Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail - Related to partition, alarm, attacks, driver, actively

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The list of vulnerabilities is as follows -.

CVE-2023-20118 (CVSS score: - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status).

(CVSS score: - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) CVE-2022-43939 (CVSS score: - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions and .

(CVSS score: - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions and CVE-2022-43769 (CVSS score: - A special element injection vulnerability in Hitachi Vantara Pentaho BA Server that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution (Fixed in August 2024 with versions and .

(CVSS score: - A special element injection vulnerability in Hitachi Vantara Pentaho BA Server that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution (Fixed in August 2024 with versions and CVE-2018-8639 (CVSS score: - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and. Running arbitrary code in kernel mode (Fixed in December 2018).

(CVSS score: - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) CVE-2024-4885 (CVSS score: - A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker to achieve remote code execution (Fixed in version in June 2024).

In relation to this, there are little-to-no reports about how some of the aforementioned flaws are weaponized in the wild, but French cybersecurity firm Sekoia revealed last week that threat actors are abusing CVE-2023-20118 to rope susceptible routers into a botnet called PolarEdge.

As for CVE-2024-4885, the Shadowserver Foundation mentioned it has observed exploitation attempts against the flaw as of August 1, 2024. Data from GreyNoise reveals that as many as eight unique IP addresses from Hong Kong, Russia, Brazil, South Korea, and the United Kingdom are linked to the malicious exploitation of the vulnerability.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are urged to apply the necessary mitigations by March 24, 2025, to secure their networks.

The US Cybersecurity and. Infrastructure Security Agency says that media reports about it being directed to no longer follow or study on Russian cyber...

Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware ...

Close to 12,000 valid secrets that include API keys and passwords have been found in the Common Crawl dataset used for training multiple artificial in...

Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's driver in ransomware attacks to escalate privileges and execute arbitrary code.

Building on these developments, the zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, (CERT/CC).

"These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC noted.

In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that "" is signed by Microsoft.

In relation to this, this could also pave the way for what's called a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver is not installed, thereby allowing the threat actors to obtain elevated privileges and execute malicious code.

The list of vulnerabilities. Which impact versions and , is as follows -.

CVE-2025-0285 - An arbitrary kernel memory mapping vulnerability in version caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges.

- An arbitrary kernel memory mapping vulnerability in version caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges. CVE-2025-0286 - An arbitrary kernel memory write vulnerability in version due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine.

- An arbitrary kernel memory write vulnerability in version due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine. CVE-2025-0287 - A null pointer dereference vulnerability in version caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.

- A null pointer dereference vulnerability in version caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation. CVE-2025-0288 - An arbitrary kernel memory vulnerability in version caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.

- An arbitrary kernel memory vulnerability in version caused by the memmove function. Which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation. CVE-2025-0289 - An insecure kernel resource access vulnerability in version 17 caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service.

The vulnerabilities have since been addressed by Paragon Software with version of the driver, with the susceptible version of the driver added to Microsoft's driver blocklist.

The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice's product suite ("") to bypass detection and deploy the Gh0st RAT malware.

Rubrik disclosed last month that one of its servers hosting log files was breached, causing the firm to rotate potentially leaked authentication ke...

Close to 12,000 valid secrets that include API keys and passwords have been found in the Common Crawl dataset used for training multiple artificial in...

Brazil, South Africa. Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malw...

Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, .

In relation to this, the cybersecurity firm is tracking the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation). Which it noted overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to be active since 2019.

"The group focused historically on defacing websites," security researcher Margaret Kelley expressed. "In 2022, they pivoted to sending out phishing emails for financial gain."

It's worth noting that these attacks do not exploit any vulnerability in AWS. Rather, the threat actors take advantage of misconfigurations in victims' environments that expose their AWS access keys in order to send phishing messages by abusing Amazon Simple Email Service (SES) and WorkMail services.

In doing so, the modus operandi offers the benefit of not having to host or pay for their own infrastructure to carry out the malicious activity.

What's more, it enables the threat actor's phishing messages to sidestep email protections since the digital missives originate from a known entity from which the target organization has previously received emails.

"JavaGhost obtained exposed long-term access keys associated with identity and. Access management (IAM) people that allowed them to gain initial access to an AWS environment via the command-line interface (CLI)," Kelley explained.

"Between 2022-24, the group evolved their tactics to more advanced defense evasion techniques that attempt to obfuscate identities in the CloudTrail logs. This tactic has historically been exploited by Scattered Spider."

Once access to the organization's AWS account is confirmed, the attackers are known to generate temporary credentials and. A login URL to allow console access. This, Unit 42 noted, grants them the ability to obfuscate their identity and gain visibility into the resources within the AWS account.

Subsequently, the group has been observed utilizing SES and WorkMail to establish the phishing infrastructure, creating new SES and WorkMail clients, and. Setting up new SMTP credentials to send email messages.

"Throughout the time frame of the attacks, JavaGhost creates various IAM people, some they use during their attacks and others that they never use," Kelley noted. "The unused IAM people seem to serve as long-term persistence mechanisms."

Another notable aspect of the threat actor's modus operandi concerns the creation of a new IAM role with a trust policy attached, thereby permitting them to access the organization's AWS account from another AWS account under their control.

"The group continues to leave the same calling card in the middle of their attack by creating new Amazon Elastic Cloud Compute (EC2) security groups named Java_Ghost, with the group description 'We Are There But Not Visible,'" Unit 42 concluded.

"These security groups do not contain any security rules and. The group typically makes no attempt to attach these security groups to any resources. The creation of the security groups appear in the CloudTrail logs in the CreateSecurityGroup events."

In Zohocorps ADSelfService Plus können Angreifer eine Sicherheitslücke missbrauchen. Um Konten zu übernehmen. Aktualisierte Software stopft das Sicher...

CISA has warned US federal agencies to secure their systems against attacks exploiting vulnerabilities in Cisco and. Windows systems.

Vor zwei Sicherheitslücken in der Bedienoberfläche zu IBM Storage-Virtualize-Produkten warnt der Hersteller derzeit. Angreifer aus dem Netz können dad...