
25 matches found

CVE
added 2025/06/04 1:1 p.m. | 45 views

CVE-2025-1701

CVE-2025-1701 affects MIM Admin Service prior to 7.2.13, 7.3.8, or 7.4.3. The issue allows a local attacker with access to the RMI interface (bound to 127.0.0.1) to send a specially crafted request and execute arbitrary code with the privileges of the MIM Admin service. The RMI surface is locally...

CVSS 8.9 | AI score 7.4 | EPSS 0.00097
Exploits 0 | References 1

Tenable Nessus
added 2024/02/22 12:0 a.m. | 67 views

AlmaLinux 8 : mysql:8.0 (ALSA-2024:0894)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:0894 advisory. mysql: InnoDB unspecified vulnerability CPU Apr 2023 CVE-2023-21911 mysql: Server: DDL unspecified vulnerability CPU Apr 2023 CVE-2023-21919,...

CVSS 7.5 | AI score 6.5 | EPSS 0.06984
Exploits 0 | References 76

Securelist
added 2023/10/18 10:0 a.m. | 66 views

Updated MATA attacks industrial companies in Eastern Europe

In early September 2022, we discovered several new malware samples belonging to the MATA cluster. As we were collecting and analyzing the relevant telemetry data, we realized the campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil an...

CVSS 5.1 | AI score 7.4 | EPSS 0.92473
Exploits 11

ThreatPost
added 2022/01/05 10:18 p.m. | 92 views

‘Elephant Beetle’ Lurks for Months in Networks

Researchers have identified a threat group that’s been quietly siphoning off millions of dollars from financial- and commerce-sector companies, spending months patiently studying their targets’ financial systems and slipping in fraudulent transactions amongst regular activity. The Sygnia Incident...

CVSS 10 | AI score 10 | EPSS 0.93884
Exploits 16 | References 14

Microsoft Malware Protection
added 2021/03/04 5:0 p.m. | 273 views

GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence

Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. As we have shared previously, we have observed the threat actor using...

Exploits 0

OSV
added 2020/09/01 4:7 p.m. | 9 views

GHSA-9CHW-XRWX-F86J frames-compiler downloads Resources over HTTP

Affected versions of frames-compiler insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on th...

CVSS 8.1 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 2

Github Security Blog
added 2019/02/18 11:47 p.m. | 21 views

Downloads Resources over HTTP in ntfserver

Affected versions of ntfserver insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the syst...

CVSS 9.3 | AI score 6.2 | EPSS 0.00735
Exploits 0 | References 3 | Affected Software 1

OSV
added 2019/02/18 11:44 p.m. | 16 views

GHSA-WG5R-C793-W5W2 Downloads Resources over HTTP in mystem-wrapper

Affected versions of mystem-wrapper insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 3

Github Security Blog
added 2019/02/18 11:42 p.m. | 22 views

Downloads Resources over HTTP in arcanist

Affected versions of arcanist insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the syste...

CVSS 9.3 | AI score 5.4 | EPSS 0.00735
Exploits 0 | References 3 | Affected Software 1

Securelist
added 2018/09/10 10:0 a.m. | 41 views

LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company

What happened? Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is sign...

AI score 0.5
Exploits 0

OSV
added 2018/08/17 8:20 p.m. | 0 views

GHSA-VCFP-PPQW-MF23 fis-sass-all downloads Resources over HTTP

Affected versions of fis-sass-all insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 8.1 | AI score 6.3 | EPSS 0.00735
Exploits 0 | References 4

OSV
added 2018/08/15 7:3 p.m. | 14 views

GHSA-P65H-233C-JXVM Downloads Resources over HTTP in resourcehacker

Affected versions of resourcehacker insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 4

OSV
added 2018/08/15 6:50 p.m. | 14 views

GHSA-8WG9-92FR-6J7V marionette-socket-host downloads Resources over HTTP

Affected versions of marionette-socket-host insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...

CVSS 8.1 | AI score 8.1 | EPSS 0.00735
Exploits 0 | References 4

FireEye
added 2017/09/01 11:0 a.m. | 18 views

Monitoring Windows Console Activity (Part 1)

Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control C2 console tools...

AI score 0.9
Exploits 0

Node.js
added 2016/12/01 5:29 p.m. | 33 views

Downloads Resources over HTTP

Overview Affected versions of redis-srvr insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution o...

CVSS 9.3 | AI score 5.3 | EPSS 0.00735
Exploits 0 | Affected Software 1

Node.js
added 2016/12/01 5:27 p.m. | 20 views

Downloads Resources over HTTP

Overview Affected versions of haxe-dev insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on...

CVSS 9.3 | AI score 4.9 | EPSS 0.00735
Exploits 0 | Affected Software 1

ThreatPost
added 2013/06/25 2:31 p.m. | 16 views

Researchers Uncover PinkStats APT Toolkit

The arsenal of tools that attack groups use to do their business is seemingly endless, and many of them remain unknown for years before they’re discovered. Often, it’s not until a tool has been compromised or sold on the open market that researchers get a close look at it, but that’s been changin...

AI score 7.1
Exploits 0 | References 3

The Hacker News
added 2013/04/23 7:43 p.m. | 9 views

Hacked Twitter account of The Associated Press posted bogus report of attack at White House

The Associated Press Twitter account has been hacked, and posted a bogus post about explosions at the White House and Barack Obama is injured. Within a few minutes, Twitter suspended the account, and Julie Pace, the chief White House correspondent for The A.P., announced at a White House briefing...

AI score 7
Exploits 0

The Hacker News
added 2013/04/23 8:43 a.m. | 7 views

Hacked Twitter account of The Associated Press posted bogus report of attack at White House

The Associated Press Twitter account has been hacked, and posted a bogus post about explosions at the White House and Barack Obama is injured. Within a few minutes, Twitter suspended the account, and Julie Pace, the chief White House correspondent for The A.P., announced at a White House briefing...

AI score 7
Exploits 0

ThreatPost
added 2011/09/06 3:1 p.m. | 8 views

Audit Report Shows Many Cracks in DigiNotar Security

A new report on the security of DigiNotar paints an ugly picture of the certificate authority’s safeguards and network infrastructure, showing that the company had all of its CA servers on one Windows domain and likely failed to separate the critical components on its network, making it easy for...

AI score 0.5
Exploits 0 | References 3