Government Sector Bears the Brunt of Cyberattacks in Ukraine: Report 

Cybe Inc | ukrain-cyberthreat

Overview 

Ukraine’s fight against cyberthreats has reached new heights, with its top cybersecurity agency releasing the 2024 annual cyberthreat landscape report detailing its efforts to protect critical infrastructure and government systems.  

The report, prepared by the State Cyber Defense Center under the State Service for Special Communications and Information Protection, outlines key findings, incident statistics, and strategies employed to counteract persistent cyber threats. 

Key Findings 

Ukraine processed a staggering 3 million security events in 2024, a reflection of the heightened activity in its cyber domain. Of these, over 1,000 incidents were confirmed as direct cyberthreats.  

The year saw a surge in advanced persistent threats (APTs) and state-sponsored cyber espionage campaigns, with attackers leveraging legitimate services to obfuscate their malicious activities. 

  • Malware Dominance: Over 58% of incidents involved malicious software, ranging from ransomware to spyware designed for prolonged infiltration. These attacks targeted data exfiltration and operational disruption. 

  • Sectoral Breakdown: Government agencies accounted for 90% of reported incidents, making them a primary target for the year. The energy sector, critical to Ukraine’s resilience, and the defense sector, pivotal in ongoing geopolitical conflicts, also faced significant threats. 

  • Primary Attack Vectors: Phishing campaigns remained the predominant method of attack. Threat actors exploited spear-phishing emails laden with malicious attachments or links, leveraging human error as an entry point. 

The Major Threat Clusters 

Ukraine identified three major threat actor clusters, each with distinct methodologies and objectives that remained most active in the year gone by: 

  1. UAC-0010 (Gamaredon/Trident Ursa): 

  • Activity: Conducted over 270 documented incidents in 2024. 
  • Tactics: Utilized tailored malware delivery mechanisms, including infected removable media and phishing emails. 
  • Targets: Government institutions, military organizations, and diplomatic entities. 
  • Objective: Cyber espionage aimed at gathering intelligence on Ukraine’s governance and defense. 

  1. UAC-0006: 

  • Activity: Responsible for 174 attacks, particularly in the financial sector. 
  • Tactics: Employed SmokeLoader malware to infiltrate systems and extract sensitive data. 
  • Objective: Financial gain through data theft and subsequent ransom demands. 

  1. UAC-0050: 

  • Activity: Linked to 99 incidents with a mix of espionage and sabotage. 
  • Tactics: Relied heavily on phishing and malware propagation via compromised email accounts. 
  • Objective: Espionage with a secondary focus on spreading disinformation. 

Advanced Tools and Techniques 

To combat increasingly sophisticated threats, Ukraine’s SOC deployed a range of advanced tools and methodologies: 

  • Network Detection and Response (NDR): SOC teams monitored anomalies in traffic patterns across 69 sensors strategically placed in critical networks. These sensors facilitated early detection of intrusions. 
  • Endpoint Detection and Response (EDR): Secured over 28,000 devices, providing a critical layer of defense against endpoint-based attacks. 
  • Attack Surface Management (ASM): Regular scans of over 1,200 assets enabled the identification and mitigation of vulnerabilities before they could be exploited. 
  • SOAR and AI Integration: The integration of Security Orchestration, Automation, and Response (SOAR) with AI algorithms streamlined incident response processes, reducing detection-to-remediation times significantly. 

Sector Specific Insights 

Ukraine’s cyber agency’s analysis provides a granular view of the sectors most impacted by cyber threats

  • Government Agencies: As the backbone of Ukraine’s operational and strategic initiatives, government networks faced relentless attacks. Over 90% of incidents were concentrated here, ranging from attempts to steal classified information to disruptions in communication systems. 
  • Energy Sector: With Ukraine’s energy infrastructure being a critical target, adversaries focused on disrupting power grids and supply chains, aiming to weaken national stability. 
  • Defense Sector: Sophisticated attacks aimed to infiltrate military communications and logistics systems, compromising national security. 

Recommendations for Enhanced Cyber Resilience 

Ukraine’s cyberthreat landscape suggests a multi-layered approach to cybersecurity, advocating for the following measures: 

  1. Regular Software Updates: Ensure that all systems, software, and firmware are updated promptly to address known vulnerabilities. 
  2. Advanced Email Security: Deploy filters to detect and block phishing attempts, and train employees to recognize suspicious communications. 
  3. Comprehensive Endpoint Protection: Utilize advanced antivirus and EDR solutions to secure devices against malware and unauthorized access. 
  4. Network Segmentation: Isolate critical systems from less secure areas to limit the scope of potential breaches. 
  5. Multi-Factor Authentication (MFA): Enforce MFA across all user accounts to bolster identity verification processes. 
  6. Incident Response Plans: Develop and regularly test robust incident response protocols to ensure rapid recovery from cyber events. 
  7. Continuous Monitoring: Leverage SIEM tools and log analysis to detect and respond to anomalies in real-time. 

The Path Forward 

Ukraine’s annual cyberthreat landscape report 2024 shows the dynamic and persistent nature of cyberthreats that the country is facing. The integration of advanced technologies and proactive collaboration with international allies has significantly enhanced the nation’s cyber defense capabilities. However, the evolving tactics of adversaries demand an equally adaptive and forward-looking approach. 

As Ukraine continues to navigate its geopolitical challenges, the role of cybersecurity in safeguarding national sovereignty and infrastructure remains paramount. By fostering a culture of resilience and collaboration, Ukraine is setting an example for global cybersecurity efforts, proving that even under relentless attack, robust defenses can prevail. 

References: 

https://scpc.gov.ua/api/files/72e13298-4d02-40bf-b436-46d927c88006
https://www.cip.gov.ua/ua/news/sistema-viyavlennya-vrazlivostei-i-reaguvannya-na-kiberincidenti-ta-kiberataki-dckz-dopomogla-viyaviti-ta-opracyuvati-1042-kiberincidenti-u-2024-roci

The post Government Sector Bears the Brunt of Cyberattacks in Ukraine: Report  appeared first on Cyble.

Blog – Cyble – ​Read More

ICS Vulnerability Report: Hitachi Energy Network Management Flaw Scores a Perfect 10

Cybe Inc | ics-vulnerability

Overview 

Critical vulnerabilities in Hitachi Energy UNEM Network Management Systems were among the highlights in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report, which also examined flaws in products from Delta Electronics, Schneider Electric and other ICS vendors. 

Cyble Research & Intelligence Labs (CRIL) examined 16 vulnerabilities in the report for clients – half of which affect Hitachi Energy FOXMAN-UN products – based on ICS alerts by the Cybersecurity and Infrastructure Security Agency (CISA) between January 8-14. 

Of the 16 vulnerabilities, two are critical, nine are high severity, and five are medium severity. They span Communication, Critical Manufacturing, Chemical, Energy, Wastewater Systems and Commercial Facilities, and could lead to operational disruption, data compromise, and unauthorized access or exploitation of key functionality in power supply systems, which are foundational to numerous industries. 

Hitachi Energy Vulnerabilities 

The Hitachi Energy vulnerabilities include improper authentication, buffer overflow, excessive authentication attempts, hard-coded passwords, and cleartext storage of sensitive information, underscoring the systems’ complexity and potential attack surfaces. 

CVE-2024-2013, a 10.0-severity authentication bypass vulnerability in FOXMAN-UN, UNEM servers and API Gateways, could allow attackers without credentials to access the services and the post-authentication attack surface. 

CVE-2024-2012, a 9.8-severity authentication bypass vulnerability in the network management products, could allow attackers to execute commands or code on UNEM servers, potentially allowing sensitive data to be accessed or changed. 

The vulnerabilities were first reported in June 2024, but were the subject of a CISA advisory this week that cited the vulnerabilities’ low complexity and ability to be exploited remotely. CISA also cited six additional Hitachi Energy vulnerabilities, with CVSS v3 scores ranging from 4.1 to 8.6. 

While some of the affected products can be patched with updates, Hitachi Energy notes that UNEM R16A and UNEM R15A are end of life (EOL) and recommends that users upgrade to UNEM R16B PC4 or R15B PC5 in addition to applying recommended mitigations. 

Schneider Electric and Delta Electronics Vulnerabilities 

Schneider Electric’s vulnerabilities, primarily in HMI and control system software, highlight the challenges in securing operational technology (OT) interfaces.  

CVE-2024-11999 is an 8.7-rated Use of Unmaintained Third-Party Components vulnerability in Harmony HMI and Pro-face HMI automation components that could allow complete control of the device if an authenticated user installs malicious code into the HMI product. 

CVE-2024-10511 is an Improper Authentication vulnerability in PowerChute Serial Shutdown UPS management software. 

CVE-2024-8306 is an Improper Privilege Management vulnerability in Vijeo Designer HMI Configuration Software that could allow unauthorized access when non-admin authenticated users try to perform privilege escalation by tampering with the binaries. 

CVE-2024-8401is a Cross-site Scripting (XSS) vulnerability in EcoStruxure power monitoring and operation products. 

The three Delta Electronics vulnerabilities are all high-severity Remote Code Execution flaws tied to its DRASimuCAD design software: CVE-2024-12834, CVE-2024-12835 and CVE-2024-12836

Recommendations for Mitigating ICS Vulnerabilities  

Cyble recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  1. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  1. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

  1. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  1. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors

  1. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

  1. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post ICS Vulnerability Report: Hitachi Energy Network Management Flaw Scores a Perfect 10 appeared first on Cyble.

Blog – Cyble – ​Read More

New gadgets unveiled at CES 2025, and their impact on security | Kaspersky official blog

One of the world’s premier tech events traditionally takes place every year in Las Vegas in early January. Sure, the Consumer Electronics Show (CES) pays attention to cybersecurity, but by no means is it top of the agenda. Looking for a giant monitor or AI washing machine? You’re in luck! Smart home protection against hackers? Might have to shop around a bit…

We’ve picked out the top trending announcements at CES 2025, with a focus on what new cyberthreats to expect as the latest innovations hit the shelves.

NVIDIA Project DIGITS: your own mini supercomputer for running AI locally

NVIDIA founder Jensen Huang unveiled the company’s Mac-Mini-sized supercomputer to CES visitors. Powered by the GB10 Grace Blackwell “superchip” with a minimum 128 GB of memory, the device is capable of running large language models (LLMs) with 200 billion parameters. Connect two such computers, and you can run even larger models with up to 400 billion parameters! However, the US$3000 price tag will limit the buyer audience.

Cybersecurity aspect: running LLMs locally stops confidential information from leaking to OpenAI, Google Cloud, and other such services. Until now, this wasn’t very practical: on offer were either greatly simplified models that struggled to run on gaming computers, or solutions deployed on powerful servers in private clouds. “NVIDIA Project DIGITS” now made it easier for both small companies and wealthy hobbyists to run powerful local LLMs.

The GB10 Grace Blackwell superchip, 128 GB of RAM, and 4 TB of SSD storage make this NVIDIA offer a decent platform for a local neural network.

The GB10 Grace Blackwell superchip, 128 GB of RAM, and 4 TB of SSD storage make this NVIDIA offer a decent platform for a local neural network. Source

Roborock Saros Z70: a “handy” vacuum cleaner

The inability of robot vacuum cleaners to cope with stairs and other obstacles, including things lying around, greatly limits their usefulness. Roborock’s new model solves the latter issue with an extensible arm that picks up small and light objects from the floor.

Cybersecurity aspect: the Saros Z70’s object-rearranging ability is very limited, and Roborock has not been involved in any major cybersecurity scandals. So we’re unlikely to see any game-changing risks compared to existing vacuum cleaners. But later models or competitors’ products can theoretically be used in cyberphysical attacks such as burglary. For instance, researchers recently showed how to hack Ecovacs robot vacuums.

But the Saros Z70 is notable for more than just its mechanical hand. Another of its officially announced features is video surveillance. The vendor claims that camera footage never leaves the device, but we’ll believe that when we see it. After all, you’ll probably at least need a separate device to view the footage. The StarSight 2.0 system, due with a later software update, will let you train the robot to recognize specific household objects (for example, favorite toys) so that it can show where it last saw them on a map of your home. As to whether this handy feature works entirely on the device — or data about things in your home gets fed to the cloud — press releases are maintaining a tactful silence.

The Roborock Saros Z70 can lift and carry objects weighing up to 300 grams.

The Roborock Saros Z70 can lift and carry objects weighing up to 300 grams. Source

Bosch Revol: preying on parental fear

How did a baby rocker manage to take home the “Least private” mock award for gadgets at CES 2025, as judged by Electronic Frontier Foundation and iFixIt? The Bosch Revol Smart Crib not only automatically rocks the crib, but continuously collects video and audio data, while simultaneously scanning the baby’s pulse and breathing rate using millimeter-wave radar. It also monitors temperature, humidity and fine-particle pollution levels. The camera is equipped with object recognition to detect toys, blankets and other potentially dangerous objects near the infant’s face. All data is instantly streamed to a parental smartphone and to the cloud, where it remains.

Cybersecurity aspect: other vendors’ video baby monitors have been dogged by scandals, and hacked to conduct nasty pranks and spy on parents. In the case of the Revol, not only video, but medical data could end up in cybercriminal hands. When it comes to child and health-related tech, a cloud-free setup as part of a well-protected smart home is the way to go.

TP-Link Tapo DL130: in the same vein?

Among the many smart locks unveiled at CES 2025, it was TP-Link’s model that stood out for a feature that’s still quite rare — biometrics based not only on face/fingerprint recognition, but also on palm veins matching. Simply wave your hand in front of the sensor, and the system will identify you as the owner with high accuracy. Unlike more common biometric factors, this method doesn’t depend on lighting conditions, and works well even with wet and dirty hands. Plus, it’s more difficult to fake.

Cybersecurity aspect: smart locks can be integrated into your home network and interact with your smart home (such as Alexa or Google Home), which creates a wide cyberattack surface. Given the numerous critical vulnerabilities in other TP-Link equipment, there’s a risk that flaws in smart locks will allow attackers to open them in unconventional ways.

Security researchers are sure to put TP-Link's smart lock under the microscope once it goes on sale.

Security researchers are sure to put TP-Link’s smart lock under the microscope once it goes on sale. Source

Google Home + Matter: a cloud-free sky home

A major update to Google’s smart home hubs means they can now control curtains, sockets, light bulbs and other devices via the Matter protocol without connecting to a cloud server. At the heart of your smart home can be a Google Nest — an Android 14 smart TV or even a Chromecast device. Tell Google Assistant to “switch on the bedroom light”, and the command will be carried out even without an internet connection, and with minimal delay.

If a staunch advocate of a cloud-based future like Google has implemented such offline scenarios, the demand for such functionality must be huge.

Cybersecurity aspect: local control of your smart home reduces the risk of compromise and improves privacy — less data about what goes on in your home will leak to equipment vendors.

Halliday Glasses: improve your AI-sight

We chose Halliday AR glasses for the innovative image projection system that makes them lighter and more compact — though our takeaways also apply to dozens of other smart glasses presented at CES 2025. While some models address a simple and specific issue — such as combining glasses with a hearing aid or serving as a near-eye display for computer users on board a plane — quite a few of them come equipped with an AI assistant, camera, ChatGPT integration, and other features that potentially can be used to spy on you. They’re used for live translation, teleprompting and other productivity-boosting tasks.

Cybersecurity aspect: all AI features involve shifting large amounts of data to the makers’ servers for processing, so local AI in glasses is still a long way off. But unlike with computers and smartphones, the voices, photos and videos of all those around you will be included in the information flow generated by the glasses. From an ethical or legal standpoint, wearers of such glasses may have to continuously ask permission from everyone around to record them. And those who don’t want to pose for Sam Altman should look out for wearers of smart glasses among their peers.

Sony Honda AFEELA: I feel it’s going to be driving by subscription

This luxury electric car from two Japanese giants is available to preorder — but only to California residents and with rollout scheduled for 2026 or later. Nevertheless, the Japanese vision could become the envy even of Google: the price of the vehicle includes a “complimentary three-year subscription” to a variety of in-car features, including Level 2+ ADAS driver-assist and an AI-powered personal assistant, and a choice of interactive car design and entertainment features such as augmented reality and “virtual worlds”.

At the CES 2025 demonstration, the car was summoned onstage by the voice command “Come on out, Afeela” — but it remains unclear whether this handy feature will be available to drivers.

Cybersecurity aspect: we’ve spotlighted the risks and vulnerabilities of “connected” cars many times. Whether manufacturers will be able to keep the security bar high, not only for vehicles, but also for telematics systems (especially critical if smart driving becomes subscription-based), is a big question for the future. Those who don’t like the idea of their car suddenly turning into an iron pumpkin pending a software update or after a cyberattack are advised to refrain from splashing out… at least for another decade or so.

BenjiLock: a biometric padlock

Now you can lock up your bike (or barn or whatever) without memorizing a code or carrying around a key. As the name suggests, the BenjiLock Outdoor Fingerprint Padlock is a padlock that stores and recognizes fingerprints — up to ten of them. No smartphone or Wi-Fi required, all the magic happens inside the lock itself. The device is resistant to both moisture and dust, and (according to the manufacturer) works on one charge for up to a year.

Cybersecurity aspect: only real-world tests can prove resistance to old-school lock picking and inexpensive fingerprint faking. Smart locks are often vulnerable to both.

Kaspersky official blog – ​Read More

Malware Trends Overview Report: 2024

2024 has been an eventful year in the world of cybersecurity, with new trends emerging and malware families evolving at an alarming rate. Our analysis highlights the most prevalent malware families, types, and TTPs of the year, giving you a snapshot of the changing threat landscape. 

The number of sandbox sessions in ANY.RUN has grown by 33% in 2024

This report is based on the analysis of 4,001,036 public sessions conducted by ANY.RUN’s community inside the Interactive Sandbox over the last 12 months, which is 1 million more than the 2,991,551 sessions in 2023. Of these, 790,549 were tagged as malicious and 211,517 as suspicious, reflecting a rise in suspicious activity compared to the 148,124 suspicious sessions identified in 2023. 

ANY.RUN identified an astonishing 1,872,273,168 IOCs in 2024—nearly three times more than the 640,158,713 IOCs uncovered in 2023. This sharp growth highlights not only the expanding use of the platform but also the improved threat coverage and detection capabilities of ANY.RUN

Top Malware Types in 2024 

In 2024, Stealers dominated with 51,291 detections, marking a significant rise compared to 2023, when they were in second place with just 18,290 detections. This highlights their growing popularity among attackers for data theft. 

Loaders moved to second place in 2024 with 28,754 detections, a slight increase from their leading position in 2023, where they accounted for 24,136 detections. Despite the shift, Loaders remain a critical component in delivering malware payloads. 

RATs (Remote Access Trojans) maintained their third position but saw an increase from 17,431 detections in 2023 to 24,430 detections in 2024, reflecting their continued importance in providing attackers remote control over compromised systems. 

Stealers made a jump from the second spot in 2023 to being the most common malware type in 2024
# Type Detections
1 Stealer 51,291
2 Loader 28,754
3 RAT 24,430
4 Ransomware 21,434
5 Keylogger 8,119
6 Trojan 6,156
7 Miner 5,803
8 Adware 4,591
9 Exploit 4,271
10 Backdoor 2,808

To collect fresh threat intelligence on emerging cyber threats, make sure to use TI Lookup, a service that lets you search ANY.RUN’s vast database of the latest threat data.

Search results in TI Lookup for RAT malware targeting users in Colombia

It features over 40 search parameters, including IPs, mutexes, and even YARA rules, allowing you to pin the tiniest artifacts to specific malware and phishing attacks and enrich your TI with additional context and actionable indicators.

Learn more about Threat Intelligence Lookup →


Enrich your threat knowledge with TI Lookup

Enrich your threat knowledge with TI Lookup

Learn about TI Lookup and its capabilities to see how it can contribute to your company’s security



Top Malware Families in 2024 

In 2024, Lumma Stealer jumped straight to the top with 12,655 detections, taking over the ranking from nowhere as it wasn’t seen in the 2023 report. Its rapid rise shows how quickly cybercriminals have adopted it. 

Agent Tesla moved up to second place in 2024 with 8,443 detections, compared to 4,215 detections in 2023 when it was in third place. Its continued presence shows it remains a go-to choice for attackers. 

AsyncRAT claimed third place in 2024 with 8,257 detections, while in 2023, Redline was the most popular malware family with 9,205 detections, and Remcos followed with 4,407 detections. 

Lumma dominated the threat landscape in 2024
# Name Detections
1 Lumma 12,655
2 Agent Tesla 8,443
3 AsyncRAT 8,257
4 Remcos 8,004
5 Stealc 7,653
6 Xworm 7,237
7 Redline 7,189
8 Amadey 5,902
9 Snake 4,304
10 njRAT 3,522

With TI Lookup, you can track all of these and other malware families and stay updated on their evolving infrastructure. Here is an example of a request to TI Lookup to find Lumma domains:

TI Lookup can provide you with auto updates on specific queries

The service provides a list of relevant domain names used by the malware. Many of them are marked with the malconf tag, indicating that these domains were extracted from Lumma samples’ configurations.

Get 50 free search requests to test TI Lookup 



Contact us


Top MITRE ATT&CK Techniques in 2024 

The MITRE ATT&CK framework is a globally recognized resource that breaks down how attackers operate, mapping their tactics and techniques into clear categories. It’s an invaluable tool for cybersecurity professionals to understand and respond to threats effectively. 

2024 results show an increase in the abuse of PowerShell by attackers

In 2024, ANY.RUN recorded over 1.4 million matches to ATT&CK techniques, a noticeable increase from 1.2 million matches in 2023.  

The rankings saw some significant changes: Masquerading (T1036.005), the top technique in 2023 with 486,058 matches, was overtaken in 2024 by PowerShell (T1059.001) and CMD (T1059.003), which led the list with 162,814 and 148,443 matches, respectively. 

In 2024, new techniques appeared that were absent in 2023, including Python scripting (T1059.004) with 50,002 matches, System Checks for Sandbox Evasion (T1497.001) with 47,630 matches, and Linux Permissions Modification (T1222.002) with 38,760 matches. 

Rank  Technique ID  Technique Name  Detections
T1059.001  Command and Scripting Interpreter: PowerShell  162,814
T1059.003  Command and Scripting Interpreter: Windows CMD  148,443 
T1497.003  Virtualization/Sandbox Evasion: Time-Based  134,260 
T1036.003  Masquerading: Rename System Utilities  126,008 
T1562.002  Impair Defenses: Disable Antivirus Tools  122,256 
T1218.011  System Binary Proxy Execution: Rundll32  86,760 
T1114.001  Email Collection: Local Email Collection  85,546 
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys  73,842 
T1053.005  Scheduled Task/Job: Scheduled Task  68,423 
10  T1569.002  System Services: Service Execution  51,345 
11  T1059.004  Command and Scripting Interpreter: Python  50,002 
12  T1036.005  Masquerading: Match Legitimate Name or Location  49,031 
13  T1497.001  Virtualization/Sandbox Evasion: System Checks  47,630 
14  T1543.002  Create or Modify System Process: Windows Service  39,231 
15  T1053.006  Scheduled Task/Job: Cron  39,228 
16  T1222.002  File and Directory Permissions Modification: Linux  38,760 
17  T1566.002  Phishing: Spearphishing Link  35,272 
18  T1059.005  Command and Scripting Interpreter: Visual Basic  27,213 
19  T1562.001  Impair Defenses: Disable or Modify Tools  24,133 
20  T1222.001  File and Directory Permissions Modification: Windows  19,275 

Top TTPs highlights: 

  • Scripting Dominance (T1059.001 & T1059.003): 
    PowerShell and Windows CMD remain the top tools for attackers, with over 310,000 detections combined. Their flexibility and integration with systems make them ideal for executing malicious commands. Monitoring script activity and implementing strict execution policies are critical defenses. 
  • Evasion Tactics on the Rise (T1497.003 & T1036.003): 
    Sandbox evasion through time-based delays (134,260 detections) and masquerading via renamed system utilities (126,008 detections) highlight attackers’ focus on stealth. Behavioral analysis and anomaly detection can help counter these techniques. 
  • Targeting Defenses (T1562.002): 
    Disabling antivirus tools was detected 122,256 times in 2024, showcasing its effectiveness for attackers. Organizations must invest in layered defenses that can identify and respond to tampering attempts in real-time. 
  • Exploiting System Services (T1569.002 & T1218.011): 
    Adversaries frequently used system services like Rundll32 (86,760 detections) and service execution (51,345 detections) to execute malicious code while blending into normal operations.  
  • Phishing and Email Collection (T1114.001 & T1566.002): 
    Techniques like local email collection (85,546 detections) and spearphishing links (35,272 detections) remained effective, especially in targeted attacks. Robust email filtering and user training remain vital for reducing these risks. 

Report Methodology 

This report is built on insights from 4,001,036 tasks submitted to our public threat database in 2024. Each task represents the hard work and curiosity of our community of researchers, who used ANY.RUN to uncover threats and analyze malware.  

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s products →

The post Malware Trends Overview Report: 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Legitimate Chrome extensions are stealing Facebook passwords

Right after Christmas, news broke of a multi-stage attack targeting developers of popular Chrome extensions. Ironically, the biggest-name target was a cybersecurity extension created by Cyberhaven — compromised just before the holidays (we’d previously warned about such risks). As the incident investigation unfolded, the list grew to include no fewer than 35 popular extensions, with a combined total of 2.5 million installations. The attackers’ goal was to steal data from the browsers of users who installed trojanized updates of these extensions. The focus of the campaign was on stealing credentials for Meta services to compromise business accounts and display ads at victims’ expense. However, that’s not the only data that malicious extensions can steal from browsers. We explain how the attack works, and what measures you can take to protect yourself against it at different stages.

Attacking developers: OAuth abuse

To inject trojan functionality into popular Chrome extensions, cybercriminals have developed an original phishing scheme. They send developers emails disguised as standard Google alerts claiming that their extension violates Chrome Web Store policies and needs a new description. The text and layout of the message mimic typical Google emails, so the victim is often convinced. Moreover, the email is often sent from a domain set up to attack a specific extension and containing the name of the extension in the actual domain name.

Clicking the link in the email takes the user to a legitimate Google authentication page. After that, the developer sees another standard Google screen prompting to sign in via OAuth to an app called “Privacy Policy Extension”, and to grant certain permissions to it as part of the authentication process. This standard procedure takes place on legitimate Google pages, except that the “Privacy Policy Extension” app requests permission to publish other extensions to the Chrome Web Store. If this permission is granted, the creators of “Privacy Policy Extension” are able to publish updates to the Chrome Web Store on behalf of the victim.

In this case, there’s no need for the attackers to steal the developer’s password or other credentials, or to bypass multi-factor authentication (MFA). They simply abuse Google’s system for granting permissions to trick developers into authorizing the publication of updates to their extensions. Judging by the long list of domains registered by the attackers, they attempted to attack far more than 35 extensions. In cases where the attack was successful, they released an updated version of the extension, adding two files for stealing Facebook cookies and other data (worker.js and content.js).

Attacking users

Chrome extensions typically receive updates automatically, so users who switched on their machines between December 25 and December 31, and opened Chrome, may have received an infected update of a previously installed extension.

In this event, a malicious script runs in the victim’s browser and sends data needed for compromising Facebook business accounts to the attackers’ server. In addition to Facebook identifiers and cookies, the malware steals information required to log in to the target’s advertising account, such as the user-agent data to identify the user’s browser. On facebook.com, even mouse-click data is intercepted to help the threat actors bypass CAPTCHA and two-factor authentication (2FA). If the victim manages ads for their company or private business on Meta, the cybercriminals get to spend their advertising budget on their own ads — typically promoting scams and malicious sites (malvertising). On top of the direct financial losses, the targeted organization faces legal and reputational risks, as the fake ads are published under its name.

The malware can conceivably steal data from other sites too, so it’s worth checking your browser even if you don’t manage Facebook ads for a company.

What to do if you installed an infected extension update

To stop the theft of information from your browser, the first thing you need to do is to uninstall the compromised extension or update it to a patched version. See here for a list of all known infected extensions with their current remediation status. Unfortunately, simply uninstalling or updating the infected extension is not enough. You should also reset any passwords and API keys that were stored in the browser or used during the incident period.

Then, check the available logs for signs of communication with the attackers’ servers. IoCs are available here and here. If communication with malicious servers was made, look for traces of unauthorized access in all services that were opened in the infected browser.

After that, if Meta or any other advertising accounts were accessed from the infected browser, manually check all running ads, and stop any unauthorized advertising activity you find. Lastly, deactivate any compromised Facebook account sessions on all devices (Log out all other devices), clear the browser cache and cookies, log in to Facebook again, and change the account password.

Incident takeaways

This incident is another example of supply-chain attacks. In the case of Chrome, it’s made worse by the fact that updates are installed automatically without notifying the user. While updates are usually a good thing, here the auto-update mechanism allowed malicious extensions to spread quickly. To mitigate the risks of this scenario, companies are advised to do the following:

  • Use group policies or the Google Admin console to restrict the installation of browser extensions to a trusted list;
  • Create a list of trusted extensions based on business needs and information security practices used by the developers of said extensions;
  • Apply version pinning to disable automatic extension updates. At the same time, it’ll be necessary to put in place a procedure for update monitoring and centralized updating of approved extensions by administrators;
  • Install an EDR solution on all devices in your organization to protect against malware and monitor suspicious events.

Companies that publish software, including web extensions, need to ensure that permission to publish is granted to the minimum number of employees necessary — ideally from a privileged workstation with additional layers of protection, including MFA and tightly configured application launch control and website access. Employees authorized to publish need to undergo regular information security training, and be familiar with the latest attacker tactics, including spear phishing.

Kaspersky official blog – ​Read More

YARA Rules: Cyber Threat Detection Tool for Modern Cybersecurity

Every ticking second is a chance for cyber threats to creep in. 

For businesses, the stakes couldn’t be higher. One malicious email opened by an employee, and the malware can spread across office computers faster than mushrooms after rain. The consequences? Lost data, financial damage, and a hit to your company’s reputation. 

To stop these threats before they cause harm, businesses need to stay prepared. 

This is where YARA rules come in. They help cybersecurity teams to detect potential threats, simplify the process, and deliver clear, actionable insights to fight back against potential dangers. 

In this article, we’ll dive into the crucial role of YARA rules, how they work, and how their integration into ANY.RUN’s sandbox helps teams to detect and handle cyber threats with confidence and efficiency. 

What Are YARA Rules?

Just as a lighthouse guides sailors safely past hidden rocks and treacherous waters, YARA rules guide cybersecurity professionals by identifying malicious patterns and offering a clear signal amidst the noise of potential threats. 

YARA, funnily enough, stands for Yet Another Ridiculous Acronym. However, its actions are far more serious than its name suggests. YARA rules play a critical role in cybersecurity, helping professionals identify and classify malware by matching patterns in files, processes, or even memory. 

At its core, YARA is a rule-based system that scans for specific characteristics, like unique strings or byte sequences, that are commonly found in malicious software. Think of it as a highly specialized filter that can sift through data to pinpoint potential threats with precision and speed. 

How YARA Helps Organizations Detect Cyber Threats 

YARA simplifies threat detection by identifying malicious patterns in files, processes, and memory with precision. It automates the scanning process, reducing the need for manual analysis and speeding up response times.  

The beauty of YARA lies in its adaptability. Organizations can customize rules to target specific threats or emerging malware families, ensuring their defenses evolve alongside the threat landscape.  

Combined with the real-time capabilities of ANY.RUN’s sandbox, this framework not only detects threats but also helps businesses understand their behavior, enabling them to mitigate risks before serious damage occurs. 

Main benefits of YARA rules in organizations: 

  • Quickly identify threats, reducing the time spent on manual analysis. 
  • Tailored to detect specific malware families or new attack patterns. 
  • Minimize false positives and improve detection accuracy. 
  • Streamline the scanning process, saving resources and improving efficiency. 
  • Reduce the financial impact of cybersecurity breaches by catching threats early. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



How does YARA work? 

YARA operates as a powerful pattern-matching tool that scans files, processes, or memory dumps for specific characteristics. At its core, it relies on rules, predefined sets of instructions that describe what YARA should look for and under what conditions it should flag something as suspicious. 

Here’s how the main process works: 

  1. Creating rules: The first step in using YARA is to create a rule. A rule defines the patterns or conditions YARA will look for in the data.  
  2. Scanning the target: Once the rules are defined, YARA scans the target data, this could be a file, a process, or even a memory dump. During the scan, YARA compares the data against the strings and conditions outlined in the rules. 
  3. Matching patterns: If YARA identifies patterns in the data that match those defined in the rule, it triggers a match. For example, if a rule is designed to detect ransomware, it might flag a file containing encryption-related commands or unique file headers used by ransomware families. 
  4. Flagging threats: When a match occurs, YARA provides a detailed report of the findings. This includes information about the matched rule, the specific patterns detected, and where they were found in the data. 
  5. Providing insights: The output from YARA gives cybersecurity teams actionable insights. These insights help analysts decide whether the flagged file or process is malicious and what steps to take next. 

YARA Elements You Should Know

YARA rules are made up of several essential components, each playing a critical role in detecting and classifying malware. To better understand how YARA works, let’s break down its key elements and examine an example. 

Meta section 

The meta section provides descriptive information about the rule. This includes details like the author, creation date, a brief description of the rule’s purpose, and additional contextual data. While it doesn’t affect the execution of the rule, it helps organize and document it for future use. 

Strings section

This section contains the patterns the rule will search for in files or processes. These patterns can include: 

  • Text strings: Words or phrases often found in malicious code. 
  • Hexadecimal sequences: Byte-level patterns unique to malware. 
  • Regular expressions: For advanced matching of dynamic content. 

Condition section 

The condition section defines the logic that determines when the rule will trigger. It specifies the criteria for matching patterns, such as requiring a minimum number of matches from the strings section or looking for specific file characteristics. 

Real-World Example of YARA Rule 

Below is an example of a YARA rule created to detect the Sakula malware family. It shows how each element works together to flag potential threats: 

rule Sakula {    
   meta:        
   author = "ANY.RUN"        
   date = "2024-12-11"        
   description = "Detects Sakula samples"        
   family = "Sakula"        
   sample1= "https://app.susp.io/tasks/3c4f4b5e-7254-4fb4-a31e-4617b03110b1"        
   sample2= "https://app.susp.io/tasks/5722f2e3-64fc-49a4-beac-600c992ab765"        
   hash1 = "5de4e79682120f5b115eea30ce2da200df380f6256f03e38d3692a785f06fd64"    
   hash2 = "a9430482e5695c679f391429c7f7a6d773985f388057e856d50a54d1b19f463b"    
strings:        
   $s1 = "%d_of_%d_for_%s_on_%s"        
   $s2 = "/c ping 127.0.0.1 & del "%s""        
   $s3 = "/c ping 127.0.0.1 & del /q "%s""        
   $s4 = "cmd.exe /c rundll32 "%s""        
   $s5 = "I'm a virus. My name is sola" ascii        
   $s6 = "Local\SM0:%d:%d:%hs" wide        
   $s7 = "Vxzruua/5.0" ascii        
   $s8 = "MicroPlayerUpdate.exe" ascii         
   $s9 = "CCPUpdate" ascii        
   $s10 = "Self Process Id:%d" ascii        
   $op1 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }        
   $op2 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }    
condition:        
   uint16(0) == 0x5a4d and        
   (4 of ($s*) or         
   any of ($op*))}

Let’s highlight some of the key elements in this rule:

Meta

  • author = “ANY.RUN”: Indicates the creator of the rule. 
  • date = “2024-12-11”: Specifies when the rule was written, useful for tracking its relevance. 
  • description = “Detects Sakula samples”: Explains the rule’s purpose—targeting Sakula malware. 
  • family = “Sakula”: Categorizes the malware family the rule focuses on. 
  • sample1, sample2: Links to Sakula malware samples used for testing and refining the rule. 
  • hash1, hash2: Cryptographic hashes uniquely identifying the malware samples analyzed.

Strings

  • $s6 = “Local\SM0:%d:%d:%hs” wide
    This is a wide string (Unicode) that includes placeholders for integers (%d) and a short string (%hs).
  • $op1 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
    This is a hexadecimal byte sequence that represents a specific operation or function in the malware.

Condition

  • uint16(0) == 0x5a4d:
    This condition checks if the first two bytes of the file are 0x5a4d, which is the signature for a Windows PE (Portable Executable) file.
  • (4 of ($s) or any of ($op))**:
    This condition checks if at least 4 of the strings ($s1 to $s9) are found in the file, or if any of the hexadecimal byte sequences ($op1 or $op2) are found in the file.  

See YARA in Action 

To better understand how this YARA rule detects Sakula malware, you can observe its behavior in real time using ANY.RUN’s Interactive Sandbox.

View analysis session 

Sakula malware detected by YARA inside ANY.RUN sandbox

This analysis session showcases the malware’s activity and how the rule effectively identifies its patterns.  

Analyze malware and phishing
with ANY.RUN’s Interactive Sandbox 



Sign up free


ANY.RUN’s interactive sandbox is a dynamic environment where cybersecurity teams can analyze files and observe their behavior in real time. Unlike traditional sandboxes, ANY.RUN lets users interact with the malware, providing deeper insights and faster results. 

YARA is an inseparable part of this process. By integrating YARA rules into the sandbox, ANY.RUN identifies malicious patterns in files and processes with precision and speed. 

ANY.RUN experts are constantly adding new YARA rules to the core of our malware sandbox, making the analysis process faster and saving security teams loads of time.  

You can easily upload any suspicious file or link into the sandbox, and during the analysis, YARA rules will kick in. If there’s malware hiding in your file or link, the sandbox will spot it for you. 

For example, after analyzing the following sample in the ANY.RUN sandbox, the process fgfkjsh.exe was flagged as malicious with the “MassLogger” tag.

Malicious file detected by ANY.RUN sandbox 

By clicking on the process located on the right side of the screen, the sandbox displays the message “MASSLOGGER has been detected (YARA).” 

Masslogger has been detected by YARA rule

But note that YARA isn’t working alone: ANY.RUN’s sandbox also uses Suricata rules to make detections even sharper.  

Discover more about Suricata rules and how they complement YARA in this detailed article: Detection with Suricata IDS 

YARA Search in TI Lookup 

YARA rules aren’t just limited to the sandbox: they’re also available in ANY.RUN’s Threat Intelligence (TI) Lookup. This tool lets you search a massive database of malware artifacts using YARA rules, helping you find connections between known threats and your own files. 

It’s perfect for teams handling big datasets or looking to spot trends in cyber threats. By combining YARA’s precision with the power of the sandbox and TI Lookup, ANY.RUN gives businesses a complete solution to fight back the evolving threats. 

Check out this video on YARA Search in TI Lookup.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post YARA Rules: Cyber Threat Detection Tool for Modern Cybersecurity appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Cyble Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Overview

Fortinet has disclosed a critical authentication bypass vulnerability affecting FortiOS and FortiProxy systems, identified as CVE-2024-55591. With a CVSS score of 9.6, this vulnerability allows unauthenticated attackers to execute unauthorized code or commands, granting them “super-admin” privileges.

The exploitation of this vulnerability has already been observed “in the wild,” stressing the urgency for affected organizations to act immediately.

Key Details

Vulnerability Summary

CVE-2024-55591 arises from a flaw in the Node.js websocket module, specifically within FortiOS and FortiProxy, where an alternate path or channel can bypass authentication mechanisms (CWE-288). This allows remote attackers to gain administrative access and compromise device configurations.

Affected Products

The vulnerability impacts specific versions of FortiOS and FortiProxy:

  • FortiOS 7.0: Versions 7.0.0 through 7.0.16
  • FortiProxy 7.0: Versions 7.0.0 through 7.0.19
  • FortiProxy 7.2: Versions 7.2.0 through 7.2.12

Unpatched systems are vulnerable to unauthorized access and subsequent exploitation.

Indicators of Compromise (IoCs)

Organizations are advised to monitor for the following IoCs to detect potential compromise:

Log Entries

  • Admin Login Events

  • Log Message: Successful login from the “jsconsole” interface with “super-admin” privileges.
  • Example: type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Admin login successful” sn=”1733486785″ user=”admin” ui=”jsconsole” method=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” reason=”none” profile=”super_admin” msg=”Administrator admin logged in successfully from jsconsole”
  • Admin Account Creation

  • Log Message: Creation of admin accounts with random usernames from suspicious IPs.
  • Example: type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Object attribute configured” user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add” cfgtid=1411317760 cfgpath=”system.admin” cfgobj=”vOcep” cfgattr=”password[*]accprofile[super_admin]vdom[root]” msg=”Add system.admin vOcep”

Common IP Addresses Usernames Used by Threat Actors

  • Frequent IPs:
    • 1.1.1.1
    • 2.2.2.2
    • 8.8.8.8
    • 45.55.158.47 [most used IP address]
    • 87.249.138.47

  • Admin/Usernames Created by Threat Actors:
    Randomly generated usernames have been observed, such as:
    • Gujhmk
    • Ed8x4k
    • G0xgey
    • Pvnw81
    • Alg7c4
    • Ypda8a
    • Kmi8p4
    • 1a2n6t
    • 8ah1t6
    • M4ix9f

Threat Actor Activity

Post-exploitation, attackers typically perform the following actions:

  1. Create admin accounts with elevated privileges.
  2. Add local users to existing SSL VPN user groups.
  3. Alter firewall policies to enable unauthorized network access.
  4. Use compromised SSL VPN accounts to establish tunnels into internal networks.

These actions allow lateral movement within the network, further compromising critical assets.

Mitigation Recommendations

Patch Management

Upgrade to Secure Versions:

  • FortiOS: Upgrade to 7.0.17 or higher.
  • FortiProxy: Upgrade to 7.0.20 or higher.
    Use Fortinet’s Upgrade Tool for guidance.

Access Control

  1. Disable HTTP/HTTPS Administrative Interfaces:
    Prevent unauthorized access by disabling external administrative interfaces.
  2. Restrict Access with Local-In Policies:
    Limit administrative access to trusted IP addresses using local-in policies.
    • Configure firewall address and groups for allowed IPs.
    • Apply local-in policies to restrict management interface access.

Monitoring and Detection

  1. Audit Logs:
    Continuously monitor system logs for anomalous login activities, suspicious IP addresses, and unauthorized account creations.
  2. Threat Intelligence Integration:
    Leverage threat intelligence feeds to stay updated on IoCs and adversarial tactics.

Incident Response

  1. Immediate Actions on Compromise:
    • Remove unauthorized accounts and reset passwords for all administrative and local users.
    • Revert unauthorized firewall and VPN configuration changes.
    • Isolate compromised devices from the network and conduct forensic analysis.

  2. Strengthen VPN Security:
    • Change SSL VPN ports to non-default values.
    • Implement multi-factor authentication (MFA) for all VPN users.

Workarounds

If patching is not immediately feasible, the following steps can temporarily mitigate risks:

  1. Restrict Administrative Access:
    Use local-in policies to limit management interface access to trusted IPs.
  2. Modify SSL VPN Ports:
    Configure custom ports for SSL VPN and HTTPS interfaces to avoid default port exploitation.
  3. Enable Trusthost Feature:
    Apply the trusthost feature to restrict access only to predefined IP ranges.

Conclusion

Organizations leveraging Fortinet solutions must act promptly to secure their infrastructure against CVE-2024-55591exploitation, leveraging patches, access restrictions, and continuous monitoring to detect and mitigate potential attacks. Proactively implementing these measures not only reduces the attack surface but also strengthens overall network security against advanced threat actors.

References:

https://www.fortiguard.com/psirt/FG-IR-24-535

https://docs.fortinet.com/upgrade-tool

The post Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security appeared first on Cyble.

Blog – Cyble – ​Read More

Slew of WavLink vulnerabilities

Slew of WavLink vulnerabilities

Lilith >_> of Cisco Talos discovered these vulnerabilities. 

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. 

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

Static login vulnerability 

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.  

Static Login 

Ten .cgi vulnerabilities 

An unauthenticated HTTP request can trigger the following types of vulnerabilities: 

touchlist_sync.cgi 

Login.cgi 

internet.cgi 

firewall.cgi 

adm.cgi 

wireless.cgi 

usbip.cgi 

qos.cgi 

openvpn.cgi 

nas.cgi 

Three .sh vulnerabilities 

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw_check.sh and update_filter_url.sh vulnerabilities. 

testsave.sh 

fw_check.sh 

update_filter_url.sh 

 

Cisco Talos Blog – ​Read More

Australia Launches ‘Countering Foreign Interference’ Initiative to Safeguard Sovereignty and Democracy

Cyble Australia Launches ‘Countering Foreign Interference’ Initiative to Safeguard Sovereignty and Democracy

Overview

Foreign interference poses a persistent and evolving threat to Australia’s sovereignty, democracy, and national interests. Recognizing the critical importance of addressing these risks, the Australian Government has launched the “Countering Foreign Interference in Australia: Working Together Towards a More Secure Australia” initiative.

This comprehensive strategy outlines measures to identify, mitigate, and prevent foreign interference while empowering individuals and organizations to protect themselves.

Defining Foreign Interference

Foreign interference encompasses activities conducted on behalf of foreign powers that pose threats to individuals, infrastructure, or institutions. Unlike foreign influence, which operates transparently, foreign interference relies on clandestine, deceptive, and harmful methods to undermine Australia’s interests, the Australian Department of Home Affairs said.

Key Targets of Foreign Interference

  • Individuals: Members of diaspora communities are often coerced, intimidated, or manipulated to serve foreign interests.
  • Infrastructure and Institutions: Critical infrastructure, democratic processes, and national security systems are frequently targeted for control or disruption.
  • Information: Foreign actors steal, manipulate, or fabricate data to influence public opinion or gain strategic advantages.

The Scale of the Threat

The Director-General of Security Mike Burgess had earlier warned that espionage and foreign interference represent Australia’s principal security concerns. “If we had a threat level for espionage and foreign interference it would be at CERTAIN – the highest level on the scale. The threat is now. And the threat is deeper and broader than you might think.”

The Director-General’s comments indicated that more Australians are being targeted than ever before. Failure to counteract these activities risks long-term consequences, including undermining democratic values, economic prosperity, and social cohesion.

Key Sectors at Risk

  • Communities: Members of diaspora communities are particularly vulnerable to threats such as surveillance, harassment, and coercion. Foreign actors often exploit these individuals to advance their agendas.

Example: Protesters advocating against foreign regimes may face harassment or threats to their families abroad.

  • Democratic Institutions: Electoral processes and political systems are primary targets. Foreign actors may attempt to sway election outcomes, corrupt officials, or spread disinformation to erode public confidence.

Example: Covertly influencing campaign donations to push policies favorable to foreign interests.

  • Higher Education and Research: Universities and research institutions face risks such as intellectual property theft, academic coercion, and undue influence over curricula.

Example: Recruitment of academics by foreign entities to redirect research toward military or commercial objectives.

  • Industry: Joint ventures, supply chain manipulation, and intellectual property theft threaten Australia’s economic resilience and defense capabilities.

Example: Hidden affiliations in joint ventures exposing Australian companies to espionage.

  • Media and Communications: Foreign actors undermine independent media through disinformation, censorship, and recruitment of journalists, eroding trust and spreading propaganda.

Example: Influencing editorial decisions to align with foreign narratives, reducing transparency in public discourse.

Government Initiatives to Counter Foreign Interference

The Australian Government has adopted a multi-faceted approach to mitigate risks and strengthen resilience:

Legislative Framework

  • Criminal Code Act 1995: Criminalizes foreign interference with penalties of up to 20 years imprisonment.
  • Foreign Influence Transparency Scheme: Mandates registration of activities conducted on behalf of foreign principals.
  • Foreign Investment Framework: Reviews foreign investments to ensure they align with national interests.
  • Security of Critical Infrastructure Act 2018: Establishes legal obligations for safeguarding critical assets.

Additional Measures

  • Counter Foreign Interference Taskforce (CFI Taskforce): Led by ASIO and AFP, this taskforce identifies, assesses, and disrupts acts of foreign interference.
  • Counter Foreign Interference Coordination Centre (CFICC): Coordinates whole-of-government efforts and provides leadership on policy and outreach.
  • University Foreign Interference Taskforce (UFIT): Protects academic institutions from coercion and intellectual property theft.
  • Technology Foreign Interference Taskforce (TechFIT): Collaborates with the technology sector to address interference in critical technologies.
  • Electoral Integrity Assurance Taskforce (EIAT): Ensures the integrity of federal electoral events against foreign threats.

What Individuals and Organizations Can Do

The Australian Government stressed on the shared responsibility in countering foreign interference. Individuals and organizations must take proactive steps to safeguard their interests:

For Individuals

  • Report suspicious activities to the National Security Hotline (1800 123 400).
  • Practice cyber hygiene, such as using strong passwords and verifying online information sources.
  • Be vigilant about coercion or recruitment attempts, especially online or in professional settings.

For Organizations

  • Strengthen cybersecurity measures and report incidents to the Australian Cyber Security Centre (ACSC).
  • Conduct due diligence in partnerships, including verifying affiliations and reviewing intellectual property agreements.
  • Monitor insider threats and implement workforce screening and ethics frameworks.

Practical Tools

  • NITRO Portal: A secure reporting mechanism for businesses and research institutions to flag concerns about foreign interference.

Strengthening Partnerships

Australia’s coordinated response involves collaboration across government, industry, and international allies. By fostering partnerships and sharing intelligence, Australia aims to:

  • Raise the costs of foreign interference for adversaries.
  • Enhance the resilience of critical sectors.
  • Build public awareness about the threats and protective measures.

Conclusion

Foreign interference poses a significant challenge to Australia’s democratic integrity, national security, and social fabric. The launch of “Countering Foreign Interference in Australia” demonstrates the government’s commitment to addressing these threats through robust legislation, strategic initiatives, and public engagement.

By working together, individuals, organizations, and the government can mitigate risks, ensure resilience, and safeguard Australia’s future. Reporting suspicious activities, adopting best practices, and fostering a culture of vigilance are critical components of this collective effort to counter foreign interference effectively.

References:

https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/countering-foreign-interference

https://www.homeaffairs.gov.au/nat-security/files/cfi-australia.pdf

The post Australia Launches ‘Countering Foreign Interference’ Initiative to Safeguard Sovereignty and Democracy appeared first on Cyble.

Blog – Cyble – ​Read More

Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities

Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”  

One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

Another notable remote code execution vulnerability in Window Object Linking and Embedding (OLE) was also patched this month. This vulnerability, CVE-2025-21298, is a critical remotely exploitable vulnerability that can be triggered by sending a malicious email to a victim running a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and can be triggered when the victim previews the malicious email. This vulnerability has been assigned a CVSS 3.1 score of 9.8. Microsoft recommends disabling RTF as mitigation for this vulnerability. 

CVE-2025-21294 is a critical vulnerability in Microsoft Digest Authentication that affects multiple versions of Windows and Windows Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. To exploit this vulnerability, an attacker would need to win a race condition. 

CVE-2025-21295 is a critical remote code execution vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and does not require user interaction for successful exploitation.  

CVE-2025-21296 is a critical remote code execution vulnerability in BranchCache. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft assesses that an attacker would need to be on the same network to successfully exploit this vulnerability.  

CVE-2025-21297 is another critical remote code execution vulnerability in Windows Remote Desktop Services. Microsoft has assessed that this vulnerability is “less likely to be exploited” and that it would require an attacker to win a race condition for exploitation to be successful. This vulnerability affects multiple versions of Windows Server.  

CVE-2025-21298 is a critical remote code execution vulnerability in Windows Object Linking and Embedding (OLE). It could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft recommends disabling RTF as a mitigation for this vulnerability.

CVE-2025-21307 is a critical remote code execution vulnerability in Windows Reliable Multicast Transport Driver (RMCAST). This vulnerability, if successfully exploited, could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to vulnerable systems.  

CVE-2025-21311 is a critical privilege escalation vulnerability in NTLMv1. This vulnerability can be exploited remotely and could allow an attacker to increase their level of access to vulnerable systems. Microsoft recommends disabling the use of NTLMv1 as a mitigation for this vulnerability. 

CVE-2025-21362 – is a critical remote code execution vulnerability in Microsoft Excel. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This vulnerability can also be triggered via the preview pane.  

CVE-2025-21380 is a critical information disclosure vulnerability affecting Azure Marketplace SaaS Resources. According to Microsoft this vulnerability, which could enable an attacker to disclose information, has been mitigated.  

CVE-2025-21385 is a critical information disclosure vulnerability affecting Microsoft Purview. This vulnerability is due to a Server-Side Request Forgery (SSRF) vulnerability that Microsoft reports has been mitigated. 

Talos would also like to highlight the following important vulnerabilities that Microsoft considers to be “more likely” to be exploited:   

  • CVE-2025-21189 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21210 – Windows BitLocker Information Disclosure Vulnerability 
  • CVE-2025-21219 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21268 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21269 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21292 – Windows Search Service Elevation of Privilege Vulnerability 
  • CVE-2025-21299 – Windows Kerberos Security Feature Bypass Vulnerability 
  • CVE-2025-21314 – Windows SmartScreen Spoofing Vulnerability 
  • CVE-2025-21315 – Microsoft Brokering File System Elevation of Privilege Vulnerability 
  • CVE-2025-21328 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21329 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21354 – Microsoft Excel Remote Code Execution Vulnerability 
  • CVE-2025-21364 – Microsoft Excel Security Feature Bypass Vulnerability 
  • CVE-2025-21365 – Microsoft Word Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64432 – 64436, 64444 – 64457. There are also these Snort 3 rules: 301113, 301114, 301117 – 301123. 

Cisco Talos Blog – ​Read More