Phishing attempts, malicious redirects, and hidden malware can lurk in seemingly harmless links, putting your company’s data and systems at risk. To streamline threat detection and response, ANY.RUN has upgraded its browser extension, making the Safebrowsing feature free for all users. 

How Safebrowsing Works in ANY.RUN’s Extension 

Safebrowsing from ANY.RUN provides a fully functional browser, allowing users to interact with potential threats safely. This is especially useful for investigating multi-stage phishing attacks and CAPTCHA-based fraud.  

Now, security teams can quickly analyze suspicious URLs without extra steps and launch analysis in ANY.RUN’s Safebrowsing instantly. This eliminates the hassle of copying and pasting links into the platform manually, making security investigations faster and more efficient! 

Most importantly, it’s completely free! 

How to Use Safebrowsing for Free 

ANY.RUN’s Safebrowsing feature is now available for all users at no cost—all you need is a registered account to start analyzing suspicious links instantly. 

1. Install the ANY.RUN browser extension 

2. Right-click on any suspicious link 

3. Select “Safebrowsing” to launch an instant analysis 

How Safebrowsing Helps Agasinst Cyber Attacks 

With the updated extension, businesses can take advantage of Safebrowsing’s capabilities to: 

Check suspicious links with a single click: No need to manually copy and paste URLs into the sandbox. Simply use the Safebrowsing option from your browser’s right-click menu, and the link will open in an isolated environment. 

Speed up threat analysis: The extension streamlines the process, allowing security teams to quickly assess a link’s behavior in a full-size virtual browser without interacting with the page on their own system. 

Ensure safe link browsing for employees: By testing unknown URLs in an isolated virtual browser before opening them on company devices, businesses can prevent malware infections, credential theft, and phishing attacks. 

Don’t have an ANY.RUN account yet? Sign up now.

Use Cases for Safebrowsing 

With Safebrowsing, security analysts can interact with the entire attack chain, observe network activity, and uncover hidden threats in a controlled environment. 

Multi-Stage Phishing Analysis 

In the following Safebrowsing example, we analyze a phishing attempt disguised as a TransferNow link — a free file transfer service that allows sending large documents up to 250GB. 

View Safebrowsing analysis session 

Right-clicking on the suspicious link instantly opens it in ANY.RUN’s isolated browser, eliminating the need to copy and paste URLs manually. 

The link leads to a fake TransferNow page, appearing to offer a free document download. After clicking the download file button, a PDF file opens instead. 

The PDF mimics a SharePoint document, prompting the user to download yet another file. This staged approach is a common tactic in phishing schemes, forcing users into a series of seemingly harmless steps to lower suspicion. 

Once the second file is downloaded, a Microsoft sign-in page appears. However, after closer inspection, we see that the URL has no connection to Microsoft. This is a clear indicator of a fraudulent attempt to steal login credentials. 

Additional red flags include a broken favicon, which often signals a hastily put-together phishing page lacking proper hosting configurations. 

CAPTCHA-Based Fraud Investigation 

Cybercriminals use CAPTCHA barriers to block automated scanners while still targeting real users. Safebrowsing lets you bypass these obstacles with automated interactivity and analyze what’s behind the CAPTCHA wall. 

View attack analysis inside Safebrowsing 

For this example, a suspicious link is right-clicked, and the “Safebrowsing” option is selected. The link automatically opens inside the Safebrowsing service, saving time and streamlining the investigation. 

The link initially loads a Cloudflare “Verify You’re Human” CAPTCHA page, a tactic often used to evade automated scanning tools. 

After passing the CAPTCHA, the page redirects to what appears to be a Google login page. However, upon closer inspection, the URL is fake, having no connection to Google. 

Another major red flag is the broken Google favicon, a common sign of a poorly cloned phishing site. Legitimate websites rarely have favicon issues, making this a simple yet effective phishing indicator. 

The Network Inspector, located in Safebrowsing’s upper-right corner of the screen, provides a detailed view of network connections, HTTP requests, and potential threats triggered by Suricata rules.  

This feature allows analysts to monitor outgoing and incoming traffic, inspect request headers and payloads, and identify malicious activity in real time.  

By using Suricata-based detection, security teams can quickly spot anomalies, detect exploit attempts, and track threat actor infrastructure, making network analysis faster and more effective.

These cases demonstrate how Safebrowsing allows businesses to quickly expose phishing schemes, track multiple attack stages, and analyze network behavior, all without putting corporate infrastructure at risk. 

Sandbox Analysis with the Extension 

For businesses and security teams, the full version of the extension offers even more powerful capabilities. Beyond Safebrowsing, users can launch analysis sessions inside ANY.RUN’s Interactive Sandbox to access: 

• File and Link Analysis: Analyze files and links on fully interactive Windows (7-11 version) cloud virtual machines (VMs). 

• Comprehensive Threat Reports: Generate detailed threat reports in JSON, MISP, and HTML formats, including IOCs and malware configurations. 

• Malicious Behavior Monitoring: Observe samples’ malicious behavior and study tactics, techniques, and procedures (TTPs) using the MITRE ATT&CK Matrix. 

• Customizable Settings: Adjust settings for system reboot, locale selection, and network features like MITM proxy and FakeNET. 

• Extended Analysis: Run VMs for up to 1200 seconds for in-depth analysis. 

To utilize the sandbox functionality via the extension, you will need an active Hunter or Enterprise subscription. Each analysis session launched through the extension counts towards your API quota. 

Conclusion 

With these enhanced features, security teams can streamline their workflow, uncover hidden threats, and improve detection accuracy, all from within their browser. Install ANY.RUN’s extension now to try it right away! 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post Instant URL Analysis: Use Safebrowsing via ANY.RUN’s Extension appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

“Hello, this is your distant relative from Nigeria. I’m writing because I have a terminal illness and no other living relatives. My dying wish is to transfer my inheritance of $100 million to you while I still can…” — we’ve all probably received an email like this at some point during our online existence. Originally known as “Nigerian prince” scams, today they bear the label “419” (after the section of the Nigerian Criminal Code dealing with fraud). These days, however, instead of a “Nigerian prince”, you’re more likely to receive a letter from a fake employee of a bank, online store, or delivery service — or even… the President of the United States.

This post looks at the most common types of spam emails, and explains what to do if one lands in your inbox.

Emails from investors, philanthropists, and other rich people

This is perhaps the oldest — and most common — email scam scenario. Even in 2025, benefactors of all stripes are queuing up to hand over their hard-earned cash to you in particular. Such emails are nothing if not formulaic: a fabulously rich individual (a) describes their source of wealth, (b) mentions a problem, and (c) proposes a solution. Let’s take a look at each step in turn:

• The source of wealth can be anything: an inheritance, an incredibly profitable business in a faraway land, or a discovered crypto wallet worth millions.
• The problem can also vary — from a fatal disease to a burning desire to donate everything to charity, and your help is needed.
• The solution is always the same: the money needs to be transferred to your account ASAP.

Of course, if you reply with your deepest condolences and bank details, it’s unlikely that the promised millions will materialize. Instead, the scammers will use every tool in the box to get you transfer cash to them. For example, this may take the form of a “transfer fee” they can’t pay themselves for some reason.

Don’t believe such an email, even if it seems to come from the U.S. president. Riding the wave of the Donald Trump phenomenon, spammers have launched a new-old scam in which they email potential victims pretending to be the White House incumbent, who for some reason has decided to give US$15 million to a handful of lucky souls around the world. To claim your millions, you only need to reply to the email, whereupon the fake Donald will ask you to follow a link and enter your bank details, or pay a fee to have the funds transferred to your account.

Delivery scams

Spam arrives from spoofed email addresses of delivery services, marketplaces, and online stores. The message is simplicity itself: “Dear customer, we are having problems with sending your goods and kindly ask that you pay a surcharge for delivery.” You’re asked to pay for delivery by following a link to a web page that asks for your bank details at the very least, and often also your home address. You can find examples of such spam in our Delivery payment fraud post.

There are more complex variations of this scheme. Just as “philanthropists”, “investors”, and “Nigerian princes” spin yarns about their imminent death from covid-19 as a pretext to make contact, delivery scammers also exploit current events. Last year, for instance, ahead of International Women’s Day, we warned readers of a flower delivery scam: cybervillains introduce themselves as flower-shop employees offering free bouquets — except that delivery charges are covered by the recipient. You guessed it: no one gets any flowers, and the “delivery fee” (as well as the bank card details) are lost.

Compensation scams

If you’ve swallowed the bait once, there’s a high risk you’ll be offered some more — but under a different guise. Masquerading as a bank, law enforcement agency, or international organization, scammers may offer to pay compensation: allegedly you’ve been the victim of fraud and the targeted institution is reaching out to those affected.

Alternatively, the senders of the fake email may pose as “fellow victims” who are seeking out others in the same boat: if we all chip in, they say, we can hire a merry band of Robin Hood hackers who, for a reward, will get all our money back.

Spammers can even pose as top managers of large banks. In this case, the email will weave a tale about how ~“… bad employees tried to steal your money, but we, the good managers, are ready to compensate you for the inconvenience.” But of course, there’ll be no compensation at all — it’s just a pretext for further extortion.

What to do if spam lands in your inbox

The first step is to identify it as such. Nowadays, most email clients automatically send unsolicited and suspicious messages to the Spam folder, but if one does sneak into your inbox, you need to identify it yourself. Carefully examine the text of the email for spelling and grammar mistakes, check the sender address, and ask yourself a few questions:

1. Is it relevant to me?
2. Why has a millionaire uncle I’ve never heard of suddenly got in touch?
3. Where did they get my email address?
4. Why should I pay to receive the money?

By answering these four questions honestly, you’ll know whether the email in front of you is spam or not. Here are our tips to reduce the amount of spam in your inbox:

• Don’t respond. Even if the sender wants to give you a million bucks, buy you a new smartphone, or help you get back something stolen.
• Don’t disclose personal information. Threat actors can scrape your name, phone number, and email address from a social network where you’ve kindly provided them yourself.
• Don’t follow suspicious links. It’s quite easy to distinguish real links from fake ones: our Passwords 101: don’t enter your passwords just anywhere they’re asked for post explains how. Easier still is to install reliable protection on all your devices: Kaspersky Premium automatically blocks redirects to malicious sites — keeping you safe.
• Don’t enter your data. If you impulsively followed a link in an email, or responded to the sender in some way, and now you’re having doubts, don’t under any circumstances enter personal or payment information. A request for such data is the same as hanging out a red flag saying “We are scammers!”
• Report fraud. Here are the instructions on how to report spam in Google Mail, and how to filter messages on Apple devices.

Kaspersky official blog – ​Read More

A supply-chain attack can totally thwart all a targeted company’s efforts to protect its infrastructure. Preventing such attacks is extremely difficult because a significant portion of an attack occurs in infrastructure that’s not within the security team’s control. This makes supply-chain attacks one of the most dangerous threats in recent years, and today we’ll look at some of the biggest that took place in 2024.

January 2024: malicious npm packages stole SSH keys from hundreds of developers on GitHub

The first major supply-chain attack in 2024 involved malicious npm packages uploaded to GitHub in early January. The main purpose of these modules, named warbeast2000 and kodiak2k, was to search infected systems for SSH keys and send them back to the criminals. Some versions of kodiak2k also included a script to launch Mimikatz, a tool used to extract passwords from memory.

In total, attackers managed to publish eight versions of warbeast2000, and over 30 versions of kodiak2k. By the time they were discovered and removed from the repository, the malicious packages had already been downloaded 412 and 1281 times, respectively — meaning potentially hundreds of developers were affected.

February 2024: abandoned PyPI package used to distribute NovaSentinel infostealer

In February, a malicious update was discovered in the django-log-tracker package, which was hosted on the Python Package Index (PyPI). The latest legitimate version of this module was published in 2022, and since then it had been abandoned by its creators. It appears that the attackers managed to hijack the developer’s PyPI account and upload their own malicious version of the package.

The malicious update contained only two files with identical and very simple code; all the original module content was deleted. This code downloaded an EXE file from a certain URL and executed it.

This EXE file was an installer for the NovaSentinel stealer malware. NovaSentinel is designed to steal any valuable information it can find in the infected system, including saved browser passwords, cryptocurrency wallet keys, Wi-Fi passwords, session tokens from popular services, clipboard contents, and more.

March 2024: backdoor implanted in popular Linux distributions using XZ Utils

In late March an incident was reported that could potentially have become the most dangerous supply-chain attack of 2024 with devastating consequences. As part of a sophisticated operation lasting two-and-a-half years, a GitHub user known as Jia Tan managed to gain control over the XZ Utils project — a set of compression utilities included in many popular Linux distributions.

With the project under his control, Jia Tan published two versions of the package (5.6.0 and 5.6.1), both containing the backdoor. As a result, the compromised liblzma library was included in test versions of several Linux distributions.

According to Igor Kuznetsov, head of Kaspersky’s Global Research & Analysis Team (GReAT), the CVE-2024-3094 vulnerability could have become the biggest ever attack on the Linux ecosystem. Had the vulnerability been introduced into stable distributions, we might have seen massive server compromises. Fortunately, CVE-2024-3094 was detected in test and rolling-release distributions, so most Linux users remained safe.

April 2024: malicious Visual Studio projects spread malware on GitHub

In April, an attack targeting GitHub users was discovered in which attackers published malicious Visual Studio projects. To aid their attack, the attackers skillfully manipulated GitHub’s search algorithm. First, they used popular names and topics for their projects. Second, they created dozens of fake accounts to “star” their malicious projects, creating the illusion of popularity. And third, they automatically published frequent updates, making meaningless changes to a file included solely for this purpose. This made their projects appear fresh and up-to-date compared to available alternatives.

Inside these projects, malware resembling Keyzetsu Clipper was hidden. This malware intercepts and replaces cryptocurrency wallet addresses copied to the clipboard. As a result, crypto-transactions on the infected system are redirected to the attackers instead of the intended recipient.

May 2024: backdoor discovered in the JAVS courtroom video recording software

In May, reports emerged about the trojanization of the JAVS (Justice AV Solutions) courtroom recording software. This system is widely used in judicial institutions and other law enforcement-related organizations, with around 10 000 installations worldwide.

A dropper was found inside the ffmpeg.exe file — included in the JAVS.Viewer8.Setup_8.3.7.250-1.exe installer on the official JAVS website. This dropper executed a series of malicious scripts on infected systems, designed to bypass Windows security mechanisms, download additional modules, and collect login credentials.

June 2024: tens of thousands of websites using Polyfill.io delivered malicious code

In late June, the cdn.polyfill.io domain began distributing malicious code to visitors of websites relying on the Polyfill.io service. Users were redirected to a Vietnamese-language sports betting site through a fake domain impersonating Google Analytics (www[.]googie-anaiytics[.]com).

Polyfill.io was originally created by the Financial Times to ensure that websites remain compatible with older or less common browsers. However, in 2024, it was sold to Chinese CDN provider Funnull, along with its domain and GitHub account — and this is where the trouble began.

Over the years, Polyfill.io became very popular. Even at the time of the incident, more than 100 000 websites worldwide — including many high-profile ones — were still using polyfills, even though they’re no longer needed. Following the attack, the original creator of Polyfill.io advised users to stop using the service. However, the script is currently still present on tens of thousands of websites.

July 2024: trojanized jQuery version found on npm, GitHub, and jsDelivr

In July, a trojanized version of jQuery — the popular JavaScript library used to simplify interaction with the HTML Document Object Model (DOM) — was discovered. Over the course of several months, the attackers managed to publish dozens of infected packages to the npm registry. The trojanized jQuery was also found on other platforms, including GitHub, and even jsDelivr n — a CDN service for delivering JavaScript code.

Despite being compromised, the trojanized versions of jQuery remained fully functional. The main difference from the original library was the inclusion of malicious code designed to capture all user data entered into forms on infected pages and then send it to an attacker-controlled address.

August 2024: infected plug-in for the multi-protocol messenger Pidgin

At the end of August, one of the plug-ins published on the official Pidgin messenger page was found distributing DarkGate — a multi-functional malware that gives attackers remote access to infected systems where they can install additional malware.

Pidgin is an open-source “all-in-one” messenger, allowing users to communicate across multiple messaging systems and protocols without installing separate applications. Although Pidgin’s peak popularity has long passed, it remains widely used among tech enthusiasts and open-source software advocates.

The infected ss-otr (ScreenShareOTR) plug-in was designed for screen sharing over the Off-The-Record (OTR) protocol — a cryptographic protocol for secure instant messaging. This means the attackers specifically targeted users who prioritize privacy and secure communication.

September 2024: hijacking deleted projects on PyPI

In September, researchers published a study exploring the theoretical possibility of hijacking deleted PyPI projects — or rather, their names. The issue arises because after a package is deleted, nothing prevents anyone from creating a new project with the same name. As a result, developers who request updates for the deleted package end up downloading a fake, malicious version instead.

PyPI is aware of this risk, and issues a warning when you try to delete a project:

In total, the researchers found over 22 000 PyPI projects vulnerable to this attack. Moreover, they discovered that the threat is not just theoretical — this attack method was already observed “in the wild”.

To protect some of the most obvious high-risk targets, the researchers registered the names of certain popular deleted projects under a secure account they created.

October 2024: malicious script in the LottieFiles Lottie-Player

In late October, a supply-chain attack targeted the LottieFiles Lottie-Player, a JSON-based library for playing lightweight animations used in mobile and web applications. The attackers simultaneously published multiple versions of Lottie-Player (2.0.5, 2.0.6, and 2.0.7) containing malicious code. As a result, a cryptodrainer appeared on sites thar used this library.

At least one major crypto-theft has been confirmed, with the victim losing nearly 10 bitcoins (over US$700 000 at the time of the incident).

November 2024: JarkaStealer found in the PyPI repository

In November, our experts from the Global Research and Analysis Team (GReAT) discovered two malicious packages in the PyPI repository: claudeai-eng and gptplus. These packages had been available on PyPI for over a year — downloaded over 1700 times by users across 30+ countries.

The packages posed as libraries for interacting with popular AI chatbots. However, in reality, claudeai-eng and gptplus only imitated their declared functions using a demo version of ChatGPT. Their real purpose was to install the JarkaStealer malware.

As you might guess from the name, this is an infostealer. It steals passwords and saves browser data, extracts session tokens from popular apps (Telegram, Discord, Steam), gathers system information, and takes screenshots.

December 2024: infected Ultralytics YOLO11 AI model in PyPI

In December, another AI-themed supply-chain attack was carried out via the PyPI repository. This time, the attack targeted the popular package, Ultralytics YOLO11 (You Only Look Once) — an advanced AI model for real-time object recognition in video streams.

Users who installed the Ultralytics YOLO11 library, whether directly or as a dependency, also unknowingly installed the cryptominer XMRig Miner.

How to protect against supply-chain attacks

For detailed recommendations on preventing supply-chain attacks, check out our dedicated guide. Here are the main tips:

• Always carefully review any code used in your projects.
• Maintain a Software Bill of Materials (SBOM) to track dependencies and components.
• Monitor suspicious activity in your corporate network using an XDR-class security solution.
• If your internal security team lacks sufficient resources, consider using an external service for timely threat detection and response.

Kaspersky official blog – ​Read More

Getting married is certainly one of the most important events in anyone’s life. And in many cultures, it’s customary to invite hundreds of guests to the celebration — including some you barely know. Cybervillains take advantage of such traditions, using wedding invitations as bait to launch attacks on Android smartphone users.

Here’s what threat actors have come up with this time, and how to defeat it.

How weddings and APKs are linked

You may already know about our global threat intelligence network — Kaspersky Security Network (KSN). In 2024, we spotted several suspicious and clearly malicious APK samples circulating in both Malaysia and Brunei. At the same time, social networks were buzzing with Android users of those same countries complaining about having their WhatsApp accounts hacked, or receiving suspicious APKs through WhatsApp or other messenger apps.

Connecting the dots, we deduced that cybercriminals were sending Android users in Brunei and Malaysia wedding invitations in the form of an APK, which victims were urged to install on their own devices themselves. In the message, the attacker begins by apologizing for inviting the recipient to such an important event through WhatsApp rather than in person, then suggests that the user find the time and place of the celebration in the attached file — which turned out to be the same malicious APK that we found in KSN.

The scheme uses two versions of the same stealer (one appeared in March 2024, the other with added functionality in August), which we’ve called Tria — after the name of the user who appears to be responsible for supporting or even conducting the entire campaign.

What the Tria stealer does

The malware primarily harvests data from text and email messages, but also reads call and message logs that it later sends to the C2 server through various Telegram bots. Naturally, the attackers don’t do this out of their love of reading other people’s correspondence. All stolen data is used to hack victims’ Telegram, WhatsApp, and other accounts, and then message their contacts asking for money. However, an even more unpleasant scenario is possible: attackers could gain access to the victim’s online banking accounts by requesting and intercepting OTP codes needed for login.

To disguise itself, the stealer employs social engineering tactics: hiding behind a gear icon, it mimics a system application to get the permissions it needs from the user. The malware needs ten permissions in total, including access to network activity and sending/reading text messages. For details on what other permissions Tria requests and how exactly the stealer works, see the full post on our Securelist blog.

It’s known at present that the attacks were limited to users in Malaysia and Brunei, and not targeted at any specific individuals; however, the cybervillains may decide to expand their reach going forward. And when it comes to the bogus invitation that leads to installing the APK, the scope isn’t limited to weddings — future attacks could exploit religious ceremonies, birthdays… you name it. So be vigilant, arm yourself with reliable protection, and read our tips on how to combat this stealer and other malware for Android.

How to guard against the Tria stealer

The simple method of distribution makes it fairly easy to protect yourself against:

• Never respond to strangers in messenger apps — especially if they ask you to download and install something. Be wary of such messages even if they come from people in your contact list.
• Never open APKs downloaded from untrusted sources. If you need to install something on your smartphone, always use official app stores (though even these aren’t immune to malware) or developer websites.
• Install Kaspersky for Android on your smartphone to protect it from Tria.
• Don’t grant apps more permissions than they need. Be wary of new apps that are permission-hungry.
• Harden your accounts in other messenger apps and social networks. You can find in-depth guides to privacy settings at the Privacy Checker

At the end of any scam-themed post, we usually recommend setting up two-factor authentication (2FA) for all applications and services where it’s possible. However, in the fight against Tria, as well as many other Trojans, 2FA with OTP by text isn’t much help: this malware can intercept incoming messages, extract codes from them, and even delete such messages so you never notice anything.

As such, we advise using an authenticator app to generate 2FA codes. Kaspersky Password Manager is the perfect solution — it securely generates OTPs and reliably stores passwords and confidential documents, with the option to sync them across all your devices.

It’s worth noting that stealers are particularly fond of hijacking Telegram accounts. To avoid losing yours, we recommend setting up a Telegram cloud password this very instant, using Kaspersky Password Manager to create and store it. To find out how to configure 2FA, refer to our What to do if your Telegram account is hacked post.

Kaspersky official blog – ​Read More

Overview

Cyble’s weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.

Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to their Known Exploited Vulnerability (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall’s SMA1000 appliances.

In this week’s analysis, Cyble delves into multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti’s Cloud Services Appliance, and issues within RealHome’s WordPress theme. As always, Cyble has also tracked underground activity, providing insights into Proof of Concepts (POCs) circulating among cyber criminals.

Weekly Vulnerability Insights

1. CVE-2025-23006 – SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)

A severe deserialization vulnerability in SonicWall’s SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.

This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.

2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)

Three vulnerabilities were discovered in SimpleHelp’s remote support software, used by IT professionals for remote customer assistance. These flaws include:

1. CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
2. CVE-2024-57727: A path traversal vulnerability that could expose sensitive configuration files, including those containing hashed passwords.
3. CVE-2024-57728: An arbitrary code execution vulnerability that can be exploited by attackers with administrative access to upload malicious files to the server.

These vulnerabilities pose considerable risks to users of SimpleHelp, potentially leading to unauthorized access or full system compromise. The vulnerabilities have been confirmed to be actively exploited, with proof-of-concept code already circulating in underground forums.

3. CVE-2024-8963 – Ivanti Cloud Services Appliance (Critical Administrative Bypass)

Ivanti’s Cloud Services Appliance (CSA) suffers from multiple vulnerabilities that have been chained by threat actors to gain initial access and implant malicious code. The most critical issue is CVE-2024-8963, an administrative bypass flaw that allows unauthenticated attackers to exploit other vulnerabilities in the appliance. Other related flaws include:

1. CVE-2024-9379: SQL injection vulnerability that permits remote attackers to execute arbitrary SQL commands.
2. CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities, allowing attackers to run arbitrary code on vulnerable systems.

The severity of these vulnerabilities has prompted both CISA and the FBI to issue warnings about their active exploitation. Despite patches being available since September 2024, the ongoing exploitation of these vulnerabilities highlights the urgency of updating and patching vulnerable systems.

4. CVE-2024-32444 – RealHome WordPress Theme (Critical Privilege Escalation)

A critical privilege escalation vulnerability in the RealHome WordPress theme allows attackers to register as administrators on affected sites. This flaw enables them to take full control over websites, compromising sensitive data and content. As of January 2025, no patch has been released for this vulnerability, leaving many WordPress sites exposed.

5. CVE-2025-24085 – Apple iOS and macOS (Use-After-Free Zero-Day Vulnerability)

Apple’s iOS and macOS systems are affected by a use-after-free vulnerability in the Core Media component. This zero-day flaw, which has a CVSS score of 7.8, could allow attackers to execute arbitrary code with elevated privileges on affected devices running versions prior to iOS 17.2. While no public exploit code has been observed, the vulnerability remains a serious risk for iOS and macOS users.

Vulnerabilities Under Active Exploitation

Several vulnerabilities continue to be actively exploited, especially in high-value systems used by organizations worldwide. Among them are:

• CVE-2024-38063: A critical Remote Code Execution (RCE) vulnerability in Windows TCP/IP, triggered by a flaw in IPv6 packet handling. This issue allows attackers to execute arbitrary code remotely, with no user interaction required, making it a “zero-click” vulnerability.
• CVE-2024-55591: A critical authentication bypass vulnerability affecting FortiOS and FortiProxy versions 7.0.0 through 7.2.12. Attackers exploiting this flaw can bypass authentication mechanisms and gain unauthorized access to affected systems.
• CVE-2023-32315: This vulnerability affects Ignite Realtime’s Openfire server, allowing unauthenticated attackers to perform path traversal and gain access to sensitive server files.

Cyble also noted a significant incident involving CVE-2025-0411, a critical vulnerability in 7-Zip that allows remote attackers to execute arbitrary code. Proof of concept for this flaw was shared on deep web forums, signaling increased interest among cyber criminals.

Underground Activity and Exploitation Trends

Cyble Research tracked discussions of known vulnerabilities across underground forums and Telegram channels. The most notable trends include:

• CVE-2025-0411 (7-Zip): This flaw has been weaponized and is being sold on underground forums. Attackers can use it to execute arbitrary code on vulnerable systems.
• CVE-2024-38063 (Windows TCP/IP): Exploit code for this vulnerability has circulated among threat actors, enabling them to remotely execute code on systems with vulnerable TCP/IP stacks.
• CVE-2023-32315 (Openfire Server): Malicious actors are actively discussing how to exploit this path traversal flaw to gain unauthorized access to server environments.

Recommendations for Mitigating Exploitation Risks

To mitigate the risks posed by these vulnerabilities, Cyble offers the following recommendations:

1. Regularly update all software and hardware systems with the latest patches from official vendors. Immediate patching of known exploited vulnerabilities, such as those listed in the KEV catalog, is critical.
2. Use network segmentation to limit the exposure of critical systems to the internet. This reduces the potential attack surface and helps contain breaches if they occur.
3. Implement a robust incident response plan, testing it regularly to ensure it aligns with emerging threats. Ensure that your organization is prepared to act quickly in the event of an attack.
4. Educate employees and administrators on the latest phishing and social engineering tactics and how to recognize malicious activities on their networks.
5. Enforce MFA across all sensitive systems to add an extra layer of protection against unauthorized access.

Conclusion

This week’s Weekly Vulnerability Insights report highlights the continued risks associated with high-severity vulnerabilities and emphasizes the importance of patching, monitoring, and threat intelligence sharing. Organizations must remain vigilant and ensure their systems are protected from known exploited vulnerabilities and emerging zero-day threats. Cyble’s AI-driven platforms, like Cyble Vision and Cyble Hawk, help organizations stay ahead of evolving threats. Book a free demo today and strengthen your defense against cyber adversaries with Cyble’s cutting-edge cybersecurity solutions.

To access full IT vulnerability and other reports from Cyble, click here.

The post Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered appeared first on Cyble.

Blog – Cyble – ​Read More