TrendResearch has detected an operation where attackers exploited a Cisco Simple Network Management Protocol (SNMP) vulnerability to install a rootkit on vulnerable network devices.
The SNMP exploit referenced in Cisco’s latest advisory is CVE-2025-20352, which affects both 32-bit and 64-bit switch builds and can result in remote code execution (RCE). The operation targeted victims running older Linux systems that do not have endpoint detection response solutions, where they deployed Linux rootkits to hide activity and evade blue-team investigation and detection. Trend Research investigation also found that attackers used spoofed IPs and Mac email addresses in their attacks.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Kadokawa confirms data leak of 254,000 people due to cyberattack
August 6, 2024
Japanese publisher Kadokawa has confirmed a data leak affecting 254,241 people due to a cyberattack. The finding, announced Monday, is based on an investigation by third-party experts. Of the leaked data, information of 186,269 people was related to Kadokawa Dwango Educational Institute, including N High School, a correspondence school. Kadokawa reported the investigation results to the ...
- SonicWall Discovers Second Critical Apache OFBiz Zero-Day Vulnerability
August 5, 2024
The SonicWall Capture Labs threat research team has discovered a pre-authentication remote code execution vulnerability in Apache OFBiz being tracked as CVE-2024-38856 with a CVSS score of 9.8. This is the second major flaw SonicWall has discovered in Apache OFBiz in recent months, the first coming in December 2023. This time, a flaw in the override ...
- Chinese hackers hijacked an ISP software update to spread malware
August 5, 2024
Windows and macOS machines alike have been hit by malware after notorious Chinese hacker group StormBamboo used a compromised internet service provider (ISP) to target organizations with poisoned DNS responses. StormBamboo used altered DNS query responses tied to automatic update mechanisms to target organizations that used insecure update mechanisms that did not properly validate the digital ...
- Beware of Fake WinRar Websites: Malware Hosted on GitHub
August 5, 2024
A fake website seemingly distributing WinRar, a data compression, encryption, and archiving tool for Windows, has been seen also hosting malware. This fake website closely resembles the official website, uses typosquatting, and capitalizes on internet users who might incorrectly type the URL of this well-known archiving application. The initial malware then leads to a slew of ...
- Chinese cyber attack sparks alert over six year old MS vuln
August 5, 2024
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft vulnerability dating back to 2018 to its Known Exploited Vulnerabilities (KEV) catalogue after evidence emerged that it is being used in an attack chain by the China-backed APT41 advanced persistent threat group. CVE-2018-0824 was first addressed by Microsoft in the May 2018 Patch ...
- LianSpy: new Android spyware targeting Russian users
August 5, 2024
In March 2024, Kaspersky researchers discovered a campaign targeting individuals in Russia with previously unseen Android spyware they dubbed LianSpy. Kaspersky analysis indicates that the malware has been active since July 2021. This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists. The malicious actor behind LianSpy employs multiple ...