Latest news with #QualysThreatResearchUnit


Techday NZ
19 hours ago
- Techday NZ
SharePoint flaw sparks urgent patch call amid new RCE threat
Cybersecurity experts are urging organisations to take immediate action following the disclosure of a critical vulnerability in Microsoft SharePoint, as highlighted in the latest Patch Tuesday security update. This newly identified issue, designated CVE-2025-49712, is raising alarms given its potential to facilitate remote code execution (RCE) when combined with other known flaws.

Saeed Abbasi, Senior Manager of Security Research at Qualys Threat Research Unit, described the vulnerability as a significant threat, especially coming on the heels of last month's "ToolShell" zero-day attacks. Abbasi commented, "This RCE demands authentication but pairs dangerously with known authentication bypasses. Attackers chaining this with prior flaws could achieve full server compromise, and data exfiltration." He added that while there have been no reports of exploitation in the wild so far, experience suggests such gaps can be closed rapidly as threat actors adapt their techniques. Abbasi urged organisations to "prioritise and patch all SharePoint updates, rotate keys, and eliminate internet exposure," stressing that delaying mitigation efforts could trigger both regulatory scrutiny and significant data breaches. "SharePoint's exploit streak isn't over," Abbasi warned, underscoring the need for proactive management of the platform's security posture.

The August Patch Tuesday update from Microsoft addressed a total of 107 Common Vulnerabilities and Exposures (CVEs). Of these, 13 were rated critical and 91 as important. Elevation of privilege (EoP) vulnerabilities accounted for 39.3% of the fixes, while remote code execution issues made up 32.7% - a pattern consistent with trends observed in previous months.

Satnam Narang, Senior Staff Research Engineer at Tenable, noted that "this month's release highlights an upward trend in post-compromise vulnerabilities over code execution bugs. For the second consecutive month, elevation of privilege vulnerabilities represented the bulk of CVEs patched this month." Narang referred to the patch for CVE-2025-53779, a privilege escalation flaw known as BadSuccessor, describing its immediate impact as limited due to the specific prerequisites needed for exploitation. "An attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise," he explained, making it a targeted rather than broad-based risk.

SharePoint vulnerabilities continued to receive particular attention, with Narang observing, "It might seem like déjà vu because Microsoft patched two more SharePoint vulnerabilities this month: a remote code execution flaw (CVE-2025-49712) and an elevation of privilege bug (CVE-2025-53760). After the chaos that ensued with the exploitation of the ToolShell vulnerabilities, any new SharePoint vulnerabilities understandably raise concerns." Since 2022, Microsoft has patched an average of 21.7 SharePoint vulnerabilities annually, with 2023 seeing a high of 25. With 20 already addressed in the current year, the record may soon be exceeded, according to Narang. Despite this volume of patches, he noted, "only three were exploited in the wild (CVE-2023-29357, CVE-2023-24955, CVE-2024-38094) in addition to the three ToolShell vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770)," though another, CVE-2025-53771, may also have been exploited based on emerging reports.

Security practitioners highlight the recurring threat presented by SharePoint vulnerabilities, which can serve as gateways for lateral movement and deeper network compromise if not promptly addressed. With a rising tally of disclosed flaws and only a handful exploited so far, experts are calling for continued vigilance, patching discipline, and the hardening of exposed enterprise collaboration systems.


Techday NZ
2 days ago
- Techday NZ
TRU wins top honours for OpenSSH vulnerability research at Pwnie Awards
The Qualys Threat Research Unit (TRU) has received two awards at the Pwnie Awards in recognition of its recent threat research concerning vulnerabilities in OpenSSH and FreeBSD.

Recognition at Pwnie Awards

The TRU was acknowledged for its discovery of major cybersecurity vulnerabilities, earning the titles 'Epic Achievement' and 'Best Remote Code Execution (RCE)' at the event. These accolades commend the team's work in both regression discovery and the responsible disclosure of high-impact security flaws. The Pwnie Awards are recognised within the cybersecurity research community as a benchmark for outstanding accomplishments related to the identification and resolution of security vulnerabilities. The dual recognition for TRU underscores the significance of the team's recent findings in the wider industry.

Uncovered vulnerabilities

The Epic Achievement award was given for the uncovering of two notable vulnerabilities within OpenSSH:

- CVE-2024-6387, informally known as 'regreSSHion', identified as the first pre-authentication RCE vulnerability in OpenSSH in almost two decades.
- CVE-2025-26465, a machine-in-the-middle vulnerability affecting OpenSSH's client, which resulted in FreeBSD systems being vulnerable by default for close to ten years.

TRU was also recognised in the Best RCE category for CVE-2024-6387 ('regreSSHion'). This rare vulnerability involved a signal handler race condition in the OpenSSH server's default configuration, potentially enabling exploitable heap corruption. The identification of this flaw has broad significance due to the wide adoption and longstanding reputation of OpenSSH in secure communications.

Company and leadership commentary

"Qualys has a rich legacy of groundbreaking vulnerability research that sets us apart, delivering genuine expertise in a crowded market," said Sumedh Thakar, president and CEO of Qualys. "I'm proud to see our TRU team recognised for their vital role in discovering critical vulnerabilities in widely used applications, such as OpenSSH. This work strengthens the security community through responsible disclosure and gives customers a critical edge. It provides premium research that helps security teams understand exploit impacts faster and defend more effectively."

The TRU has consistently collaborated with software vendors on the responsible disclosure of vulnerabilities. This commitment to swift and effective resolution contributes not only to the company's user base but also to broader improvements in cybersecurity standards. Over the last five years, TRU has accumulated 14 Pwnie Award nominations, winning four, evidence of its continued impact in the field.

"These high-impact vulnerabilities in a core technology like OpenSSH affect millions of devices worldwide, highlighting the importance of meticulous research and responsible disclosure," said Bharat Jogi, Senior Director, Vulnerability and Threat Research, Qualys TRU. "Our collaboration with open-source maintainers and the security community was key to rapid patches and strengthening security baselines. We're grateful to the Pwnie Award organisers and judges for recognising this work, which reflects not only our team's efforts, but a shared commitment to a safer internet."

Broader implications

The impact of these discoveries is notable given OpenSSH's prevalence as a core security technology. The vulnerabilities exposed by TRU, particularly the regreSSHion flaw, could have affected millions of devices. The subsequent collaboration and rapid patch development involved both open-source maintainers and wider industry stakeholders. The awards also reinforce the necessity of ongoing research and prompt disclosure in ensuring software remains resilient against emerging threats. By making research findings publicly available and liaising with affected parties, TRU demonstrates a model of effective engagement in the cybersecurity community.


Forbes
22-04-2025
- Forbes
2FA Is Under Attack — New And Dangerous Infostealer Update Warning
Beware the Lumma Stealer threat.

Can the infostealer threat ever be stopped? That's a question that is haunting me right now, to be honest, and a new malware analysis report is doing little to lift my mood. As if things weren't bad enough already, with 800 million compromised passwords listed in criminal forums, a million Windows devices recently infected by the malicious curse and even the tech giants falling victim. Whether it is your passwords, 2FA codes or other data, infostealer malware can strike in as little as 10 seconds flat. Now, researchers have warned that one of the biggest culprits, Lumma Stealer, is increasingly difficult to detect.

Predicting that a surge in Lumma Stealer attacks will continue throughout 2025, Mayuresh Dani, security research manager at the Qualys Threat Research Unit, warned that the malware 'recently underwent updates where, rather than stealing information all at once, the stealer now assembles and exfiltrates each piece of information as it is obtained.' This makes Lumma far stealthier and hence more resilient against detection. What's more, Dani explained, other infostealers, such as the notorious Redline Stealer, have been out of action since late last year, which has resulted in 'threat actors turning towards Lumma Stealer.'

Once you understand that Lumma Stealer has a myriad of information-stealing capabilities, including the targeting of cryptocurrency wallets, user credentials, and 2FA codes, the release of an April 21 report from Trellix analysts is all the more concerning. Lumma Stealer 'constantly adapts its TTPs and payloads to bypass security defenses,' Mohideen Abdul Khader, a security researcher at the Trellix Advanced Research Center and author of the report, said. Lumma is designed to detect virtual and sandbox environments, Khader explained, allowing it to avoid detection by security systems. The latest updated versions employ code flow obfuscation, and anyone with a technical leaning is advised to read the full report for the details.

A second report, this time authored by Mathias Sigrist, a senior detection engineer on the threat detection team at Ontinue, has explored ways to help automate detection of the threat. While focusing on Ontinue detection platforms, the report is still an interesting read for anyone wanting to know more about the infostealer threat.

'One of the biggest reasons for the surge in Lumma Stealer malware attacks is that it is pressing on a weakness in the cybersecurity industry's approach to detection engineering,' John Bambenek, president at Bambenek Consulting, said. Bambenek is referring to the fact that writing detections on single events or log entries is an insufficient default. 'Defenders need to start looking at multiple events to create alerts or they'll simply be missing attacks,' Bambenek concluded, neatly summing up just why the infostealer threat is likely to get worse, much worse, before it gets better.
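The two points made above, that the stealer now exfiltrates each item as it is obtained and that single-event detections are an insufficient default, fit together: a rule that fires on one large outbound transfer never sees many small ones. The following is an added illustration written for this page, not code from Qualys, Trellix, Ontinue or Bambenek Consulting, and it makes no claim about Lumma's real network behaviour. It runs a single-event rule and a windowed multi-event correlation rule over a constructed outbound-connection log; the log format, host names, addresses, window length and thresholds are all assumptions chosen for the demonstration.

```python
"""Single-event vs. multi-event detection over constructed outbound-connection logs.

Added example for this page. The log layout (timestamp host dest bytes), the
hosts, the destinations and the thresholds below are assumptions, not real
telemetry or vendor detection content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. host-a makes one large transfer (what a
# single-event rule expects); host-b sends six small pieces to one destination
# within a few minutes (piecemeal exfiltration); host-c sends one small
# transfer; host-d sends small pieces, but spread over an hour.
SAMPLE_LOG = """\
2025-04-21T10:00:00Z host-a 203.0.113.10:443 5242880
2025-04-21T10:00:00Z host-d 203.0.113.30:443 4000
2025-04-21T10:01:00Z host-b 203.0.113.20:443 4096
2025-04-21T10:01:30Z host-b 203.0.113.20:443 3800
2025-04-21T10:02:10Z host-b 203.0.113.20:443 4200
2025-04-21T10:02:45Z host-b 203.0.113.20:443 3900
2025-04-21T10:03:20Z host-b 203.0.113.20:443 4100
2025-04-21T10:04:00Z host-b 203.0.113.20:443 4000
2025-04-21T10:05:00Z host-c 198.51.100.5:443 2000
2025-04-21T10:15:00Z host-d 203.0.113.30:443 4000
2025-04-21T10:30:00Z host-d 203.0.113.30:443 4000
2025-04-21T10:45:00Z host-d 203.0.113.30:443 4000
2025-04-21T11:00:00Z host-d 203.0.113.30:443 4000
"""

# Assumed tuning values for the demonstration.
SINGLE_EVENT_BYTES = 1_000_000      # one transfer of at least 1 MB
WINDOW = timedelta(minutes=10)      # correlation window per (host, dest)
MIN_EVENTS = 5                      # at least this many transfers in the window
MIN_TOTAL_BYTES = 16_000            # and at least this many bytes in total


def parse_log(text):
    """Parse the constructed log into dicts with ts/host/dest/bytes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "dest": dest,
            "bytes": int(nbytes),
        })
    return events


def single_event_rule(events):
    """Alert on any single transfer above the byte threshold."""
    return sorted({e["host"] for e in events if e["bytes"] >= SINGLE_EVENT_BYTES})


def multi_event_rule(events):
    """Alert when one host sends many small transfers to one destination
    inside a sliding time window: the aggregate, not any single event."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["host"], e["dest"])].append(e)

    alerts = set()
    for (host, _dest), evs in by_pair.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                total -= evs[start]["bytes"]
                start += 1
            if end - start + 1 >= MIN_EVENTS and total >= MIN_TOTAL_BYTES:
                alerts.add(host)
                break
    return sorted(alerts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("single-event rule fires on:", single_event_rule(evs))  # ['host-a']
    print("multi-event rule fires on: ", multi_event_rule(evs))   # ['host-b']
```

The single-event rule catches only host-a, the one host that behaves the way the rule assumes; the piecemeal sender host-b produces nothing it can see. The correlation rule catches host-b and ignores host-d, whose transfers are too spread out to fit the window, which is the kind of multi-event logic Bambenek is arguing for. In production the same structure would key on richer fields (process, user, destination reputation) and the thresholds would be tuned against baseline traffic rather than picked by hand.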