
Libraesva ESG issues emergency fix for bug exploited by state hackers

Libraesva rolled out an emergency update for its Email Security Gateway (ESG) solution to fix a vulnerability exploited by threat actors believed to be state-sponsored.

The email security product protects email systems from phishing, malware, spam, business email compromise, and spoofing, using a multi-layer protection architecture.

According to the vendor, Libraesva ESG is used by thousands of small and medium businesses as well as large enterprises worldwide, serving over 200,000 users.

American Archive of Public Broadcasting fixes bug exposing restricted media

A vulnerability in the American Archive of Public Broadcasting’s website allowed downloading of protected and private media for years, with the flaw quietly patched this month.

BleepingComputer was tipped about the flaw by a cybersecurity researcher who asked to remain anonymous, stating that the flaw has been exploited since at least 2021, even after the researcher previously reported it to the organization.

After AAPB was contacted about the flaw, a spokesperson confirmed the issue, and the researcher validated that the fix was implemented within 48 hours.

17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge

The phishing-as-a-service (PhaaS) offerings known as Lighthouse and Lucid have been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries.

“Phishing-as-a-Service (PhaaS) deployments have risen significantly recently,” Netcraft said in a new report. “The PhaaS operators charge a monthly fee for phishing software with pre-installed templates impersonating, in some cases, hundreds of brands from countries around the world.”

Lucid was first documented earlier this April by Swiss cybersecurity company PRODAFT, which detailed the phishing kit’s ability to send smishing messages via Apple iMessage and Rich Communication Services (RCS) for Android.
