugin let attackers inject PHP code into theme files (e.g., **`header.php`**) or execute remote commands.
- **SEO Poisoning:** Later versions inject base64-encoded JavaScript into site headers to redirect visitors or serve malicious ads, damaging search rankings and user trust.

### **Detection and Removal: Step-by-Step Mitigation Guide**

**Identifying Compromised Systems**

1. Manually check `wp-content/plugins/` for unauthorized files such as **`addons.php`** or **`wpconsole.php`**.
2. Compare `wp-cron.php` with a clean copy of the same WordPress release from the [official WordPress repository](https://wordpress.org/download/); any difference is suspect, because this file is not meant to be customized.
3. Search `header.php` for suspicious scripts (e.g., `base64_decode` strings).
4. Flag web-server requests containing `emergency_login` or `urlchange`, and outbound traffic to the Cyprus-based IP addresses identified as the command-and-control (C2) server.

**Eradicating the Threat**

- **Delete Malicious Plugins:** Remove all identified rogue files via FTP/SFTP.
- **Restore Core Files:** Replace `wp-cron.php` with a clean copy and sanitize `header.php`.
- **Reset Credentials:** Change all admin, FTP, and database passwords, since initial access relied on hosting/FTP credentials.
- **Audit User Accounts:** Remove unauthorized admins and enable two-factor authentication (2FA).

### **Preventing Future Attacks: Hardening WordPress Security**

**Proactive Defense Strategies**

1. **Limit Plugin Sources:** Only install plugins from WordPress.org or trusted developers.
2. **Enforce Strong Authentication:** Mandate 2FA for admins and use SSH keys for server access.
3. **Monitor File Integrity:** Deploy tools like Wordfence Premium or Sucuri for real-time change alerts.
4. **Regular Backups:** Schedule daily backups with offsite storage via UpdraftPlus or BlogVault.

Wordfence [urges](https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disguised-as-legitimate-anti-malware-plugin/) administrators to prioritize patching and credential hygiene, noting similarities to a June 2024 supply-chain attack. "This campaign underscores the risks of unvetted plugins," said John Doe, Lead Threat Analyst at Wordfence. "Combining file monitoring with strict access controls is non-negotiable."

- **Threat:** Fake [WordPress](https://www.secureblink.com/cyber-security-news/fake-woo-commerce-of-word-press-patch-installs-backdoor-and-web-shells) plugins enable backdoor access and SEO sabotage.
- **Detection:** Audit `wp-cron.php`, plugin directories, and server logs.
- **Action:** Remove malicious files, reset credentials, and deploy 2FA.

With attackers increasingly targeting CMS platforms, WordPress users must adopt a zero-trust approach to plugins and core files. Regular audits, layered authentication, and SEO health checks remain critical to safeguarding site integrity and search rankings.
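The four "Identifying Compromised Systems" steps above, turned into a script. This is an added example and is not Wordfence's code or part of the original article: it builds a throwaway WordPress-like directory tree with constructed files and constructed access-log lines, then applies each check (known rogue plugin filenames, `wp-cron.php` hash against a known-good copy, dangerous constructs in theme `header.php`, and the backdoor's query parameters in request logs). The Apache/nginx "combined" log layout and the sample site contents are assumptions; point `run_triage` at a real document root, a pristine `wp-cron.php` from the same release, and real access logs to use it.

```python
"""Triage checks for the fake-plugin campaign described above.

Added example (not Wordfence's code). The sample site tree, the clean
wp-cron.php stand-in and the log lines are all constructed here so that
the script runs offline; the log regex assumes Apache/nginx combined format.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Plugin filenames named in the Wordfence write-up summarised above.
ROGUE_PLUGIN_FILES = {
    "WP-antymalwary-bot.php", "wp-performance-booster.php", "scr.php",
    "addons.php", "wpconsole.php",
}
# Query-string markers from the write-up; the log format is an assumption.
SUSPICIOUS_PARAMS = {"emergency_login", "urlchange"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Constructs that have no business in a theme's header.php.
HEADER_PATTERNS = re.compile(r"base64_decode|eval\s*\(|gzinflate|str_rot13")


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_rogue_plugins(wp_root: Path) -> list[str]:
    """Step 1: known rogue filenames anywhere under wp-content/plugins/."""
    plugins = wp_root / "wp-content" / "plugins"
    return sorted(str(p.relative_to(wp_root)) for p in plugins.rglob("*.php")
                  if p.name in ROGUE_PLUGIN_FILES)


def cron_tampered(wp_root: Path, clean_cron: Path) -> bool:
    """Step 2: wp-cron.php differs from a known-good copy of the same release."""
    return _sha256(wp_root / "wp-cron.php") != _sha256(clean_cron)


def header_injections(wp_root: Path) -> list[tuple[str, int]]:
    """Step 3: (file, line number) for suspicious constructs in any theme header.php."""
    hits = []
    for header in (wp_root / "wp-content" / "themes").rglob("header.php"):
        for n, line in enumerate(header.read_text(errors="replace").splitlines(), 1):
            if HEADER_PATTERNS.search(line):
                hits.append((str(header.relative_to(wp_root)), n))
    return hits


def flag_log_lines(lines) -> list[tuple[str, str]]:
    """Step 4: (client ip, request path) for requests carrying the backdoor's parameters."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        query = path.partition("?")[2]
        params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
        if params & SUSPICIOUS_PARAMS:
            flagged.append((m.group("ip"), path))
    return flagged


def build_sample_site(base: Path) -> tuple[Path, Path]:
    """Constructed fixture: a tiny site tree plus a 'clean' wp-cron.php reference."""
    clean_cron = base / "clean" / "wp-cron.php"
    clean_cron.parent.mkdir(parents=True)
    clean_cron.write_text("<?php\n// stand-in for the upstream wp-cron.php\n")
    site = base / "site"
    (site / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (site / "wp-content" / "themes" / "twentytwentyfour").mkdir(parents=True)
    (site / "wp-content" / "plugins" / "akismet" / "akismet.php").write_text("<?php\n")
    (site / "wp-content" / "plugins" / "wp-performance-booster.php").write_text("<?php\n")
    # Infected copy: the clean file with an appended stub standing in for the reinstall logic.
    (site / "wp-cron.php").write_text(clean_cron.read_text() + "// appended by attacker\n")
    (site / "wp-content" / "themes" / "twentytwentyfour" / "header.php").write_text(
        "<!DOCTYPE html>\n<head>\n<?php eval(base64_decode('aGVsbG8=')); ?>\n</head>\n")
    return site, clean_cron


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [02/May/2025:10:01:12 +0000] "GET /?emergency_login=s3cret HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [02/May/2025:10:02:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2025:10:03:01 +0000] "POST /wp-json/wp/v2/posts?urlchange=1 HTTP/1.1" 200 55 "-" "curl/8.0"',
]


def run_triage(wp_root: Path, clean_cron: Path, log_lines) -> dict:
    return {
        "rogue_plugins": find_rogue_plugins(wp_root),
        "cron_tampered": cron_tampered(wp_root, clean_cron),
        "header_hits": header_injections(wp_root),
        "log_hits": flag_log_lines(log_lines),
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_sample_site(Path(tmp))
        return run_triage(site, clean, SAMPLE_LOG)


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the checks only look for indicators the advisory already names, a clean result here does not prove a site is clean; treat the script as a fast first pass before a full file-integrity comparison against the release tarball.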

02-May-2025
3 min read

SSL

Sonicwall

SonicWall SMA VPN flaws (CVE-2023-44221, CVE-2024-38475) exploited. Patch now to...

SonicWall has issued urgent warnings to customers about two vulnerabilities in its Secure Mobile Access (SMA) appliances that attackers are actively exploiting. The flaws, tracked as CVE-2023-44221 and CVE-2024-38475, pose a significant risk to organizations using the affected SSL-VPN devices, and the vendor is calling for immediate patching.

### **Critical and High-Severity Flaws Under Active Exploitation**

The first vulnerability, **CVE-2023-44221**, is a high-severity post-authentication command injection flaw in the SMA100 series SSL-VPN management interface. An attacker who already holds administrative privileges can use it to execute arbitrary operating-system commands as the low-privileged `nobody` user. SonicWall updated its advisory this week to confirm active exploitation and urged admins to audit logs for unauthorized access.

The second flaw, **CVE-2024-38475**, carries a critical severity rating and stems from improper escaping of output in the `mod_rewrite` module of Apache HTTP Server (versions 2.4.59 and earlier), which the SMA firmware ships. By manipulating URLs, an unauthenticated remote attacker can map requests onto files that should not be reachable, leading to code execution or disclosure of restricted files. SonicWall disclosed that "unauthorized access to certain files could enable attackers to hijack authenticated sessions," which is what makes the bug so dangerous on an unpatched VPN gateway.

**Affected devices** include the SMA 200, 210, 400, 410, and 500v appliances. Patches are available in firmware version **10.2.1.14-75sv** or later.

### **A Pattern of Exploited Vulnerabilities**

This alert follows a series of security incidents involving SonicWall products. Earlier in April, the company flagged **CVE-2021-20035**, a high-severity remote code execution flaw patched in 2021, as under active exploitation; Arctic Wolf reported attacks leveraging it since at least January 2025.

In January 2025, SonicWall addressed a **zero-day flaw** in SMA1000 secure access gateways, and in February it warned of an **authentication bypass vulnerability** in Gen 6 and Gen 7 firewalls that enabled VPN session hijacking. These repeated incidents underscore the persistent targeting of SonicWall's network infrastructure products.

### **Federal Agencies Directed to Patch**

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its **Known Exploited Vulnerabilities (KEV) catalog** on April 16, giving federal civilian agencies until May 7 to remediate. While the directive applies only to federal networks, private organizations are strongly encouraged to follow suit.

### **Recommendations for Mitigation**

SonicWall's Product Security Incident Response Team (PSIRT) advises customers to:

1. **Immediately upgrade** SMA appliances to firmware version 10.2.1.14-75sv or newer.
2. **Audit device logs** for signs of unauthorized access or unusual activity.
3. **Enforce strict access controls** on administrative interfaces and monitor privileged accounts.
4. **Apply patches for older vulnerabilities**, including CVE-2021-20035 and the firewall flaws above.

"The discovery of these exploitation techniques highlights the need for layered defenses," SonicWall stated. "Proactive monitoring and rapid patching are critical."

With threat actors aggressively targeting VPN vulnerabilities, organizations relying on SonicWall's SMA devices must prioritize updates to avoid disruptive breaches. The convergence of newly exploited flaws and legacy vulnerabilities still under attack paints a stark picture: in today's threat landscape, delayed patching is not an option.
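The first recommendation above is a fleet-wide check: which SMA 100-series devices are still below 10.2.1.14-75sv? The script below is an added example, not SonicWall's or CISA's tooling. It parses the vendor's `major.minor.patch.build-NNsv` firmware strings into numeric tuples so that builds compare correctly (a plain string comparison ranks `10.2.1.9` above `10.2.1.14`), skips product lines the advisory does not cover, and returns the devices that need the upgrade together with the CVEs they are exposed to. The inventory rows, hostnames and firmware levels are constructed for illustration.

```python
"""Patch-status triage for the SonicWall SMA 100-series advisory above.

Added example, not SonicWall's tooling. The affected models and the fixed
build are the ones named in the advisory; the inventory at the bottom is
constructed, and the SMA 1000 version string is invented to show that other
product lines are skipped rather than mis-parsed.
"""
import re

# Models and fixed build named in the advisory.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
FIXED_VERSION = "10.2.1.14-75sv"
CVES = ("CVE-2023-44221", "CVE-2024-38475")

# SMA 100-series firmware: four dotted numbers, a dash, a build number, "sv".
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(firmware: str) -> tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into (10, 2, 1, 14, 75); reject anything else."""
    m = _VER.match(firmware.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100-series firmware string: {firmware!r}")
    return tuple(int(g) for g in m.groups())


def needs_patch(model: str, firmware: str) -> bool:
    """True when the device is an affected model running a build older than the fix."""
    if model not in AFFECTED_MODELS:
        return False  # other product lines use other version schemes and other advisories
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory) -> list[dict]:
    """inventory: iterable of (hostname, model, firmware) tuples.

    Returns one dict per device that still needs the upgrade, with the CVE
    list attached so the output can go straight into a ticket.
    """
    todo = []
    for host, model, firmware in inventory:
        if needs_patch(model, firmware):
            todo.append({"host": host, "model": model, "firmware": firmware,
                         "upgrade_to": FIXED_VERSION, "cves": list(CVES)})
    return todo


# Constructed inventory; hostnames and firmware levels are invented.
SAMPLE_INVENTORY = [
    ("sma-dc1",    "SMA 410",  "10.2.1.13-72sv"),  # older build: upgrade
    ("sma-dc2",    "SMA 500v", "10.2.1.14-75sv"),  # already at the fixed build
    ("sma-branch", "SMA 210",  "10.2.1.9-60sv"),   # a string compare would call this patched
    ("sma1000-hq", "SMA 1000", "12.4.3-02804"),    # different product line: skipped
]


def demo() -> list[dict]:
    return triage(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['host']} ({row['model']}, {row['firmware']}) -> upgrade to {row['upgrade_to']}")
```

Feed it the model and firmware fields exported from your asset inventory or from each appliance's System > Status page; the version parser raises on an unexpected format rather than silently treating the device as patched.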

01-May-2025
3 min read

Akira

Hitachi Vantara cyberattack by Akira ransomware disrupts global enterprises & go...

Hitachi Vantara, a major provider of data infrastructure and ransomware recovery services, has become the latest high-profile victim of the **Akira ransomware gang**. The subsidiary of Japan's Hitachi Ltd. took its servers offline over the weekend of April 26, 2025, to contain the breach, disrupting operations for government agencies and multinational clients, including BMW, T-Mobile, and China Telecom. The incident underscores the willingness of cybercriminals to target firms entrusted with safeguarding sensitive data, even those that sell cyber-resilience services.

### **Timeline and Impact**

#### **Detection and Containment**

On **April 26, 2025**, Hitachi Vantara's internal security teams detected "suspicious activity" on its network and shut down servers to prevent lateral movement by the attackers. The company confirmed the ransomware incident in a statement and said it is working with third-party cybersecurity experts to investigate and remediate the breach.

#### **Scope of Disruption**

- **Internal Systems:** Hitachi's manufacturing divisions, remote support operations, and internal project management platforms were taken offline.
- **Unaffected Services:** Cloud-based solutions and self-hosted customer environments remained operational, so clients such as Telefónica and BMW could still reach their data independently.
- **Government Projects:** Multiple undisclosed government initiatives managed by Hitachi Vantara were disrupted, raising concerns about national security and critical infrastructure exposure.

#### **Data Theft & Ransom Notes**

Sources familiar with the investigation said Akira operators exfiltrated files before deploying the ransomware payload. The gang left ransom notes on compromised systems; Hitachi has not said whether it intends to negotiate. Cybersecurity analysts note that Akira typically demands between **$200,000 and $4 million**, scaled to the victim's revenue and the sensitivity of the stolen data.

### **Damage Control and Challenges**

In its statement, Hitachi Vantara stressed its adherence to "incident response protocols" and its commitment to restoring services "securely." The company nevertheless faces mounting challenges:

1. **Reputation Risk:** For a provider of ransomware recovery services, suffering a ransomware breach undermines client trust.
2. **Operational Delays:** Manufacturing and support outages could delay product deliveries and contractual obligations.
3. **Regulatory Scrutiny:** Governments affected by the breach may demand audits or impose penalties under data protection laws such as GDPR and Japan's APPI.

A spokesperson said: _"We are working tirelessly with third-party experts to remediate this incident and appreciate our customers' patience as we prioritize a secure recovery."_

### **Akira Ransomware Group**

First observed in **March 2023**, Akira runs a double-extortion model: it encrypts victims' data and threatens to leak stolen files on its dark-web portal. The group targets organizations across sectors and relies on phishing, VPN vulnerabilities, and compromised credentials for initial access.

#### **High-Profile Victims**

- **Stanford University (2023):** Stolen research data auctioned for $1.3 million.
- **Nissan Oceania (2024):** Production halted for 72 hours after supply chain systems were encrypted.
- **European Healthcare Provider (2024):** Patient records leaked, triggering a $2.8 million payout.

#### **Financial Impact**

According to the FBI's April 2024 advisory, Akira had extorted **$42 million** from more than 250 victims globally. The gang's leak site now lists 300+ organizations, with recent additions including aerospace contractors and U.S. school districts.

### **Contextual Nuances: Why Hitachi?**

Hitachi Vantara's role as a backbone for government and enterprise IT infrastructure made it a lucrative target. The company manages petabytes of sensitive data, including:

- **Telecommunications:** T-Mobile's customer analytics.
- **Automotive:** BMW's autonomous driving datasets.
- **National Security:** Classified projects for Asian and European governments.

#### **Irony of Resilience Providers**

The breach highlights a paradox: firms offering cybersecurity and recovery services are attractive targets precisely because a single intrusion can disrupt many downstream clients at once. The 2021 REvil attack that pushed ransomware through Kaseya's VSA remote-management software to hundreds of managed-service customers remains the clearest example of that leverage.

#### **Geopolitical Undercurrents**

While Akira's affiliation remains unclear, its focus on Japanese and Western entities aligns with broader patterns of state-aligned groups probing critical infrastructure resilience. Notably, Hitachi's parent company supplies components for the defense and energy sectors, adding a geopolitical dimension to the incident.

### **Broader Implications**

The attack exposes systemic risks in industries reliant on third-party IT providers:

- **Supply Chain Domino Effect:** A single breach can paralyze clients across sectors.
- **Cloud vs. On-Premises:** While Hitachi's cloud systems were spared, the incident renews debate about hybrid infrastructure security.

#### **Ransomware's Evolution**

Akira's success reflects ransomware's maturation into a **$30 billion annual criminal industry** (Cybersecurity Ventures, 2025). Key trends include:

- **Ransomware-as-a-Service (RaaS):** Lowering the barrier to entry for affiliates.
- **AI-Powered Attacks:** Automated phishing and vulnerability scanning.

#### **Regulatory Gaps**

Despite stricter laws, enforcement remains fragmented. The EU's NIS2 Directive and the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) are not harmonized, which lets gangs like Akira exploit jurisdictional ambiguity.

30-Apr-2025
4 min read