Active Exploitation of Microsoft SharePoint Vulnerabilities
Unit 42 is tracking ongoing threat activity targeting on-premises Microsoft SharePoint servers, particularly within government, schools, healthcare, and large enterprises. Multiple vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) allow unauthenticated attackers to access restricted functionality and execute arbitrary commands. Active exploitation has been observed, with attackers bypassing identity controls, exfiltrating data, deploying backdoors, and stealing cryptographic keys. Affected organizations are urged to immediately disconnect vulnerable servers, apply patches, rotate cryptographic material, and engage professional incident response. The vulnerabilities impact SharePoint Enterprise Server 2016 and 2019, with some also affecting SharePoint Server Subscription Edition. Cloud-based SharePoint is not affected.
Date: 2025-07-22 08:31:03
Active Exploitation of CVE-2025-5394 in Alone WordPress Theme
A critical arbitrary file-upload vulnerability (CVE-2025-5394) in the Alone - Charity Multipurpose Non-profit WordPress theme, versions 7.8.3 and earlier, is being actively exploited. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to upload malicious ZIP archives containing PHP backdoors, resulting in remote code execution and full site takeover. The vulnerability stems from a missing authorization check in the alone_import_pack_install_plugin() AJAX handler. Attackers can exploit this to upload web shells, execute commands, deploy file managers, and create rogue admin accounts. Several IP addresses have been identified as sources of attacks. Website owners are urged to update to version 7.8.5 or later, verify site integrity, strengthen access controls, and enhance detection and monitoring measures.
Date: 2025-08-01 15:39:43
Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing
Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps such as RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chain involves OAuth app creation, redirects to malicious URLs, and the use of attacker-in-the-middle phishing kits, predominantly Tycoon. This technique has been observed in email campaigns with over 50 impersonated applications, targeting multiple industries. The campaign's goal is to gain access to Microsoft 365 accounts, potentially for information gathering, lateral movement, malware installation, or further phishing attacks.
Date: 2025-08-01 15:39:43
Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed
A sophisticated mobile banking trojan, DoubleTrouble, has evolved in both distribution methods and capabilities. Initially spread through phishing websites impersonating European banks, it now utilizes Discord channels for distribution. The malware employs advanced obfuscation techniques, abuses Android's Accessibility Services, and features screen capture, keylogging, and application blocking capabilities. It uses fake overlays to steal credentials and leverages sophisticated screen recording techniques. The trojan can block specific applications, implement a highly advanced keylogger, and execute a wide range of commands received from its Command and Control server. The malware's extensive functionality enables credential theft, device manipulation, and persistent control over infected devices.
Date: 2025-08-01 14:03:28
Indian Infrastructure Targeted with Desktop Lures and Poseidon Backdoor
APT36, a Pakistan-linked threat group, has expanded its operations to target Indian government and civilian infrastructure, including railways, oil & gas, and the Ministry of External Affairs. The group employs sophisticated phishing techniques and novel payload strategies, using .desktop files disguised as PDF documents to execute malicious scripts. Two attack variants were identified, utilizing single and redundant command and control server setups. The Poseidon backdoor, built on the Mythic framework, is deployed for persistent access and lateral movement. Over 100 phishing domains impersonating Indian government organizations were discovered, primarily hosted by AlexHost. The campaign, active since early July 2025, poses a significant threat to the Indian public sector and critical infrastructure.
Date: 2025-08-01 12:31:23