Cyber Security Weekly Briefing, 24-30 May

May 30, 2025

Critical vulnerability in WSO2 allows account hijacking via SOAP services

A critical vulnerability identified as CVE-2024-6914 (CVSSv3 9.8) affects multiple WSO2 products, allowing malicious actors to take control of user accounts, including those with elevated privileges. The flaw originates from an authorization error in the SOAP administration service related to account recovery, accessible via the "/services" path.

By exploiting this vulnerability, an attacker can reset the password of any account without prior authentication, posing a significant security risk to organizations using these products. Organizations are advised to apply the fixes provided by WSO2 and to restrict access to the administrative SOAP services from untrusted networks, following WSO2's security guidelines for production deployments.

More info

Analysis of the DOUBLELOADER malware

Elastic Security Labs has identified a new malware family called DOUBLELOADER, used in conjunction with the Rhadamanthys infostealer and protected by ALCATRAZ, an open-source obfuscator that is being widely used by malicious actors. Originally developed in the game hacking community, ALCATRAZ applies advanced techniques such as control-flow flattening, instruction mutation and anti-disassembly, making malware analysis more difficult.

Moreover, DOUBLELOADER stands out for injecting malicious code into explorer.exe via system calls and maintaining communication with a C2 server. In addition, its “.0Dev” section links it directly to ALCATRAZ. Researchers have developed IDA Python scripts, YARA rules and specialized plugins to help analysts identify these threats.

More info

DragonForce compromises MSPs through SimpleHelp bugs

The ransomware group DragonForce has exploited vulnerabilities in SimpleHelp, a remote management tool used by managed service providers (MSPs), to compromise multiple customer networks. According to a report published by Sophos, the group leveraged the security flaws CVE-2024-57726 (CVSSv3 9.8), CVE-2024-57727 (CVSSv3 7.5), and CVE-2024-57728 (CVSSv3 7.2) to gain access to systems, conduct reconnaissance, steal data, and deploy ransomware.

DragonForce has recently gained notoriety for attacks on UK retailers such as Marks & Spencer and Co-op. Researchers also note that DragonForce's strategy is characterized by its effort to expand influence through a Ransomware-as-a-Service model, offering white-label encryptors that affiliates can customize.

More info

Fixed critical backdoor flaw in NETGEAR DGND3700v2 routers

An authentication bypass vulnerability has been observed in NETGEAR DGND3700v2 wireless routers, for which a PoC exploit has also been published. The flaw (CVE-2025-4978, CVSSv4 9.3 according to VulnDB) originates from a hidden backdoor mechanism in the router firmware and affects firmware version V1.1.00.15_1.00.15NA. An unauthenticated attacker could gain full administrative control over affected devices, enabling credential theft, malware deployment and traffic interception.

The flaw resides in the router's mini_http server, a lightweight HTTP daemon responsible for handling administrative interface requests. It is triggered by accessing the vulnerable /BRS_top.html endpoint, which sets the internal flag “start_in_blankstate = 1”. This disables the HTTP basic authentication check in function sub_404930, so subsequent requests are served without valid login credentials. NETGEAR has patched the flaw in firmware version V1.1.00.26 and recommends upgrading immediately.
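As an added defender-side example (not code from the advisory or from NETGEAR), the heuristic below scans constructed Common Log Format lines, as a reverse proxy or log forwarder in front of the router might record them, and flags any client that fetches /BRS_top.html and then requests other admin pages without an authenticated user within a short window. The 60-second window and the admin paths in the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Trigger endpoint named in the advisory; the window is an assumed tuning knob.
TRIGGER_PATH = "/BRS_top.html"
WINDOW = timedelta(seconds=60)

# Constructed sample log lines (Common Log Format); the admin paths are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2025:10:00:01 +0000] "GET /BRS_top.html HTTP/1.1" 200 512
10.0.0.5 - - [30/May/2025:10:00:03 +0000] "GET /start.htm HTTP/1.1" 200 2048
10.0.0.5 - - [30/May/2025:10:00:04 +0000] "POST /apply.cgi HTTP/1.1" 200 128
10.0.0.9 - - [30/May/2025:10:05:00 +0000] "GET /BRS_top.html HTTP/1.1" 200 512
10.0.0.9 - admin [30/May/2025:10:05:02 +0000] "GET /start.htm HTTP/1.1" 200 2048
10.0.0.7 - - [30/May/2025:11:00:00 +0000] "GET /BRS_top.html HTTP/1.1" 200 512
10.0.0.7 - - [30/May/2025:11:10:00 +0000] "GET /start.htm HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def parse_line(line):
    """Parse one CLF line into (ip, authuser, timestamp, method, path), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("user"), ts, m.group("method"), m.group("path")

def detect_blankstate_abuse(log_text):
    """Return (ip, path) pairs for requests with no authenticated user ("-") that
    follow a /BRS_top.html hit from the same client within WINDOW."""
    last_trigger = {}  # client ip -> time of its most recent trigger request
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, ts, _method, path = rec
        if path.split("?")[0] == TRIGGER_PATH:
            last_trigger[ip] = ts
            continue
        seen = last_trigger.get(ip)
        if seen is not None and ts - seen <= WINDOW and user == "-":
            findings.append((ip, path))
    return findings

if __name__ == "__main__":
    for ip, path in detect_blankstate_abuse(SAMPLE_LOG):
        print(f"suspicious unauthenticated admin request after trigger: {ip} {path}")
```

Only 10.0.0.5 is flagged: 10.0.0.9 authenticated before its follow-up request, and 10.0.0.7's follow-up falls outside the window.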

More info

Void Blizzard: new Russian group targets critical sectors in Europe and North America

Microsoft has identified a new cyberespionage actor called Void Blizzard (also known as LAUNDRY BEAR), linked to the Russian government. Active since at least April 2024, it has targeted government entities, defense, transportation, media, NGOs and healthcare in Europe and North America. Initially focused on using compromised credentials obtained in underground marketplaces, the group has evolved into customized spear phishing techniques to compromise corporate accounts.

Once access is gained, Void Blizzard exfiltrates sensitive emails and documents with tools such as rclone and uses command and control servers hosted on legitimate services to evade detection. The campaign is notable for being tailored to each victim, using customized infrastructure and targeted emails written with credible information to increase its success rate.

Microsoft is working in collaboration with Dutch intelligence services and the FBI to disrupt these operations and protect affected organizations.

More info