2024-12-24 12:07:27 American Addiction Centers Data Breach Impacts 422,000 People
Japanese and U.S. authorities have formally attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.
“The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces,” the agencies said. “TraderTraitor activity is often characterized by targeted social
2024-12-24 11:06:50 North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin
2024-12-24 11:06:50 Adobe Patches ColdFusion Flaw at High Risk of Exploitation
Cyble’s December 19 IT vulnerability report to clients highlighted nine vulnerabilities at high risk of attack, including five under active discussion on dark web forums.
Cyble vulnerability intelligence and dark web researchers also noted threat actor claims of zero-day vulnerabilities for sale affecting Palo Alto Networks devices and Chrome and Edge browsers.
In total, Cyble researchers examined 13 vulnerabilities and 8 dark web exploits to arrive at the list of vulnerabilities that security teams should prioritize for patching. At-risk products include Apache Struts, Qualcomm digital signal processors (DSPs), a WordPress plugin, a Bluetooth flaw affecting Ubuntu, and more.
The Week’s Top Vulnerabilities
CVE-2024-53677: This file upload logic vulnerability in the Apache Struts web application framework has been rated 9.5 severity by the Apache Software Foundation but is still undergoing NVD analysis. An attacker could exploit the vulnerability to manipulate file upload parameters to enable path traversal and potentially upload a malicious file that could be used to perform remote code execution. Recently, researchers disclosed that threat actors are attempting to exploit the vulnerability using public proof-of-concept exploits to allow remote code execution, and exploitation has also been discussed on dark web forums. Cyble also published a separate blog on this vulnerability.
Cyble researchers noted that there are nearly 200,000 vulnerable Apache Struts instances exposed to the internet (image below):
CVE-2024-43047: This vulnerability affects Qualcomm’s Digital Signal Processor (DSP) service, which is used in many Android devices. It allows privilege escalation and arbitrary code execution, posing significant risk to affected systems. Google Project Zero flagged the vulnerability as actively exploited in October 2024, and Android received a fix in November 2024. Researchers also observed that the Serbian government exploited Qualcomm zero-days, including CVE-2024-43047, to unlock and infect Android devices with a new spyware family named “NoviSpy.”
CVE-2024-11972: The CVE identifier for this vulnerability has been reserved, but the entry has not yet been published. The flaw affects the Hunk Companion WordPress plugin, which is designed to extend site functionality and build visually appealing websites without extensive coding knowledge. The vulnerability allows attackers to perform unauthenticated plugin installation through unauthorized POST requests, enabling them to install and activate other plugins that may contain known vulnerabilities. According to researchers, attackers are exploiting the vulnerability to install outdated plugins with known flaws from the WordPress.org repository. This gives them access to vulnerabilities that can lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS), or the creation of backdoor admin accounts, posing significant risks to site security.
CVE-2023-45866: This medium-severity vulnerability affects Bluetooth HID Hosts in systems utilizing BlueZ, particularly in Ubuntu 22.04 LTS with the BlueZ 5.64-0ubuntu1 package. This vulnerability allows an unauthenticated peripheral HID device to initiate an encrypted connection, potentially enabling the injection of Human Interface Device (HID) messages without user interaction.
Vulnerabilities and Exploits on Underground Forums
Cyble Research and Intelligence Labs (CRIL) researchers also identified the following exploits and vulnerabilities discussed on Telegram channels and cybercrime forums, raising the risk that they will be exploited in attacks.
CVE-2024-28059: This critical security vulnerability, which was identified in the MyQ Print Server in versions prior to 8.2 (patch 43), allows remote attackers to gain elevated privileges on the target server.
CVE-2024-38819: This high-severity path traversal vulnerability in the Spring Framework specifically affects applications that utilize WebMvc.fn or WebFlux.fn functional web frameworks.
CVE-2024-35250: This high-severity privilege escalation vulnerability in the Microsoft Windows operating system specifically affects the kernel-mode driver.
CVE-2024-40711: This critical vulnerability identified in Veeam Backup & Replication software allows for unauthenticated remote code execution (RCE) due to deserialization of untrusted data.
CVE-2023-27997: This heap-based buffer overflow vulnerability in certain FortiOS and FortiProxy versions may allow a remote attacker to execute arbitrary code or commands via specially crafted requests; it specifically affects SSL VPNs.
Threat actors were also observed offering a zero-day exploit weaponizing a vulnerability claimed to be present in Palo Alto Networks’ PAN-OS VPN-supported devices (asking price: $60,000) and a zero-day exploit weaponizing a vulnerability allegedly present in Chrome and Edge (asking price: $100,000).
Cyble Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Conclusion
These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in sensitive products and vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.
Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.
Cyble honeypot sensors detected dozens of vulnerabilities under attack in the threat intelligence leader’s most recent sensor intelligence report, including fresh attacks on an Ivanti vulnerability.
Threat actors also targeted vulnerabilities affecting PHP and the Ruby SAML library. Cyble’s Dec. 19 report noted that unpatched networks and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.
The report also looked at Linux and Windows exploits, common brute-force attacks, and phishing campaigns.
Vulnerabilities Under Attack
Cyble detected fresh attacks on CVE-2024-7593, a critical authentication bypass vulnerability in the authentication algorithm implementation of Ivanti’s Virtual Traffic Manager (vTM), excluding versions 22.2R1 and 22.7R2. The 9.8-severity vulnerability can allow a remote, unauthenticated attacker to bypass admin panel authentication. It was added to CISA’s Known Exploited Vulnerabilities catalog in September, one of 11 Ivanti vulnerabilities CISA has added to the KEV catalog this year.
CVE-2024-4577 also remains under attack. The critical PHP vulnerability affects CGI configurations in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8. The 9.8-severity vulnerability enables attackers to execute arbitrary commands through specially crafted URL parameters.
CVE-2024-45409, a vulnerability in the Ruby SAML library designed for implementing the client side of SAML authorization, also remains a frequent target for hackers. In versions 1.12.2 and earlier, and 1.13.0 to 1.16.0, the library fails to verify the signature of SAML Responses properly. The flaw allows an unauthenticated attacker with access to a signed SAML document (issued by the IdP) to forge a SAML Response or Assertion with arbitrary contents, enabling unauthorized login as any user within the affected system. The issue has been resolved in versions 1.17.0 and 1.12.3.
Network and IoT Devices Under Attack
Network and IoT devices remain particularly popular with threat actors, as they can provide entry points into networks as well as additional nodes in a botnet. With many devices with vulnerabilities from 2023 and earlier still unpatched, Cyble noted that the following network vulnerabilities remain particularly popular with attackers:
CVE-2023-20198, a 10.0-severity vulnerability in the web UI feature of the Cisco IOS XE operating system, is being chained with CVE-2023-20273 to gain root privileges in vulnerable devices.
CVE-2023-4966 is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateways when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVE-2023-1389 is a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface of TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
CVE-2023-46747 could allow undisclosed requests in F5 BIG-IP to bypass the configuration utility authentication, allowing an attacker with network access to the system through the management port and/or self-IP addresses to execute arbitrary system commands.
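The TP-Link item above describes the underlying bug class: a request parameter passed unsanitized into popen(). The following C example, added here and not code from any vendor or from the original report, contrasts that pattern with a hardened handler; the function names, the two-uppercase-letter allowlist shape and the helper path /sbin/set_country are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed illustration of the bug class behind CVE-2023-1389 as described
 * above: a request parameter spliced into a shell command string. Not the
 * vendor's code; all function names and the helper path are hypothetical. */

/* UNSAFE pattern: build the command line that would be handed to popen()
 * (i.e. to "sh -c"). Shell metacharacters in `country` become part of the
 * command, so the device runs whatever the request author supplied. */
int unsafe_build_country_cmd(const char *country, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "set_country %s", country);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Does a string contain characters the shell would interpret? Used only to
 * show what the unsafe path lets through. */
int contains_shell_meta(const char *s)
{
    return strpbrk(s, ";|&`$(){}<>\n'\"\\") != NULL;
}

/* Would the unsafe command line for `country` be shell-tainted? */
int unsafe_country_cmd_is_tainted(const char *country)
{
    char cmd[128];
    if (unsafe_build_country_cmd(country, cmd, sizeof cmd) != 0)
        return -1;
    return contains_shell_meta(cmd);
}

/* HARDENED step 1: allowlist the value before it is used anywhere. ISO 3166-1
 * alpha-2 codes are exactly two ASCII uppercase letters (assumed shape). */
int country_is_valid(const char *country)
{
    if (country == NULL || strlen(country) != 2)
        return 0;
    return isupper((unsigned char)country[0]) && isupper((unsigned char)country[1]);
}

/* HARDENED step 2: never go through the shell. Build an argv[] for
 * execv()/posix_spawn() so the value is one argument, not parsed text. */
int safe_country_argv(const char *country, const char *argv[3])
{
    if (!country_is_valid(country))
        return 0;
    argv[0] = "/sbin/set_country";   /* hypothetical helper binary */
    argv[1] = country;
    argv[2] = NULL;
    return 1;
}
```

A handler built on safe_country_argv() rejects a value such as "US; echo injected" before anything runs, and even an accepted value never reaches a shell parser.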
Vulnerabilities in real-time operating systems (RTOS) and embedded devices remain extremely popular with attackers, exposing operational technology (OT) networks with vulnerable devices to attack.
One last vulnerability hackers keep returning to is CVE-2023-47643, an unauthorized GraphQL Introspection vulnerability in the SuiteCRM Customer Relationship Management (CRM) system in versions before 8.4.2. The flaw allows an attacker to access the GraphQL schema without authentication, revealing all object types, arguments, functions, and sensitive fields such as UserHash. By understanding the exposed API attack surface, attackers can exploit this information to access sensitive data.
Linux systems remain continually under attack by CoinMiner, Mirai Botnet, and IRCBot malware, while hundreds of WannaCry ransomware samples continue to be detected each week in Windows 10, Windows Server 2016, and older systems vulnerable to CVE-2017-0147.
Remote Protocols Targeted in Brute-Force Attacks
Remote access protocols, particularly VNC (port 5900), remain popular targets of brute-force attacks. Examining the ports most targeted by the top five attacker countries, attacks originating from the United States targeted ports 5900 (42%), 22 (36%), 3389 (14%), 80 (5%), and 23 (3%). Attacks originating from Russia targeted ports 5900 (81%), 445 (7%), 22 (5%), 23 (3%), and 1433 (3%). Attacks from the Netherlands, Jordan, and China mostly targeted ports 5900, 22, and 445.
Security analysts are advised to add security system blocks for frequently attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).
New Phishing Campaigns Detected
Cyble detected 277 new scam and phishing email addresses in the most recent weekly report. Here are six notable ones, including subject lines:
| E-mail Subject | Scammer’s Email ID | Scam Type | Description |
|---|---|---|---|
| Are you interested in investment | Dave@oig.com | Investment Scam | Unrealistic investment offers to steal funds or data |
| UN Compensation Fund. | zagranica@usa.com | Claim scam | Fake compensation fund claim |
| COMPENSATION FUND OF 5.5 MILLION DOLLARS. | Info@uba.org | Claim scam | Fake compensation fund email |
| Funding projects up to USD 5 Billion | noreply@order.eventbrite.com | Investment Scam | Unrealistic investment offers to steal funds or data |
| HOTEL AND REAL ESTATE INVESTMENTS | richardowenr928@gmail.com | Investment Scam | Fake hotel and real estate investment scam |
| My Donation | test@cinematajrobi.ir | Donation Scam | Fake donation mail to steal money |
Recommendations and Mitigations
Cyble researchers recommend the following security controls:
Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
Continuously check for attackers’ ASNs and IPs.
Block brute-force attack IPs and the targeted ports listed.
Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
For servers, set up strong passwords that are difficult to guess.
Conclusion
With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching wherever possible and applying mitigations where patching isn’t possible. The large number of brute-force attacks and phishing campaigns show that attackers remain active even heading into the holiday season.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach will be key to defending against exploitation and data breaches.
2024-12-24 08:06:52 Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More
The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.
The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that
The bill allocates $3 billion to a Federal Communications Commission program, commonly called “rip and replace,” to get rid of Chinese networking equipment due to national security concerns.
2024-12-24 03:07:18 FCC ‘rip and replace’ provision for Chinese tech tops cyber provisions in defense bill
2024-12-24 01:06:53 Neuro Nostalgia Hackathon 2024: A Retro Journey with Modern Twists
The number of Non-Human Identities (NHIs) in many organizations has exploded. Key trends, drivers, and market landscape in this fast-developing area are explored.
2024-12-23 22:06:52 Non-Human Identities Gain Momentum, Requires Both Management, Security