Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus

Key Takeaways


Cyble Research and Intelligence Labs (CRIL) identified a campaign called “ErrorFather” that utilized an undetected Cerberus Android Banking Trojan payload.

ErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts.

The campaign ramped up in activity in September and October 2024, with more samples and ongoing campaigns suggesting active targeting and scaling by the Threat Actors (TAs) behind the ErrorFather campaign.

The final payload employs keylogging, overlay attacks, VNC, and Domain Generation Algorithm (DGA) to perform malicious activities.

ErrorFather’s incorporation of a Domain Generation Algorithm (DGA) ensures resilience by enabling dynamic C&C server updates, keeping the malware operational even if primary servers are taken down.

The campaign highlights how repurposed malware from leaks can continue to pose significant threats years after its original appearance.

Overview

The Cerberus Android Banking Trojan initially emerged in 2019 and was available for rent on underground forums. It gained notoriety for its ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks, and incorporating VNC and keylogging features. Its widespread reach made it one of the most well-known banking trojans at the time.

In 2020, following the leak of Cerberus’ source code, a new variant called “Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting over 450 financial and social media apps.

At the beginning of 2024, a new threat known as the Phoenix Android Banking Trojan was discovered. Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications.

Cyble Research and Intelligence Labs (CRIL) recently uncovered several malicious samples posing as Chrome and Play Store apps. These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus Banking Trojan.

The identified sample “0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7” acts as a first-stage dropper application that drops and installs the final-signed.apk from assets, communicates with a Telegram Bot URL, and sends the device model, brand, and API version.

The Telegram Bot ID corresponds to the ErrorFather Bot, as shown in the figure below. Given the bot’s name and the recent updates to this variant (covered in the Technical Analysis section), we are referring to this campaign as ErrorFather.

We have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads. The first sample was detected in mid-September 2024, followed by a noticeable increase in samples during the first week of October 2024, with an active Command and Control (C&C) server suggesting ongoing campaigns.

The following section provides a technical analysis of the Cerberus malware used by the ErrorFather Campaign.

Technical Details

Multi-staged dropper

The primary APK is a session-based dropper that contains a second-stage APK file named “final-signed.apk” within the Assets folder. It uses the Google Play Store icon and employs a session-based installation technique to install the APK from the assets, bypassing restricted settings.

The second-stage dropper, “final-signed.apk,” has a manifest file that requests dangerous permissions and services, but the code implementation is missing, indicating that the malware is packed. It includes a native file, “libmcfae.so,” which is immediately loaded after installation to decrypt and execute the final payload.

The native file is responsible for handling the final payload. It uses the encrypted file “rbyypivsnw.png,” obtains the AES key and initialization vector (IV), performs decryption, and loads the “decrypted.dex” file at the location /data/data/suds.expend.affiliate.rising/code_cache/, as illustrated in the figure below.

The decrypted.dex file is the final payload, containing malicious functionalities such as keylogging, overlay attacks, VNC, PII collection, and the use of a Domain Generation Algorithm (DGA) to create a Command and Control (C&C) server. Notably, when submitted to VirusTotal, the decrypted.dex file was not flagged by any antivirus engine.

Leveraging Cerberus code

Based on the detection count, we initially suspected it to be a fresh banking trojan, but upon deeper analysis of the final payload, we discovered significant code similarities with Cerberus. The TA behind the ErrorFather campaign had modified variable names, used more obfuscation, and reorganized the code, effectively evading detection despite Cerberus having been identified in 2019.

Comparing the Cerberus sample and the more recent Phoenix botnet, we noticed changes in this recent variant of Cerberus used in the ErrorFather campaign, particularly in its C&C structure. These differences suggest that the identified sample is a distinct malware variant.

Use of DGA

We observed the malware retrieving a list of C&C servers using two methods. First, after installation and establishing a connection with the main C&C server, referred to by the TA as “PoisonConnect,” the malware receives a list of four additional C&C servers. It then stores these in the “ConnectGates” shared preferences setting, as shown in the figure below.

We observed a slight variation in the C&C communication. Samples from the ErrorFather campaign solely use RC4 encryption to send a full JSON payload, including the action type. In contrast, earlier Cerberus samples utilized Base64 encoding combined with RC4, with the action type sent unencrypted via separate parameters. The figure below illustrates the C&C communication for both the ErrorFather campaign and the earlier Cerberus samples.

Second, the malware incorporates a DGA (Domain Generation Algorithm) that uses the Istanbul timezone to obtain the current date and time. It computes an MD5 hash of that value, passes the digest through SHA-1, and appends one of four extensions: “.click”, “.com”, “.homes”, and “.net”. These generated domains are stored in the same “ConnectGates” setting. The figure below demonstrates the DGA used in the ErrorFather campaign.
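To turn the description above into something a defender can act on, the following is an added reconstruction (not code from the malware sample or from Cyble) that generates the day’s candidate domains for a blocklist and matches them against DNS log lines. Two details are assumptions because the report does not state them: the hashed seed is the Istanbul-local calendar date as YYYY-MM-DD, and the MD5 digest is fed to SHA-1 as a hex string; swap in the exact values once they are recovered from the sample.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Istanbul has kept a fixed UTC+3 offset with no DST since 2016, so a fixed
# offset reproduces Europe/Istanbul local time without needing tzdata.
ISTANBUL = timezone(timedelta(hours=3), name="Europe/Istanbul")

# The four extensions the report names.
TLDS = (".click", ".com", ".homes", ".net")


def istanbul_seed(utc_iso: str, day_offset: int = 0) -> str:
    """Calendar date in Istanbul local time, `day_offset` days after `utc_iso`.

    ASSUMPTION: the seed is the local date formatted as YYYY-MM-DD. The
    report only says the Istanbul-time date/time is hashed, so replace this
    with the exact string the sample builds once it has been recovered.
    """
    now_utc = datetime.fromisoformat(utc_iso)
    if now_utc.tzinfo is None:
        now_utc = now_utc.replace(tzinfo=timezone.utc)
    local = now_utc.astimezone(ISTANBUL) + timedelta(days=day_offset)
    return local.strftime("%Y-%m-%d")


def dga_label(seed: str) -> str:
    """MD5 the seed, then SHA-1 the MD5 digest, as the report describes.

    ASSUMPTION: the MD5 digest is passed to SHA-1 as its hex string.
    """
    md5_hex = hashlib.md5(seed.encode()).hexdigest()
    return hashlib.sha1(md5_hex.encode()).hexdigest()


def candidate_domains(utc_iso: str, days_ahead: int = 0) -> list:
    """All candidate C&C domains for today and the next `days_ahead` days."""
    domains = []
    for offset in range(days_ahead + 1):
        label = dga_label(istanbul_seed(utc_iso, offset))
        domains.extend(label + tld for tld in TLDS)
    return domains


def find_dga_queries(dns_log_lines, utc_iso: str, days_ahead: int = 1) -> list:
    """Return the DNS log lines whose queried name is a DGA candidate.

    Constructed log format assumed here: "<time> <client_ip> query <qname>".
    """
    wanted = set(candidate_domains(utc_iso, days_ahead))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[3].rstrip(".").lower() in wanted:
            hits.append(line)
    return hits


def sample_log(utc_iso: str) -> list:
    """Constructed DNS log: one benign query plus one query for the first
    DGA candidate of the day (built here because the label is a hash)."""
    today = candidate_domains(utc_iso)[0]
    return [
        "2024-10-05T01:31:02 10.0.0.7 query play.googleapis.com.",
        f"2024-10-05T01:31:09 10.0.0.7 query {today}.",
    ]


if __name__ == "__main__":
    when = "2024-10-04T22:30:00+00:00"   # 01:30 on 2024-10-05 in Istanbul
    for domain in candidate_domains(when, days_ahead=1):
        print(domain)
    print(find_dga_queries(sample_log(when), when))
```

Because the day rolls over at Istanbul midnight, a UTC-based reimplementation would block the wrong set of domains for three hours each day; the test values below pin that down.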

The figure below illustrates the malware connecting to domains generated by a DGA when the primary C&C server is unavailable.

In 2022, Alien was observed similarly implementing a DGA process. However, unlike the ErrorFather campaign, it did not maintain a list of domains, used only the “.xyz” extension, and did not rely on a specific timezone.

Actions used by malware

The TA has renamed the “Actions” to “Types,” as shown in Figure 11. These renamed types indicate the actions performed by the malware and the expected commands from the C&C server. Upon analysis, we observed that the actions carried out by this malware closely resemble those seen in earlier Cerberus variants, with the primary difference being the renaming of action identifiers. Below is a comprehensive list of actions performed by the malware.

Type of action – Description

checkAppList – Sends the list of installed application package names
getFile – Sends the target application package name to receive the HTML injection file
getResponse – Retrieves the server’s response and, if it is “ok”, stores the application log in the shared preferences file
PrimeService – Sends keylogs of the targeted application
getBox – Sends SMS messages from the infected device
fa2prime – Not implemented
prContact – Sends contacts to the server
listAppX – Similar to “checkAppList”: the malware stores the list of installed application package names only when commanded by the server (otherwise the list stays empty), then sends that list under this action name
slService – Sends Accessibility logs
ErrorWatch – Sends error logs
device_status – Sends device status related to the WebSocket connection
image – Sends captured images as part of the VNC function
traverse – Sends accessibility node information
CheckDomain – Sent to a DGA-generated domain to validate it as a working C&C server
RegisterUser – Registers the device and receives a registration ID, which is similar to a bot ID
CheckUser – Sends settings information and checks whether the user is registered

VNC implementation using MediaProjection

During our malware analysis, we identified two keywords related to VNC: “StatusVNC” and “StatusHVNC.” While an HVNC implementation is absent in this campaign, it was previously present in the Phoenix botnet, a fork of Cerberus. VNC functionality is implemented using MediaProjection, along with a WebSocket connection that continuously transmits screen images and receives VNC actions from the WebSocket response to interact with the device.

Overlay Attack

The overlay technique remains unchanged from the earlier Cerberus variant. The malware first sends the installed application package names list to identify potential targets. Once a target is identified, the server responds with the package names of the target applications. The malware then uses the “getFile” action to retrieve the HTML web injection page, as shown in the figure below.

When the victim interacts with the target application, the malware loads a fake phishing page over the legitimate app. This tricks the victim into entering their login credentials and credit card details on the fraudulent banking overlay page.

The Cerberus malware used in the ErrorFather campaign can carry out financial fraud through VNC, keylogging, and overlay attacks.

Conclusion

The Cerberus Android Banking Trojan, first identified in 2019, became a prominent tool for financial fraud using VNC, keylogging, and overlay attacks. Following the leak of its source code, various threat actors repurposed the Cerberus code to develop new banking trojans, including Alien, ERMAC, and Phoenix. The ErrorFather campaign is another example of this pattern. While the TA behind ErrorFather has slightly modified the malware, it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware.

In the ErrorFather campaign, the malware uses a multi-stage dropper to deploy its payload and leverages techniques such as VNC, keylogging, and HTML injection for fraudulent purposes. Notably, the campaign utilizes a Telegram bot named “ErrorFather” to communicate with the malware. Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks.

The ErrorFather campaign exemplifies how cybercriminals continue to repurpose and exploit leaked malware source code, underscoring the persistent threat of Cerberus-based attacks even years after the original malware’s discovery.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:


Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic – Technique ID – Procedure

Initial Access (TA0027) – Phishing (T1660) – Malware distributed via a phishing site
Execution (TA0041) – Native API (T1575) – Malware uses native code to drop the final payload
Defense Evasion (TA0030) – Masquerading: Match Legitimate Name or Location (T1655.001) – Malware pretends to be the Google Play Update and Chrome applications
Defense Evasion (TA0030) – Application Discovery (T1418) – Collects the installed application package name list to identify targets
Defense Evasion (TA0030) – Indicator Removal on Host: Uninstall Malicious Application (T1630.001) – Malware can uninstall itself
Defense Evasion (TA0030) – Input Injection (T1516) – Malware can mimic user interaction, perform clicks and various gestures, and input data
Collection (TA0035) – Input Capture: Keylogging (T1417.001) – Malware can capture keystrokes
Discovery (TA0032) – Software Discovery (T1418) – Malware collects the installed application package list
Discovery (TA0032) – System Information Discovery (T1426) – Malware collects basic device information
Collection (TA0035) – Screen Capture (T1513) – Malware can record screen content
Collection (TA0035) – Audio Capture (T1429) – Malware captures audio recordings
Collection (TA0035) – Call Control (T1616) – Malware can make calls
Collection (TA0035) – Protected User Data: Contact List (T1636.003) – Malware steals contacts
Collection (TA0035) – Protected User Data: SMS Messages (T1636.004) – Steals SMS messages from the infected device
Command and Control (TA0037) – Dynamic Resolution: Domain Generation Algorithms (T1637.001) – Malware implements a DGA
Command and Control (TA0037) – Encrypted Channel: Symmetric Cryptography (T1521.001) – Malware uses RC4 to encrypt C&C communication
Exfiltration (TA0036) – Exfiltration Over C2 Channel (T1646) – Exfiltrated data is sent to the C&C server

Indicators of Compromise (IOCs)

Indicators – Indicator Type – Description

0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 (SHA256), 9373860987c13cff160251366d2c6eb5cbb3867e (SHA1), 0544cc3bcd124e6e3f5200416d073b77 (MD5) – Session-based dropper

880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc (SHA256), cb6f9bcd4b491858583ee9f10b72c0582bf94ab1 (SHA1), d9763c68ebbfaeef4334cfefc54b322f (MD5) – Second-stage dropper

6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 (SHA256), c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b (SHA1), f9d5b402acee67675f87d33d7d52b364 (MD5) – Final undetected Cerberus payload

hxxp://cmsspain[.homes, hxxp://consulting-service-andro[.ru, hxxp://cmscrocospain[.shop, hxxp://cmsspain[.lol, hxxp://cmsspain[.shop (URL) – C&C servers

hxxp://elstersecure-plus[.online, hxxps://secure-plus[.online/ElsterSecure[.apk (URL) – Distribution and phishing URLs

hxxps://api[.telegram[.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121&text= (URL) – Telegram bot URL


The post Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus appeared first on Cyble.

Blog – Cyble

Docusign-themed phishing emails | Kaspersky official blog

Phishers are forever devising new tricks and finding new services to exploit and impersonate in their phishing campaigns. Today we talk about phishing emails that appear to come from Docusign, the world’s most popular e-signature service.

How Docusign-themed phishing works

The attack begins with an email, typically designed to resemble a legitimate Docusign communication. In this particular scheme, phishers don’t generally bother meticulously forging or masking the sender address, because genuine Docusign emails can originate from any address due to the service’s customization options.

In most cases, the victim is notified that they need to electronically sign a document — usually a financial one — the exact purpose of which isn’t entirely clear from the text of the email.

Example of a phishing email supposedly from Docusign: in this case, the link to the phishing page is located right in the body of the email

In some cases, phishers employ an additional trick we’ve covered in a separate post before: the email contains a PDF attachment with a QR code inside.

Example of a phishing email supposedly from Docusign with a PDF attachment instead of a link

The victim is prompted to scan this QR code — supposedly to access the document for signing. In reality, the QR code leads to a phishing website. This method tricks users into opening the malicious link not on their computers, but on their smartphones — where phishing URLs are harder to detect, and security software might not be installed.

Sometimes the email doesn’t mention Docusign at all. In one version of the PDF-with-QR-code scam, which we recently discussed in a post about spearphishing techniques in mass emails, Docusign is mentioned only inside the PDF.

Another example of a phishing PDF attachment with a link hidden in a QR code

Sometimes the cybercriminals take care to replicate the appearance of a legitimate Docusign email — complete with a security code at the foot of the email:

High-quality fake Docusign email

In some cases, phishers mimic Docusign integration with Microsoft SharePoint:

Example of phishers mimicking Docusign integration with Microsoft SharePoint

And in other cases, scam emails have nothing in common with the genuine ones. Here, for instance, the phishers were too lazy even to add the Docusign logo:

This phishing email doesn’t even have the Docusign logo

In short, the tactics and quality of execution can vary from email to email. However, the core principle remains the same: phishers rely on the recipient not understanding how e-signing with Docusign actually works.

The inattentive victim follows the link (or QR code) to the phishing page and enters their work login credentials, which go straight to the attackers.

Usernames and passwords harvested through successful phishing attacks are often compiled into databases sold on illicit dark web marketplaces, and later used to attack organizations.

How e-signing with Docusign actually works

The actual process of signing a document with Docusign for the regular user is simplicity itself. You receive an email from the party requesting the signature — which contains an unmissable big yellow “Review Document” button.

A genuine Docusign email looks something like this.

Clicking this button redirects you through a unique link to the Docusign website (on the docusign.net domain). The page that opens displays a short message from the initiating party, flanked by a “Continue” button, similarly large and yellow.

Clicking the button in the email immediately opens the document-signing page at Docusign.com.

The document for signing is available immediately — without entering any passwords. You simply review it, maybe add some details (such as name, date, and so on) in the appropriate fields, apply your signature, and click the “Finish” button (which is — you guessed it — also big and yellow). All done. No further actions required.

Now for what Docusign will NEVER do:

Send a PDF attachment with a link to a document to be signed. Bona fide Docusign notifications have no attachments, and display the “Review Document” button directly in the body of the email.
Give you no choice but to scan a QR code. Docusign works on both mobile devices and computers, so a link is always provided to access the document — not a QR code.
Require you to enter work login credentials. All the information Docusign needs is contained within the unique link sent in the email, so regular users aren’t required to undergo authentication to sign a document.
Force you to register with or log in to Docusign. After you sign the document, Docusign might suggest creating an account, but it’s entirely optional.

Remember that the whole purpose of Docusign is to make it as easy as possible for companies and individuals to exchange electronically-signed documents.

Any additional steps or restrictions — such as creating an account, entering credentials, opening attachments, or using only a smartphone to sign — go against this principle. Therefore, Docusign asks for none of this and strives to make the signing process as quick and simple as possible.

How to guard against phishing

To protect your organization from phishing attacks that impersonate Docusign or other popular services, consider the following measures:

Filtering out suspicious and unwanted email at the gateway level — our comprehensive solution Kaspersky Security for Mail Servers will do this for you.
Protecting endpoints from phishing redirects with Kaspersky Small Office Security or Kaspersky Next — depending on the size of your organization.
Raising employee awareness of cyberthreats with specialized training. Such training is easy to deliver using our educational Kaspersky Automated Security Awareness Platform.

Kaspersky official blog

Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework

Key Takeaways


Cyble honeypot sensors detected several new cyberattacks in recent days, targeting vulnerabilities in the Ruby SAML library, D-Link NAS devices, the aiohttp client-server framework, a WordPress plugin, and more.

Cyble’s Vulnerability Intelligence unit also discovered new phishing campaigns and brute-force attacks.

Clients are urged to address the vulnerabilities identified in the report and apply best practices.

Overview

The Cyble Vulnerability Intelligence unit identified several new cyberattacks during the week of Oct. 2-8.

Among the targets are the Ruby SAML library, several D-Link NAS devices, the aiohttp client-server framework used for asyncio and Python, and a popular WordPress plugin used by restaurants and other businesses.

Cyble sensors also uncovered more than 350 new phishing email addresses and thousands of brute-force attacks.

Vulnerabilities Targeted by Threat Actors

The full report for clients looked at more than 40 vulnerabilities under active exploitation by threat actors. Here are four new attacks identified in the report.

Ruby SAML Improper Verification of Cryptographic Signature Vulnerability

The Ruby SAML library implements the client side of SAML authorization. Ruby-SAML in versions up to 1.12.2 and 1.13.0 up to 1.16.0 does not properly verify the signature of the SAML Response. By exploiting the 9.8-severity vulnerability CVE-2024-45409, an unauthenticated attacker with access to any signed SAML document (by the IdP) can forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The vulnerability is fixed in 1.17.0 and 1.12.3.

aiohttp Path Traversal

CVE-2024-23334 is a Path Traversal vulnerability in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option ‘follow_symlinks’ can be used to determine whether to follow symbolic links outside the static root directory. When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are recommended mitigations. Version 3.9.2 fixes this issue.
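The missing check, as an added stand-alone example rather than aiohttp’s own code: a static-file resolver that mirrors the flawed behaviour beside one that confines the served path to the root (checked lexically when symlinks may be followed, after full resolution otherwise), exercised against a “../” traversal request and a symlink that points outside the root. The directory layout, file names and request paths are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_static_vulnerable(root: Path, request_path: str) -> Path:
    """The flawed pattern: join the request onto the root and resolve it,
    with no check that the result still lies inside the root."""
    return (root / request_path.lstrip("/")).resolve()


def resolve_static_fixed(root: Path, request_path: str,
                         follow_symlinks: bool = False) -> Optional[Path]:
    """Return the file to serve, or None when the request escapes the root.

    follow_symlinks=False: the fully resolved path must lie under the resolved
    root, so symlinks pointing outside are refused as well.
    follow_symlinks=True: the operator allows symlinks out of the root, but
    ".." traversal must still be refused, so containment is checked on the
    normalised-but-unresolved path before any symlink is followed.
    """
    root = root.resolve()
    candidate = root / request_path.lstrip("/")
    if follow_symlinks:
        checked = Path(os.path.normpath(candidate))   # collapses ".." only
    else:
        checked = candidate.resolve()                 # also follows symlinks
    try:
        checked.relative_to(root)
    except ValueError:
        return None                                   # outside the static root
    real = checked.resolve()
    return real if real.is_file() else None


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed layout: <tmp>/static is the served root, <tmp>/secret.txt
    sits outside it, and <tmp>/static/link is a symlink to that file.
    For each request, report whether each resolver would serve a file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "secret.txt"
        secret.write_text("outside the static root")
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>")
        (root / "link").symlink_to(secret)
        results = {}
        for req in ("index.html", "../secret.txt", "link"):
            results[req] = {
                "vulnerable_serves": resolve_static_vulnerable(root, req).is_file(),
                "fixed_no_symlinks": resolve_static_fixed(root, req, False) is not None,
                "fixed_follow_symlinks": resolve_static_fixed(root, req, True) is not None,
            }
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(req, outcome)
```

The “../secret.txt” row is the CVE case: the vulnerable resolver serves a file outside the root with no symlink involved, while the fixed resolver refuses it in both modes.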

D-Link NAS Devices Hard-Coded Credentials Vulnerability

A 9.8-severity vulnerability, CVE-2024-3272, is being targeted in end-of-life D-Link NAS devices DNS-320L, DNS-325, DNS-327L, and DNS-340L up to 20240403. The issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely, and the exploit has been disclosed to the public. The associated identifier of this vulnerability is VDB-259283. The vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

PriceListo SQL Injection Vulnerability

CVE-2024-38793 is an Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in the PriceListo Best Restaurant Menu WordPress plugin, allowing for SQL Injection attacks. The issue affects Best Restaurant Menu by PriceListo through 1.4.1.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401) and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

Brute-Force Attacks

Cyble sensors also detected thousands of brute-force attacks. Among the top 5 attacker countries, Cyble researchers observed attacks originating from Vietnam targeting ports 22 (43%), 445 (32%), 23 (17%), and 3389 (8%). Attacks originating from Russia targeted ports 3389 (58%), 5900 (35%), 1433 (5%), 3306 (1%) and 445 (1%). Greece, Colombia, and Bulgaria mainly targeted ports 1433, 5900, and 445.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

New Phishing Campaigns Identified

Cyble sensors also detected 351 new phishing email addresses. Below are six phishing scams of note identified by Cyble:

E-mail Subject – Scammer’s Email ID – Scam Type – Description

Claim Directives – info@szhualilian.com – Claim Scam – Fake refund against claims
DEAR WINNER – contact@wine.plala.or.jp – Lottery/Prize Scam – Fake prize winnings to extort money or information
GOD BLESS YOU…. – info@advanceairsystem.com – Donation Scam – Scammers posing as a donor offering to donate money
CHOSEN- EMAIL – test@mps.elnusa.co.id – Investment Scam – Unrealistic investment offers to steal funds or data
Order 3038137699167518: cleared customs – support@otm4n3-recrypto.to – Shipping Scam – Unclaimed shipment trick to demand fees or details
UN Compensation Fund – info@usa.com – Government Organization Scam – Fake government compensation to collect financial details

Cyble Recommendations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework appeared first on Cyble.

Blog – Cyble

GoldenJackal jumps the air gap … twice – Week in security with Tony Anscombe

ESET research dives deep into a series of attacks that leveraged bespoke toolsets to compromise air-gapped systems belonging to governmental and diplomatic entities

WeLiveSecurity

Data Breach and DDoS Attacks Take Archive.org and Open Library Offline

Key Takeaways


The massive 57-petabyte Internet Archive has been hit by a data breach, website defacement, exfiltration and DDoS attacks in recent days.

The breach and DDoS attacks so far appear unconnected.

A copy of a user authentication database containing the email addresses and credentials of 31 million users has been provided to Have I Been Pwned.

The attackers have faced criticism for attacking a nonprofit whose goal is to preserve knowledge.

Questions have been raised about Archive’s handling of JavaScript, which appears central to the breach.

As of now, Archive.org and Open Library are offline, and recovery efforts are expected to take “days, not weeks.”

Overview

The Internet Archive has taken its Archive.org and OpenLibrary.org sites offline in response to a data breach and repeated DDoS attacks.

The breach of a user authentication database, which exposed the email addresses and credentials of 31 million users, likely occurred on Sept. 28, as that is the most recent date in a 6.4GB SQL file provided to Troy Hunt of Have I Been Pwned. Archive users did not become aware of the breach until two days ago, when a JavaScript alert appeared on the site that read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

Internet Archive founder Brewster Kahle confirmed the attacks and website defacement in a Tweet on October 9: “DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

The DDoS attacks returned yesterday, and the Internet Archive took Archive.org and Open Library offline, opting for “being cautious and prioritizing keeping data safe at the expense of service availability.”

In an update today, Kahle said: “The data is safe. Services are offline as we examine and strengthen them. Sorry, but needed. @internetarchive staff is working hard. Estimated Timeline: days, not weeks.”

In the meantime, this notice appears on the Archive home page, and the Open Library site was down at the time of publication:

Breach and DDoS Attacks May Not Be Linked

Shortly after the breach became public, the DDoS attacks were launched by the threat actor group SN_BLACKMETA. In an alert to clients, Cyble said there is as of yet no evidence that the breach and DDoS attacks are related.

“There is no correlation whether the threat actor group SN_BLACKMETA who is behind the DDoS attacks is the same group that also breached Internet Archive,” Cyble said in the alert.

SN_BLACKMETA appears to misunderstand the nature of the non-governmental, non-profit Internet Archive, as the threat group stated as its motive for the attacks that “the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of “Israel”.”

Commenters on Twitter and apparently even in the group’s own Telegram channel (now taken down) criticized targeting the Internet Archive, which has preserved a vast amount of data and records on a small budget. At last count, the Archive contained 57 petabytes of data and more than 866 billion web pages across four data centers in its mission to provide “universal access to all knowledge.”

On Mastodon, independent cybersecurity researcher Kevin Beaumont said, “that isn’t sticking it to some evil multinational, it’s attacking a genuinely great resource run on near nothing resource, sweat and tears. If you’re going to attack things – please aim better.”

Archive Website Security Questioned

In the wake of the attacks, questions are being raised about the Internet Archive’s website security, which allowed a breach, exfiltration, defacement and DDoS attacks within a short time period.

“A Website as large as archive.org should be able to isolate hashed passwords from public accessible Javascript,” one commenter noted. “Wikipedia makes extensive use of Javascript. As far as i know, Javascript is disabled on preferences pages and login Pages.”

The post Data Breach and DDoS Attacks Take Archive.org and Open Library Offline appeared first on Cyble.

Blog – Cyble – Read More

Security and privacy settings in Strava | Kaspersky official blog

In a previous post about the privacy of running apps in general, we explained why these apps are a goldmine of personal data for scammers and criminals of all kinds: unfortunately, by default they share sensitive data — including one’s precise location — with virtually anyone. As we mentioned, the consequences can be dire — from leaking the locations of secret facilities, to stalking and even assassination attempts.

In that previous post, we also shared detailed instructions on general smartphone settings to minimize these risks. In this and subsequent posts, we discuss specific privacy settings for the most popular running apps. Let’s start with Strava.

Strava (available for Android and iOS) is arguably the most popular app for tracking running, cycling, and hiking workouts. And it’s also the only one that has remained independent: all other major running apps have already been acquired by sportswear giants. Incidentally, Strava has been at the center of several data privacy controversies — including the famous heatmap incident that exposed the location of numerous secret military facilities.

Strava is also often criticized whenever questions arise about how users can track each other through fitness apps. Frankly, these criticisms are still valid: Strava’s default settings are far from private — the app actively encourages you to share your data with the entire internet.

Thankfully, this can be fixed: Strava offers a decent range of privacy settings. To access them, tap You in the bottom-right corner of the screen, then tap the gear icon in the top right corner, and in the window that opens, select Privacy Controls.

Where to find privacy settings in the Strava app: You → Settings → Privacy Controls

First, make your profile private by selecting Profile Page and changing its visibility to Followers. Next, go through the options Activities, Group Activities, Flybys, Local Legends, and Mentions — and set them all to either Followers or — even better — Only You or No One.

Now, we recommend going to Map Visibility and selecting one of the ways the app will hide your run/ride maps:

Hide the start and end points of activities that happen at a specific address. This feature allows you to use an address and a radius around it in meters to define an area where your movements will be hidden. This way, you can mask your regular start and finish locations — such as your home address.
Hide the start and end points of activities no matter where they happen. Simply select a radius in meters, and any start and end points will automatically be hidden. This option is more convenient than the first one — and you won’t have to share your address with the app.
Hide your activity maps from others completely. If you choose this option, all location data from your future (but not past) workouts will only be visible to you.

How to hide your activity location data in the Strava app: You → Settings → Privacy Controls → Map Visibility

Keep in mind that, if you use Strava frequently, hiding only the start and end points might not be enough. A study published in late 2022 demonstrates a method for pinpointing hidden locations with 85% accuracy. Therefore, we recommend choosing the third option: Map Visibility → Hide your activity maps from others completely → Hide All Maps.

Note that the privacy settings in Strava aren’t retroactive. If you’ve previously recorded some workouts in the app, the hiding features won’t apply to them. To fix this, go to the Edit Past Activities section, tap Get Started, select Activity Visibility, and tap Next. In the next window, choose either Followers or Only You and tap Next again. After a while (not instantly), your past activities will be hidden.

How to hide past activities in the Strava app: You → Settings → Privacy Controls → Edit Past Activities

The next tip is for those who regularly exercise at sensitive locations and don’t want to accidentally expose them. Go to Aggregated Data Usage and toggle off Contribute your activity data to de-identified, aggregate data sets. After this, your runs won’t appear in places like Strava Metro, the Global Heatmap (the one that leaked the military base locations), Points of Interest, Start Points, or Community Generated Routes.

Go to Public Photos on Routes and disable Share photos with the community. If your profile is private and your activities are hidden from the public, photos you add to your runs shouldn’t be visible anyway. But just in case Strava decides to change things, it’s best to disable this feature explicitly.

Finally, go to Do Not Share My Personal Information and toggle on the switch. This will prevent Strava from selling your data to third parties for targeted advertising (or whatever else those parties might be up to).

Congratulations, you’ve now properly set up your privacy in Strava!

You can learn how to set up privacy in other apps — from social media to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy and protect you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog for more how-to guides and helpful articles to always stay one step ahead of scammers.

Kaspersky official blog – Read More

How to properly configure privacy in running apps | Kaspersky official blog

Fitness apps, by their very nature, have access to a wealth of personal data, especially data that tracks outdoor activities — primarily running. During tracking, they collect a ton of data — heart rate and other physical activity metrics, step count, distance covered, elevation changes, and, of course, geolocation — to give you a detailed analysis of your workout.

And people rarely jog in random locations; their routes usually repeat and are often close to home, work, school, military base… Essentially, places they go to often and, most likely, at regular times. What happens if this information falls into the wrong hands?

The consequences can be catastrophic. For instance, a few years ago, a map published by a certain running app revealed the locations of several secret military facilities. And in the summer of 2023, a hitman allegedly used this data to shoot to death Russian submarine commander Stanislav Rzhitsky during his run.

Of course, the leakage of geolocation data can be dangerous not only for military personnel. It’s easy to imagine scenarios where it could lead to trouble not only for obvious targets — such as celebrities, political figures, or top company executives — but for ordinary people too.

Once they’ve got their hands on your movement data, attackers can readily use it for blackmail and intimidation. If the victim hears that the criminal knows all their movements and where they live, they’re significantly more likely to get scared and comply with any demands.

In addition to direct threats, geolocation info perfectly complements data leaked from other apps, or collected through doxing — making targeted attacks much more potent. Don’t think that you’re not important enough for scammers to prepare a complex attack: anyone can become a victim, and the criminals’ end goal isn’t always financial gain.

But it’s not just geolocation data that running apps collect and analyze. Like all fitness apps, they monitor activity and physical condition, which can reveal a lot about a person’s health. This information can also be used in a social engineering attack — because the more an attacker knows about their victim, the more sophisticated and effective their actions can be.

So, it’s essential to take due care when choosing your running app and setting up its privacy — and our tips will help you do just that.

General tips for choosing a running app and configuring its privacy

The first thing you absolutely shouldn’t do is install every running tracker in existence and then choose the one you like best. This way, you’ll hand over your personal data to everyone, significantly increasing the risk of it falling into the wrong hands. The fewer apps you use, the lower the risk of a data leak — but remember, no company can guarantee 100% data security.

Some companies invest more in the security of their users than others, and preference should be given to those who take data protection and anonymization seriously. To ensure this, carefully read the privacy policy of your chosen app: responsible developers will specify what data the app collects, for what purpose, which data might be shared with third parties, and what rights users have regarding their personal data. It’s also worth searching online or asking an AI assistant if the app you’re interested in has been involved in any data leaks — simply type the app’s name plus “data breaches” or “data leak” into a search engine. And, of course, checking user reviews is also a must.

Once you’ve chosen and installed an app, the next thing to do is configure its privacy settings. Unfortunately, many running apps share collected data — including your geolocation — with the entire internet by default. You’ll find links to detailed instructions on how to set up privacy for the most popular running apps — Strava, Nike Run Club, MapMyRun, adidas Running, and ASICS Runkeeper — at the end of this post.

As with any other app, it’s a good idea to use your smartphone’s operating system features to minimize tracking. For example, on iOS, when you first launch the app, you can block it from tracking your activity in other apps. Don’t ignore this option.

In addition, don’t grant the running app access to data that it doesn’t need to function — such as photos, calls, messages, or contacts. To reduce the amount of location data collected, don’t allow fitness trackers (or most other apps, for that matter) to monitor your geolocation continuously — choose the “Only while using the app” option, available on iOS and the latest versions of Android. You can set this when you first launch the app, or later by reviewing all the app’s permissions in your smartphone’s settings or, for Android devices, in Kaspersky for Android.

In general, it’s a good idea to regularly check your smartphone’s privacy and security settings to see which apps have access to which data.

Keep in mind that privacy settings won’t protect you from being tracked if someone guesses your account password. Unfortunately, none of the most popular running apps currently support two-factor authentication — although they really should. Therefore, the best thing you can do to protect your account is to create a long and complex password — preferably at least 16 characters long. Of course, it should be unique. To ensure you don’t forget this combination of characters, save it in a password manager — which, by the way, can also generate a highly secure random password for you.

Privacy settings for popular running apps

We’ve selected the most popular jogging apps and prepared recommendations on how to set up privacy in each of them. Subscribe to our blog to make sure you don’t miss the instructions for your running tracker. As we publish the privacy setup guides, we’ll be updating this post with the relevant links. The following apps will be covered:

Strava
Nike Run Club
MapMyRun
adidas Running (formerly Runtastic)
ASICS Runkeeper

To learn how to set up privacy for other apps — from browsers and social networks to operating systems — visit our website Privacy Checker.

Kaspersky official blog – Read More

Telekopye transitions to targeting tourists via hotel booking scam

ESET Research shares new findings about Telekopye, a scam toolkit used to defraud people on online marketplaces, and newly on accommodation booking platforms

WeLiveSecurity – Read More

What NIST’s latest password standards mean, and why the old ones weren’t working

Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” 

The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways websites and organizations should handle password creation and management that will do away with many of the “common sense” things we’ve thought about passwords for years now.

Here is a tl;dr version of what these proposed guidelines say: 

Passwords need to be at least eight characters long, and sites should have an additional recommendation to make them at least 15 characters long.
Credential service providers (CSPs) should allow users to make their passwords as long as 64 characters.
CSPs should allow ASCII and Unicode characters to be included in passwords.
Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.
There should not be requirements to implement a certain number of numbers or special characters into passwords. (Ex., “Password12345!”)
Do away with knowledge-based authentication or security questions when selecting passwords. (Think: “What was the name of your college roommate?”)

Now, we should make a few things clear here. Just because NIST is proposing these doesn’t mean anyone *has* to abide by them; these are merely guidelines that some of the larger tech companies in the U.S. can choose to adopt. And these are proposed rules for the time being, meaning the public and tech companies have time to weigh in on the matter before they are codified in any way.

While these proposals may seem counterintuitive, they should make traditional text-based login credentials more manageable for users and admins. Studies have shown that requiring a mixture of special characters and numbers has led users to create easier-to-guess passwords like “$ummer2024!” or “P@ssword”.

And policies that require users to change their passwords often have led them to create passwords that are nigh-impossible to remember, so users end up storing these passwords in easy-to-locate places near their computers, like on a physical piece of paper or saved to a .txt file on their desktop.

The hope from NIST is that enforcing longer passwords will make it harder for adversaries to guess and less intimidating for users to manage their passwords. 

Of course, using a third-party password manager is usually the most secure option for anyone. But what NIST is proposing is still a step in the right direction, and if nothing else will make those of us who are more security-minded have a better time when creating a new account.  
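As an added example (not code from the Talos newsletter or from NIST), the guideline points above expressed as a password-acceptance check beside the legacy composition-rule policy they replace: length floor of 8 with 15 recommended, room for 64, Unicode accepted, no character-class rules, and rotation only on breach evidence. The function names, the 90-day legacy rotation cadence and the sample passwords are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_LEN = 8               # hard minimum under the proposed guideline
RECOMMENDED_LEN = 15      # sites should additionally recommend this length
MAX_LEN = 64              # CSPs should allow passwords at least this long
LEGACY_MAX_AGE_DAYS = 90  # assumed cadence of the old forced-rotation rule


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)  # blocking problems
    advice: list = field(default_factory=list)   # non-blocking suggestions


def _is_symbol(ch: str) -> bool:
    # Digit or punctuation; whitespace inside a passphrase is not a "symbol".
    return ch.isdigit() or (not ch.isalnum() and not ch.isspace())


def legacy_policy(pw: str) -> Verdict:
    """Composition-rule policy: at least 8 characters and at least one digit
    or special character.  It waves through predictable strings such as
    "P@ssword" and "$ummer2024!" while rejecting a long plain passphrase."""
    v = Verdict(accepted=True)
    if len(pw) < MIN_LEN:
        v.reasons.append(f"shorter than {MIN_LEN} characters")
    if not any(_is_symbol(ch) for ch in pw):
        v.reasons.append("no digit or special character")
    v.accepted = not v.reasons
    return v


def nist_policy(pw: str) -> Verdict:
    """Length-only policy following the proposed guideline points above.
    Length is counted in Unicode code points (len() of a Python str), so a
    Cyrillic or CJK passphrase is measured the same way as an ASCII one; that
    unit is an assumption, the newsletter only says Unicode must be allowed."""
    v = Verdict(accepted=True)
    n = len(pw)
    if n < MIN_LEN:
        v.reasons.append(f"shorter than {MIN_LEN} characters")
    elif n < RECOMMENDED_LEN:
        # A recommendation, not a rejection: 8 is the floor, 15 is encouraged.
        v.advice.append(f"consider at least {RECOMMENDED_LEN} characters")
    if n > MAX_LEN:
        # Refuse rather than silently truncate: truncation would shorten the
        # secret without the user knowing.
        v.reasons.append(f"longer than {MAX_LEN} characters")
    # Deliberately no checks for digits, symbols or character classes.
    v.accepted = not v.reasons
    return v


def rotation_due(days_since_change: int, breach_evidence: bool) -> dict:
    """Old rule: rotate on a fixed cadence regardless of risk.
    Proposed rule: rotate only when there is evidence of a breach."""
    return {
        "legacy": breach_evidence or days_since_change >= LEGACY_MAX_AGE_DAYS,
        "nist": breach_evidence,
    }


def compare(pw: str) -> dict:
    """Acceptance of one candidate password under both policies."""
    return {"legacy": legacy_policy(pw).accepted,
            "nist": nist_policy(pw).accepted}


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    samples = [
        "P@ssword",                      # legacy yes, proposed yes (with advice)
        "$ummer2024!",                   # legacy yes, proposed yes (with advice)
        "correct horse battery staple",  # legacy no, proposed yes
        "пароль из четырёх слов",        # legacy no, proposed yes (Unicode)
        "x" * 65,                        # both no: over the 64-character cap
    ]
    for pw in samples:
        print(f"{pw!r:40} {compare(pw)}")
    print("rotation after 120 days, no breach:", rotation_due(120, False))
```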

The one big thing 

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.   

Why do I care? 

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability. The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.   

So now what? 

Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 – 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 – 301036 and 301041.

Top security headlines of the week  

Chinese state-sponsored actors are suspected to have breached several U.S. telecommunications providers to spy on U.S. government phone calls. AT&T, Verizon and Lumen may have all been victims of the alleged counter-spying operation from the newly named APT Salt Typhoon. The actor potentially accessed information from systems that the U.S. government uses for court-authorized network wiretapping requests, all in the name of trying to steal government secrets. Though it’s still unclear how long Salt Typhoon had access to these networks, it’s clear they at least spent a few months on these networks, commonly used to cooperate with lawful U.S. requests for communication data. The attackers may have also accessed large amounts of other generic internet traffic through this operation. A separate Chinese APT known as Volt Typhoon became a major topic of conversation earlier this year for allegedly trying to infiltrate networks at U.S. military bases and other critical infrastructure sites. (Wall Street Journal, Washington Post)

Microsoft and the U.S. Department of Justice announced they had deactivated more than 60 domains and other attacker infrastructure associated with the Russian state-sponsored ColdRiver group. ColdRiver is believed to be connected to Russia’s Federal Security Bureau (FSB) and recently has targeted non-governmental organizations, think tanks, military officials and intelligence officials in Ukraine and NATO countries. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials,” U.S. Deputy Attorney General Lisa Monaco stated during the announcement of the disruption. ColdRiver (aka Callisto Group, Seaborgium and Star Blizzard) has been active since at least 2017. The U.S. State Department is now also offering up to a $10 million reward for any information that could help locate or identify any individual members of ColdRiver. (Security Magazine, Bleeping Computer)

With genetic testing company 23AndMe floundering, customers are left wondering what could happen to their personal information if the company goes bankrupt or goes out of business altogether. 23AndMe, known for collecting DNA samples from customers and then providing them with a report about their ancestry, has lost millions of dollars in its valuation and stock price over the past few years. However, more than 15 million individuals have submitted their DNA to the company since it was founded in 2006, and privacy advocates are warning them to manually delete their data now before anything happens to the company. The company also has several data-sharing agreements with other private companies, which use 23AndMe data to conduct other studies and research. And because 23AndMe’s services do not fall under health care in the U.S., the company does not have to adhere to traditional HIPAA rules. Last year, the company was hit with a massive data breach that it said affected 6.9 million customer accounts, including 14,000 people who had their passwords stolen. U.S. law enforcement has also tried to access the company’s data in the past (requests that have been declined), and it is unclear if those requests would be allowed should the company no longer exist. (NPR, Business Insider)

Can’t get enough Talos? 

Cisco Talos: Advanced intelligence for global cyberthreats
New MedusaLocker Ransomware Variant Deployed by Threat Actor
MedusaLocker ransomware variant paired with ‘paid_memes’ toolkit
Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Upcoming events where you can find Talos

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

it-sa Expo & Congress (Oct. 22 – 24) 

Nuremberg, Germany

White Hat Desert Con (Nov. 14) 

Doha, Qatar

misecCON (Nov. 22) 

Lansing, Michigan

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

Most prevalent malware files from Talos telemetry over the past week 


Cisco Talos Blog – Read More

Cyble Urges ICS Vulnerability Fixes for TEM, Mitsubishi, and Delta Electronics

Key Takeaways

Cyble researchers investigated vulnerabilities in five ICS/OT products this week and identified Mitsubishi Electric, TEM, and Delta Electronics products as top priorities for security teams.

TEM has been unresponsive to reports of vulnerabilities in Opera Plus FM Family Transmitters, version 35.45, so users are urged to take mitigation steps.

Mitsubishi Electric has no plans to fix vulnerabilities in MELSEC iQ-F FX5-OPC communication units and instead recommended mitigation steps.

Overview

Cyble researchers have identified vulnerabilities in three products used in critical infrastructure environments that merit high-priority attention from security teams.

Cyble’s weekly industrial control system/operational technology (ICS/OT) vulnerability report for Oct. 1-7 investigated 10 vulnerabilities in five ICS/OT products and identified products from Mitsubishi Electric, TEM, and Delta Electronics as top priorities for patching and mitigation.

TEM Opera Plus FM Family Transmitter Vulnerabilities

An attacker could target Opera Plus FM Family Transmitters through missing authentication for critical function and cross-site request forgery (CSRF) vulnerabilities (CVE-2024-41987 and CVE-2024-41988), and a proof of concept (PoC) is publicly available.

CISA issued an advisory on the vulnerabilities on Oct. 3, 2024, and CVE records were created the same day. CISA notes that TEM has been unresponsive to requests to work with the agency on the vulnerability; the PoC developer, Gjoko Krstic, also reported a lack of response from the company.

The transmitters are used globally in the communications sector; version 35.45 is affected.

CISA recommends the following mitigations:

Minimize network exposure for all control system devices and systems, ensuring they are not internet-accessible.

Place control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods such as VPNs, even though VPNs may have vulnerabilities and should be updated to the most current version. Connected devices must also be secure.

Mitsubishi Electric MELSEC iQ-F FX5-OPC

Mitsubishi Electric’s MELSEC iQ-F FX5-OPC communication units are affected by a NULL pointer dereference vulnerability (CVE-2024-0727) that malicious actors could exploit to create denial-of-service (DoS) conditions by getting a legitimate user to import a specially crafted PKCS#12 format certificate. The issue is caused by an OpenSSL vulnerability that the company detailed in an Oct. 1 advisory.

Mitsubishi Electric has no plans to fix the vulnerability and instead recommends the following mitigations:

Use within a LAN and block access from untrusted networks and hosts through firewalls.

Restrict physical access to the product and computers and network devices located within the same network.

Use a firewall or VPN to prevent unauthorized access when Internet access is required.

Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to the following manual: MELSEC iQ-F FX5 OPC UA Module User’s Manual “4.4 IP Filter”

Do not import untrusted certificates.

Delta Electronics DIAEnergie

SQL injection vulnerabilities (CVE-2024-43699 and CVE-2024-42417) in Delta Electronics’ DIAEnergie industrial energy management system could allow an unauthenticated attacker to obtain records contained in the targeted product.

Versions v1.10.01.008 and prior are affected, and Delta Electronics recommends that users upgrade to v1.10.01.009.

Optigo Networks and Subnet Solutions

Optigo Networks (CVE-2024-41925 and CVE-2024-45367) and Subnet Solutions PowerSYSTEM Center (CVE-2020-28168, CVE-2021-3749, and CVE-2023-45857) products were also the focus of recent security advisories. Cyble recommended patching the Optigo ONS-S8 Spectra Aggregation Switch vulnerabilities last week.

Recommendations and Mitigations

Cyble also offered general security guidelines for ICS and OT environments:

Keep track of security, patch advisories, and alerts issued by vendors and state authorities.

Follow a risk-based vulnerability management approach to reduce the risk of exploitation of assets and implement a Zero-Trust Policy.

Threat intelligence analysts should support the organizational patch management process by continuously monitoring for, and notifying on, critical vulnerabilities published in CISA’s KEV Catalog, actively exploited in the wild, or identified in mass exploitation attempts on the internet.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Implement proper network segmentation to prevent attackers from performing discovery and lateral movement and minimize exposure of critical assets.

Regular audits, vulnerability assessments, and pen-testing exercises are vital in finding security loopholes that attackers may exploit.

Continuous monitoring and logging can help in detecting network anomalies early.

Utilize Software Bill of Materials (SBOM) to gain more visibility into individual components, libraries, and their associated vulnerabilities.

Install physical controls to prevent unauthorized personnel from accessing your devices, components, peripheral equipment, and networks.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

The post Cyble Urges ICS Vulnerability Fixes for TEM, Mitsubishi, and Delta Electronics appeared first on Cyble.

Blog – Cyble – Read More