Latest news with #RemoteDesktopProtocol


Techday NZ
24-07-2025
- Business
- Techday NZ
Digital attack surfaces expand as key exposures & risks double
ReliaQuest's latest Digital Risk Protection trends report reveals a significant rise in external cyber risks faced by organisations, as their digital footprints and corresponding attack surfaces continue to expand in the first half of 2025.

Rising exposures
The report analyses customer alerts across 38 types of external exposures, comparing data from the second half of 2024 to the first half of 2025. It found a 27% increase in exposed ports, a 35% rise in exposed operational technology (OT) ports, and a doubling of exposed access keys. Alerts for exposed marked documents, including sensitive information such as customer data and network diagrams, jumped by over 10%. Typo-squatting, the creation of counterfeit domains mimicking legitimate organisations, has remained a persistent risk, with threat actors such as "Scattered Spider" targeting technology vendors to steal credentials. According to the report, typo-squatted domains are particularly effective, often facilitating phishing campaigns across multiple client organisations. CISOs must look beyond traditional security measures and address the external footprint - exposed credentials, open ports, and vulnerabilities. Proactively managing these exposures isn't just important; it's the frontline defense against external threats and a critical step in reducing the attack surface.

Consistent risk landscape
Throughout both late 2024 and the first half of 2025, the top five digital risks remained largely consistent. Exposed marked documents led with a steep increase to 37.8% of alerts, followed by impersonating domains (19.0%), impersonating subdomains (15.6%), exposed ports (7.1%), and credential exposure (4.6%). The report attributes some of the increase in exposed documents to accidental leaks on organisational websites. Such exposures are often sold on cybercriminal forums, with claims of company breaches potentially leading to regulatory action, lawsuits, and damage to brand reputation.

Expanding attack vectors
Enterprise organisations added an average of 28 new exposed ports per organisation in just six months, rising from 103 in the last half of 2024 to 131 in the first half of 2025. Increased exposures of FTP and SSH ports have provided a broader attack surface for threat actors. ReliaQuest reports that some attacks have occurred by exploiting Remote Desktop Protocol (RDP) logins, giving access to administrative accounts. While prompt detection and containment prevented escalation in one incident, the report underscores the importance of proactive management of exposed services. Among OT systems, the average number of exposed ports per organisation rose by 35%, with Modbus (port 502) identified as the most commonly exposed, posing risks of unauthorised commands and potential shutdowns of key devices. The exposure of Unitronics port 20256 surged by 160%. The report cites cases where attackers, such as the group "CyberAv3ngers," targeted industrial control systems during conflicts, exploiting weak or default passwords.

Persistent vulnerabilities
The number of vulnerabilities identified on public-facing assets more than doubled, rising from three per organisation in late 2024 to seven in early 2025. Critical vulnerabilities dating as far back as 2006 and 2008 still persist on unpatched systems, with proof-of-concept code readily available online, making exploitation accessible even to attackers with limited expertise. The report also references the continued threat posed by ransomware groups who exploit such weaknesses in internet-facing devices.

Key exposures double
Incidents involving exposed access keys, including cloud and API keys, doubled from late 2024 to early 2025. Exposed credentials can enable threat actors to enter environments as legitimate users, bypassing perimeter defenses. The report highlights that most exposures result from accidental code pushes to public repositories or leaks on criminal forums. The drop in credential access alerts is said to be linked to law enforcement actions against a major infostealer malware family, "Lumma," coupled with the temporary shutdown of the "BreachForums" marketplace. However, new malware strains have since begun to re-emerge, forcing security teams to continually adapt their defences.

Future trends
The report anticipates that attack surfaces will keep expanding due to increased adoption of Internet of Things (IoT) devices, projected to grow from 17.7 billion in 2024 to 31.2 billion by 2030. Security weaknesses in these devices remain a target for exploitation. The accelerating adoption of artificial intelligence likewise creates fresh risks, including prompt injection attacks and exposure of sensitive credentials during development processes. As on-premises systems become more difficult to breach with traditional methods, attackers are shifting toward the use of stolen credentials and the exploitation of internet-facing vulnerabilities, an evolution reflected in the tactics of ransomware and social engineering groups. The report concludes by highlighting the importance for organisations to proactively identify and address external risks such as exposed credentials, open ports, and vulnerabilities as part of a broader digital risk protection strategy.
Yahoo
23-07-2025
- Yahoo
ExpressVPN patches Windows bug that exposed remote desktop traffic
ExpressVPN has released a new patch for its Windows app to close a vulnerability that can leave remote desktop traffic unprotected. If you use ExpressVPN on Windows, download version 12.101.0.45 as soon as possible, especially if you use Remote Desktop Protocol (RDP) or any other traffic through TCP port 3389. ExpressVPN announced both the vulnerability and the fix in a blog post earlier this week. According to that post, an independent researcher going by Adam-X sent in a tip on April 25 to claim a reward from ExpressVPN's bug bounty program. Adam-X noticed that some internal debug code which left traffic on TCP port 3389 unprotected had mistakenly shipped to customers. ExpressVPN released the patch about five days later in version 12.101.0.45 for Windows. As ExpressVPN points out in its announcement of the patch, it's unlikely that the vulnerability was actually exploited. Any hypothetical hacker would not only have to be aware of the flaw, but would then have to trick their target into sending a web request over RDP or other traffic that uses port 3389. Even if all the dominoes fell, the hacker could only see their target's real IP address, not any of the actual data they transmitted. Even if the danger was small, it's nice to see ExpressVPN responding proactively to flaws in its product — bug bounties are great, but a security product should protect its users with as many safeguards as possible. In addition to closing this vulnerability, they're also adding automated tests that check for debug code accidentally left in production builds. This, plus a successful independent privacy audit earlier in 2025, gives the strong impression of a provider that's on top of things.

Engadget
23-07-2025
- Engadget
ExpressVPN patches Windows bug that exposed remote desktop traffic


Tom's Guide
22-07-2025
- Tom's Guide
ExpressVPN fixes a bug which could have disclosed user IP addresses
ExpressVPN has updated its Windows app to patch a vulnerability which could have exposed a user's IP address to observers. As one of the best VPNs, ExpressVPN is very secure, but mistakes can happen. The provider said in a blog post that code meant for internal testing "mistakenly made it into production builds." Only users in specific conditions were affected, but the bug meant traffic wasn't being routed through the VPN tunnel as expected – however, encryption was not impacted.

ExpressVPN acted quickly to fix the vulnerability and is recommending all its Windows VPN users upgrade to the latest version of the app. The code meant for internal testing found its way into production build versions 12.97 to 12.101.0.2-beta. It was reported to ExpressVPN in April 2025 by security researcher Adam-X through the provider's bug bounty program – where security researchers can earn cash rewards for reporting vulnerabilities and flaws. ExpressVPN said its team confirmed and triaged the report within hours.

The vulnerability centred around Remote Desktop Protocol (RDP). According to ExpressVPN there was only a risk when an RDP connection was in use or when other TCP traffic was routed over port 3389. ExpressVPN said "if a user established a connection using RDP, that traffic could bypass the VPN tunnel." "This did not affect encryption, but it meant that traffic from RDP connections wasn't routed through ExpressVPN as expected." It added that observers such as internet service providers could see that a user was connected to ExpressVPN and that they were using RDP to access remote servers – information that would ordinarily be protected. RDP is most commonly used in enterprise environments, and therefore most users were unaffected. However, ExpressVPN said it considers "any risk to privacy unacceptable." A fix was released five days later in version 12.101.0.45. The researcher confirmed the issue was resolved and ExpressVPN closed the report at the end of June.

How severe could this have been?
ExpressVPN analysed the issues and believed "the likelihood of real-world exploitation was extremely low." Given that a majority of ExpressVPN users are individuals as opposed to enterprise customers, the provider said "the number of affected users is likely small." For a hacker to exploit the vulnerability, they would've needed to be aware of the bug and find a way to route traffic over port 3389. This could've been done by tricking a user into clicking on a malicious link or compromising a popular website to launch a drive-by attack – all while the user was connected to the VPN. As demonstrated by Adam-X, a user's real IP address could've been revealed. But browsing activity couldn't have been seen and encryption was not compromised. ExpressVPN said it was grateful to its community for notifying it of potential issues and suggesting improvements. The provider will strengthen its internal safeguards to ensure this doesn't happen again.
Yahoo
08-07-2025
- Business
- Yahoo
Ingram Micro investigating ransomware attack
This story was originally published on Cybersecurity Dive.

Ingram Micro said Saturday that it is investigating a ransomware attack after discovering suspicious activity on its internal network. The Irvine, Calif.-based technology firm said it proactively took certain systems offline, notified law enforcement and retained outside forensic experts to help with the investigation. The company said it is working diligently to restore normal operations following the attack, which has affected its ability to process and ship orders.

The SafePay ransomware group has reportedly claimed credit for the attack. Researchers have seen an uptick in activity from SafePay since May, according to Jamie Levy, director of adversary tactics at Huntress. The hacker group, first discovered in October 2024, has breached targeted companies using internet-exposed Remote Desktop Protocol as well as targeted virtual private networks. SafePay has been among the most active of all ransomware gangs, with 18% of attacks being linked to the group, according to Matt Hull, global head of threat intelligence at NCC. The group has been active since at least November 2024 and is believed to be a rebrand of other top ransomware gangs, possibly including LockBit, AlphV or INC. NCC recently responded to an attack linked to SafePay that involved the hackers gaining initial access through a misconfigured firewall and bypassing multifactor authentication, according to a March report. The hackers also used ScreenConnect to gain persistence inside a network, according to NCC.

Ingram Micro has not disclosed any details about how the attackers gained access to its systems. The company also has not estimated the hack's financial impact. It reported net sales of $12.3 billion on non-GAAP earnings of $144 million, or 61 cents a share, during the fiscal first quarter. The company's latest forecast calls for net sales of $11.7 billion to $12.2 billion in the fiscal second quarter, on earnings between 53 cents and 63 cents a share.