Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.

The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.

The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.

Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.

"A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.

The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.

Sophos was brought in to investigate the attack and believe the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system.

SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks.

The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections.

The threat actors then attempted to steal data and deploy decryptors on customer networks, which were blocked on one of the networks using Sophos endpoint protection. However, the other customers were not so lucky, with devices encrypted and data stolen for double-extortion attacks.

Sophos has shared IOCs related to this attack to help organizations better defend their networks.

MSPs have long been a valuable target for ransomware gangs, as a single breach can lead to attacks on multiple companies. Some ransomware affiliates have specialized in tools commonly used by MSPs, such as SimpleHelp, ConnectWise ScreenConnect, and Kaseya.

This has led to devastating attacks, including REvil's massive ransomware attack on Kaseya, which impacted over 1,000 companies.

The Bumblebee malware SEO poisoning campaign uncovered earlier this week aimpersonating RVTools is using more typosquatting domainsi mimicking other popular open-source projects to infect devices used by IT staff.

BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR tracerout utility.

Both of these tools are commonly used by IT staff to diagnose or analyze network traffic, requiring administrative privileges for some of the features to work This makes users of these tools prime targets for threat actors looking to breach corporate networks and spread laterally to other devices.

The Bumblebee malware loader has been pushed through at least two domains - zenmap[.]pro and winmtr[.]org. While the latter is currently offline, the former is still online and shows a fake blog page about Zenmap when visited directly.

When users are redirected to zenmap[.]pro from from search results, though, it shows a clone of the legitimate website for the nmap (Network Mapper) utility:

The two sites received traffic through SEO poisoning and rank high in Google and Bing search results for the associated terms.

Bleepingcolputer's tests show that if you visit the fake Zenmap site directly, it shows several AI-generated articles instead, as seen in the image below:

The payloads delivered through the download section ‘zenmap-7.97.msi’ and ‘WinMTR.msi, and they both evade detection from most antivirus engines on VirusTotal [1, 2].

The installers deliver the promised application along with a malicious DLL, as in the case of RVTools, which drops a Bumblebee loader on users' devices.

From there, the backdoor can be used to profile the victim and introduce additional payloads, which may include infostealers, ransomware, and other types of malware.

Apart from the open-source tools mentioned above, BleepingComputer has also seen the same campaign targeting users looking for Hanwha security camera management software WisenetViewer.

Cyjax’s researcher Joe Wrieden also spotted a trojanized version of the video management software Milestone XProtect being part of the same campaign, the malicious installers being delivered ‘milestonesys[.]org’ (online).

Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations.
The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations.

"We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson.

"Due to the safety measures initiated as a result of the incident, production was temporarily affected."

Arla Foods is an international dairy producer and a farmer-owned cooperative with 7,600 members. It employs 23,000 people in 39 countries.

The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide.

The company told BleepingComputer that it is currently working to resume operations at the impacted facility, which should bring results before the end of the week.

"Since then, we've been working diligently to restore full operations. We expect to return to normal operations at the site in the next few days. Production at other Arla sites is not affected."

Considering that the first reports about a disruption at Arla's production operations surfaced on Friday, it is bound to cause shortages in some cases.

"We have informed our affected customers about possible delivery delays and cancellations," explained Arla's spokesperson.

BleepingComputer has asked the firm if the attack involved data theft or encryption, both staples of a ransomware attack, but Arla declined to share any additional information at this time.

Meanwhile, there have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown.

Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes.

The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000.

When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number.

Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users.

Valve did not respond to our requests for a comment on the threat actor's claims.

Independent games journalist MellolwOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio.

MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.

During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.
The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit.

Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.

Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape.

In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server.

On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days.

​​​The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.

​Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability.

Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration.

As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks.

"Customers who have followed Ivanti's guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment," Ivanti said.

"Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ."

Ivanti added that CVE-2025-22462 only impacts on-premises instances running versions 2023.4, 2024.2, 2024.3, and earlier, and said that it found no evidence that the vulnerability is being exploited to target customers.

Product Name Affected Version(s) Resolved Version(s)
Ivanti Neurons for ITSM (on-prem only) 2023.4, 2024.2, and 2024.3 2023.4 May 2025 Security Patch
2024.2 May 2025 Security Patch
2024.3 May 2025 Security Patch
The company also urged customers today to patch a default credentials security flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA) that can let local authenticated attackers escalate privileges on vulnerable systems.

While this vulnerability isn't exploited in the wild either, Ivanti warned that the patch won't be applied correctly after installing today's security updates and asked admins to reinstall from scratch or use these mitigation steps to ensure their network is protected from potential attacks.

A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.

ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.

These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware.

However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.

ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.

The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.

The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.

All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."

LockBit dark web site defaced with link to database
As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database.

From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:

A 'btc_addresses' table that contains 59,975 unique bitcoin addresses.
A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds.
A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt.
A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.
Affiliate panel 'chats' table
Affiliate panel 'chats' table
A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'.
In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.

Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025.

It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.

​Polish authorities have detained four suspects linked to six DDoS-for-hire platforms, believed to have facilitated thousands of attacks targeting schools, government services, businesses, and gaming platforms worldwide since 2022.

Such platforms are often marketed as legitimate testing tools on the dark web and hacking forums, but are mainly used to disrupt online services, servers, and websites by flooding them with traffic in distributed denial-of-service (DDoS) attacks and causing outages for real users.

The six DDoS services, named Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, have been taken down in a coordinated law enforcement action involving authorities from Germany, the Netherlands, Poland, and the United States.

"In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide," Europol said on Wednesday.

"The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."

A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.

The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.

Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload - a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity.

Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.

An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.

The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.

“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket

The researchers discovered the attack in April and identified three Go modules on GitHub, that have since been removed from the platform:

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy

Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.

The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom.

In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online.

"On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

"We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.

Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.

In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins.

Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's

MITRE Vice President Yosry Barsoum has warned that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires today, which could lead to widespread disruption across the global cybersecurity industry.

In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet's customers and detained at least five individuals.

EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.