Hello, My Name is Abdulrazzaq Khalaf

This is my blog where I share knowledge, latest news and interesting projects


Friday, June 13, 2025

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

According to The Hacker News:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider.

"This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the agency said in an advisory.

Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution.

The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider's SimpleHelp deployment was accessed by the threat actor using these flaws, who then leveraged it to pivot to other downstream customers.

CISA said that SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, and that the ransomware crews are exploiting it to access downstream customers' unpatched SimpleHelp instances for double extortion attacks.

The agency has outlined the below mitigations that organizations, including third-party service providers that make use of SimpleHelp to connect to downstream customers, can implement to better respond to the ransomware activity:

  • Identify and isolate SimpleHelp server instances from the internet and update them to the latest version
  • Notify downstream customers and instruct them to take actions to secure their endpoints
  • Conduct threat hunting actions for indicators of compromise and monitor for unusual inbound and outbound traffic from the SimpleHelp server (for downstream customers)
  • Disconnect affected systems from the internet if they have been encrypted by ransomware, reinstall the operating system, and restore data from a clean backup
  • Maintain periodic clean, offline backups
  • Refrain from exposing remote services such as Remote Desktop Protocol (RDP) on the web

CISA said it does not encourage victims to pay ransoms as there is no guarantee that the decryptor provided by the threat actors will help recover the files.

"Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," CISA added.

Fog Ransomware Attack Deploys Employee Monitoring Software

The development comes as Broadcom-owned Symantec detailed a Fog ransomware attack targeting an unnamed financial institution in Asia with a combination of dual-use and open-source pentesting tools not observed in other ransomware-related intrusions.

Fog is a ransomware variant first detected in May 2024. Like other ransomware operations, the financially motivated crew employs compromised virtual private network (VPN) credentials and system vulnerabilities to gain access to an organization's network and encrypt data, but not before exfiltrating it.

Alternate infection sequences have employed Windows shortcut (LNK) files contained within ZIP archives, which are then distributed via email and phishing attacks. Executing the LNK file leads to the download of a PowerShell script that's responsible for dropping a ransomware loader containing the Fog locker payload.

The attacks are also characterized by the use of advanced techniques to escalate privileges and evade detection by deploying malicious code directly in memory and disabling security tools. Fog is capable of targeting both Windows and Linux endpoints.

According to Trend Micro, as of April 2025, the Fog threat actors have claimed 100 victims on its data leak site since the start of the year, with a majority of the victims associated with technology, education, manufacturing, and transportation sectors.

"The attackers used a legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual," Symantec said. "They also deployed several open-source pen-testing tools – GC2, Adaptix, and Stowaway – which are not commonly used during ransomware attacks."

While the exact initial access vector used in the incident is unknown, the threat actors have been found to use Stowaway, a proxy tool widely used by Chinese hacking groups, to deliver Syteca. It's worth noting that GC2 has been used in attacks carried out by the Chinese state-sponsored hacking group APT41 in 2023.

Also downloaded were legitimate programs like 7-Zip, Freefilesync, and MegaSync to create compressed data archives for data exfiltration.

Another interesting aspect of the attacks is that the attackers created a service to establish persistence on the network, several days after the ransomware was deployed. The threat actors are said to have spent about two weeks before dropping the ransomware.

"This is an unusual step to see in a ransomware attack, with malicious activity usually ceasing on a network once the attackers have exfiltrated data and deployed the ransomware, but the attackers in this incident appeared to wish to retain access to the victim's network," Symantec and Carbon Black researchers said.

The uncommon tactics have raised the possibility that the company may have been targeted for espionage reasons, and that the threat actors deployed the Fog ransomware either as a distraction to mask their true goals or to make some quick money on the side.

LockBit Panel Leak Reveals China Among Most Targeted

The findings also coincide with revelations that the LockBit ransomware-as-a-service (RaaS) scheme netted around $2.3 million within the last six months, indicating that the e-crime group continues to operate despite several setbacks.

What's more, Trellix's analysis of LockBit's geographic targeting from December 2024 to April 2025 based on the May 2025 admin panel leak has uncovered China to be one of the most heavily targeted countries by affiliates Iofikdis, PiotrBond, and JamesCraig. Other prominent targets include Taiwan, Brazil, and Turkey.

"The concentration of attacks in China suggests a significant focus on this market, possibly due to its large industrial base and manufacturing sector," security researcher Jambul Tologonov said.

"Unlike Black Basta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach."

The leak of the affiliate panel has also prompted LockBit to announce a monetary reward for verifiable information about "xoxo from Prague," an anonymous actor who claimed responsibility for the leak.

On top of that, LockBit appears to have benefitted from the sudden discontinuation of RansomHub towards the end of March 2025, causing some of the latter's affiliates, including BaleyBeach and GuillaumeAtkinson, to transition to LockBit and compel it to reactivate its operations amid ongoing efforts to develop the next version of the ransomware, LockBit 5.0.

"What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities. While profitable, it's far from the perfectly orchestrated, massively lucrative operation they'd like the world to believe it is," Tologonov concluded.


Original post:

https://thehackernews.com/2025/06/ransomware-gangs-exploit-unpatched.html

Wednesday, June 11, 2025

Leveling Up: Why IAM Still Matters in 2025 and Beyond

Today, I’m proud to share a milestone on my journey to becoming the best cybersecurity professional I can be: I’ve just completed the Identity and Access Management (IAM) course on TryHackMe!

In a world where digital threats evolve daily, IAM remains one of the most critical pillars of cybersecurity. It’s not just about controlling who gets access to what—it’s about protecting trust in every system we build and use.

Why IAM Still Matters

Even in 2025, IAM is more relevant than ever. With the rise of cloud computing, remote work, and interconnected systems, the attack surface has expanded dramatically. Every identity—whether human or machine—represents a potential entry point. Without strong IAM practices, even the most advanced security infrastructure can be compromised.

IAM is about:

  • Ensuring the right people have the right access at the right time
  • Minimizing risk through least privilege and zero trust principles
  • Auditing and monitoring access to detect anomalies before they become breaches

My Commitment to Growth

This course wasn’t just a checkbox—it was a deep dive into the mechanics of secure identity management. From authentication protocols to access control models, I’ve strengthened my foundation in a skill that every cybersecurity expert must master.

I’m sharing this not just to celebrate, but to inspire. If you’re on your own cybersecurity journey, know this: every step you take, every skill you build, brings you closer to making a real impact in this field.

Let’s keep learning, keep growing, and keep defending.

#CyberSecurity #IAM #TryHackMe #ProfessionalGrowth #NeverStopLearning


https://tryhackme.com/room/iaaaidm


Tuesday, May 27, 2025


🔧 Just earned the "Friday Fixer" badge on TryHackMe!
Excited to keep sharpening my skills one challenge at a time. Always learning, always improving.

Check out my progress here: https://tryhackme.com/p/Abdulrazzaq?show_achievement_badge=friday-fixer

#CyberSecurity #TryHackMe #FridayFixer #BlueTeam #CTF #LearningByDoing #InfoSec




Sunday, April 20, 2025

-- In a pledge to keep learning and developing --


I am proud to say that, with the help of UnixGuy and his guidance and many other friends, I have earned one in a series of many badges to come in the near future from learning and practising live cybersecurity analysis and skill elevating: the SOC Level 1 - Skill Navigator Badge 🎉🎉🎉🎉🎉🎉

TryHackMe - Skill Navigator Badge. Check it out!




Tuesday, January 9, 2024

Leveraging Employee Education as a Strategic Business Investment

In today's rapidly evolving corporate landscape, businesses are witnessing a significant shift in the way they perceive and approach employee education. Beyond traditional benefits and monetary compensations, top talent seeks employers who prioritize continuous learning and professional growth opportunities. According to a recent LinkedIn report, 94 percent of employees would consider staying longer at a company if provided with enhanced access to educational resources.

A thought-provoking article by Rocio Alvarez on InStride's platform sheds light on the changing dynamics of employee education and why it's becoming increasingly crucial for businesses to view it as a strategic investment rather than just a perk.

Reference: InStride Article: "Why employee education should be a priority for every business leader" by Rocio Alvarez

Benefits of Employee Education

Alvarez's piece emphasizes the multifaceted advantages that employee education offers, extending from personal growth to organizational and societal impacts. Notably, it highlights several pivotal benefits:

  • Advancing Diversity, Equity, and Inclusion (DEI): Education programs help level the playing field for underserved demographics, fostering a more diverse talent pipeline and creating an inclusive workplace.

  • Attracting and Retaining Talent: Businesses that invest in their employees' ongoing education tend to attract and retain top talent by demonstrating a commitment to professional development.

  • Elevating Business Agility: In an ever-evolving business landscape, education equips employees with the necessary skills to keep companies competitive amidst digital transformations and market changes.

Distinguishing Employee Education from Training

Alvarez discerns between employee education and training, underlining that education embodies a broader, long-term initiative aimed at upskilling and advancing employee expertise, while training typically targets specific short-term skill development.

Types of Employee Education Programs

The article also delves into various types of employee education initiatives, ranging from mentorship programs and certification courses to training sessions and tuition reimbursement programs. Each serves as a valuable tool for employee development, catering to different learning needs within organizations.

Strategic Business Initiative

A crucial aspect emphasized in Alvarez's article is the need for businesses to view employee education as a strategic investment aligned with their overall goals. Successful organizations consider education programs not merely as perks but as measurable investments designed to meet the learning needs of their workforce.

Conclusion

In conclusion, the piece by Rocio Alvarez on InStride's platform underscores the pivotal role of employee education in driving organizational success and fostering a supportive workplace culture. It encourages businesses to view education not as a standalone benefit but as a cornerstone of their strategic vision for growth and talent development.

For those interested in crafting impactful education programs aligned with their business objectives, consulting with experts like those at InStride could pave the way for transformative initiatives.

By acknowledging the significance of employee education and embracing it as a strategic asset, businesses can empower their workforce, foster innovation, and achieve sustainable growth.


For more information visit: https://instride.com/insights/employee-education/

Thursday, December 14, 2023

Nmap Basics: Port Scanning Tutorial

Amazing video tutorial that actually shows how to scan ports and network vulnerabilities using Nmap!




https://youtu.be/BHESuhyrGg4?si=DCqNPecEicLSAx-z



In this video, I demonstrate how to scan networks for open ports using Nmap. I first explain how the Nmap port scanning process works, then walk through several examples and share my 7 tips for scanning larger networks. Here are the examples I go over in this video:

  1. Scan top 1000 ports
  2. Scan a single target system
  3. Scan an entire network or IP range
  4. Scan top 100 ports
  5. Scan specific TCP ports
  6. How to scan a range of ports
  7. How to scan UDP ports

Port scanning tips:

  1. Disable DNS lookups
  2. Disable host discovery
  3. Display progress
  4. Use packet trace option
  5. Display reason
  6. Run ping scan first
  7. Save output to text file

You can use scanme.nmap.org to run test scans. Do not run Nmap scans on production systems or networks without permission. By default Nmap will do a host discovery process on target systems. Firewalls can block these packets, which results in Nmap skipping the port scan. You might need to use the -Pn command to treat all hosts as online to force a port scan. I go over this in detail in the video.

Written instructions & examples: https://networkverge.com/port-scanning
More network and Nmap tutorials: https://networkverge.com
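As an added example that is not from the video or networkverge.com, the script below composes a scan command that applies the tips above (no DNS, no host discovery, progress, reason, saved output) and then turns Nmap's grepable output file into a plain inventory of open ports, the form a defender wants for comparing against an approved-services list. The hosts, ports and the .gnmap content are constructed sample data, not a real scan.

```shell
#!/bin/sh
# Added example (not from the video or networkverge.com): build the scan
# options from the tips above and parse Nmap's grepable (-oG) output into
# an inventory of open ports. All hosts/ports below are constructed.

# Build an nmap command line (printed, not executed) applying the tips:
# -n (no DNS lookups), -Pn (no host discovery), --reason, --stats-every
# (progress), -oN/-oG (save output). $1 target, $2 port spec, $3 output basename
build_scan_cmd() {
    target=$1; portspec=$2; outfile=$3
    printf 'nmap -n -Pn --reason --stats-every 10s %s -oN %s -oG %s.gnmap %s\n' \
        "$portspec" "$outfile" "$outfile" "$target"
}

# Print one line per open port from a .gnmap file: "host port/proto service".
# Only state "open" is reported; UDP "open|filtered" is left out on purpose
# because it is unconfirmed and would inflate the inventory.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*$/, "", host)   # keep the IP only
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")      # port/state/proto//service///
                    if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
                }
            }
        }' "$1"
}

# Constructed sample of -oG output (RFC 5737 test addresses), written to a temp file.
SAMPLE=$(mktemp)
{
    printf '# Nmap 7.94 scan initiated (constructed sample, not real scan output)\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
} > "$SAMPLE"

build_scan_cmd scanme.nmap.org "--top-ports 100" scanme   # prints the command to review
open_ports "$SAMPLE"                                        # inventory from the sample file
```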

Saturday, December 9, 2023

New 5G Modem Flaws impact mobile phones and more!

So, you know how everyone's been excited about 5G, right? Well, it turns out there's a bit of a spooky situation going on. There are these big problems—like, serious security flaws—in the way 5G tech works in a bunch of smartphones and other gadgets.

They've called these issues "5Ghoul" (pretty scary name, huh?), and they're a big deal. See, about 14 major problems have been found in the stuff that makes 5G work, especially in the modems from companies like MediaTek and Qualcomm. Out of these, 10 flaws affect these 5G modems, and three are especially bad—they could do some serious damage.



Now, what's really concerning is how these flaws could mess things up. They might mess with your connection, making it drop all the time, freeze up so you'd have to restart your device manually, or even knock your super-fast 5G down to slower, less secure 4G.

The scary part? These problems affect a ton of smartphones—like 714 models from big brands such as Samsung, Apple, Google, Xiaomi, and loads more. So, basically, a bunch of us might be at risk here.

It's not just about inconvenience, though. These flaws could mean serious trouble—think compromised data, messed-up networks, and even attacks on important stuff that relies on these networks.

The good news is that people are on it. They're urging the companies that make the tech, the ones that build our phones, and the folks who create the software to work together and fix these issues ASAP. We all need to stay sharp and update our devices whenever those security fixes come out. Plus, everyone—companies, regulators, all of us—needs to step up to make sure our digital world is safer from these kinds of threats.

This whole 5Ghoul thing is a wake-up call. It shows how important it is to keep an eye on security stuff and work together to keep our tech safe. For more information visit the Hacker news on the link below:

New 5G Modems Flaws Affect iOS Devices and Android Models from Major Brands (thehackernews.com)

Wednesday, December 6, 2023

Your IP address is no secret.


A lot of people worry that their IP address might reveal their name, home address, age, what they look at online, and more. That's just not the case. Sure, they might find out some interesting information, but nothing revealing.

Let's explore what you can discover by running a real IP address through an IP Lookup website like this one.


Uses:

There are a handful of practical reasons people use IP Lookup, even with its limitations:

  • Law enforcement and fraud investigators use online tools to see what ISP is hosting a spammer.

  • Blacklist databases use it to find spammers or other violators and block their access to email servers.

  • Retailers often use IP Lookup to make sure someone charging thousands of dollars is at the mailing address linked to the card... and not actually overseas with a stolen credit account.

  • You can use it to verify that someone who tells you in an email that they're across town isn't really in an abandoned warehouse in another country.


Useful tools

Try this tool to check whether your email addresses have appeared in a breach!

This is one of the useful tools.