#GoAnywhere

RedPacket SecurityRedPacketSecurity
2025-12-19

Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed FileTransfer vulnerability - redpacketsecurity.com/investig


#CVE-2025-10035 #MFT #vulnerability #Storm-1175 #ransomware

Xavier «X» Santolaria :verified_paw: :donor:0x58@infosec.exchange
2025-10-12

🔥 Latest issue of my curated #cybersecurity and #infosec list of resources for week #41/2025 is out!

→ It includes the following and much more:

😱 13-Year #Redis Flaw Exposed: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely;

🩹 #Google #DeepMind’s New #AI Agent Finds and Fixes Vulnerabilities;

💬 5.5 Million People Impacted in #Discord Breach;

🇯🇵 🍺 Qilin #ransomware says it attacked Japan’s Asahi;

🇺🇸 Microsoft says the Storm-1175 cybercrime group exploited a zero-day in #GoAnywhere MFT;

🔓 The Cl0p ransomware group stole data from Oracle E-Business Suite customers;

🔥 🧱 #SonicWall admits attacker accessed all customer firewall configurations stored on #cloud portal;

--

👉 NEVER MISS my curations and updates on information security and cybersecurity news and challenges 📨 Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

Offensive Sequenceoffseq@infosec.exchange
2025-10-12

🔥 CRITICAL: CVE-2025-10035 in GoAnywhere MFT (7.6.x–7.8.x) enables unauthenticated remote command injection—actively exploited for ransomware (Medusa). Restrict admin console access, patch now, and monitor for IOCs. Details: radar.offseq.com/threat/from-d #OffSeq #vuln #GoAnywhere #BlueTeam

Critical threat: From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation
Offensive Sequenceoffseq@infosec.exchange
2025-10-09

Medusa ransomware is exploiting CRITICAL vuln (CVE-2025-10035) in Fortra GoAnywhere MFT. Private key compromise enables data breaches & ransomware. Audit key management, monitor access, & apply vendor updates. radar.offseq.com/threat/medusa #OffSeq #GoAnywhere #Ransomware #Infosec

Critical threat: Medusa Ransomware Actors Exploit Critical Fortra GoAnywhere Flaw
2025-10-07

🔒 Microsoft confirms Medusa ransomware is actively exploiting a CVSS 10.0 deserialization flaw in Fortra’s #GoAnywhere MFT. If your GoAnywhere instance is internet-exposed, patch immediately.

Read: hackread.com/medusa-ransomware

#CyberSecurity #Ransomware #Medusa #ZeroDay

2025-10-07

⚠️ Microsoft warns of critical GoAnywhere flaw under attack A zero-day in Fortra’s GoAnywhere MFT (CVE-2024-0204) is being actively exploited to steal data and deploy ransomware. Microsoft links the activity to Lace Tempest, known for CL0P ransomware. 👉🏻 patch immediately. #ransomNews #GoAnywhere

Tom's Hardware Italiatomshw
2025-10-07

⚠️ A serious flaw in puts millions of Windows PCs at risk of being compromised - protect your information!

🔗 tomshw.it/business/microsoft-a

Offensive Sequenceoffseq@infosec.exchange
2025-10-07

🚨 CRITICAL GoAnywhere MFT bug is being exploited for ransomware. Remote code execution with no user interaction puts European orgs at high risk. Patch ASAP, restrict access, and monitor logs. No CVE yet. Details: radar.offseq.com/threat/micros #OffSeq #Ransomware #GoAnywhere #CyberAlert

Critical threat: Microsoft: Critical GoAnywhere bug exploited in ransomware attacks
2025-10-06

One overlooked bug in GoAnywhere MFT sparked a wave of ransomware attacks on over 500 systems. How did cybercriminals hide in plain sight using legit IT tools? Find out the tactics behind the chaos.

thedefendopsdiaries.com/exploi

#goanywhere
#ransomware
#storm1175
#cve202510035
#cyberattack
#medusaransomware
#remotemanagement
#databreach
#patchmanagement

RedPacket SecurityRedPacketSecurity
2025-09-29
2025-09-27

🚨 Zero-day exploited in GoAnywhere MFT (CVE-2025-10035)

⚠️ Exploitation began before vendor disclosure
⚠️ Attackers gained RCE, created admin-go backdoor, uploaded payloads
⚠️ Persistence through SimpleHelp abuse
Admins: patch immediately, restrict console exposure, check logs for SignedObject.getObject.
💬 How should the industry handle vendors who delay advisories when exploitation is already in the wild?
Follow @technadu for real-time infosec updates.

#Infosec #Cybersecurity #ZeroDay #GoAnywhere #RCE #ThreatIntel

Maximum severity GoAnywhere MFT flaw exploited as zero day
2025-09-26

GoAnywhere MFT's single zero-day flaw has already unleashed widespread breaches and exposed sensitive data—are we ready for what's next in the cybersecurity arms race?

thedefendopsdiaries.com/exploi

#goanywhere
#zeroday
#cve202510035
#databreach
#cybersecurity
#vulnerabilitymanagement
#infosec
#threatdetection
#sqlinjection
#regulatorycompliance

2025-09-25

⚠️ Critical CVSS 10 flaw in Fortra’s GoAnywhere MFT (CVE-2025-10035) lets attackers inject commands and take over sensitive systems. Patch to v7.8.4 now.

Read: hackread.com/critical-cvss-10-

#CyberSecurity #Vulnerability #Fortra #GoAnywhere #Infosec

PUPUWEB Blogpupuweb
2025-09-23

A critical 10.0 CVSS vulnerability (CVE-2025-10035) puts Fortra's GoAnywhere MFT servers at risk of full compromise. Immediate action is required. Here are the simple steps to secure your data.

pupuweb.com/what-simple-steps-

2025-09-20

It's been a packed 24 hours in the cyber world! We've got major arrests, critical vulnerabilities, nation-state activity, and a deep dive into AI's evolving role in both defence and attack. Let's get into it:

Scattered Spider Takedown & TfL Attack Details 🕷️

- UK law enforcement, in coordination with the US DOJ, has arrested two teens, Thalha Jubair (19) and Owen Flowers (18), linked to the notorious Scattered Spider group.
- Jubair is charged with involvement in at least 120 network intrusions, extorting over $115 million from 47 US entities, including a breach of the US federal court system.
- Investigators traced Jubair's activities through cryptocurrency transactions used for gaming gift cards and food deliveries to his apartment, highlighting operational security failures.

📰 The Hacker News | thehackernews.com/2025/09/uk-a
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/scattered-spid

Russian Airport Website Hacked ✈️

- Pulkovo Airport in St. Petersburg, Russia's second-largest air hub, reported its website was knocked offline due to a cyberattack.
- While airport operations remained unaffected, this incident follows other disruptions in Russia's aviation sector, including a system failure at KrasAvia and a major Aeroflot outage claimed by pro-Ukrainian groups.
- The attack highlights ongoing cyber warfare targeting Russian critical infrastructure since the 2022 invasion of Ukraine.

πŸ—žοΈ The Record | therecord.media/russia-pulkovo

Russian APTs Turla and Gamaredon Collaborate in Ukraine 🇷🇺

- ESET researchers have documented the first technical evidence of collaboration between two Russian FSB-linked APTs, Gamaredon and Turla, in attacks against Ukrainian entities.
- Gamaredon's tools (PteroGraphin, PteroOdd) were observed deploying Turla's sophisticated Kazuar backdoor, with Gamaredon potentially providing initial access for Turla's targeted espionage.
- This convergence suggests a strategic alignment, likely intensified by the ongoing conflict, focusing on high-value targets within Ukraine's defence sector.

📰 The Hacker News | thehackernews.com/2025/09/russ
🗞️ The Record | therecord.media/russian-spy-gr

Iranian UNC1549 Targets Telecoms via LinkedIn Lures 🎣

- The Iran-nexus cyber espionage group UNC1549 (aka Subtle Snail) has infiltrated 34 devices across 11 telecommunications firms in Europe, Canada, UAE, UK, and US.
- The group uses sophisticated LinkedIn job lures, posing as HR reps, to build trust and deliver the MINIBIKE backdoor via DLL side-loading from fraudulent domains.
- MINIBIKE is a modular backdoor capable of extensive reconnaissance, credential theft (including Outlook and browser data), and persistence, with C2 traffic proxied through Azure cloud services for stealth.

📰 The Hacker News | thehackernews.com/2025/09/unc1

Global PhaaS Surge: Lighthouse & Lucid Campaigns 🌐

- The Phishing-as-a-Service (PhaaS) platforms Lighthouse and Lucid are linked to over 17,500 phishing domains, targeting 316 brands across 74 countries.
- These Chinese-speaking threat actors (XinXin group) use advanced techniques like homoglyph attacks (e.g., Japanese Hiragana character 'ん' to mimic '/') and specific User-Agent/proxy country checks to evade detection.
- Phishing infrastructure is shifting, with a 25% increase in email-based credential harvesting, moving away from Telegram, and leveraging services like EmailJS to bypass self-hosted infrastructure.

📰 The Hacker News | thehackernews.com/2025/09/1750

Max Severity Flaw in GoAnywhere MFT (CVE-2025-10035) ⚠️

- Fortra has patched a maximum-severity deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT's License Servlet, allowing potential command injection.
- This flaw is "virtually identical" to CVE-2023-0669, a zero-day exploited by the Clop ransomware gang two years ago, affecting over 100 organisations.
- While no active exploitation is confirmed yet, researchers anticipate it, urging immediate patching or ensuring the Admin Console is not publicly exposed to the internet.

🤫 CyberScoop | cyberscoop.com/goanywhere-file
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Ivanti EPMM Zero-Days Under Active Exploitation (CVE-2025-4427, CVE-2025-4428) 🚨

- CISA has detailed two malware strains actively exploiting Ivanti EPMM zero-days (CVE-2025-4427, authentication bypass; CVE-2025-4428, RCE) chained together.
- Exploitation was observed around May 15, 2025, following PoC publication, with suspected China-nexus espionage groups leveraging the flaws to deploy malicious Java class listeners.
- These listeners enable arbitrary code execution, data exfiltration, and persistence, delivered in segmented, Base64-encoded chunks to evade detection. Immediate patching and treating MDM systems as high-value assets are critical.

📰 The Hacker News | thehackernews.com/2025/09/cisa
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Critical Entra ID Flaw (CVE-2025-55241) Could Grant Global Admin Access 🔑

- A researcher discovered a critical flaw (CVE-2025-55241) in Microsoft Entra ID that could have allowed access to almost every tenant worldwide via undocumented "Actor tokens."
- The vulnerability in the legacy Azure Active Directory Graph API failed to validate originating tenants, enabling cross-tenant authentication as any user, including Global Admins, without logging.
- Microsoft has swiftly mitigated the issue, confirming no abuse was detected, but the potential impact underscores the severity of identity-related vulnerabilities in cloud environments.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

ChatGPT "ShadowLeak" Bug Exfiltrated Gmail Secrets 📧

- OpenAI patched a critical "ShadowLeak" flaw in ChatGPT's Deep Research assistant that allowed attackers to steal Gmail secrets with a single, maliciously crafted email.
- The attack hid instructions in white-on-white text or CSS within an email, which the AI agent would dutifully follow when summarising the inbox, exfiltrating sensitive data to an attacker-controlled server.
- This server-side execution bypasses traditional security controls, highlighting new risks with AI agents accessing private data and the need for robust input sanitisation and agent access controls.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

China's GoLaxy AI Persona Army for Information Warfare 🇨🇳

- Leaked documents from Chinese company GoLaxy reveal a chilling new approach to information warfare: an army of AI personas designed for intimate, surgical persuasion.
- These aren't crude bots but highly realistic, adaptable digital identities, crafted using scraped social data and generative AI (DeepSeek) to build psychological profiles and shape narratives.
- The documents show dossiers on 2,000 American public figures and thousands of influencers, with operations already active in Hong Kong and Taiwan, signalling a new frontier in cognitive warfare.

πŸ—žοΈ The Record | therecord.media/golaxy-china-a

FBI Warns of Fake Crime Reporting Portals 🛡️

- The FBI has issued a warning about cybercriminals impersonating its Internet Crime Complaint Center (IC3) website to conduct financial scams and steal personal information.
- These spoofed sites often use slightly altered domains (e.g., icc3[.]live) and may even display legitimate-looking warnings to trick victims.
- The FBI advises users to always manually type www.ic3.gov, avoid clicking sponsored search results, and never share personal info or send money to individuals claiming to be from the FBI or IC3.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

ChatGPT Can Now Solve CAPTCHAs with Prompt Engineering 🤖

- Researchers have demonstrated that ChatGPT-4o can be tricked into solving complex, image-based CAPTCHAs by using cleverly worded prompts and "staged consent."
- This bypasses the chatbot's policy prohibitions, raising serious questions about the long-term reliability of CAPTCHAs as a human-proving security mechanism against increasingly capable AI systems.
- The technique involved initially "training" the LLM on "fake" CAPTCHAs in one chat, then transferring that context to an agent chat to solve real ones, highlighting the evolving threat of prompt injection.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Future of CVE Program in Limbo Amidst CISA Debate 📋

- The future governance of the globally critical CVE Program is being debated, with CISA asserting its leadership role following a recent funding scare.
- CISA released documents outlining its vision for a CISA-led, vendor-neutral program, arguing against privatisation due to potential conflicts of interest and national security risks.
- However, CVE Program board members have formed the CVE Foundation, advocating for a globally supported, collaborative model with CISA as one of many contributors, questioning CISA's historical role and financial transparency.

πŸ—žοΈ The Record | therecord.media/cve-program-fu

MI6 Launches Dark Web Portal "Silent Courier" for Spy Recruitment 🇬🇧

- The UK's Secret Intelligence Service (MI6) has launched "Silent Courier," an upgraded dark web portal on the Tor network, to securely recruit foreign informants globally.
- The initiative aims to attract individuals with sensitive information on global instability or hostile intelligence activity, providing anonymous direct contact with MI6.
- Instructions are available in eight languages via YouTube, advising potential sources on secure access methods, including using clean devices and VPNs where Tor is blocked.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ—žοΈ The Record | therecord.media/mi6-darkweb-po

Automating Alert Triage with AI Agents and Confluence SOPs 🤖

- Tines has released a pre-built workflow that automates security alert triage by leveraging AI agents and Confluence SOPs, aiming to reduce MTTR and analyst fatigue.
- The workflow uses AI to classify alerts, automatically retrieves relevant SOPs from Confluence, creates structured case records, and orchestrates remediation actions across various security tools.
- This solution integrates with platforms like CrowdStrike, AbuseIPDB, Okta, and Slack, providing consistent handling of alerts and automated notifications to on-call teams.

📰 The Hacker News | thehackernews.com/2025/09/how-

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #APT #Ransomware #ScatteredSpider #Ivanti #GoAnywhere #EntraID #ChatGPT #AI #Phishing #PhaaS #DataPrivacy #COPPA #OnlineSafetyAct #CVE #QuantumComputing #InfoSec #CyberAttack #IncidentResponse

2025-09-19

Critical alert: A flaw in GoAnywhere MFT now makes it shockingly easy for attackers to hijack your file transfers. Are you sure your data's safe? Read on to get ahead of the threat.

thedefendopsdiaries.com/cve-20

#cve202510035
#goanywhere
#vulnerability
#cybersecurity
#databreach
