Data from GreyNoise shows that while daily attack activity has slightly slowed, it remains extremely high. Attack volumes now average 300,000 to 400,000 attempts per day, confirming that exploitation is ongoing and well-organized.

Large-Scale and Global Exploitation

The attack campaign is spread across a wide infrastructure. Researchers observed activity coming from thousands of unique IP addresses, spanning over 1,000 networks and more than 100 countries.

Cloud platforms are being widely abused to support the attacks. A large portion of the traffic originates from major cloud providers, with Amazon Web Services accounting for a significant share. This approach helps attackers blend in with legitimate traffic and rotate infrastructure quickly.

How the Attacks Work

Most exploitation attempts follow a consistent pattern:

• Initial probes test whether commands can be executed on the target system
• If successful, attackers deliver encoded payloads
• Additional scripts are run using techniques designed to bypass security controls

Attackers continue to refine their methods, creating tens of thousands of unique payloads and using varied tools to avoid detection. This constant change makes static defenses like fixed IP blocklists ineffective.

What Organizations Should Do

Systems that remain unpatched are still at risk. Nearly half of the attacking infrastructure appeared only in recent months, showing that new resources are constantly being added.

To reduce exposure, organizations should:

• Patch affected React Server Components immediately
• Monitor for suspicious PowerShell activity and encoded commands
• Use dynamic threat intelligence rather than static blocklists
• Apply network-level protections to exposed services

React2Shell is not a short-lived threat. It remains an active and persistent attack vector that requires immediate attention and ongoing monitoring.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post React2Shell Vulnerability Under Mass Exploitation appeared first on First Hackers News.

By abusing weakly protected components such as kernel drivers and named pipes, a standard user account can be elevated to SYSTEM-level access. Kernel drivers are especially attractive targets when IOCTL handling lacks proper input validation.

Windows Kernel and Named Pipe Flaws

In some WDM drivers that use METHOD_BUFFERED mode, the I/O Manager creates a kernel buffer but does not properly check the data coming from user space. This missing validation becomes a serious security weakness.

Attackers can abuse this gap by sending specially crafted IOCTL requests. These requests include dangerous pointer and size values that the kernel mistakenly trusts and processes.

A typical attack starts by finding exposed device names, then reviewing IOCTL handling logic, and finally identifying weak input checks. Once found, attackers can force the driver to call unsafe kernel functions such as MmMapIoSpace.

This gives them arbitrary read and write access in kernel memory, which can be used to steal the SYSTEM process token and assign it to their own process, resulting in full privilege escalation.

Named pipes are widely used for communication between processes, especially by services running as SYSTEM. This makes them an attractive target for attackers.

While named pipes do not access memory directly like kernel drivers, many services trust incoming pipe messages without proper checks, creating another path for privilege escalation.

The attack begins by looking for SYSTEM-owned named pipes that have weak permissions, allowing any user to read from or write to them. Attackers then study how the pipe works by analyzing the service’s code.

In some cases, services accept pipe requests without properly checking who sent them. This lets a normal user ask the service to perform privileged actions.

Researchers have seen examples where this flaw allowed changes to sensitive HKLM registry keys. One real-world case involved a commercial antivirus product, where an insecure named pipe was abused to modify the registry without authorization.

This weakness can let attackers abuse Image File Execution Options (IFEO) to run their own code as SYSTEM.

To reduce risk, security teams should closely review third-party kernel drivers, limit IOCTL access, and ensure all user input is properly checked before it reaches the kernel. Named pipes also need strict permission checks and clear validation of every request.

Research published by Hackyboiz shows that many environments expose named pipes with overly broad permissions. Organizations should identify these pipes and disable or lock down the risky ones. As Windows systems continue to be targeted by advanced attackers, understanding these local privilege-escalation paths is critical for protecting enterprise environments.

The post Windows Kernel and Named Pipe Flaws Enable Privilege Escalation appeared first on First Hackers News.

With over 20,000 active installations, this popular plugin is utilized for content submissions created by users and is the brainchild of Plugin Planet.

All about the vulnerability :

The security researcher at Patchstack, Rafie Muhammad, brought attention to this vulnerability, and it has now been officially registered as CVE-2023-45603. According to the researcher, this vulnerability permits unauthorized file uploads.

The bug pertains to how the plugin manages uploaded files, specifically within the “usp_attach_images” function. Unauthenticated users could potentially exploit this vulnerability by uploading files containing embedded PHP code, which may subsequently execute on the server, potentially jeopardizing the security of the website.

The researcher elaborated that their team unearthed the vulnerability within the User Submitted Posts WordPress plugin in September 2023.

Plugin Planet promptly issued a patch just two days after its discovery. By October 10, 2023, the vulnerability had been officially documented in the Patchstack database.

“Since the main problem is that arbitrary file name extensions are allowed to be uploaded, the vendor decided to add a whitelist check before uploading the file to the server“, refers.

The matter has been resolved in the most recent release of the WordPress plugin, denoted as version 20230914. Users are strongly advised to promptly upgrade to safeguard their websites.

The researcher also emphasized, “Always scrutinize each $_FILES parameter in the plugin or theme code. Be sure to validate the file name and extension before proceeding with file uploads.”

Website owners are also encouraged to review their code for potential vulnerabilities and implement a whitelist of approved file extensions as a preventive measure against unauthorized file uploads.

Basic Safety Measures 

Administrators of a WordPress website should consider several fundamental security measures:

1. Employing robust and unique passwords for access.
2. Consistently updating the software to the latest versions.
3. Implementing a dedicated antivirus protection tool.
4. Periodically reviewing and enhancing the website’s security protocols.

Ensuring WordPress site security is paramount in safeguarding your website against threats. By deploying suitable security measures and maintaining regular software updates, you can fortify your website’s security and uphold a steadfast and trustworthy online presence.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post User Submitted Posts: Vulnerability found in WordPress plugin appeared first on First Hackers News.

“Aqua security researchers, including Mor Weinberger, Yakir Kadkoda, and Ilay Goldman, conveyed in a report to The Hacker News that these vulnerabilities lead to unavoidable typosquatting attacks in the registry and complicate users’ ability to discern package ownership.”

Vulnerabilities in PowerShell Gallery Enabling Supply Chain Attacks

Managed by Microsoft, PowerShell Gallery is a primary hub for distributing and obtaining PowerShell code, encompassing modules, scripts, and Desired State Configuration (DSC) resources. The registry hosts 11,829 unique packages and a total of 244,615 packages.

The cloud security company pinpointed concerns linked to the registry’s lenient package naming policy, which lacks safeguards against typosquatting attacks. This oversight empowers attackers to upload deceptive malicious PowerShell modules, fooling unsuspecting users.

Another issue involves a malicious individual being able to manipulate a module’s metadata, such as Author(s), Copyright, and Description fields. This manipulation makes the module seem more genuine, tricking unsuspecting users into installing it.

The researchers mentioned that users can only confirm the true author/owner by accessing the “Package Details” tab.

However, this leads only to the false author’s profile since attackers can freely choose any name while making a user on the PowerShell Gallery. Hence, identifying the true author of a PowerShell module in the PowerShell Gallery is challenging.

Another issue is a third vulnerability, exploitable by attackers to list all package names and versions, even those meant to be private. This exploit employs the PowerShell API “https://www.powershellgallery.com/api/v2/Packages?$skip=number,” granting unrestricted access to the entire PowerShell package database, along with its versions.

Aqua notified Microsoft about the issues in September 2022. Microsoft supposedly implemented reactive fixes by March 7, 2023. However, the problems can still be replicated.

The researchers emphasized, “As we rely more on open-source projects and registries, security risks become more noticeable.”

“The main responsibility for user security rests with the platform. It’s crucial for PowerShell Gallery and similar platforms to bolster their security measures.”

The post Researchers Detect Vulnerabilities in PowerShell Gallery Enabling Supply Chain Attacks appeared first on First Hackers News.

The findings come as a follow-up to Team Cymru’s previous malware infrastructure analysis, emerging just over two months after Lumen Black Lotus Labs disclosed that 25% of its C2 servers remain active for only a single day.

QakBot Malware

QakBot, also known as QBot, is a sophisticated banking Trojan malware that targets financial institutions and their customers. It steals sensitive information, creates botnets, and establishes a command-and-control network to control infected computers remotely.

The cybersecurity firm reported that QakBot has a consistent pattern of going on an extended break each summer and then resurfacing sometime in September. This year, its spamming activities halted around 22 June 2023.

QakBot’s C2 network has a tiered architecture similar to Emotet and IcedID. The C2 nodes communicate with Tier 2 (T2) C2 nodes hosted on VPS providers in Russia.

Most of the bot C2 servers, which communicate with victim hosts, are in India and the U.S. The outbound T2 connections lead to IP addresses primarily based in the U.S., India, Mexico, and Venezuela.

Additionally, there is a BackConnect (BC) server alongside the C2s and Tier 2 C2s, which turns the infected bots into proxies for other malicious activities.

Team Cymru’s latest research shows a significant decrease in the number of C2s communicating with the T2 layer, leaving only eight remaining. This reduction was partly due to Black Lotus Labs’ null-routing of the higher-tier infrastructure in May 2023.

An analysis of NetFlow data reveals a pattern where increased outbound T2 connections often follow spikes in inbound bot C2 connections. Conversely, spikes in outbound T2 connections coincide with a decline in bot C2 activity.

Team Cymru explained that QakBot’s strategy of using victims as C2 infrastructure with T2 communication results in double harm to users – first in the initial compromise and then in the risk of being publicly identified as malicious.

Indicators of Compromise

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post QakBot Malware Operators Ramp Up C2 Network with 15 New Servers appeared first on First Hackers News.

MOVEit Transfer

The software at the center of the recent massive Clop ransomware breach, MOVEit Transfer, has been updated to address a critical SQL injection bug along with two additional vulnerabilities of lesser severity.

The SQL injection vulnerabilities enable attackers to manipulate queries in order to gain unauthorized access to a database or manipulate its contents by executing malicious code. These attacks exploit the absence of adequate input/output data sanitization in the targeted application.

The two SQL injection security issues impact various versions of MOVEit Transfer, including:

• Versions 12.1.10 and earlier
• Versions 13.0.8 and earlier
• Versions 13.1.6 and earlier
• Versions 14.0.6 and earlier
• Versions 14.1.7 and earlier
• Versions 15.0.3 and older.

The second SQL injection flaw, identified as CVE-2023-36932, received a high severity rating because an attacker could exploit it after authentication.

A third vulnerability addressed by this patch is CVE-2023-36933, a high severity issue that allows attackers to cause an unexpected program termination.

In response to the significant impact of the security incident, the American software company has made the decision to implement a proactive measure by introducing monthly security updates known as “Service Packs.”

This new approach enhances the software upgrade process, enabling MOVEit Transfer administrators to apply fixes more efficiently and promptly than previous methods.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post MOVEit Transfer customers are being warned to fix a new, critical flaw appeared first on First Hackers News.

Below are the two vulnerabilities :

CVE-2023-33009: A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1.

CVE-2023-33010: Another buffer overflow vulnerability in the ID processing function in the same Zyxel firmware versions.The flaw could once again allow an unauthenticated attacker to cause “conditions DoS” or remotely execute code on an affected device. Both issues are classified as “critical” vulnerabilities, with a severity score of 9,8.

How to install updates

Login to your ZLD appliance and go to Configuration → Licensing → Registration → Service and click the Service License Refresh button.  This must be done before you can access your myZyxel account to download new firmware patches. This will sync necessary info with the myZyxel server (info like running firmware version, MAC Address, S/N, etc.).

Open an internet browser and go to URL: https://portal.myzyxel.com/ and login to your account.

Once in your account dashboard, find the ZLD router you wish to download firmware for and click on the Download button under the “Firmware Update” column.

The post Zyxel firewalls are affected by two security flaws appeared first on First Hackers News.

CVE-2022-45359 Vulnerability

The CVE-2022-45359 vulnerability allows unauthenticated attackers to upload executables to vulnerable e-commerce websites, as well as install backdoors, obtain remote code execution, and take control of the website for further compromise. 

The bug is being weaponized to full access to a vulnerable website to sites running the YITH WooCommerce Gift Cards Premium plugin, WordPress security company Wordfence noted.

According to reports, Wordfence was able to reverse-engineer the exploit using attack data and a copy of the vulnerable plugin, and they are now disclosing details about its operation.Sending a request to /wp-admin/admin-post.php as an unauthenticated attacker will cause functions that run on admin init to be activated because admin init runs for any page in the /wp-admin/ directory.

The issue was discovered on November 22, 2022, and was addressed with the release of version 3.20.0.

Below are some files uploaded by threat actors in attacks analyzed by Wordfence:

• kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com)
• b.php – this file is a simple uploader
• admin.php – this file is a password-protected backdoor

The vulnerability has been exploited in attacks, with the following IP addresses accounting for the vast majority of exploitation attempts: 

• 103.138.108[.]15 
• 188.66.0[.]135 

Mitigation

Users of the WooCommerce Gift Cards plugin must update to version 3.20.0 or higher to avoid the vulnerability. 

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post RCE Vulnerability (CVE-2022-45359) in Yith WooCommerce Gift Cards Plugin Exploited in Attacks appeared first on First Hackers News.

CVE-2022-40259 and CVE-2022-40242 vulnerabilities have CVSS scores of 9.8, while the CVE-2022-2827 vulnerability has a CVSS score of 7.5 on the National Vulnerability Database (NVD).

MegaRAC is a BMC software implementation developed by American Megatrends (AMI), which is also one of the largest providers of UEFI/BIOS firmware for computers. Manufacturers known to have used MegaRAC BMC in at least some of their products include AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, NVidia, Qualcomm, Quanta, and Tyan.

CVE-2022-40259 (CVSS 9.5) – an arbitrary code execution vulnerability in the Redfish API implementation. A specially crafted exploit from an attacker with minimum access to the target device could trigger the flaw.

CVE-2022-40242 (CVSS 8.3) – Default credentials for UID = 0 shell via SSH. The researchers stated that they found “a hash in etc/shadow for the sysadmin user,” cracking, which made them reach the default credentials. Exploiting this vulnerability merely requires an attacker to have remote access to the target device.

CVE-2022-2827 (CVSS 7.5) – when resetting the password, one of the parameters could allow an adversary to discover various user accounts by querying possible usernames. It then allows the attacker to perform credential stuffing or brute force attacks against those accounts.

These vulnerabilities pose a serious risk because they could lead to supply chain attacks. Many server manufacturers, including NVidia, AMD, Asus, Huawei, Lenovo, Quanta, and Dell EMC, use MegaRAC BMC. 

Versions Affected

Mitigations for the MegaRAC BMC vulnerabilities

• Make sure critical firmware and remote server management subsystems (like MegaRAC, iDRAC, iLO, etc.) are covered in vulnerability assessments. 
• Server owners should also review the default configurations on their BMCs and disable default accounts or change default passwords. 
• Make sure the software is up-to-date and remove unnecessary remote access.

The post MegaRAC flaws, IP leak impact multiple server brands appeared first on First Hackers News.

OpenSSL said it had lowered the severity rating for the latter bug after they were given technical feedback about its details and spent the last week working with several organizations to test the issue. 

Two High Severity Vulnerabilities

The first vulnerability, CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow), is an arbitrary 4-byte stack buffer overflow that might trigger crashes or lead to remote code execution (RCE). CVE-2022-3602 is the vulnerability assessed as critical in the announcement.

According to the OpenSSL Blog, it became evident that certain Linux distributions were immune to the buffer overflow, therefore, to the crash and the RCE.

The second vulnerability, CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow), can be exploited by attackers via malicious email addresses to trigger a denial of service state via a buffer overflow.

The company noted that the number of hosts running a 3.0.0 version of OpenSSL has slowly grown over the past few months from about 3,000 in August. 

The vulnerabilities affect the OpenSSL version 3.0.0 – 3.0.6. Any platform that uses earlier versions is not affected by these vulnerabilities.

Mitigation

The vulnerabilities only affect the OpenSSL version 3.0.0 – 3.06, which is around 1.5% of the OpenSSL users, according to Wiz.io. Any platform that uses earlier versions is safe. The affected platforms should be upgraded as soon as possible to version 3.0.7.

As a mitigation, users can disable the TLS client authentication until they can apply the fix.

Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post OpenSSL Announced Two High-Severity Vulnerabilities Are Fixed appeared first on First Hackers News.