Ethical Hacking News
A previously unknown vulnerability in Output Messenger, a LAN messaging application, has been exploited by a Turkish-backed cyberespionage group to launch targeted espionage attacks against users linked to Kurdish military organizations in Iraq. The attack highlights the growing sophistication of cyber threats and the importance of maintaining up-to-date software and security measures.
The Output Messenger application has been found to contain a critical directory traversal vulnerability (CVE-2025-27920), which allows attackers to access sensitive files outside their intended directories. The group exploiting it, tracked as Marbled Dust, used the flaw in the LAN messaging application for espionage and related malicious activity. Attackers exploited the vulnerability by stealing sensitive data from users who had not updated their systems in time, then accessing all user communications, impersonating users, and causing operational disruptions. The attackers also used DNS hijacking and typo-squatted domains to intercept, log, and reuse credentials, highlighting a notable shift in Marbled Dust's capability.
The world of cybersecurity is often marred by the constant threat of vulnerabilities being exploited for malicious purposes. Recently, a previously unknown vulnerability was discovered in the LAN messaging application Output Messenger. The exploit was serious enough that it garnered significant attention from Microsoft Threat Intelligence analysts and law enforcement agencies worldwide.
At its core, CVE-2025-27920 is a directory traversal vulnerability: it allows authenticated attackers to access sensitive files outside their intended directories or to deploy malicious payloads into the server's startup folder. This may seem like a technicality with limited repercussions, but the reality is far from it. A file path that the application fails to confine to its intended directory gives an attacker both read access to data they should never see and, via the startup folder, a way to get their own code executed. That kind of control opens up a multitude of possibilities for espionage and other malicious activities.
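To make the defect class concrete, the following added example (not code from Output Messenger or from Microsoft's analysis) contrasts the classic vulnerable pattern, joining user-supplied path segments onto a base directory without checking the result, with a hardened resolver that canonicalises the path and confirms it still sits under the base. The base directory `/srv/messenger/uploads` and the function names are constructed for illustration and are not the application's real layout.

```python
import os

# Constructed example base directory (assumption; not Output Messenger's real layout).
BASE_DIR = "/srv/messenger/uploads"


def resolve_unsafe(base_dir, requested):
    """Vulnerable pattern: join the client-controlled path onto the base and use it.

    normpath collapses '..' segments, so '../../etc/passwd' quietly walks out of
    base_dir. This is the shape of bug a directory traversal CVE describes.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir, requested):
    """Hardened pattern: canonicalise, then prove the result is inside base_dir.

    Returns the absolute path when the request stays under base_dir, else None.
    The same check applies to writes, which matters for the startup-folder case:
    a write target outside the allowed tree must be refused, not just a read.
    """
    if not isinstance(requested, str) or "\x00" in requested:
        return None  # NUL bytes can truncate paths in lower-level APIs
    # Treat the request as relative even if it starts with '/' or uses backslashes.
    rel = requested.replace("\\", "/").lstrip("/")
    base = os.path.realpath(base_dir)                    # resolves symlinks too
    candidate = os.path.realpath(os.path.join(base, rel))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None  # escaped the allowed tree
    except ValueError:
        return None      # different drives on Windows, never a common root
    return candidate


def audit_requests(base_dir, requests):
    """Classify a batch of constructed requests: (request, allowed_by_safe_resolver).

    Useful as a quick regression check when reviewing a file-serving endpoint.
    """
    return [(r, resolve_safe(base_dir, r) is not None) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests, as a client might send them to a file endpoint.
    samples = [
        "docs/report.txt",
        "../../etc/passwd",
        "docs/../../../etc/passwd",
        "..\\..\\Windows\\win.ini",
    ]
    for req, ok in audit_requests(BASE_DIR, samples):
        print(f"{'ALLOW' if ok else 'DENY ':5} {req!r:35} unsafe -> {resolve_unsafe(BASE_DIR, req)}")
```

Note that the hardened resolver operates on the decoded path; if the endpoint accepts URL-encoded input, decode it exactly once before calling `resolve_safe`, otherwise `%2e%2e%2f` sequences bypass the string-level checks while still being interpreted later.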
According to Microsoft, attackers exploited this vulnerability by first gaining access to the Output Messenger Server Manager application, thereby allowing them to steal sensitive data from users who had not updated their systems in time. Following this initial breach, Marbled Dust hackers could then access all user communications, impersonate users, gain access to internal systems, and even cause operational disruptions.
The attackers also relied on DNS hijacking and typo-squatted domains, techniques they have used in previously observed malicious activity. Microsoft assesses that the threat actors likely used these techniques to intercept, log, and reuse credentials.
Once inside a victim's system, the malware deployed by Marbled Dust included a backdoor (OMServerService.exe) that checked connectivity against an attacker-controlled command-and-control domain. That beacon gave the attackers additional information about each compromised host, allowing them to identify individual victims with greater accuracy.
The discovery of this exploit is significant not only for its own sake but also for what it reveals about the tactics and capabilities of Marbled Dust, a group known for targeting telecommunications and IT companies in Europe and the Middle East, as well as government institutions opposing the Turkish government.
As Microsoft noted, "This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach." The use of a zero-day exploit suggests an increase in technical sophistication on the part of the attackers. Furthermore, this could imply that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent.
This latest attack is just another example of how critical it has become for organizations to stay vigilant and up-to-date with their security measures. The exploitation of vulnerabilities like the one in Output Messenger serves as a stark reminder of the risks involved and the importance of proactive cybersecurity strategies.
In light of this new information, it is essential that users and organizations alike take immediate action to address this vulnerability. Regular software updates should be prioritized, alongside the implementation of robust security protocols to mitigate such threats in the future.
Ultimately, the details surrounding this attack underscore the ever-evolving nature of cyber threats and the need for continuous vigilance in the face of such vulnerabilities. By staying informed and proactive, we can collectively work towards a safer digital landscape.
Related Information:
https://www.ethicalhackingnews.com/articles/Exploiting-the-Unseen-A-New-Zero-Day-Vulnerability-in-Output-Messenger-Exposed-ehn.shtml
Published: Mon May 12 12:58:39 2025 by llama3.2 3B Q4_K_M