Major Cybersecurity Incidents

1 ConnectWise Breach by Nation-State Actor

On May 28, 2025, ConnectWise, a prominent IT management software provider, disclosed a cyberattack on its ScreenConnect platform, attributing the breach to a sophisticated nation-state actor.

🔍 Incident Overview

  • Discovery: ConnectWise identified suspicious activity within its environment, impacting a limited number of ScreenConnect customers.
  • Investigation: The company engaged cybersecurity firm Mandiant to conduct a comprehensive forensic investigation and notified all affected customers.
  • Response Measures: ConnectWise implemented enhanced monitoring and security hardening across its systems. As of the latest reports, no further suspicious activity has been observed.

🛠️ Technical Details

  • Potential Exploit: The breach is potentially linked to CVE-2025-3935, a high-severity vulnerability in ScreenConnect versions 25.2.3 and earlier. This flaw involves a ViewState code injection vulnerability in ASP.NET, which could allow remote code execution if attackers obtain the necessary machine keys.
  • Patch Release: ConnectWise addressed this vulnerability in version 25.2.4, released in April 2025.

⚠️ Implications

The breach underscores the risks posed by vulnerabilities in remote access tools, especially those used by Managed Service Providers (MSPs). Exploitation of such tools can lead to widespread access across multiple client environments, facilitating data theft, ransomware deployment, or espionage activities.

✅ Recommendations

Organizations using ScreenConnect or similar remote access tools should:

  • Update Software: Ensure all instances are updated to the latest patched versions.
  • Audit Access Controls: Review administrative accounts and enforce least privilege principles.
  • Implement Monitoring: Deploy continuous threat detection for abnormal remote sessions.
  • Segment Networks: Restrict lateral movement by segmenting internal networks.

2 Everest Group Exploits SAP HR Software

In May 2025, the cybercriminal group known as Everest Group launched a series of targeted cyberattacks against global organizations by exploiting vulnerabilities in SAP’s SuccessFactors Human Capital Management (HCM) software. These attacks have resulted in significant data breaches and extortion attempts across multiple sectors and countries.

Attack Overview

Everest Group has been leveraging weaknesses in SAP SuccessFactors, a widely used cloud-based HR platform, to infiltrate corporate systems and exfiltrate sensitive employee data. The stolen information includes:

  • Personal Identification Documents: Passports, visas, birth and marriage certificates
  • Academic Credentials: University diplomas
  • Employment Details: Identity cards, usernames, email addresses
  • Health Information: Protected health information (PHI)
  • Financial Records: Payroll details

The group has been using this data to extort organizations, threatening to release the information publicly if their demands are not met. They have even posted countdown timers on their leak sites to pressure victims into compliance.

Affected Organizations

Several high-profile entities have been targeted in these attacks:

DCTA (Dubai Culture and Arts Authority): Approximately 1,500 employee records, totaling 12GB of data, were compromised.

Kaefer: A CSV export of SuccessFactors’ user directory was leaked.

Coca-Cola: 959 SuccessFactors employee profiles in PDF format were exposed.

Mediclinic Southern Africa: 4GB of sensitive information, including personal details of approximately 1,000 employees, was exfiltrated.

Other affected regions include Abu Dhabi, Jordan, Namibia, South Africa, and Switzerland.

About Everest Group

Active since at least 2020, Everest Group is a sophisticated cybercriminal organization known for its data exfiltration and ransomware operations. The group has increasingly specialized as an Initial Access Broker (IAB), offering access to compromised networks to other threat actors. They have been known to recruit corporate insiders by offering financial incentives for access to vulnerable networks.

Recommendations

Organizations using SAP SuccessFactors or similar HR platforms should take the following steps:

  • Immediate Actions:
    • Update and Patch: Ensure all systems are updated with the latest security patches.
    • Access Review: Audit user access controls and permissions.
    • Monitor Systems: Implement continuous monitoring for unusual activities.
  • Long-Term Strategies:
    • Employee Training: Educate staff on cybersecurity best practices.
    • Incident Response Plan: Develop and regularly update an incident response plan.
    • Third-Party Risk Management: Assess and manage risks associated with third-party vendors and integrators.

3 Google Chrome Zero-Day Vulnerability Exploited

On June 2, 2025, Google released an emergency out-of-band security update to address a high-severity zero-day vulnerability in its Chrome browser, identified as CVE-2025-5419. This flaw was actively exploited in the wild, prompting immediate action from the company.

Vulnerability Details: CVE-2025-5419

  • Type: Out-of-bounds read and write in the V8 JavaScript and WebAssembly engine
  • Impact: Potential heap corruption leading to arbitrary code execution
  • Affected Versions: Chrome versions prior to 137.0.7151.68
  • Discovery: Reported on May 27, 2025, by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group (TAG)
  • Patch Release: June 2, 2025, via Chrome version 137.0.7151.68/.69 for Windows and macOS, and 137.0.7151.68 for Linux

The vulnerability allows remote attackers to craft malicious HTML pages that exploit the flaw, potentially leading to heap corruption. This could enable attackers to execute arbitrary code on the victim’s machine. Google has acknowledged reports of active exploitation but has withheld specific details to prevent further abuse.

Recommendations for Users

To protect against potential threats:

  1. Update Chrome Immediately: Ensure your browser is updated to version 137.0.7151.68 or later.
  2. Restart the Browser: After updating, restart Chrome to apply the fixes.
  3. Enable Automatic Updates: Keep automatic updates enabled to receive future security patches promptly.
  4. Monitor for Unusual Activity: Be vigilant for any suspicious behavior or unexpected browser crashes.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also check for and apply available updates, as these browsers share the same underlying engine and may be affected.
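The "update immediately" advice in both the ScreenConnect and Chrome sections comes down to knowing which installs still sit below the fixed release. The script below is an added example, not code from the original post or from either vendor: it compares a software inventory against the fixed versions named above (ScreenConnect 25.2.4 for CVE-2025-3935, Chrome 137.0.7151.68 for CVE-2025-5419). The inventory rows and hostnames are constructed sample data.

```python
from typing import List, Tuple

# Fixed releases as stated in the post above.
SCREENCONNECT_FIXED = "25.2.4"      # CVE-2025-3935 fixed in 25.2.4
CHROME_FIXED = "137.0.7151.68"      # CVE-2025-5419 fixed in 137.0.7151.68

FIXED = {"screenconnect": SCREENCONNECT_FIXED, "chrome": CHROME_FIXED}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '137.0.7151.68' into (137, 0, 7151, 68); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version sorts strictly below the fixed release.
    Tuples compare component-wise, so a shorter prefix like (25, 2) < (25, 2, 4)."""
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory (host,product,version); these are not real hosts.
INVENTORY = """\
msp-jump01,screenconnect,25.2.3
msp-jump02,screenconnect,25.2.4
ws-0417,chrome,137.0.7151.55
ws-0418,chrome,137.0.7151.69
ws-0419,chrome,138.0.7200.1
"""


def find_unpatched(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every row below its fixed release."""
    hits = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(","))
        fixed = FIXED.get(product.lower())
        if fixed is None:
            continue  # product not tracked by this check
        if is_vulnerable(version, fixed):
            hits.append((host, product.lower(), version))
    return hits


if __name__ == "__main__":
    for host, product, version in find_unpatched(INVENTORY):
        print(f"{host}: {product} {version} is below fixed release {FIXED[product]}")
```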

Broader Context

This incident marks the second actively exploited Chrome zero-day vulnerability patched by Google in 2025, following CVE-2025-2783, which was associated with espionage campaigns targeting organizations in Russia. The recurrence of such vulnerabilities underscores the importance of timely updates and robust security practices.
