
June 9, 2025

Mirai variant targets new flaws; POC for two Windows flaws published; TA397 linked to Indian State


Vulnerabilities

Mirai botnet variants exploit multiple flaws

Two different Mirai botnet variants are exploiting a critical vulnerability (CVSS score of 9.9 out of 10) in the Wazuh Server. The flaw, tracked as CVE-2025-24016, allows remote code execution on Wazuh servers and affects server versions 4.4.0 and above. It was addressed in February 2025 with the release of version 4.9.1, and a proof-of-concept (POC) was publicly disclosed around the same time.

If you are running a Wazuh Server version prior to 4.9.1, patch immediately.

Researchers are also reporting that one of the Mirai variants is exploiting vulnerable digital video recorder (DVR) devices from TBK Vision. Threat actors are reportedly taking advantage of a proof-of-concept exploit published in 2024 for a medium-severity flaw (CVSS 6.3), tracked as CVE-2024-3721. It is not known whether TBK Vision has patched the flaw.

TBK DVR devices can be managed remotely and may allow remote execution of malicious commands. The devices are sold by many manufacturers and may appear under different brand names. Because no public details of a patch exist, contact your DVR provider to confirm that your devices are secured.

Exploits published for Windows Kernel flaws

Researchers published POC exploits for two flaws in the Windows Kernel Transaction Manager driver, tm.sys.

The flaws, tracked as CVE-2024-43570 and CVE-2024-43535, allow elevation of privilege on an already compromised machine and are rated medium severity. Such flaws could be used in an exploit chain to reach sensitive internal data, change system settings, or install malware.

The POC was demonstrated on a Windows 11 Pro 23H2 226321.4169 (September Patch Tuesday Update) virtual machine during the OffensiveCon25 conference earlier this year.

If you have installed the latest Windows updates, no action is required. Otherwise, review the lists of impacted systems for CVE-2024-43570 and CVE-2024-43535 and apply the latest updates.

Threat actors

Proofpoint links TA397 to Indian State

Researchers at Proofpoint reported on the activity of TA397 (aka Bitter), an espionage group with a history of targeting South Asian entities. The report establishes TA397 as an "espionage-focused, state-backed threat actor, tasked with intelligence gathering in the interests of the Indian state".

Evidence for this includes its operations aligning with standard working hours in the Indian Standard Time (IST) zone and being consistent with activity that serves the intelligence interests of the Indian state.

The report also highlights that the threat actor targets a much wider range of regions than previously documented, including European entities, China, and South America.

India is a rising cyber actor, and we will be observing this actor's activity more closely.