Monthly Archives: June 2025

Security

Quick Password Brute Forcing Evolution Statistics, (Tue, Jun 24th)

Leave a comment
This post was originally published on this site

We have collected SSH and telnet honeypot data in various forms for about 10 years. Yesterday's diaries, and looking at some new usernames attempted earlier today, made me wonder if botnets just add new usernames or remove old ones from their lists. So I pulled some data from our database to test this hypothesis. I didn't spend a lot of time on this, and this could use a more detailed analysis. But here is a preliminary result:

Security

Scans for Ichano AtHome IP Cameras, (Mon, Jun 23rd)

Leave a comment
This post was originally published on this site

Ichano's "AtHome Camera" is a bit of a different approach to home surveillance cameras [1]. Instead of a hardware camera solution, this product is a software solution that turns existing devices like computers and tablets into webcams. The software implements features we know from similar IP camera devices. It enabled streaming of images and remote access to features like motion detection and alerting.

Powershell

Announcing Microsoft Desired State Configuration v3.1.0

Leave a comment
This post was originally published on this site

We’re pleased to announce the General Availability of Microsoft’s Desired State Configuration (DSC)
version 3.1.0. This release marks a significant milestone in our effort to deliver cloud-native
configuration management for cross-platform environments. DSC is a declarative configuration and
orchestration platform that defines a standard way of exposing settings for applications and
services. DSC v3.1.0 is built on collaboration with key improvements driven by partner requests.
Special thanks to the Windows Package Manager (WinGet) team and the incredible support of the DSC
community.

For additional details about the initial DSC v3.0.0 release, see:

What’s New in DSC v3.1

This release continues our momentum by delivering features and improvements
driven by real world use, partner feedback, and community contributions.

DSC v3.1 includes updates and fixes across the platform. Here are some of the
most important improvements:

WinGet and partner-driven enhancements

  • Core infrastructure updates to enable DSC-based management in WinGet scenarios.
  • Extended resource invocation APIs, allowing for richer integration by external tools.
  • Increased flexibility for configuration refresh and reporting, driven by partner needs.

Resource authoring improvements

  • Improved handling and validation for resource schema files, with clearer error messages.
  • Fixed issues with module loading and path resolution that impacted PSDSC resources.
  • More robust handling of resources with required and optional properties.

Cross-Platform reliability and bug fixes

  • Fixed several Linux-specific issues in resource execution, state detection, and error
    reporting.
  • Improved Windows compatibility, particularly for recent versions and in mixed-OS
    environments.
  • Addressed inconsistencies in the application of ensure properties and desired state
    evaluation.

Performance and quality

  • Optimized configuration drift detection, resulting in faster and more reliable test
    operations.
  • Reduced occurrence of configuration runs left in an indeterminate or failed state.
  • Improved error handling for edge cases in set, test, and get operations.

Diagnostics and usability

  • Expanded logging and diagnostics, making it easier to trace resource behavior and
    configuration activity.
  • Improved the clarity and usefulness of error and warning messages across platforms.
  • More consistent reporting of operation outcomes in both interactive and automated
    scenarios.

For a full list of changes, see the DSC v3.1 changelog

Installing DSC

To get started, follow these steps to install DSC on your system:

On Windows, you can install DSC from the Microsoft Store using winget. By installing from the
Store or using winget, you get automatic updates for DSC.

Search for the latest version of DSC:

winget search DesiredStateConfiguration --source msstore
Name                              Id           Version Source
---------------------------------------------------------------
DesiredStateConfiguration         9NVTPZWRC6KQ Unknown msstore
DesiredStateConfiguration-Preview 9PCX3HX4HZ0Z Unknown msstore

Install DSC using the id parameter:

# Install latest stable
winget install --id 9NVTPZWRC6KQ --source msstore
# Install latest preview
winget install --id 9PCX3HX4HZ0Z --source msstore

On Linux and macOS, you can install DSC using the following steps:

  1. Download the latest release from the PowerShell/DSC repository.
  2. Expand the release archive.
  3. Add the folder containing the expanded archive contents to your PATH environment variable.

Support lifecycle

DSC follows semantic versioning.

The first release of DSC version 3.0.0 is a Stable release. DSC version 3.1.0 is the current Stable
release. Patch releases update the third digit of the semantic version number. For example, 3.1.1 is
a patch update to 3.1.0. Stable releases receive patches for critical bugs and security
vulnerabilities for three months after the next Stable release. For example, version 3.1.0 is
supported for three months after 3.2.0 is released.

Always update to the latest patch version of the release you’re using.

Call to action

For more information about Desired State Configuration v3.0 (DSC), see the DSC documentation.
We value your feedback. Stop by our GitHub repository and let us know of any issues you find.

Jason Helmick

Sr. Product Manager, PowerShell

The post Announcing Microsoft Desired State Configuration v3.1.0 appeared first on PowerShell Team.

Security

Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider

Leave a comment
This post was originally published on this site

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727—a path traversal vulnerability.1 Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises.1 

CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2025.

CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.

Download the PDF version of this report:

AA25-163A Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
(PDF, 420.49 KB
)

Mitigations

CISA recommends organizations implement the mitigations below to respond to emerging ransomware activity exploiting SimpleHelp software. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.

Vulnerable Third-Party Vendors

If SimpleHelp is embedded or bundled in vendor-owned software or if a third-party service provider leverages SimpleHelp on a downstream customer’s network, then identify the SimpleHelp server version at the top of the file <file_path>/SimpleHelp/configuration/serverconfig.xml. If version 5.5.7 or prior is found or has been used since January 2025, third-party vendors should:

  1. Isolate the SimpleHelp server instance from the internet or stop the server process.
  2. Upgrade immediately to the latest SimpleHelp version in accordance with SimpleHelp’s security vulnerability advisory.2
  3. Contact your downstream customers to direct them to take actions to secure their endpoints and undertake threat hunting actions on their network.

Vulnerable Downstream Customers and End Users

Determine if the system is running an unpatched version of SimpleHelp RMM either directly or embedded in third-party software.

SimpleHelp Endpoints

Determine if an endpoint is running the remote access (RAS) service by checking the following paths depending on the specific environment:

  • Windows: %APPDATA%JWrapper-Remote Access
  • Linux: /opt/JWrapper-Remote Access
  • MacOs: /Library/Application Support/JWrapper-Remote Access

If RAS installation is present and running, open the serviceconfig.xml file in <file_path>/JWrapper-Remote Access/JWAppsSharedConfig/ to determine if the registered service is vulnerable. The lines starting with <ConnectTo indicate the server addresses where the service is registered.

SimpleHelp Server

Determine the version of any SimpleHelp server by performing an HTTP query against it. Add /allversions (e.g., https://simple-help.com/allversions) to query the URL for the version page. This page will list the running version.

If an unpatched SimpleHelp version 5.5.7 or earlier is confirmed on a system, organizations should conduct threat hunting actions for evidence of compromise and continuously monitor for unusual inbound and outbound traffic from the SimpleHelp server. Note: This is not an exhaustive list of indicators of compromise.

  1.  Refer to SimpleHelp’s guidance to determine compromise and next steps.3
  2. Isolate the SimpleHelp server instance from the internet or stop the server process.
  3. Search for any suspicious or anomalous executables with three alphabetic letter filenames (e.g., aaa.exe, bbb.exe, etc.) with a creation time after January 2025. Additionally, perform host and network vulnerability security scans via reputable scanning services to verify malware is not on the system.
  4. Even if there is no evidence of compromise, users should immediately upgrade to the latest SimpleHelp version in accordance with SimpleHelp’s security vulnerabilities advisory.4

If your organization is unable to immediately identify and patch vulnerable versions of SimpleHelp, apply appropriate workarounds. In this circumstance, CISA recommends using other vendor-provided mitigations when available. These non-patching workarounds should not be considered permanent fixes and organizations should apply the appropriate patch as soon as it is made available.

Encrypted Downstream Customers and End Users

If a system has been encrypted by ransomware:

  1. Disconnect the affected system from the internet.
  2. Use clean installation media (e.g., a bootable USD drive or DVD) to reinstall the operating system. Ensure the installation media is free from malware.
  3. Wipe the system and only restore data from a clean backup. Ensure data files are obtained from a protected environment to avoid reintroducing ransomware to the system.

CISA urges you to promptly report ransomware incidents to a local FBI Field Office, FBI’s Internet Crime Compliant Center (IC3), and CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Proactive Mitigations to Reduce Risk

To reduce opportunities for intrusion and to strengthen response to ransomware activity, CISA recommends customers of vendors and managed service providers (MSPs) implement the following best practices:

  • Maintain a robust asset inventory and hardware list [CPG 1.A].
  • Maintain a clean, offline backup of the system to ensure encryption will not occur once reverted. Conduct a daily system backup on a separate, offline device, such as a flash drive or external hard drive. Remove the device from the computer after backup is complete [CPG 2.R].
  • Do not expose remote services such as Remote Desktop Protocol (RDP) on the web. If these services must be exposed, apply appropriate compensating controls to prevent common forms of abuse and exploitation. Disable unnecessary OS applications and network protocols on internet-facing assets [CPG 2.W].
  • Conduct a risk analysis for RMM software on the network. If RMM is required, ask third-party vendors what security controls are in place.
  • Establish and maintain open communication channels with third-party vendors to stay informed about their patch management process.
  • For software vendors, consider integrating a Software Bill of Materials (SBOM) into products to reduce the amount of time for vulnerability remediation.
    • An SBOM is a formal record of components used to build software. SBOMs enhance supply chain risk management by quickly identifying and avoiding known vulnerabilities, identifying security requirements, and managing mitigations for vulnerabilities. For more information, see CISA’s SBOM page.

Resources

Reporting

Your organization has no obligation to respond or provide information back to FBI in response to this advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

CISA and FBI do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

SimpleHelp users or vendors can contact support@simple-help.com for assistance with queries or concerns.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by CISA.

Version History

June 12, 2025: Initial version.

Notes

1. Anthony Bradshaw, et. al., “DragonForce Actors Target SimpleHelp Vulnerabilities to Attack MSP, Customers,” Sophos News, May 27, 2025, https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/.
2. For instructions for upgrading to the latest version of SimpleHelp, see SimpleHelp’s security vulnerability advisory.
3. To determine possibility of compromise and next steps, see SimpleHelp’s guidance.
4. For instructions for upgrading to the latest version of SimpleHelp, see SimpleHelp’s security vulnerability advisory.

Security

Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th)

Leave a comment
This post was originally published on this site

RAT's are popular malware. They are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. This file is a second stage that is downloaded and launched from a simple script:

Security

Be Careful With Fake Zoom Client Downloads, (Thu, Jun 5th)

Leave a comment
This post was originally published on this site

Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx, (name your best solution), … became popular and must be regularly updated.Yesterday, I received an interesting email with a fake Zoom meeting invitation:

Security

vBulletin Exploits (CVE-2025-48827, CVE-2025-48828), (Tue, Jun 3rd)

Leave a comment
This post was originally published on this site

Last week, Ryan Dewhurst disclosed an interesting and easily exploitable vulnerability in vBulltin. These days, bulletin boards are not quite as popular as they used to be, but they are still being used, and vBulletin is one of the most common commercially supported platforms to create a bulletin board. The vulnerability is remarkable as it exemplifies some common issues with patching and keeping your software up to date.