MSP cybersecurity news digest, February 4, 2025

Recently patched vulnerabilities in SimpleHelp RMM being exploited by threat actors

Threat actors are exploiting recently patched vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to gain initial access to networks.

The flaws, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to manipulate files and escalate privileges. Although researchers have observed an active campaign targeting SimpleHelp servers, they cannot confirm with certainty that these vulnerabilities are responsible. Attackers gain access by exploiting the flaws or using stolen credentials, then execute reconnaissance commands to gather system intelligence. Researchers reported detecting 580 exposed instances vulnerable to these flaws, with the majority (345) located in the United States.

SimpleHelp users should immediately upgrade to the latest patched versions or uninstall unused clients to minimize risk. Security updates and mitigation steps are detailed in SimpleHelp's official bulletin.

Attackers gain unauthorized access to systems of London-based Smiths Group

Smiths Group, a London-based engineering giant with a reported annual revenue of $3.189 billion, has disclosed a cybersecurity breach after attackers gained unauthorized access to its systems.

The company, which operates in over 50 countries and serves industries like aerospace, defense and security, is investigating the incident. In a filing with the London Stock Exchange, Smiths stated that it swiftly isolated affected systems and activated business continuity plans.

While the company has committed to regulatory compliance and future updates, it has not disclosed when the breach was detected or if data was stolen. This incident follows recent cyberattacks on Conduent, Hewlett Packard Enterprise and Nominet.

"Script kiddies" duped by attackers with fake malware creation tool

Over 18,000 inexperienced hackers, or "script kiddies," were recently deceived into infecting their own systems.

Attackers distributed a Trojanized XWorm RAT builder, disguising it as a malware creation tool. The fake builder, spread via GitHub, Telegram, YouTube and other platforms, primarily affected users in Russia, the U.S., India, Ukraine and Turkey.

Once installed, it stole Discord tokens, system data and browser credentials while maintaining persistence. The attackers controlled infected machines through a Telegram-based C2 server, enabling keylogging, screen capture and file encryption. Researchers used the malware’s built-in kill switch to remove it from many systems, but some devices remained compromised.

macOS users targeted in new cyberattacks by “Fake DeepSeek Campaign” to spread Poseidon Stealer malware

A new cyberattack campaign, dubbed the "Fake DeepSeek Campaign," is targeting macOS users by exploiting the popularity of DeepSeek, a Chinese-developed AI chatbot. Threat actors are distributing the Poseidon Stealer malware through fake applications, phishing links and compromised websites to exfiltrate sensitive user data.

Researchers identified this campaign using trojanized applications that communicate with a command-and-control (C2) server. The malware establishes persistence by modifying macOS system files and exploits legitimate processes to evade detection. Indicators of compromise (IoCs) include suspicious plist files, unauthorized binaries with elevated privileges, and network traffic to the C2 server.

The rise of DeepSeek has fueled a surge in cyberthreats, with attackers launching phishing scams, malware campaigns and fake investment schemes exploiting its popularity. Cybercriminals create fraudulent websites mimicking DeepSeek to steal cryptocurrency wallets, distribute malware and deceive investors with fake pre-IPO offers.

FTC warns of malicious QR codes in unsolicited ‘gifts’ designed to steal identities

The FTC has warned Americans about a new scam involving unsolicited ‘gifts’ containing malicious QR codes, an evolution of traditional brushing schemes.

In these scams, fraudsters send packages to victims using stolen personal information to boost fake product reviews. Now, scammers include QR codes that, when scanned, lead to phishing sites that steal personal data or install malware. Victims may receive fake luxury items along with a note urging them to scan the code to learn more about the sender.

The FTC advises checking credit reports, monitoring financial statements and changing passwords if affected. Suspected identity theft should be reported to IdentityTheft.gov.

Given the risks associated with this scam, affected individuals should stay alert for potential fraud, regularly review their financial statements for suspicious activity, and avoid scanning unknown QR codes.