CyberVeille.chApr 20

📢 Exploitation active de Bomgar RMM via CVE-2026-1731 : déploiement de LockBit et accès MSP
📝 ## 🔍 Contexte

Publié le 19 avril 2026 par Huntress, cet article de threat intelligence documente une recrudescence d'incidents liés à l'expl...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-19-exploitation-active-de-bomgar-rmm-via-cve-2026-1731-deploiement-de-lockbit-et-acces-msp/
🌐 source : https://www.huntress.com/blog/uptick-bomgar-exploitation
#AnyDesk #Atera #Cyberveille

Exploitation active de Bomgar RMM via CVE-2026-1731 : déploiement de LockBit et accès MSP

🔍 Contexte Publié le 19 avril 2026 par Huntress, cet article de threat intelligence documente une recrudescence d’incidents liés à l’exploitation de Bomgar RMM (rebaptisé BeyondTrust Remote Support), observée par le SOC Huntress depuis début avril 2026. 🛡️ Vulnérabilité exploitée La faille CVE-2026-1731, de sévérité critique, permet à un attaquant non authentifié d’exécuter du code à distance sur des instances Bomgar. BeyondTrust a publié un correctif le 6 février 2026 (version 25.3.2 pour Remote Support, version 25.1 pour Privileged Remote Access). Les organisations impactées utilisaient des versions obsolètes, notamment la version 21.1.3.

CyberVeille
fyrMay 9, 2025

I noticed a (minor but abusable) data leak in the RMM/PSA tool Atera a while ago, reported it and it's now fixed. I think it's somewhat interesting so I wrote it up.

https://fyr.io/post/atera-leaked-their-customers-to-mailinator

Tldr: if you tested your SMTP settings, it used a public mailbox on mailinator, allowing anyone to watch for (and respond to, if you're so inclined) mail. Phishing opportunity!

#infosec #atera #privacy #dataleak #mailinator #writeup #phishing #netsec

A Year Of Eggs

It's been one year since our chickens laid their first eggs and they're still going strong

Show threadKasionApr 23, 2024
@acrypthash How you liking #ninjaone? We just moved from #connectwise automate to #atera and never been happier.
🛡 [email protected]/:~# Jul 25, 2023

"⚠️ Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks ⚠️"

Zero-day vulnerabilities in Windows Installers for the Atera software could lead to privilege escalation attacks. Patch now!

Source: [The Hacker News](https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html)

Tags: #Atera #Windows #ZeroDay #PrivilegeEscalation #CyberSecurity 🚨🔓🌐

Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks

Zero-day vulnerabilities found in Atera remote monitoring software's Windows Installers can lead to privilege escalation attacks

The Hacker News
Show threadSophos X-OpsApr 27, 2023

The #SophosMDR team also discovered cases where threat actors targeting #PaperCut were abusing the bitsadmin.exe Windows application to download payloads. #BITSAdmin is commonly abused by active adversaries as a "living off the land binary" or #LOLbin, handy for accomplishing the task of downloading payloads.

The tools exploited in the attacks have included what we refer to as “dual-use agents,” used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of #AnyDesk, #Atera, #Synchro, #TightVNC, #NetSupport, and #DWAgent remote management tools across multiple campaigns.

4/6

Show threadSophos X-OpsApr 27, 2023

Post-exploitation activity targeting #PaperCut often results in #PowerShell commands being executed by the pc-app.exe parent process. We've collected logs of the affected system downloading #Atera remote monitoring software to the victim. (Atera is, of course, legitimate software, being abused by the attackers in this situation.)

Different threat groups are abusing PowerShell in different ways. One group calls PowerShell commands directly, as shown here. This particular attacker delivered a ransomware binary that was hosted on the ephemeral file host #tmpfiles (files hosted there are deleted from the server after 60 minutes):

3/6

Show threadPatrick LabbettNov 17, 2022
Thank you for contacting #Atera #support. We are currently experiencing issues with Windows #Defender #flagging the Atera agents as #malicious.
This is to let you know that we are currently investigating and trying to find a solution for this issue.
Patrick LabbettNov 17, 2022
Well #atera got #flagged globally by #defender and it's going to be a long fucking day.