
A second Commvault flaw is under exploitation

A recently disclosed Commvault vulnerability (CVE-2025-3928) has been exploited since February by a state actor targeting Commvault's Azure environment. The exploitation, which allowed remote attackers to create webshells, apparently did not affect Commvault's backup data. Last week, concerns were raised about the publication of exploit code for another flaw allowing full takeover of Commvault Command Center instances (CVE-2025-34028); it is now under active exploitation. Furthermore, for some versions the flaw appears to remain exploitable even after the patch is applied, so confirm the fix on the installed version rather than assuming the patch closed it. Commvault is a web-based platform providing backup and recovery, cloud storage and data protection to over 100,000 customers worldwide.

Mitigate it

Block access from the following IPs (defanged here with "[.]"; refang before use): 108.69.148[.]100, 128.92.80[.]210, 184.153.42[.]129, 108.6.189[.]53, 154.223.17[.]243 and 159.242.42[.]20
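Turning a defanged IOC list into something enforceable and searchable is a routine step that is easy to get wrong (a typo in a refanged address silently blocks nothing). The script below is an added example, not Commvault's or the newsletter's tooling: it refangs the six addresses above, validates them as IPv4, renders an nftables drop rule, and hunts for the addresses in web server logs. The log lines are constructed samples in combined log format, not real traffic, and the set name and paths are placeholders.

```python
"""Refang published IOCs, render an nftables block rule, and hunt for hits in web logs.

Added example; not Commvault's or the newsletter's code. Log lines are constructed.
"""
import ipaddress
import re

# IOCs exactly as published above, defanged with "[.]" so they cannot be clicked.
DEFANGED_IOCS = [
    "108.69.148[.]100", "128.92.80[.]210", "184.153.42[.]129",
    "108.6.189[.]53", "154.223.17[.]243", "159.242.42[.]20",
]

_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc: str) -> str:
    """Turn '1.2.3[.]4' back into '1.2.3.4' (also handles '(.)' and '{.}' dots)."""
    return _DEFANG_DOT.sub(".", ioc.strip())


def load_ipv4_set(iocs) -> set:
    """Refang and validate every IOC. A garbled or non-IPv4 entry raises ValueError
    instead of silently producing a rule that blocks nothing."""
    ips = set()
    for ioc in iocs:
        ip = ipaddress.ip_address(refang(ioc))
        if ip.version != 4:
            raise ValueError(f"expected an IPv4 address, got {ioc!r}")
        ips.add(ip)
    return ips


def nft_block_snippet(ips, set_name: str = "blocked_src") -> str:
    """Render an nftables set plus an input-chain drop rule for the given addresses."""
    elems = ", ".join(str(ip) for ip in sorted(ips))
    return (
        "table inet filter {\n"
        f"  set {set_name} {{ type ipv4_addr; elements = {{ {elems} }} }}\n"
        "  chain input { type filter hook input priority 0; policy accept;\n"
        f"    ip saddr @{set_name} counter drop\n"
        "  }\n"
        "}\n"
    )


# Apache/nginx combined log format: client IP is the first field.
_COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})\b'
)


def hunt(log_lines, ips):
    """Return (line_no, source_ip, request, status) for every line whose client
    address is in the block set. Lines that do not parse are skipped, not matched."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = _COMBINED.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if src in ips:
            hits.append((n, str(src), m.group("req"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, the other two addresses come from the IOC list above.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2025:10:01:12 +0000] "GET /commandcenter/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '154.223.17.243 - - [28/Apr/2025:10:02:33 +0000] "POST /commandcenter/ HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    "garbage line that does not parse",
    '159.242.42.20 - - [28/Apr/2025:10:03:05 +0000] "GET /commandcenter/ HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '198.51.100.9 - - [28/Apr/2025:10:04:41 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked = load_ipv4_set(DEFANGED_IOCS)
    print(nft_block_snippet(blocked))
    for hit in hunt(SAMPLE_LOG, blocked):
        print("HIT line %d: %s %s -> %d" % hit)
```

Feed real access logs to hunt() line by line; the first-field match deliberately ignores X-Forwarded-For, so behind a reverse proxy you would parse that header instead, since the first field is then the proxy's own address.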

A group focused on Exchange vulnerabilities indicted

The US Department of Justice indicted in absentia a Yemeni hacker behind the BlackKingdom ransomware. Between 2021 and 2023, the threat actor compromised over 1,500 Microsoft Exchange servers in the US by exploiting the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). Victims included a medical billing services company, a ski resort, a school district and a health clinic.

Iranian hackers maintained persistence for two years

The Iranian state actor Parisite (aka Lemon Sandstorm) maintained persistence for two years inside critical infrastructure in a Middle Eastern country. Initial access was obtained with stolen SSL VPN credentials. After being detected in December 2024, the attacker exploited vulnerabilities in on-premises BioTime servers (CVE-2023-38950, CVE-2023-38951 and CVE-2023-38952), a web-based time and attendance platform, to exfiltrate fresh credentials and re-enter the network.

Did the FBI hack BreachForums?

The notorious hacking marketplace BreachForums has failed to relaunch after an attack compromised its admin panel. The operation, probably led by a law enforcement agency, exploited a PHP zero-day in the unpatched MyBB forum software the site runs on. The site had previously been shut down in early April following a DDoS attack by the pro-Palestinian hacktivist group Dark Storm, which led its administrator "Anastasia" to quit and offer the forum's database for only 2,000 USD. Online rumors are also circulating about the arrest of IntelBroker, BreachForums' most prominent hacker and former administrator.

4Chan deeply compromised via a PHP exploitation

In mid-April, an unidentified attacker exploited a decade-old PHP vulnerability on one of 4chan's servers, triggered via a malicious PDF upload. The attacker gained access to the database and administrative dashboard and, within a few hours, exfiltrated most of 4chan's databases and source code. 4chan is a popular anonymous imageboard, criticized for fostering racism, misogyny and conspiracy theories. Its administrators have been accused of neglecting server upgrades because of budget cuts. The attack has been described as "catastrophic" and was followed by rumors of a possible shutdown of the platform.

A CLFS flaw exploited as a zero-day by two ransomware actors

Play ransomware abused Cisco ASA firewalls to access an American organization, then moved to a Windows machine on which it exploited a Windows CLFS zero-day (CVE-2025-29824) for privilege escalation. The intrusion included uploading malicious files, masquerading as Palo Alto software, into the Music folder; executables under user Music folders that claim to be Palo Alto components are therefore a cheap hunting lead. In March, the same zero-day was used by Storm-2460 against the IT and real estate sectors, although the two incidents appear unrelated. Play is a well-known double-extortion group, usually skilled at exploiting known Exchange and FortiOS vulnerabilities.

A flaw in SentinelOne's upgrade process

A threat actor leveraged a vulnerability in the upgrade process of SentinelOne's agents to disable protections and evade detection. Initial access to the compromised servers was gained through a vulnerability in an application running on them.

Mitigate it

Enable the "Online authorization" option for Local Upgrade/Downgrade in the Sentinel Policy menu of the management console, so that a local agent upgrade or downgrade must be authorized by the console instead of succeeding unattended on the endpoint

Another CMS targeted

Exploitation of a vulnerability in Samsung MagicINFO (CVE-2024-7399) began within hours of the publication of a PoC exploit. The flaw, which allows writing arbitrary files with SYSTEM privileges, is apparently being used by multiple threat actors. MagicINFO is a content management system that creates, schedules and distributes content across digital signage display networks.

Langflow vulnerability exploited

A critical vulnerability in Langflow (CVE-2025-3248) is being actively targeted by threat actors. Considered very easy to exploit, it allows attackers to run arbitrary code by sending crafted HTTP requests to an API endpoint that lacks authentication. Langflow is a low-code tool for developers to build AI agents and workflows that can use any API, model or database.

Mitigate it

Apply Cloudflare WAF rule 1a11fbe84b49451193ee1ee6d29da333
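The flaw class described above, an unauthenticated "validate this code" endpoint that executes what it was asked to check, is worth seeing next to its fix. The handlers below are added, illustrative code: they are not Langflow's implementation and make no claim about its internals. Framework plumbing is omitted; each handler receives the parsed JSON body and the request headers as dicts. The API key name, the environment variable and the attacker submission are all constructed for the example.

```python
"""A 'validate this code' API endpoint: the vulnerable pattern beside a hardened one.

Added, illustrative code; not Langflow's implementation. It shows the flaw class
(an unauthenticated endpoint that executes the code it should only parse) and a fix.
"""
import ast
import hmac
import os

# Marker a malicious submission tries to flip. In a real intrusion this would be a
# reverse shell or a file write; here it only records that the submission ran.
SIDE_EFFECTS = {"executed": False}

# Constructed attacker submission: syntactically valid Python that does something.
MALICIOUS_SUBMISSION = (
    "import os\n"
    "os.getpid()\n"
    "SIDE_EFFECTS['executed'] = True\n"
)


def validate_code_vulnerable(body: dict) -> dict:
    """Vulnerable pattern: no authentication, and 'validation' means running the source.
    Any syntactically valid Python sent to this handler executes on the server."""
    src = body.get("code", "")
    try:
        exec(compile(src, "<submitted>", "exec"), {"SIDE_EFFECTS": SIDE_EFFECTS})
    except Exception as exc:  # SyntaxError lands here too, but only after exec was attempted
        return {"status": 200, "ok": False, "error": f"{type(exc).__name__}: {exc}"}
    return {"status": 200, "ok": True}


# Assumption: the key is provisioned out of band. The default exists only so the
# example runs stand-alone and must never be used in a deployment.
API_KEY = os.environ.get("CODE_VALIDATE_API_KEY", "dev-only-replace-me")
MAX_SOURCE_BYTES = 64 * 1024


def _authorized(headers: dict) -> bool:
    presented = headers.get("x-api-key", "")
    # Constant-time comparison; a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(presented.encode(), API_KEY.encode())


def validate_code_hardened(body: dict, headers: dict) -> dict:
    """Hardened pattern: authenticate first, bound the input, then parse only.
    ast.parse builds a syntax tree and never executes anything, so the same
    submission that runs in the vulnerable handler is merely inspected here."""
    if not _authorized(headers):
        return {"status": 401, "ok": False, "error": "unauthorized"}
    src = body.get("code", "")
    if not isinstance(src, str) or len(src.encode()) > MAX_SOURCE_BYTES:
        return {"status": 413, "ok": False, "error": "source missing or too large"}
    try:
        tree = ast.parse(src, filename="<submitted>")
    except SyntaxError as exc:
        return {"status": 200, "ok": False, "error": f"line {exc.lineno}: {exc.msg}"}
    # Static facts the caller may want (which modules the snippet imports), gathered
    # by walking the tree, still without executing it.
    imports = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module)
    return {"status": 200, "ok": True, "imports": sorted(imports)}


if __name__ == "__main__":
    print(validate_code_vulnerable({"code": MALICIOUS_SUBMISSION}), SIDE_EFFECTS)
    SIDE_EFFECTS["executed"] = False
    print(validate_code_hardened({"code": MALICIOUS_SUBMISSION}, {}), SIDE_EFFECTS)
    print(validate_code_hardened({"code": MALICIOUS_SUBMISSION}, {"x-api-key": API_KEY}), SIDE_EFFECTS)
```

The two changes that matter are ordering and method: authentication happens before the body is touched, and validation is a parse, not an exec. A WAF rule in front of the endpoint, as in the mitigation above, only narrows the attacker's request shapes; it does not change either property.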

NYDFS imposes new cybersecurity regulation on financial companies

Under the NY Department of Financial Services (NYDFS) Cybersecurity Regulation, as of May 1 all DFS-regulated financial entities in New York (banks, lenders, insurers and others) must perform "automated scans [...] for the purpose of discovering, analyzing and reporting vulnerabilities", track the appearance of new vulnerabilities, and "timely remediate vulnerabilities [...] based on the risk they pose to the covered entity". The regulation also makes the deployment of EDR solutions, event logging tools and Privileged Access Management mandatory.
