Sygnia investigates Weaver Ant, a stealthy China-nexus threat actor targeting telecom providers. Learn how web shells enable persistence and espionage.
The hackers compromised home routers made by Zyxel to gain entry into a “major” telecommunications company's environment.
orums as part of our Threat Discovery Process.
Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.
Target Technologies: Windows
Target Geography: France, USA.
Target Industry: Government, Manufacturing, Pharma.
Encrypted file extension: .vanhelsing
Observed First: 2025-03-16
Threat actor Communication mode: Tor
This critical vulnerability allowed attackers to bypass authentication implemented in the middleware layer. With the popularity of this framework on the internet and within our customers' attack surfaces, our Security Research team took a deeper look at the issue.
GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities CVE-2024-4879 (Critical), CVE-2024-5217 (Critical), and CVE-2024-5178 (Medium). These vulnerabilities reportedly may be chained together for full database access.
Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. When active, the attack presented dealership visitors with a ClickFix webpage which led to a SectopRAT malware.
Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
tj-actions/changed-files corrupted to run credential-stealing memory scraper.
Recently, Yasser Allam, known by the pseudonym inzo_, and I, decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on github, currently downloaded + 9,4 million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us.
Next.js is a comprehensive javascript framework based on React, packed with numerous features — the perfect playground for diving into the intricacies of research. We set out, fueled by faith, curiosity, and resilience, to explore its lesser-known aspects, hunting for hidden treasures waiting to be found.
It didn’t take long before we uncovered a great discovery in the middleware. The impact is considerable, with all versions affected, and no preconditions for exploitability — as we’ll demonstrate shortly.
How to find Next.js on your network
Explore the critical CVE-2025-29927 vulnerability in Next.js middleware, enabling attackers to bypass authorization checks and gain unauthorized access.
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]
This advisory describes an out-of-bounds write vulnerability in the Linux kernel that achieves local privilege escalation on Ubuntu 22.04 for active user sessions.
Credit
An independent security researcher working with SSD Secure Disclosure.
Vendor Response
Ubuntu has released the following advisory and fix: https://ubuntu.com/security/CVE-2025-0927
Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440, Author: Johannes Ullrich
Cisco recently released an advisory for CVE-2024-20439 here. (nvd) Please note I did not discover this vulnerability, I just reverse engineered the vulnerability from the advisory
Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process.
A Moscow-based disinformation network named “Pravda” — the Russian word for "truth" — is pursuing an ambitious strategy by deliberately infiltrating the retrieved data of artificial intelligence chatbots, publishing false claims and propaganda for the purpose of affecting the responses of AI models on topics in the news rather than by targeting human readers, NewsGuard has confirmed. By flooding search results and web crawlers with pro-Kremlin falsehoods, the network is distorting how large language models process and present news and information. The result: Massive amounts of Russian propaganda — 3,600,000 articles in 2024 — are now incorporated in the outputs of Western AI systems, infecting their responses with false claims and propaganda.
On Wednesday, March 19, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution vulnerability tracked as CVE-2025-23120. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration
In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.
