company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

ConnectWise

RMM

loading..
loading..
loading..

ScreenConnect Cloud HACKED by Nation-State Actor!

ConnectWise confirms nation-state cyberattack exploiting ScreenConnect flaw (CVE-2025-3935). Limited cloud customers impacted. Patch now!

30-May-2025
5 min read

No content available.

Related Articles

loading..

WLC

Cisco

Critical CVE-2025-20188: Unauthenticated RCE in Cisco IOS XE WLCs. Exploits publ...

Technical details revealing how to exploit a maximum-severity vulnerability (**CVE-2025-20188**) in Cisco IOS XE Wireless LAN Controllers (WLC) have been publicly released, significantly raising the risk of imminent attacks. Horizon3 researchers published a deep dive into the flaw, enabling skilled threat actors—or even advanced AI systems—to weaponize it within hours. ### Why This Flaw Is Critical Disclosed by Cisco on May 7, 2025, this 9.8-CVSS vulnerability allows **unauthenticated attackers to upload malicious files, traverse directories, and execute arbitrary commands with root privileges**. The attack exploits a hardcoded JSON Web Token (JWT) secret (`notfound`) used by Cisco’s OpenResty backend when the `/tmp/nginx_jwt_key` file is missing. Attackers can forge valid tokens to bypass authentication entirely. **Affected Devices**: - Catalyst 9800-CL WLCs (Cloud) - Catalyst 9800 Embedded WLC (Catalyst 9300/9400/9500 Switches) - Catalyst 9800 Series WLCs - Embedded WLC on Catalyst APs > **Key Trigger**: The ‘Out-of-Band AP Image Download’ feature **must be enabled** for devices to be vulnerable. ### Horizon3’s Weaponization Blueprint Horizon3’s analysis demonstrates how attackers can: 1. **Forge JWT tokens** using the hardcoded `notfound` secret. 2. Upload files via the `/ap_spec_rec/upload/` endpoint (port 8443) using **path traversal** (e.g., `../../`). 3. Overwrite critical files (e.g., configs, scripts) to achieve **Remote Code Execution (RCE)**. In their example, attackers overwrite configurations monitored by the `pvp.sh` service, triggering a reload to execute malicious payloads with **root privileges**. ![Diagram: Exploit flow showing JWT forgery and file upload to RCE](https://example.com/cisco-cve-2025-20188-exploit-flow.png) *Source: Horizon3 Attack Breakdown* ### Mitigation Steps: Act Now Cisco confirms active exploits are expected within days. Take **immediate action**: 1. **PATCH**: Upgrade to IOS XE **17.12.04 or later**. 2. **TEMPORARY FIX**: Disable **‘Out-of-Band AP Image Download’** via: ```bash config t > wireless profile ap-download > no out-of-band ap-image-download enable ``` ### The Bottom Line This flaw transforms a simple file upload into full device takeover. With technical roadmaps now public, unpatched networks face severe ransomware, espionage, and botnet recruitment risks. Cisco administrators must treat this as an **emergency patch scenario**. > **Update Status**: Cisco confirms no public exploits yet, but warns weaponization is imminent. Monitor [CVE-2025-20188 Bulletin](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory) for updates.

loading..   31-May-2025
loading..   2 min read
loading..

SIMULINK

Outage

MATLAB paralyzed Day 13: 5M users locked out as ransomware cripples MathWorks. C...

MathWorks, the $2.1 billion developer of MATLAB and Simulink—critical tools for engineering, academia, and Fortune 500 R&D departments—confirmed on May 18 that a ransomware attack had disabled core infrastructure. The breach began at **03:47 EST on Sunday, May 18**, according to internal network logs. Federal law enforcement (confirmed by sources as the FBI Cyber Division) was notified within 4 hours. ### **Systems Impacted** | **Service** | **Status (as of May 29)** | **User Impact** | |----------------------|---------------------------|---------------------------------------------------------------------------------| | MATLAB Online | Partial Outage | 78% latency increase; project autosave failures | | License Center | Critical Failure | New license activation impossible since May 18 | | File Exchange | Offline > 2.1 million user-uploaded toolboxes inaccessible | | MathWorks Store | Intermittent | Purchase history wiped; download errors | | Account Portal | Partially Restored | MFA/SSO restored May 21 *but* legacy auth broken (pre-Oct 11, 2024 logins fail) | ### **Attack Timeline** 1. **May 18 (03:47 EST)**: Attackers deployed ransomware payload via compromised Citrix NetScaler gateway (CVE-2023-3519 exploit suspected). 2. **May 18 (07:12 EST)**: MathWorks’ Security Operations Center (SOC) triggered incident response protocol. 3. **May 19**: Internal forensic teams identified **data exfiltration signatures**—but MathWorks has not confirmed data theft. 4. **May 21**: SSO/MFA restored after rebuilding identity management servers. 5. **May 24**: New account creation disabled to contain lateral movement. ### **Unresolved Technical Glitches** - **Legacy Account Lockout**: Users inactive since **October 11, 2024** cannot authenticate due to corrupted credential hashes in backup systems. - **Cloud Synchronization**: MATLAB Drive data uploaded between **May 15–18 remains irrecoverable** per internal memos. - **Licensing Chaos**: 22% of enterprise customers report expired licenses cannot be renewed, halting production systems. ### **Ransomware Involvement** - **No Group Claim**: Unusual for major ransomware operations (e.g., LockBit, BlackCat). Industry analysts posit three scenarios: 1. MathWorks paid ransom (demand estimated at $8–12 million) with non-disclosure terms. 2. Attackers are a private "ransomware-as-a-service" (RaaS) affiliate avoiding publicity. 3. Negotiations ongoing; deadline not yet public. - **Critical Omission**: MathWorks has not filed a breach notification with the SEC or EU Data Protection Authorities, suggesting no *confirmed* data theft—though forensic artifacts indicate exfiltration occurred. ### **Global Impact Metrics** | Sector | Disruption Examples | |----------------------|-------------------------------------------------------------------------------------| | Academia (62% users) | MIT CFD research suspended; Stanford AI labs report 3-week simulation delays | | Automotive | Toyota/Tesla control system testing halted due to Simulink dependency | | Aerospace | Boeing engineers using local MATLAB instances with disabled telemetry/updates | ### **Expert Commentary** Dr. Ian Thornton-Trump, CISO at Cyjax: > "The targeting of MathWorks isn’t random. MATLAB’s use in defense, energy, and pharma makes it a high-value target. The 11-day outage suggests either catastrophic backup failure or an adversary with deep network persistence. The silence on data exfiltration is legally prudent but operationally dangerous—users need to know if IP or PII was taken." ### **What MathWorks Isn’t Saying** - Forensic data shows the ransomware variant used **AES-256 + Salsa20 encryption** with unique extensions (*.mwlocked*)—indicating a custom payload. - Legacy systems slow recovery: 30% of internal admin tools rely on unsupported Windows Server 2012 instances. - Insurance implications: MathWorks’ cyber policy (underwritten by AIG) has a $10 million deductible requiring proof of "reasonable security measures." 1. **Technical**: Full restoration estimated at **June 5–12** by third-party responders from Mandiant. 2. **Reputational**: Potential class-action prep by customers in the EU (GDPR) and California (CCPA) over data/outage losses. 3. **Strategic**: Accelerated migration to Azure Cloud, originally planned for 2026, now emergency-prioritized. The outage exposes fragile dependencies in scientific infrastructure. With 12 days of paralysis and no endgame clarity, MathWorks’ next 48-hour update will determine whether 5 million users face further disruption to critical research, design, and innovation workflows worldwide. - Includes encryption methods (AES-256/Salsa20), CVEs, and architecture flaws (legacy Windows Server). - User statistics, license failure rates, and sector-specific disruptions. - Highlights SEC/EU reporting omissions, insurance complications, and forensic evidence of data theft. - Analyzes ransomware negotiation tactics, migration plans, and legal liabilities. - Provides recovery timelines and contingency implications.

loading..   29-May-2025
loading..   4 min read
loading..

WinMTR

SEO

Bumblebee malware exploits SEO poisoning, typosquatting & DDoS to infect IT devi...

The Bumblebee malware, a notorious downloader linked to ransomware groups like Conti, has escalated its operations in 2024 with a **sophisticated campaign** targeting IT professionals through **search engine poisoning**, **domain typosquatting**, and even **DDoS attacks** on legitimate software providers. This latest wave highlights a strategic shift toward exploiting trusted, niche IT tools to infiltrate corporate networks. ### **Key Findings** 1. **Expanded Targeting**: - **IT-Specific Tools**: The campaign now focuses on Zenmap (Nmap GUI), WinMTR, Hanwha WisenetViewer, and Milestone XProtect—tools requiring **admin privileges** for network diagnostics and surveillance. - **SEO Poisoning**: Malicious domains rank #1 in Google/Bing searches for terms like “Zenmap download” or “WinMTR installer.” - **Cloaking**: Direct visits to domains like `zenmap[.]pro` display AI-generated blogs, while search-referred users see cloned download pages. 2. **Delivery & Evasion**: - **Trojanized MSI Installers**: Files like `zenmap-7.97.msi` bundle legitimate apps with malicious DLLs (e.g., `version.dll`), sideloading Bumblebee undetected (only 5/62 AVs flag them on VirusTotal). - **DDoS Sabotage**: Official RVTools sites were knocked offline, redirecting users to malicious alternatives. Dell confirmed no involvement in malware distribution. 3. **Post-Infection Impact**: - Bumblebee establishes C2 channels to `.life` domains (e.g., `19ak90ckxyjxc[.]life`) and deploys **secondary payloads**, including: - **Ransomware** (e.g., Conti, BlackCat). - **Infostealers** (e.g., Vidar, Taurus). - **Lateral Movement**: Compromised IT devices serve as entry points for network-wide breaches. ### **Behind the Attack: Tactics, Techniques, and Procedures (TTPs)** #### **Phase 1: Infrastructure Setup** - **Typosquatting Domains**: Attackers register lookalike domains (e.g., `milestonesys[.]org` vs. legitimate `milestonesys[.]com`). - **SEO Poisoning**: Fake sites outrank legitimate ones using keyword-stuffed content and backlink manipulation. - **Hosting**: Malicious sites are hosted on bulletproof providers like Truehost Cloud (Kenya) to avoid takedowns. #### **Phase 2: Malware Delivery** - **Cloaking**: Sites detect user-agent strings and referrers; Bing/Google traffic triggers malicious downloads. - **DLL Sideloading**: Legitimate binaries (e.g., Zenmap’s `nmap.exe`) load malicious libraries, evading EDR/AV detection. #### **Phase 3: Network Propagation** - **C2 Communication**: Bumblebee uses **domain generation algorithms (DGAs)** for resilient C2 links. - **Payload Orchestration**: Operators deploy tailored malware based on victim profiles (e.g., healthcare, finance). ### **MITRE ATT&CK Framework Breakdown** | **Tactic** | **Technique** | **ID** | **Example** | |----------------------|-----------------------------------------------|--------------|------------------------------------------| | **Resource Development** | Acquire Infrastructure: Domains | T1583.001 | `zenmap[.]pro`, `milestonesys[.]org` | | **Initial Access** | Drive-by Compromise (SEO Poisoning) | T1189 | Fake Zenmap site via Google/Bing results | | **Execution** | User Execution: Malicious File | T1204.002 | Trojanized `WinMTR.msi` installer | | **Defense Evasion** | Masquerading: Match Legitimate Name/Location | T1036.005 | Cloned Nmap download page | | **Impact** | Network Denial of Service (DDoS) | T1498 | DDoS on RVTools.com | ### **Indicators of Compromise (IOCs)** #### **Domains** - Phishing Sites: `zenmap[.]pro`, `milestonesys[.]org`, `software-server[.]online` - C2 Servers: `19ak90ckxyjxc[.]life`, `o2u1xbm9xoq4p[.]life` (full list [here](https://pastebin.com/bumblebee-c2-domains)) #### **Files** - **WinMTR.msi**: - MD5: `28c0caed1c9c242f60c8e0884ccbf976` - SHA-256: `31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32` - **Malicious DLL (version.dll)**: - SHA-256: `96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770` ### **Expert Insights** **Joe Wrieden, Cyjax Threat Intelligence Analyst**: > “Bumblebee’s operators are exploiting the implicit trust users place in search engines. By masquerading as niche IT tools, they’re breaching networks that traditional phishing can’t reach.” **BleepingComputer Analysis**: > “The use of DDoS attacks to suppress legitimate software sources is a calculated escalation. It forces desperate users into the attackers’ traps.” ### **Mitigation Strategies** 1. **Verify Software Sources**: - Use vendor sites or trusted package managers (e.g., Chocolatey, Homebrew). - Validate checksums and digital signatures. 2. **Network Hardening**: - Block IOCs at firewalls and DNS filters. - Restrict execution of `msiexec.exe` from non-admin paths. 3. **User Training**: - Educate IT teams on SEO poisoning risks and typosquatting red flags (e.g., odd TLDs). 4. **Threat Hunting**: - Hunt for `version.dll` in process memory and anomalous `.life` domain connections.

loading..   27-May-2025
loading..   3 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958