Cyber Security Weekly Briefing, 3 October
Active exploitation of critical flaw in Fortra's GoAnywhere MFT
Researchers at WatchTowr Labs have confirmed active exploitation of the critical vulnerability CVE-2025-10035 (CVSSv3 score of 10.0 according to the manufacturer) in Fortra's GoAnywhere MFT software, prior to the company publishing its advisory on September 18, 2025.
The flaw is a deserialization vulnerability in the License Servlet: an unauthenticated attacker who can reach the servlet supplies a forged license response that is deserialized on the server, leading to remote command execution. In the observed intrusions the attackers created a hidden administrator account, deployed payloads such as zato_be.exe and jwunst.exe (the latter a legitimate SimpleHelp binary used for persistent remote access), carried out reconnaissance of user privileges, and exfiltrated data.
It is recommended to update to the fixed versions 7.8.4 or Sustain Release 7.6.3 and to remove public exposure of the Admin Console. Fortra also suggests checking the Admin Audit logs for errors containing the string SignedObject.getObject, which indicate exploitation attempts against the License Servlet.
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/
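As an added example (our code, not Fortra's or watchTowr's), the following script turns the two recommendations above into a triage check: it decides whether an installed GoAnywhere MFT version carries the fix for CVE-2025-10035, and scans exported log text for the SignedObject.getObject error string. The fixed versions come from the advisory; the assumption that 7.6.x is the only sustain branch (so every other branch needs 7.8.4 or later) and the log lines are ours and constructed.

```python
"""Triage helper for CVE-2025-10035 in GoAnywhere MFT (added example).

- is_patched(): compares an installed version against the fixed releases
  named in Fortra's advisory (7.8.4, and Sustain Release 7.6.3).
- find_indicator_lines(): locates the SignedObject.getObject error string
  Fortra recommends searching the Admin Audit logs for.
"""
import re

# Fixed versions from the advisory. Assumption (ours): 7.6.x is the only
# sustain branch, so any other branch must be at 7.8.4 or later.
FIXED_MAINLINE = (7, 8, 4)
FIXED_SUSTAIN = (7, 6, 3)


def parse_version(text):
    """Turn '7.8.3' (or '7.8.3.1') into a comparable (major, minor, patch)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_patched(version_text):
    """True when the installed version includes the fix for CVE-2025-10035."""
    v = parse_version(version_text)
    if v[:2] == (7, 6):          # sustain branch keeps its own fix level
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAINLINE   # 7.7.x and below 7.8.4 are vulnerable


# The indicator Fortra points to; matched as a literal substring.
INDICATOR = re.compile(r"SignedObject\.getObject")


def find_indicator_lines(log_text):
    """Return (line_number, line) for every log line carrying the indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if INDICATOR.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample log (not a real GoAnywhere export); only line 3
# contains the indicator.
SAMPLE_LOG = """\
2025-09-11 02:17:03 INFO  License Servlet request from 198.51.100.23
2025-09-11 02:17:04 ERROR License Servlet: java.lang.ClassCastException: cannot be cast
2025-09-11 02:17:04 ERROR     at java.security.SignedObject.getObject(SignedObject.java)
2025-09-11 08:00:00 INFO  Scheduled job completed
"""


def triage(version_text, log_text):
    """Summarise both checks for one host."""
    return {
        "patched": is_patched(version_text),
        "indicator_hits": find_indicator_lines(log_text),
    }


if __name__ == "__main__":
    for ver in ("7.8.3", "7.8.4", "7.6.2", "7.6.3", "7.7.1"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
    for n, line in find_indicator_lines(SAMPLE_LOG):
        print(f"indicator on line {n}: {line}")
```

A hit on the indicator is a sign of an attempt, not proof of success; pair it with a review of administrator and web user accounts created around the same timestamps, and treat any host that was exposed while unpatched as compromised until shown otherwise.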
Akira ransomware compromises SonicWall VPN accounts protected with MFA
Since late July 2025, Arctic Wolf Labs has observed an aggressive Akira ransomware campaign that gains entry through SonicWall SSL VPN accounts, in some cases even where one-time-password (OTP) multi-factor authentication was enabled.
The activity is linked to CVE-2024-40766 (CVSSv3 of 9.3 according to CISA): credentials harvested from devices that ran vulnerable firmware, and were not reset after patching, give the actors valid logins, and ransomware has been deployed in under an hour from initial access. Post-access tooling includes Impacket for lateral movement, internal network scanning, PowerShell scripts that extract Veeam backup credentials, and BYOVD (bring your own vulnerable driver) to disable endpoint defenses. Victims span many sectors and regions, consistent with large-scale opportunistic exploitation.
It is recommended to reset all local user credentials and OTP secrets on devices that have run vulnerable firmware, to monitor VPN logins originating from VPS hosting providers, and to alert on suspicious SMB activity so that the intrusion can be interrupted in its early stages.
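As an added example (our code, not Arctic Wolf's or SonicWall's), the script below implements two of the recommendations above: it flags successful SSL VPN logins whose source address falls inside hosting-provider ranges, and it lists accounts whose password or OTP secret was last set before the device was upgraded off vulnerable firmware, which is the population that still needs a reset. The log line format, the CIDR list, the account data and the upgrade date are all constructed for the example and do not reflect a real SonicWall export.

```python
"""Hunting helpers for the Akira/SonicWall activity (added example).

- flag_vpn_logins(): successful SSL VPN logins from VPS/hosting address space.
- accounts_needing_reset(): accounts whose secrets predate the firmware upgrade.
"""
import ipaddress
import re
from datetime import date

# Constructed stand-in for "known VPS/hosting ranges" (RFC 5737 test nets).
# In practice feed this from your own ASN or IP-reputation data.
HOSTING_RANGES = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed syslog-style line; a real SonicWall export uses another format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sslvpn login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def from_hosting(ip_text):
    """True when the address sits inside one of the hosting ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in HOSTING_RANGES)


def flag_vpn_logins(log_text):
    """Return (user, src) for successful logins that came from hosting space.

    Failed attempts are ignored here: the point is to catch a valid session
    being opened from infrastructure no employee should be using.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and m["result"] == "success" and from_hosting(m["src"]):
            flagged.append((m["user"], m["src"]))
    return flagged


def accounts_needing_reset(accounts, upgrade_date):
    """Accounts whose password/OTP was last changed before the upgrade.

    accounts: {username: date_of_last_secret_change}. Anything set while the
    device could have been running vulnerable firmware is treated as exposed.
    """
    return sorted(u for u, changed in accounts.items() if changed < upgrade_date)


# Constructed sample data.
SAMPLE_LOG = """\
2025-08-02T01:10:11Z fw1 sslvpn login success user=jdoe src=203.0.113.45
2025-08-02T01:12:40Z fw1 sslvpn login failure user=admin src=203.0.113.45
2025-08-02T09:15:02Z fw1 sslvpn login success user=asmith src=192.0.2.10
2025-08-02T22:41:33Z fw1 sslvpn login success user=svc-backup src=198.51.100.77
"""

# Constructed: date this device was moved to fixed firmware (not the real
# advisory date) and each local account's last secret change.
UPGRADE_DATE = date(2024, 9, 10)
ACCOUNTS = {
    "jdoe": date(2024, 5, 3),
    "asmith": date(2025, 8, 1),
    "svc-backup": date(2023, 11, 20),
}

if __name__ == "__main__":
    for user, src in flag_vpn_logins(SAMPLE_LOG):
        print(f"VPN login from hosting range: {user} via {src}")
    for user in accounts_needing_reset(ACCOUNTS, UPGRADE_DATE):
        print(f"reset credentials and OTP secret for {user}")
```

Because the actors log in with valid credentials and a valid OTP, the login itself looks legitimate; source network, time of day and what happens on the internal side (Impacket SMB sessions, scanning) are the signals left to work with, which is why the credential reset is the control that actually closes the door.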
Vishing campaign against Salesforce environments enables massive data theft
The financially motivated threat group UNC6040 is running vishing (voice phishing) campaigns to compromise Salesforce instances and exfiltrate large volumes of corporate data. According to Google, the attackers pose as IT support on phone calls and persuade employees to authorize a malicious connected app, often a modified version of the Salesforce Data Loader, in the victim's Salesforce environment.
The authorized app gives the actors the employee's access, which they use to query and exfiltrate sensitive data; with harvested credentials they have also moved laterally to other cloud platforms such as Okta and Microsoft 365. In some cases extortion has followed months after the initial theft, suggesting collaboration with a separate group.
Google researchers recommend specific protective measures: robust identity verification for support requests, mandatory use of phishing-resistant MFA, restricting access to trusted devices and networks, tight control over which connected apps may be authorized, and detailed monitoring of Salesforce logs for anomalous access and bulk data exports.
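As an added example (our code, not Google's or Salesforce's), the script below sketches the monitoring recommendation: given a simple feed of export activity, it flags any connected app that is not on the organization's approved list, and separately flags bulk exports performed within days of an app first being authorized, the pattern a victim of a fake Data Loader would show. The record layout, app names, thresholds and timestamps are constructed for the example and are not Salesforce Event Monitoring field names.

```python
"""Connected-app export anomaly check for the UNC6040 pattern (added example).

Input records are constructed tuples: (timestamp, user, connected_app, rows).
In a real deployment these would come from your Salesforce event logs.
"""
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed activity feed. "My Ticket Portal" stands in for a malicious
# connected app authorized during a vishing call.
EVENTS = [
    (_t("2025-05-01T09:00:00"), "ops@example.com", "Data Loader", 12_000),
    (_t("2025-05-15T09:30:00"), "ops@example.com", "Data Loader", 15_500),
    (_t("2025-06-03T14:02:00"), "jdoe@example.com", "My Ticket Portal", 1_200),
    (_t("2025-06-03T14:20:00"), "jdoe@example.com", "My Ticket Portal", 240_000),
    (_t("2025-06-04T10:00:00"), "ops@example.com", "Data Loader", 14_000),
]

# Constructed allowlist of connected apps the org has deliberately approved.
APPROVED_APPS = frozenset({"Data Loader"})


def first_seen(events):
    """Earliest timestamp at which each connected app appears in the feed."""
    seen = {}
    for ts, _user, app, _rows in events:
        if app not in seen or ts < seen[app]:
            seen[app] = ts
    return seen


def flag_exports(events, approved_apps,
                 new_app_window=timedelta(days=7), row_threshold=50_000):
    """Return (ts, user, app, rows, reasons) for every suspicious export.

    Two independent tests, both from the recommendations in the item:
    - the app is not on the approved list (connected-app restriction), or
    - a large export happens within new_app_window of the app's first
      appearance (the modified Data Loader is typically used immediately).
    """
    seen = first_seen(events)
    flagged = []
    for ts, user, app, rows in sorted(events):
        reasons = []
        if app not in approved_apps:
            reasons.append("connected app not on the approved list")
        if ts - seen[app] <= new_app_window and rows >= row_threshold:
            reasons.append("bulk export within days of first authorization")
        if reasons:
            flagged.append((ts, user, app, rows, tuple(reasons)))
    return flagged


if __name__ == "__main__":
    for ts, user, app, rows, reasons in flag_exports(EVENTS, APPROVED_APPS):
        print(f"{ts:%Y-%m-%d %H:%M} {user} via '{app}': {rows} rows")
        for r in reasons:
            print(f"    - {r}")
```

The allowlist test is the more important of the two: if only approved apps can be authorized in the first place, the phone call cannot succeed, and the volume test then covers the case where an approved app is misused by a compromised account.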
Klopatra, a new banking Trojan targeting Spain and Italy
Researchers at Cleafy Labs have discovered a new Android banking Trojan called Klopatra, attributed to Turkish-speaking threat actors. The malware, still under active development, steals banking credentials by overlaying fake login screens on legitimate apps, intercepting SMS messages, and manipulating push notifications.
At least three variants have been identified, suggesting an evolving operation. Klopatra has been used in campaigns targeting mainly financial institutions in Spain and Italy. The malware shares similarities with other Trojans such as Hook and Hydra, although it runs on its own infrastructure.
It is recommended to avoid installing apps from outside official stores, to review which apps hold Accessibility Service permissions (the mechanism overlay Trojans rely on), to keep the operating system up to date, and to use a mobile security solution.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.