Cyber Security Weekly Briefing, 22-28 February

February 28, 2025

Vulnerabilities in Rsync expose millions of servers to possible attacks

Several critical vulnerabilities were recently discovered in Rsync, a popular file synchronization tool, exposing millions of servers to potential remote attacks. These flaws, present in version 3.2.7 and earlier, allow remote code execution, sensitive data leakage, and file system manipulation.

The vulnerabilities include a buffer overflow (CVE-2024-12084, CVSSv3 9.8), memory data leakage (CVE-2024-12085, CVSSv3 7.5), client file exfiltration (CVE-2024-12086, CVSSv3 6.1), directory escape via symbolic links (CVE-2024-12087, CVSSv3 6.5) and circumvention of the --safe-links security feature (CVE-2024-12088, CVSSv3 6.5).

Proof-of-concept (PoC) exploits exist for these vulnerabilities; therefore, it is recommended to update to version 3.2.8 or apply vendor patches, disable anonymous access, audit synchronization logs, and restrict the use of Rsync to trusted servers.
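Two of the checks above (confirm the installed rsync is newer than 3.2.7, and find rsyncd.conf modules that still accept anonymous or unrestricted clients), as an added shell example that is not part of the briefing or of the rsync project. It assumes the standard rsyncd.conf layout of `[module]` sections with `key = value` lines, where keys in the global section act as defaults for every module, and it audits a constructed sample file rather than a live one.

```shell
#!/bin/sh
# Added example, not the briefing's or the rsync project's code: flag an rsync
# build at or below 3.2.7 and rsyncd.conf modules with no "auth users" or
# "hosts allow" (global keys count, since they set module defaults).
rsync_version_affected() {   # true (0) if version string $1 is 3.2.7 or older
    v="$1"; major=${v%%.*}; rest=${v#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}            # strip suffixes such as "pre1"
    [ "$major" -ne 3 ] && return $((major > 3))
    [ "$minor" -ne 2 ] && return $((minor > 2))
    [ "${patch:-0}" -le 7 ]
}

# Print one line per rsyncd.conf module ($1 = path) that is still open.
audit_rsyncd_conf() {
    awk '
        function flush() {
            if (mod != "") {
                if (!auth  && !gauth)  printf "%s: no \"auth users\" (anonymous access)\n", mod
                if (!hosts && !ghosts) printf "%s: no \"hosts allow\" (any client may connect)\n", mod
            }
            mod = ""; auth = 0; hosts = 0
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { flush(); mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*/, "", mod); next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == "auth users")  { if (mod == "") gauth  = 1; else auth  = 1 }
            if (key == "hosts allow") { if (mod == "") ghosts = 1; else hosts = 1 }
        }
        END { flush() }' "$1"
}

# Constructed sample config: "backup" is locked down, "public" is not.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[backup]
    path = /srv/backup
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
[public]
    path = /srv/public
EOF
command -v rsync >/dev/null 2>&1 && ver=$(rsync --version | awk 'NR == 1 { print $3 }') \
    && rsync_version_affected "$ver" && echo "installed rsync $ver is 3.2.7 or older: update it"
audit_rsyncd_conf "$SAMPLE_CONF"
```

Point `audit_rsyncd_conf` at the real `/etc/rsyncd.conf` to check a server; a module reported as open should gain `auth users` plus a `secrets file`, or be restricted with `hosts allow`, or be removed.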


RCE vulnerability discovered in MITRE Caldera

A critical remote code execution (RCE) vulnerability affecting MITRE Caldera has recently been discovered. Identified as CVE-2025-27364 and with a maximum score of 10.0 on the CVSSv3 scale, this vulnerability allows remote code execution in all versions of Caldera except the most recent (5.1.0+ and the master source branch).

This adversary emulation platform, used by Blue Team and Red Team groups to simulate attacks and reinforce defenses, could be hijacked remotely. The flaw is triggered in default configurations when Go, Python, and GCC are installed, which is very common.

The vulnerability relates to the deployment of the Manx and Sandcat agents, allowing an attacker to execute malicious operations without prior authentication using a specially crafted HTTPS request. The developers were already aware that this API endpoint carried risk; Dawid Kulikowski, who discovered the flaw, deliberately shared only incomplete proof-of-concept (PoC) code to prevent abuse.

The vulnerability has now been patched in the code base, so users are advised to update immediately to the latest version.


$1.5 billion Bybit theft originated in Safe{Wallet} infrastructure

The North Korean group Lazarus stole $1.5 billion in cryptocurrency from Bybit after compromising a Safe{Wallet} developer's device.

According to investigations by Sygnia and Verichains, the attack originated from Safe{Wallet}'s infrastructure: malicious JavaScript was injected into its platform to gain access to Bybit's funds. The attackers modified the code before the day of the attack and removed the evidence shortly afterwards.

This is the largest cryptocurrency heist in history, with Lazarus linked to previous attacks. Bybit has restored its ETH reserves, and Safe{Wallet} has strengthened its security.


LockBit exploits vulnerability in Atlassian Confluence for rapid deployment of ransomware

An investigation by The DFIR Report revealed that the operators of LockBit ransomware carried out a highly coordinated attack by exploiting the critical vulnerability CVE-2023-22527 (CVSSv3 10.0 according to the vendor) in exposed Atlassian Confluence servers, which allowed them to execute remote commands without authentication through malicious Object-Graph Navigation Language (OGNL) injection.

According to the report, after gaining initial access the threat actors performed system reconnaissance, deployed AnyDesk for persistence and used Metasploit to establish command and control (C2) channels. In addition, they escalated privileges, disabled security defenses, and moved laterally across the network via RDP, targeting critical servers.

They also extracted credentials with Mimikatz, used Rclone to exfiltrate data to MEGA.io and covered their tracks by deleting records. Finally, they deployed LockBit ransomware using PDQ Deploy, managing to encrypt files across the entire network in just over two hours, demonstrating exceptional speed and precision.


Australia bans the use of Kaspersky products on its devices

The Australian government has banned all Kaspersky Lab products and web services from its systems and devices. The decision followed an analysis that concluded that the company poses a significant risk to the country's security.

Stephanie Foster, Secretary of the Department of Home Affairs, justified the move by citing threats of foreign interference, espionage and sabotage.
