Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”  

One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

Another notable remote code execution vulnerability in Windows Object Linking and Embedding (OLE) was also patched this month. This vulnerability, CVE-2025-21298, is a critical remotely exploitable vulnerability that can be triggered by sending a malicious email to a victim running a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems, and it can be triggered when the victim merely previews the malicious email. This vulnerability has been assigned a CVSS 3.1 score of 9.8. Microsoft recommends disabling RTF as a mitigation for this vulnerability.

CVE-2025-21294 is a critical vulnerability in Microsoft Digest Authentication that affects multiple versions of Windows and Windows Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. To exploit this vulnerability, an attacker would need to win a race condition. 

CVE-2025-21295 is a critical remote code execution vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and does not require user interaction for successful exploitation.  

CVE-2025-21296 is a critical remote code execution vulnerability in BranchCache. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft assesses that an attacker would need to be on the same network to successfully exploit this vulnerability.  

CVE-2025-21297 is another critical remote code execution vulnerability in Windows Remote Desktop Services. Microsoft has assessed that this vulnerability is “less likely to be exploited” and that it would require an attacker to win a race condition for exploitation to be successful. This vulnerability affects multiple versions of Windows Server.  

CVE-2025-21298 is a critical remote code execution vulnerability in Windows Object Linking and Embedding (OLE). It could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft recommends disabling RTF as a mitigation for this vulnerability.

CVE-2025-21307 is a critical remote code execution vulnerability in Windows Reliable Multicast Transport Driver (RMCAST). This vulnerability, if successfully exploited, could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to vulnerable systems.  

CVE-2025-21311 is a critical privilege escalation vulnerability in NTLMv1. This vulnerability can be exploited remotely and could allow an attacker to increase their level of access to vulnerable systems. Microsoft recommends disabling the use of NTLMv1 as a mitigation for this vulnerability. 

CVE-2025-21362 is a critical remote code execution vulnerability in Microsoft Excel. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This vulnerability can also be triggered via the preview pane.  

CVE-2025-21380 is a critical information disclosure vulnerability affecting Azure Marketplace SaaS Resources. According to Microsoft this vulnerability, which could enable an attacker to disclose information, has been mitigated.  

CVE-2025-21385 is a critical information disclosure vulnerability affecting Microsoft Purview. This vulnerability is due to a Server-Side Request Forgery (SSRF) vulnerability that Microsoft reports has been mitigated. 

Talos would also like to highlight the following important vulnerabilities that Microsoft considers to be “more likely” to be exploited:   

  • CVE-2025-21189 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21210 – Windows BitLocker Information Disclosure Vulnerability 
  • CVE-2025-21219 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21268 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21269 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21292 – Windows Search Service Elevation of Privilege Vulnerability 
  • CVE-2025-21299 – Windows Kerberos Security Feature Bypass Vulnerability 
  • CVE-2025-21314 – Windows SmartScreen Spoofing Vulnerability 
  • CVE-2025-21315 – Microsoft Brokering File System Elevation of Privilege Vulnerability 
  • CVE-2025-21328 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21329 – MapUrlToZone Security Feature Bypass Vulnerability 
  • CVE-2025-21354 – Microsoft Excel Remote Code Execution Vulnerability 
  • CVE-2025-21364 – Microsoft Excel Security Feature Bypass Vulnerability 
  • CVE-2025-21365 – Microsoft Word Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64432 – 64436, 64444 – 64457. There are also these Snort 3 rules: 301113, 301114, 301117 – 301123. 

Cisco Talos Blog

Passwords 101: don’t enter your passwords just anywhere they’re asked for | Kaspersky official blog

Whenever you’re asked to log in to an online service, verify your identity, or download a document through a link, you’re usually required to enter your username and password. This is so common that most of us do it automatically without thinking twice. However, scammers can trick you into giving them passwords for your email, government service websites, banking services, or social networks by mimicking the service’s login form on their own (third-party) website. Don’t fall for it: only the email service itself can ask to verify your email password — no one else! The same applies to government services, banks, and social networks.

To avoid becoming a victim of fraud, every time you enter a password, take a moment to check where exactly you’re logging in, and what window is asking for your credentials. Three main scenarios are possible here — two are safe, one is fraudulent. Here they are.

Safe scenarios for entering passwords

  1. Logging into your email, social network, or online service through the official website. This is the simplest scenario, but you need to make sure you are indeed on the legitimate site — with no errors in the URL. If you’re accessing the online service by clicking a link in an email or from search results, carefully check the browser’s address bar before entering your password. Make sure that both the service name and the site address are correct and match each other.

Why is it so important to take an extra second to check? Creating phishing copies of legitimate sites is a favorite trick of scammers. A phishing site’s address may be almost identical to the original, differing in just a letter or two (for example, a lowercase “l” might be replaced with an uppercase “I”, which look the same in many fonts), or use a different domain zone.

It’s also rather simple to create a link that appears to lead to a site but actually takes you somewhere else. Check it out for yourself: this link seems to lead to our blog kaspersky.com/blog but actually redirects you to our other blog — securelist.com.

The image below shows examples of legitimate login pages for various services where you can safely enter your username and password.

Examples of legitimate login pages for various services. Entering your credentials here is safe

  2. Logging in to a site using an auxiliary service. This is a convenient way to log in without creating additional passwords, commonly used for file storage services, collaboration tools, and so on. Auxiliary services are typically large email providers, social networks, or government service sites. The login button may say something like “Continue with Google”, “Continue with Facebook”, “Continue with Apple”, etc.

When you click the button, another window opens belonging to the auxiliary service (Google, Facebook, Apple, etc.). It works like this: the external service verifies your identity and confirms this to the site you’re logging in to. It’s crucial to check the addresses in both windows: make sure that the pop-up window asking for your password really belongs to the auxiliary service you expected (Google, Facebook, Apple, etc.), and the main window really belongs to the legitimate site you’re trying to log in to. In many cases, the pop-up window also indicates which site you’ll be logging in to. This auxiliary service mechanism allows you to enter the desired site without it ever seeing your password. Password verification takes place on the side of the auxiliary service (Google, Facebook, Apple, etc.). IT specialists call this login method single sign-on (SSO).

Example of SSO login to eBay through an auxiliary service (Google) that verifies your password. Entering your credentials here is also safe

Fraudulent scenario: password theft

You receive an email or message with a login link, click it, and end up on a site that very closely resembles a legitimate email, social network, file-sharing, or e-signature service. The site asks you to log in to your account to prove your identity. To this end, you’re prompted to enter your email and password for your email, government services site, banking service, or social network directly on this site.

In this scenario, either there’s no pop-up window from a legitimate service (such as the one in the previous case), or the additional window also belongs to some third-party site. This is a scam designed to steal your account password! Remember, a third-party site can’t verify your password — it simply doesn’t know it, and passwords are never shared between sites.

Look at the address bar: this is definitely not Netflix! Don’t enter your credentials here!

How to protect yourself from password theft

  1. Carefully check the address of the site requesting your password.
  2. Only enter a password for a service on the official website of that service — nowhere else.
  3. Sometimes a separate window appears for entering a password. Make sure this window is a regular browser window where you can see the address bar and verify the address.
  4. Scammers can create lookalike sites with addresses that are hard to distinguish from real ones. To avoid falling into such a trap, use reliable anti-phishing protection on all devices and platforms. We recommend Kaspersky Premium, the winner of an anti-phishing test in 2024.
  5. An advanced protection method is to use a password manager for all your accounts. It verifies the actual page address, and will never enter your credentials on an unfamiliar site — no matter how convincing it looks.
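The checks in points 1 to 3 above, together with the homoglyph and domain-zone tricks described earlier and the two-window check for SSO pop-ups, can be mechanised. The following Python is an added example, not Kaspersky’s code: it classifies a login-page URL against a constructed allowlist of official login hosts and, for the “Continue with …” case, checks both that the pop-up belongs to the expected identity provider and that its redirect_uri sends the result back to the site you started from. The hostnames in the allowlist and in the sample URLs are assumptions, and registrable() uses a single-label public-suffix rule (.com, .net) rather than the Public Suffix List.

```python
"""Check where a login form lives before a password is typed into it.

Added example, not Kaspersky's code. TRUSTED_HOSTS is a constructed allowlist;
registrable() assumes single-label public suffixes (.com, .net), so a real
deployment would consult the Public Suffix List instead."""
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = {                       # exact hosts that may ask for these passwords
    "accounts.google.com": "Google",
    "www.facebook.com": "Facebook",
    "appleid.apple.com": "Apple",
    "www.netflix.com": "Netflix",
    "signin.ebay.com": "eBay",
}

# Character swaps that make one hostname look like another in an address bar.
_SINGLE = str.maketrans({"1": "l", "|": "l", "i": "l", "0": "o", "5": "s", "3": "e"})
_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(name: str) -> str:
    """Fold a name so that visually confusable spellings collide (l/I/1, o/0, rn/m)."""
    folded = name.lower().translate(_SINGLE)
    for src, dst in _MULTI:
        folded = folded.replace(src, dst)
    return folded


def registrable(host: str) -> str:
    """'accounts.google.com' -> 'google.com' (single-label suffix assumption)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify_login_page(url: str) -> tuple[str, str]:
    """Return (verdict, reason): 'safe', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return "unknown", "not an HTTPS URL with a hostname"
    if host in TRUSTED_HOSTS:
        return "safe", f"official {TRUSTED_HOSTS[host]} login host"
    for trusted, service in TRUSTED_HOSTS.items():
        if registrable(host) == registrable(trusted):
            return "safe", f"subdomain of the official {service} domain {registrable(trusted)}"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike", "internationalised (punycode) label; check the decoded name"
    for trusted, service in TRUSTED_HOSTS.items():
        brand = registrable(trusted).split(".")[0]
        if skeleton(registrable(host)) == skeleton(registrable(trusted)):
            return "lookalike", f"homoglyph imitation of {registrable(trusted)} ({service})"
        if brand in labels:
            return "lookalike", f"'{brand}' used under a different domain zone or parent domain ({service})"
    return "unknown", "not an allowlisted host; do not enter any listed service's password here"


def check_sso_popup(popup_url: str, site_url: str) -> tuple[str, str]:
    """Check a 'Continue with ...' window: it must be a trusted identity provider
    and its redirect_uri must send the result back to the site you started from."""
    verdict, reason = classify_login_page(popup_url)
    if verdict != "safe":
        return verdict, f"pop-up: {reason}"
    redirect = parse_qs(urlsplit(popup_url).query).get("redirect_uri", [""])[0]
    site_host = urlsplit(site_url).hostname or ""
    redirect_host = urlsplit(redirect).hostname or ""
    if not redirect_host or registrable(redirect_host) != registrable(site_host):
        return "lookalike", f"pop-up returns the login result to '{redirect_host or 'nowhere'}', not to {site_host}"
    return "safe", f"trusted identity-provider pop-up returning to {site_host}"


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "https://g00gle.com/login",
              "https://www.netflix.com.account-verify.net/login",
              "https://netflix.co/login"):
        print(u, "->", classify_login_page(u))
```

The skeleton() fold catches the l/I/1 and o/0 swaps; the brand-in-labels check catches both a changed domain zone (netflix.co) and the service name parked as a subdomain of an attacker’s domain (www.netflix.com.account-verify.net). Neither replaces looking at the address bar, but a password manager applies exactly this kind of exact-host matching before it will autofill, which is why point 5 works.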

Kaspersky official blog

Threat Intelligence Pivoting: Actionable Insights Behind Indicators

Pivoting in cyber threat intelligence refers to using one piece of data to find and explore related information and expand your understanding of a threat. It lets analysts discover hidden connections between indicators of compromise and find potential threats before they are exploited.  

Why pivoting matters 

Cyber threat intelligence concentrates on indicators of compromise, IOCs. These are data points or artifacts (like IP addresses, domain names, file hashes, email addresses, etc.) that indicate a potential or actual malicious activity. Pivoting is researching links and correlations between IOCs and thus discovering new IOCs relevant to the same attack, malware, or threat agent.  
 
Pivoting helps make CTI proactive, helps predict and prevent the unfolding of an attack or the emergence of new threats. 
 
Threat intelligence and pivoting are critical for businesses and corporate security because they enhance an organization’s ability to anticipate, detect, and respond to cyber threats. By leveraging actionable insights from threat intelligence and pivoting to discover deeper connections, businesses can protect their assets, reduce risk, and strengthen overall cybersecurity posture. 

Note that the definition of pivoting in threat intelligence differs from the one used elsewhere in cyber security; the term is also popular in many other fields.   

In cyber security more broadly, the term is usually used by pen testers and attackers. There, pivoting is the act of an attacker moving from one compromised system to one or more other systems within the same or another organization. Pivoting in that sense is fundamental to the success of advanced persistent threat (APT) attacks.  

How it works 

Pivoting for CTI shows its potential when IOCs are viewed not as “atomic” but rather as complex objects. Taken by themselves, they are, so to speak, “backward-looking”: they lack context. IOCs are good forensic material, but not enough for a predictive, proactive security effort.  

Pivoting focuses on behaviors. Indicators are linked through their behavioral commonalities. This approach grasps IOC relationships, helps discover new ones, predict their behavior, generalize tendencies, and eventually build strong and adaptive defense based on the understanding of adversaries. 

Pivoting routine 

Pivoting is not just about techniques and tools; it is rather about a certain approach or dare say a certain mindset. Once adopted, it’ll give your threat intelligence a new depth and perspective.   

The most basic algorithm is:  

  • Select an initial indicator. For example, a suspicious IP. Or a domain name associated with a known threat or attack. 
  • Analyze the indicator with a tool of your choice. 
  • Decompose the indicator. Understand its parameters. Define which of them could signal malicious behavior or be linked to other artifacts. 
  • Find and analyze linked artifacts. Pay attention to those that haven’t been yet connected with a threat or an attack.  
  • Research the discovered data. 
  • Draw actionable insights. 
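The routine above, and the ASN pivot shown in the next section, amount to a breadth-first walk over indicator relationships. Here is an added Python example (not ANY.RUN’s code) that performs that walk over a constructed relationship table: the TEST-NET addresses, the documentation ASN AS64496, the .example domains and the tags are all made up for illustration, not real observations. Each relation is one parameter of an indicator (resolution, registrant email, ASN, served certificate) and is walkable in both directions; a fan-out cap keeps “hub” nodes such as shared hosting IPs from flooding the result unless you opt in, which is exactly what you do when you deliberately pivot on an ASN.

```python
"""Expand one indicator into a set of related indicators by walking a table of
relationships, the 'pivoting routine' described above.

Added example, not ANY.RUN code. RELATIONS, TAGS, the addresses and the ASN are
constructed for illustration (TEST-NET ranges, documentation ASN); a real run
would fill RELATIONS from passive DNS, WHOIS, certificate and sandbox lookups."""
from collections import defaultdict, deque

# (indicator, relationship, related indicator). Each relationship is one of the
# indicator's "parameters" (resolution, registrant, ASN, served certificate).
RELATIONS = [
    ("update-check.example", "resolves_to", "203.0.113.10"),
    ("update-check.example", "registrant_email", "ops@mailbox.example"),
    ("cdn-sync.example", "registrant_email", "ops@mailbox.example"),
    ("cdn-sync.example", "resolves_to", "203.0.113.11"),
    ("cdn-sync.example", "resolves_to", "203.0.113.50"),   # shared hosting IP
    ("203.0.113.10", "asn", "AS64496"),
    ("203.0.113.11", "asn", "AS64496"),
    ("203.0.113.12", "asn", "AS64496"),
    ("203.0.113.10", "serves_cert", "cert:3f9c"),
    ("203.0.113.12", "serves_cert", "cert:3f9c"),
    ("panel-stats.example", "serves_cert", "cert:3f9c"),
]
# Thirty unrelated tenants on the shared hosting IP: a "hub" that would flood
# the pivot with noise if expanded blindly.
RELATIONS += [(f"tenant{i}.example", "resolves_to", "203.0.113.50") for i in range(30)]

# Labels a TI platform attaches to indicators already seen in malware runs (constructed).
TAGS = {"203.0.113.12": ["stormkitty"], "panel-stats.example": ["stormkitty"]}


def build_graph(relations):
    """Undirected adjacency: each relation is walkable in both directions."""
    graph = defaultdict(list)
    for src, rel, dst in relations:
        graph[src].append((rel, dst))
        graph[dst].append(("inverse:" + rel, src))
    return graph


def pivot(seed, relations, max_depth=4, max_fanout=25, expand_hubs=()):
    """Breadth-first expansion from `seed`.

    Returns (paths, skipped_hubs): paths maps every discovered indicator to the
    chain of (from, relation, to) hops that reached it; skipped_hubs holds nodes
    with more than max_fanout neighbours that were not expanded (shared hosting
    IPs, registrars, large ASNs) unless explicitly listed in expand_hubs."""
    graph = build_graph(relations)
    paths = {seed: []}
    skipped_hubs = set()
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        neighbours = graph.get(node, [])
        if len(neighbours) > max_fanout and node != seed and node not in expand_hubs:
            skipped_hubs.add(node)
            continue
        for rel, nxt in neighbours:
            if nxt in paths:
                continue
            paths[nxt] = paths[node] + [(node, rel, nxt)]
            queue.append((nxt, depth + 1))
    return paths, skipped_hubs


def report(paths, tags=TAGS):
    """Discovered indicators ordered by distance from the seed, with any tags."""
    rows = []
    for indicator, hops in paths.items():
        if not hops:          # the seed itself
            continue
        route = " -> ".join(f"{frm} [{rel}]" for frm, rel, _ in hops) + f" -> {indicator}"
        rows.append({"indicator": indicator, "depth": len(hops),
                     "tags": tags.get(indicator, []), "route": route})
    return sorted(rows, key=lambda r: (r["depth"], r["indicator"]))


if __name__ == "__main__":
    found, hubs = pivot("update-check.example", RELATIONS)
    for row in report(found):
        print(row["depth"], row["indicator"], row["tags"], row["route"])
    print("hubs not expanded:", sorted(hubs))
```

Run from update-check.example, the walk reaches the two stormkitty-tagged indicators in three hops (seed IP to shared certificate to second server, or seed IP to ASN to second server), while the thirty tenants behind the shared hosting IP stay out of the result until that IP is passed in expand_hubs. The route string is the provenance you need when turning a discovered indicator into a blocking decision: a hop through a registrant email is a much stronger link than a hop through a hosting provider.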

Where to start  

You can start with pivoting on network indicators. Basic network IOCs are IPs, domains, and SSL/TLS certificates. They all have certain parameters: for example, registrar and registrant for domains, hosting provider or server type for an IP address, issue date or issuer for a certificate. 
 
One of the most powerful tools for IOC research is ANY.RUN’s Threat Intelligence Lookup. It lets you search threat artifacts by about 40 search parameters, including YARA and Suricata rules, combine them, and get real-time updates of search results.  

TI lookup is integrated with the Interactive Sandbox used for researching malware in action within a safe virtual environment.   
 
For example, let us try using ASN to identify network infrastructure.  
 
1. Find IPs assigned to the “Autonomous System of Iranian Research Organization for Science and Technology” using TI Lookup. The search query is:  

The results for the ASN search

2. Look at the list of IP addresses in the search results. Some of them have tags assigned to them. The tag “Stormkitty” refers to the eponymous stealer — StormKitty. 

ANY.RUN’s Cybersecurity Blog

Trusted-relationship cyberattacks and their prevention

The old saying, “A chain is only as strong as its weakest link”, directly applies to enterprise cybersecurity. Businesses these days often rely on dozens or even hundreds of suppliers and contractors, who, in turn, use the services and products of yet more contractors and suppliers. And when these chains involve not raw materials but complex IT products, ensuring their security becomes significantly more challenging. This fact is exploited by attackers, who compromise a link in the chain to reach its end — their main target. Accordingly, it’s essential for business leaders and the heads of IT and information security to understand the risks of supply-chain attacks in order to manage them effectively.

What is a supply-chain attack?

A supply-chain attack involves a malicious actor infiltrating an organization’s systems by compromising a trusted third-party software vendor or service provider. Types of this attack include the following:

  • Compromising well-known software developed by a supplier and used by the target organization (or multiple organizations). The software is modified to perform malicious tasks for the attacker. Once the next update is installed, the software will contain undeclared functionality that allows the organization to be compromised. Well-known examples of such attacks include the compromises of SolarWinds Orion and 3CX. Last year, the largest such attempt to date was discovered: the XZ Utils backdoor. Fortunately, it was unsuccessful.
  • Attackers find corporate accounts used by a service provider to work within the target organization’s systems. The attackers use these accounts to infiltrate the organization and carry out an attack. For example, the American retail giant Target was hacked through an account issued to an HVAC provider.
  • Attackers compromise a cloud provider or exploit the features of a cloud provider’s infrastructure to access the targeted organization’s data. The most high-profile case last year involved the compromise of more than 150 clients of the Snowflake cloud service, leading to the data leak of hundreds of millions of users of Ticketmaster, Santander Bank, AT&T, and others. Another large-scale, big-impact attack was the hack of the authentication service provider Okta.
  • Attackers exploit permissions delegated to a contractor in cloud systems, such as Office 365, to gain control over the target organization’s documents and correspondence.
  • Attackers compromise specialized devices belonging to or administered by a contractor, but connected to the target organization’s network. Examples include smart-office air-conditioning systems, and video surveillance systems. For example, building automation systems became a foothold for a cyberattack on telecom providers in Pakistan.
  • Attackers modify IT equipment purchased by the target organization, either by infecting pre-installed software or embedding hidden functionality into the devices’ firmware. Despite their complexity, such attacks have actually occurred in practice. Proven cases include Android device infections, and widely discussed server infections at the chip level.

All variations of this technique in the MITRE ATT&CK framework come under the name “Trusted Relationship” (T1199).

Benefits of supply-chain attacks for criminals

Supply-chain attacks offer several advantages for attackers. Firstly, compromising a supplier creates a uniquely stealthy and effective access channel — as demonstrated by the attack on SolarWinds Orion software, widely used in major U.S. corporations, and the compromise of Microsoft cloud systems, which led to email leaks from several U.S. government departments. For this reason, this type of attack is especially favored by criminals hunting for information. Secondly, the successful compromise of a single popular application or service instantly provides access to dozens, hundreds, or even thousands of organizations. Thus, this kind of attack also appeals to those motivated by financial gain, such as ransomware groups. One of the most high-profile breaches of this type was the attack on IT supplier Kaseya by the REvil group.

A tactical advantage (to criminals) of attacks exploiting trusted relationships lies in the practical consequences of this trust: the applications and IP addresses of the compromised supplier are more likely to be on allowlists, actions performed using accounts issued to the supplier are less frequently flagged as suspicious by monitoring centers, and so on.

Damage from supply-chain attacks

Contractors are usually compromised in targeted attacks carried out by highly motivated and skilled attackers. Such attackers are typically aiming to obtain either a large ransom or valuable information — and in either case, the victim will inevitably face long-term negative consequences.

These include the direct costs of investigating the incident and mitigating its impact, fines and expenses related to working with regulators, reputational damage, and potential compensation to clients. Operational disruptions caused by such attacks can also result in significant productivity losses, and threaten business continuity.

There are also cases that don’t technically qualify as supply-chain attacks — attacks on key technology providers within a specific industry — that nevertheless disrupt the supply chain. There were several examples of this in 2024 alone, the most striking being the cyberattack on Change Healthcare, a major company responsible for processing financial and insurance documents in the U.S. healthcare industry. Clients of Change Healthcare were not hacked, but while the compromised company spent a month restoring its systems, medical services in the U.S. were partially paralyzed, and it was recently revealed that confidential medical records of 100 million patients were exposed as a result of this attack. In this case, mass client dissatisfaction became a factor pressuring the company to pay the ransom.

Returning to the previously mentioned examples: Ticketmaster, which suffered a major data breach, faces several multi-billion-dollar lawsuits; criminals demanded $70 million to decrypt the data of victims of the Kaseya attack; and damage estimates from the SolarWinds attack range from $12 million per affected company to $100 billion in total.

Which teams and departments should be responsible for supply-chain-attack prevention?

While all the above may suggest that dealing with supply-chain attacks is entirely the responsibility of information security teams, in practice, minimizing these risks requires the coordinated efforts of multiple teams within the organization. Key departments that should be involved in this work include:

  • Information security: responsible for implementing security measures and monitoring compliance with them, conducting vulnerability assessments, and responding to incidents.
  • IT: ensures that the procedures and measures required by information security are followed when organizing contractors’ access to the organization’s infrastructure, uses monitoring tools to oversee compliance with these measures, and prevents the emergence of shadow or abandoned accounts and IT services.
  • Procurement and vendor management: should work with information security and other departments to include trust and corporate information-security compliance criteria in supplier selection processes. Should also regularly check that supplier evaluations meet these criteria and ensure ongoing compliance with security standards throughout the contract period.
  • Legal departments and risk management: ensure regulatory compliance and manage contractual obligations related to cybersecurity.
  • Board of directors: should promote a security culture within the organization, and allocate resources for implementing the above measures.

Measures for minimizing the risk of supply-chain attacks

Organizations should take comprehensive measures to reduce the risks associated with supply-chain attacks:

  • Thoroughly evaluate suppliers. It’s crucial to assess the security level of potential suppliers before beginning collaboration. This includes requesting a review of their cybersecurity policies, information about past incidents, and compliance with industry security standards. For software products and cloud services, it’s also recommended to collect data on vulnerabilities and pentests, and sometimes it’s advised to conduct dynamic application security testing (DAST).
  • Implement contractual security requirements. Contracts with suppliers should include specific information security requirements, such as regular security audits, compliance with your organization’s relevant security policies, and incident notification protocols.
  • Adopt preventive technological measures. The risk of serious damage from supplier compromise is significantly reduced if your organization implements security practices such as the principle of least privilege, zero trust, and mature identity management.
  • Organize monitoring. We recommend using XDR or MDR solutions for real-time infrastructure monitoring and detecting anomalies in software and network traffic.
  • Develop an incident response plan. It’s important to create a response plan that includes supply-chain attacks. The plan should ensure that breaches are quickly identified and contained — for example by disconnecting the supplier from company systems.
  • Collaborate with suppliers on security issues. It’s vital to work closely with suppliers to improve their security measures — such collaboration strengthens mutual trust and makes mutual protection a shared priority.

Deep technological integration throughout the supply chain affords companies unique competitive advantages, but simultaneously creates systemic risks. Understanding these risks is critically important for business leaders: attacks on trusted relationships and supply chains are a growing threat, entailing significant damage. Only by implementing preventive measures across the organization and approaching partnerships with suppliers and contractors strategically can companies reduce these risks and ensure the resilience of their business.

Kaspersky official blog

Inside the Active Threats of Ivanti’s Exploited Vulnerabilities

Threats, exploitation, and mitigation of Ivanti’s two critical actively exploited vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways.

Overview

On January 8, 2025, Ivanti disclosed two critical vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways. These vulnerabilities expose enterprises to unauthenticated remote code execution (RCE) and privilege escalation risks. While Ivanti has released patches to address these issues, threat actor exploitation, particularly of CVE-2025-0282, has prompted a global response.

This blog aims to provide detailed insights into these vulnerabilities and their exploitation, offering valuable guidance for mitigating risks.

A Closer Look at CVE-2025-0282 and CVE-2025-0283

CVE-2025-0282: Remote Code Execution

  • Type: Stack-based Buffer Overflow
  • Severity: Critical (CVSS Score: 9.0)
  • Impact: Enables unauthenticated attackers to execute arbitrary code remotely via the Ivanti Connect Secure appliance.
  • Affected Versions:
    • Ivanti Connect Secure: Versions prior to 22.7R2.5.
    • Ivanti Policy Secure: Versions prior to 22.7R1.2.
    • Ivanti Neurons for ZTA Gateways: Versions prior to 22.7R2.3.

This vulnerability is actively being exploited, primarily against Ivanti Connect Secure appliances exposed to the internet. Threat actors use it to achieve remote code execution, enabling deep infiltration into enterprise environments.

Exploitation Process

Threat actors have demonstrated sophisticated exploitation techniques, as observed by Mandiant. The process often includes:

  1. Identifying the Target Version: Repeated requests to the vulnerable appliance help attackers determine the firmware version.
  2. Disabling Security Mechanisms: Threat actors disable SELinux and block syslog forwarding to evade detection.
  3. Writing and Executing Malicious Scripts: Base64-encoded scripts are written to temporary directories and executed to deploy malware.
  4. Deploying Web Shells: These enable attackers to maintain remote access.
  5. Erasing Logs: Tools like sed are used to remove traces of exploitation from debug and application logs.

CVE-2025-0283: Privilege Escalation

  • Type: Stack-based Buffer Overflow
  • Severity: High (CVSS Score: 7.0)
  • Impact: Allows local authenticated attackers to escalate privileges.
  • Affected Versions: The same versions as CVE-2025-0282.

While CVE-2025-0283 has not been actively exploited, its potential to be chained with other vulnerabilities poses significant risks.

Mitigation

Ivanti released a patch for Connect Secure on January 8, and updates for Policy Secure and ZTA Gateways are slated for January 21.

Malware Deployment and Persistence

Initial attacks leveraged the vulnerability for remote code execution and to drop obfuscated webshell payloads onto compromised systems, according to Mandiant. These webshells enable persistent access and lateral movement within targeted networks.

Key IoCs Identified

  • Webshell Samples:
    • SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
    • Decoded functionality allowed attackers to execute system commands remotely.

  • Attack Vectors:
    • Exploitation originated from anonymous VPN services and known malicious IP addresses.
    • Common suspicious usernames: SUPPORT87, SUPPOR817, and VPN.

  • Post-Exploitation Activities:
    • Unauthorized security policy modifications, including opening access from WAN to LAN.
    • Deletion of forensic evidence to obscure attack traces.

  • Geographic Patterns:
    • Concentrated attack origin in Europe, leveraging proxied IP addresses.

Key Threat Actor Activities

Mandiant has linked the exploitation campaign to China-affiliated groups, specifically UNC5337 and UNC5221, using malware families like SPAWN and PHASEJAM.

Here’s how these tools are weaponized:

  • SPAWN Family Components:
    • SPAWNMOLE: A tunneler that hijacks network connections to establish communication with command-and-control (C2) servers.
    • SPAWNSNAIL: An SSH backdoor enabling persistent access.
    • SPAWNSLOTH: A log-tampering utility that obfuscates traces of malicious activity.

  • PHASEJAM:
    • Inserts malicious web shells into Ivanti appliance files like getComponent.cgi.
    • Blocks legitimate system upgrades by modifying upgrade scripts.

Anti-Forensics Techniques

Threat actors erase critical logs, such as:

  • Kernel messages (dmesg).
  • State dumps and core dumps from crashes.
  • SELinux audit logs.

These actions complicate incident response and forensic investigations.

CISA, ACSC, and NCSC have classified CVE-2025-0282 as a critical vulnerability, emphasizing its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Their advisories stress that edge devices like VPNs are prime targets for attackers and require immediate patching.

Detection and Mitigation

Detection

Ivanti said, “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix.”

Organizations are advised to use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise. However, ICT alone may not detect all malicious activity, especially if attackers have erased traces. Combining ICT results with endpoint detection and response (EDR) tools is crucial.

Mitigation

  1. Patch Systems:
    • Update to Ivanti’s patched firmware versions:
      • Connect Secure: 22.7R2.5
      • Policy Secure and ZTA Gateways: 22.7R2.5 (available by January 21, 2025)

  2. Reset Credentials:
    • Change all passwords for admin and user accounts, including VPN pre-shared keys.

  3. Reconfigure Security Policies:
    • Remove unauthorized rules allowing broad access.

  4. Monitor Network Activity:
    • Continuously monitor logs for unusual behavior or unauthorized access.

  5. Enforce Network Segmentation:
    • Restrict management interfaces to trusted internal IP addresses only.

Key Agency Recommendations

  • CISA: Advocates for enhanced monitoring of ICS appliances and swift adoption of fixes.
  • ACSC: Warns against delayed patching, highlighting the potential for mass exploitation.
  • NCSC: Stresses the importance of layered defenses and regular security assessments.

Best Practices for Enhanced Security

Cyble emphasizes the importance of adopting a proactive security strategy. Key recommendations include:

  • Two-Factor Authentication (2FA): Enforce 2FA for all accounts to reduce the risk of unauthorized access.
  • Log Monitoring: Use SIEM solutions to track anomalies in real time.
  • Incident Response: Maintain a tested and updated incident response plan to mitigate the impact of breaches.
  • Limit External Exposure: Disable internet-facing management interfaces wherever possible.

References:

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways

https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog

https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerability

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-ivanti-connect-secure-ivanti-policy-secure-and-ivanti-neurons-zta-gateways

The post Inside the Active Threats of Ivanti’s Exploited Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe?

Google Chrome and WordPress users face high-severity security threats. CyberSecurity Malaysia advises immediate updates to prevent potential exploits and safeguard data.

Overview

CyberSecurity Malaysia has recently notified users of critical vulnerabilities in two widely used software platforms: Google Chrome and the WordPress File Upload plugin. If exploited, these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or cause disruptions.

Security updates have been issued, and users are strongly advised to apply these updates immediately to protect their systems.

This article provides an in-depth look at these vulnerabilities, their potential impacts, affected products, and recommended mitigation actions.

Google Chrome Security Update

Google has released security updates to address multiple vulnerabilities in the Chrome browser. These vulnerabilities have been categorized as high-severity risks and require immediate attention from users and administrators.

If successfully exploited, these vulnerabilities could enable attackers to:

  • Execute arbitrary code on the target system.
  • Escalate their privileges to gain unauthorized access.
  • Cause denial-of-service (DoS) attacks on affected ChromeOS devices.

These threats underscore the importance of keeping software updated to prevent exploitation.

One of the critical vulnerabilities addressed in this update is:

  • CVE-2025-0291 (High): This is a Type Confusion vulnerability in the V8 JavaScript engine. Type Confusion occurs when a program accesses a resource (such as an object in memory) as if it were of a different type than the one it was created with, which could allow attackers to manipulate the system and execute malicious code.

Recommendations

CyberSecurity Malaysia advises all users and administrators to:

  1. Review the latest Google Chrome release notes.
  2. Update Chrome to the latest version without delay.
  3. Regularly check for updates to ensure their browser remains secure.

WordPress File Upload Plugin Vulnerability

WordPress has issued a critical security update to address a vulnerability in its File Upload plugin. This vulnerability, if exploited, could have severe consequences for WordPress websites, particularly those using outdated versions of the plugin.

The vulnerability could allow unauthenticated attackers to:

  • Execute remote code on the server.
  • Read arbitrary files, potentially exposing sensitive information.
  • Delete files, causing data loss and service disruptions.

With a high severity score of 9.8 on the CVSS scale, this vulnerability is categorized as critical and poses a significant threat to websites using the affected plugin.

Affected Products

  • WordPress File Upload Plugin: Versions 4.24.15 and below are affected.
  • Vulnerability Details:
    • CVE Identifier: CVE-2024-11613
    • Vulnerability Type: Improper Control of Code Generation (Code Injection).
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Researcher: Abrahack
    • Date of Public Disclosure: January 7, 2025

The vulnerability lies in the improper sanitization of the source parameter within the file wfu_file_downloader.php, which allows attackers to define their own directory paths. This flaw enables remote code execution, arbitrary file reading, and file deletion.
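The unsafe "join the user-supplied path onto the served directory" pattern beside a containment check, as an added example written in Python as a model of such a download handler (it is not the plugin's own PHP code); the function names and the fixture files are constructed for the demo.

```python
# Added example (not the plugin's code): the vulnerable concatenation pattern
# beside a containment check that rejects any resolved path escaping the
# served directory. Names and fixture files below are constructed.
import os
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """Raised when a requested path does not stay inside the served directory."""


def unsafe_join(base_dir, source: str) -> str:
    """The vulnerable pattern: concatenate without normalising or checking.
    '../' sequences walk out of base_dir and an absolute source replaces it."""
    return os.path.join(base_dir, source)


def resolve_download_path(base_dir, source: str) -> Path:
    """Return the absolute path to serve, raising PathOutsideBase unless the
    fully resolved result (symlinks included) lies inside base_dir."""
    if "\x00" in source:
        raise PathOutsideBase("embedded NUL byte in source")
    if os.path.isabs(source):
        raise PathOutsideBase(f"absolute source not allowed: {source!r}")
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / source).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathOutsideBase(f"{source!r} escapes {base}") from None
    return candidate


def is_contained(base_dir, source: str) -> bool:
    """True if the check would serve `source`, False if it rejects it."""
    try:
        resolve_download_path(base_dir, source)
        return True
    except PathOutsideBase:
        return False


def build_demo_tree() -> tuple:
    """Constructed fixture: <tmp>/uploads/report.pdf (the served directory)
    and <tmp>/wp-config.php one level above it, the kind of file an
    escaping path would reach."""
    root = Path(tempfile.mkdtemp()).resolve()
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "report.pdf").write_text("constructed upload\n")
    secret = root / "wp-config.php"
    secret.write_text("constructed sensitive file\n")
    return uploads, secret


def demo() -> dict:
    """Run both patterns against the fixture and report the outcomes."""
    uploads, secret = build_demo_tree()
    return {
        "legit_allowed": is_contained(uploads, "report.pdf"),
        "traversal_rejected": not is_contained(uploads, "../wp-config.php"),
        "absolute_rejected": not is_contained(uploads, str(secret)),
        "unsafe_reaches_secret":
            Path(unsafe_join(uploads, "../wp-config.php")).resolve() == secret,
    }


if __name__ == "__main__":
    print(demo())
```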

Recommendations

To protect their websites, CyberSecurity Malaysia urges WordPress users and administrators to:

  1. Update the WordPress File Upload Plugin: Install version 4.25.0 or any newer patched version.
  2. Regularly Monitor Plugin Updates: Ensure plugins are always up to date to prevent vulnerabilities.
  3. Review the Official Wordfence Security Updates: Follow detailed guidance provided by WordPress security teams.

Patched versions can be found on the WordPress.org plugin page.

Key Takeaways

  1. Act Quickly: The vulnerabilities in Google Chrome and WordPress File Upload plugin can lead to severe consequences, including unauthorized access, data breaches, and service disruptions. Immediate action is necessary to mitigate risks.
  2. Stay Updated: Regularly updating software, browsers, and plugins is one of the most effective ways to defend against cyber threats.
  3. Follow Trusted Sources: Always rely on credible sources such as Google, WordPress, and CyberSecurity Malaysia for updates and advisories.
  4. Educate Yourself and Your Team: Awareness of such vulnerabilities and their potential impacts can help individuals and organizations build a proactive security posture.

Conclusion

Both Google and WordPress have acted swiftly to address these vulnerabilities, and now it’s up to users to ensure their systems and websites are secure. CyberSecurity Malaysia’s advisories serve as a crucial reminder of the need for consistent software updates and security monitoring.

By taking timely action, users and administrators can safeguard their digital assets and minimize the risk of exploitation.

Stay updated, stay protected!

The post CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe? appeared first on Cyble.

BadRAM: attack using malicious RAM module | Kaspersky official blog

Researchers from three European universities recently demonstrated the so-called BadRAM attack. This attack is made possible because of a vulnerability in AMD EPYC processors, and primarily threatens cloud-solution providers and virtualization systems. In the worst-case scenario, the vulnerability could be used to compromise data from highly secure virtual machines.

However, implementing this scenario in practice would be quite difficult. The attack requires physical access to the server, plus the highest level of access to the software. Before discussing the BadRAM attack in detail, we should first understand the concept of a trusted execution environment (TEE).

Features of TEE

Software errors are inevitable. Estimates from as early as the 1990s suggest that there are between one and 20 errors for every thousand lines of code. Some of these errors lead to vulnerabilities that malicious actors can exploit to access confidential information. Therefore, when certain data or computational processes (for example, processing private encryption keys) must be highly secure, it makes sense to isolate this data — or these processes — from the rest of the code. This is the essence of the trusted execution environment concept.

There are numerous TEE implementations designed for various tasks, each varying in the degree of security they provide. In AMD processors, TEE is implemented as Secure Encrypted Virtualization (SEV) — a technology that enhances the protection of virtual machines. It encrypts the data of a virtual system in memory so that other virtual systems — or even the operators of the physical server running these virtual OSs — can’t access it. Secure Nested Paging, a more recent extension of this technology, can detect unauthorized attempts to access virtual system data.

Consider the scenario where a financial institution uses third-party infrastructure to run its virtual systems. These virtual OSs process highly confidential data, and it’s essential to ensure their absolute security. While it’s possible to impose stringent requirements on the provider of the infrastructure, in some cases it’s easier to operate under the assumption that they can’t be fully trusted.

Secure Encrypted Virtualization, just like Intel’s similar Trusted Domain Extensions (TDX) technology, essentially uses a separate processor. Although it’s physically part of the server processor (Intel or AMD), it’s effectively isolated from the main processor cores. By participating in the data encryption process, this isolated module provides an additional layer of security.

Details of the BadRAM attack

Let’s return to the BadRAM attack. It bypasses the Secure Encrypted Virtualization protection and gains access to the encrypted data of a virtual system in such a way that the Secure Nested Paging technology is also unable to detect the breach. This video shows how a “malicious” application on a server can read data from a protected virtual machine running on the same server.

How does it work? The authors of the study used a very unusual attack method — modifying the hardware itself. Every computer has random access memory (RAM). Each memory module contains several chips for storing data, plus one service chip — known as the SPD. This chip announces the presence of the memory module in the system and transmits key parameters (such as the optimal operating frequency of the memory chips and their capacity) to the processor. It was precisely this information about the capacity that the researchers modified.

This is a rather paradoxical attack method. First, the attackers take a 32GB memory module; then, they re-flash the SPD chip, setting its capacity to twice that amount — 64GB. The processor trusts this information and tries to use the memory module as if its capacity was indeed 64GB. Under normal circumstances, this would quickly lead to freezes or other failures: some data blocks would simply overwrite others, and information from various applications would get corrupted. To prevent this, the researchers restricted write-access to the modified memory module for all processes except the target virtual system.

So what does this accomplish? If the processor thinks that the memory capacity is twice as large as it actually is, then each pair of virtual addresses maps to only one physical memory cell. This allows a scenario where a real memory area is simultaneously used by a protected virtual OS — and accessible to another, malicious, application. The latter won’t write to the memory cells, but can read what the virtual OS writes to them. This is precisely the scenario that AMD’s SEV technology is designed to prevent, but in this case it proves ineffective — both memory access protection and encryption are bypassed.

We’re glossing over many important details of the study, but the main takeaway is that this malicious memory module creates a situation where the supposedly highly-secure data of a virtual machine becomes accessible to an external application. Yes, this is an extremely complex attack — requiring physical access to the server in addition to “hacking” the server’s software to gain the highest access privileges. However, compare this to a previous study, where a similar result was achieved using an extremely expensive ($170,000) hardware device that intercepted data transmission between the processor and the memory module in real time.

In the BadRAM attack, the SPD chip is modified using a simple kit consisting of a microcomputer and readily available software costing around $10 in total. After modification, physical access to the server is no longer required, and all subsequent attack stages can be carried out remotely. In some memory modules, even remote rewriting of the SPD data may be possible.

Fortunately, the vulnerabilities exploited in this attack have been patched in firmware updates for AMD EPYC 3rd Gen and 4th Gen processors. The protection technology now includes a mechanism capable of detecting “malicious” memory modules. By the way, the researchers also tested Intel’s TDX technology, which appears to already have a similar RAM integrity-check in place, making attacks like BadRAM impossible.
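The address aliasing described above and the kind of write/read-back integrity check mentioned in the patch note, modelled in Python as an added example (not code from the Kaspersky post or from the BadRAM researchers); the cell counts, the probe values and the modulo model of dropped address bits are assumptions of this toy model.

```python
# Added example (not from the Kaspersky post or the BadRAM paper): a small
# model of a DIMM whose SPD over-reports capacity, and a write/read-back
# probe of the kind a firmware integrity check can use to detect it.
# Cell counts are arbitrary model sizes, not real module geometry.
from dataclasses import dataclass, field


@dataclass
class Dimm:
    """Memory module as seen by the controller.

    real_cells: cells the chips physically provide.
    spd_cells:  capacity announced by the SPD chip; a re-flashed SPD may
                claim more than real_cells (e.g. twice as much).
    """
    real_cells: int
    spd_cells: int
    cells: list = field(init=False, repr=False)

    def __post_init__(self):
        if self.spd_cells < self.real_cells:
            raise ValueError("model assumes the SPD never under-reports capacity")
        self.cells = [0] * self.real_cells

    def _physical(self, addr: int) -> int:
        # The controller addresses the full announced range; address bits
        # above the real capacity are not wired, so they are dropped and two
        # announced addresses land on the same physical cell.
        if not 0 <= addr < self.spd_cells:
            raise IndexError(f"address {addr} outside announced range")
        return addr % self.real_cells

    def write(self, addr: int, value: int) -> None:
        self.cells[self._physical(addr)] = value

    def read(self, addr: int) -> int:
        return self.cells[self._physical(addr)]


def alias_of(dimm: Dimm, addr: int):
    """Announced address that shares a cell with addr, or None if the module
    is honest (announced capacity equals real capacity)."""
    if dimm.spd_cells == dimm.real_cells:
        return None
    return (addr + dimm.real_cells) % dimm.spd_cells


def detect_aliasing(dimm: Dimm):
    """Boot-time probe: for each power-of-two stride below the announced
    capacity, write distinct values to address 0 and 0+stride and check
    whether the second write clobbered the first. Returns the smallest
    aliasing stride (the real capacity), or None if no alias is found."""
    stride = 1
    while stride < dimm.spd_cells:
        dimm.write(0, 0x11)
        dimm.write(stride, 0x22)
        if dimm.read(0) == 0x22:
            return stride
        stride <<= 1
    return None


def aliasing_report(real_cells: int, spd_cells: int) -> dict:
    """Whether a value written through one announced address is readable
    through its alias, plus what the integrity probe reports."""
    dimm = Dimm(real_cells, spd_cells)
    dimm.write(3, 0xAB)
    alias = alias_of(dimm, 3)
    exposed = alias is not None and dimm.read(alias) == 0xAB
    return {
        "alias_exposes_write": exposed,
        "detected_stride": detect_aliasing(dimm),
    }


if __name__ == "__main__":
    print("honest module:", aliasing_report(32, 32))
    print("SPD claims double:", aliasing_report(32, 64))
```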

The concept of a trusted execution environment is designed for work in highly hostile environments. We discussed a scenario where the owner of a virtual OS doesn’t trust the hosting provider. Even under such paranoid conditions, avoiding errors remains a significant challenge — as demonstrated by the BadRAM study. The authors generally argue that TEE system developers rely too heavily on the difficulty of extracting data from RAM, and illustrate how even the most sophisticated security systems can be bypassed using relatively simple means.

Kaspersky official blog – ​Read More

U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene

As China-backed threat groups have been linked to recent attacks on telecom networks, the U.S. Treasury and other high-value targets, one issue has become increasingly clear: Good cyber hygiene could have limited damage from many of the attacks. 

Organizations have little in the way of defenses against advanced persistent threats (APTs) exploiting unknown zero-day vulnerabilities – at least until there’s an available patch – but they can make it harder for those threat actors to move laterally once inside their network. 

No incident drives that point home more than one cited by Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, in a December 27 press briefing.

Admin Account Had Access to 100,000 Routers 

Many of the media questions focused on China’s infiltration of U.S. telecom networks. Neuberger noted that a ninth telecom service provider has now been identified as a victim. When asked for details, she noted one startling fact about one of the breaches: 

“in one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.” 

Lack of access controls gave the threat actors “broad and full access” to networks. “[W]e believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.” 

Neuberger expressed support for an FCC effort to mandate stronger telecom network security, and said she hopes it includes network segmentation. “Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained,” she said. 

An FCC vote on the new telecom security rules could come on January 15. 

Other important cybersecurity practices cited by Neuberger – and included in hardening guidance from the NSA and CISA – included: 

  • Improved configuration management 
  • Securing the management plane 
  • Better vulnerability management of networks 
  • Improved information sharing on incidents and techniques 

“The Chinese, you know, were very careful about their techniques,” Neuberger said. “They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely … that we will never know regarding the scope and scale of this.” 

Treasury Hack, Ivanti Zero-Day Exploits Attributed to China 

Other recent attacks attributed to China include the U.S. Treasury Department breach and an Ivanti zero-day exploit.

The Ivanti Connect Secure, Policy Secure and ZTA Gateways vulnerabilities – CVE-2025-0282 and CVE-2025-0283 – were added to CISA’s Known Exploited Vulnerabilities catalog on January 8, and CISA also published mitigation guidance for the vulnerabilities the same day. 

In response to the growing cyber threat from China, the Biden Administration is reportedly rushing out an executive order to harden federal networks against attacks. 

Cyber Hygiene Recommendations from Cyble 

Cyber hygiene also figures prominently in Cyble’s annual threat landscape report and an accompanying podcast, which will be released next week and will be available as a free Cyble research report.

In the podcast, Kaustubh Medhe, Cyble’s Vice President of Research and Cyber Threat Intelligence, noted that perimeter security products such as VPNs, firewalls, WAFs, and load balancers from Fortinet, Cisco, Ivanti, Palo Alto, Citrix, Barracuda and others are “being exploited for ransomware and data theft.

“What’s concerning is that the patching window for enterprises continues to shrink as ransomware gangs and APT groups are quick to weaponize and exploit zero-day vulnerabilities on a mass scale months before these vulnerabilities becoming public,” Medhe said. 

He listed a number of cybersecurity lapses that commonly lead to breaches and cyberattacks:

  • Local copies of sensitive data stored on end user systems and laptops 
  • Insecure file servers, network shares or cloud storage, with weak or non-existent access policies, exposed on the internet 
  • Lack of secure hardening configurations on endpoints, servers and IT infrastructure 
  • Lack of network segmentation, allowing lateral movement 
  • Inadequate protection of API keys, access tokens and passwords in public code repositories 
  • Weak or ineffective endpoint protection and anti-malware solutions, and failure to detect and prevent infostealer infections that lead to credential compromise and theft 
  • Weak endpoint and network-level monitoring controls to detect and prevent high-volume data exfiltration 
  • Security misconfigurations on internet-facing applications and servers and cloud infrastructure 
  • Weak API security settings, inadequate authentication, lack of proper input validation, absence of rate limiting, lack of API monitoring, and weak detection controls 
  • Poor security hygiene at third parties with access to sensitive data 

Conclusion 

Recent cyberattacks linked to Chinese APT groups strongly suggest that while not every cyberattack can be prevented – particularly those involving exploitation of unknown zero days – basic security practices like proper access control and permissions, network segmentation, and proper application, device and cloud configuration could go a long way toward limiting damage from attacks that do occur. 

The good news is that proper cyber hygiene often doesn’t cost anything more than the time to get it right. 

The post U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene appeared first on Cyble.

Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report

Overview 

This week’s ICS vulnerability report sheds light on multiple flaws detected between January 01, 2025, and January 07, 2025. The report offers crucial insights into the cybersecurity challenges faced by organizations. It draws attention to the vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA), which has issued multiple advisories highlighting the risks that need urgent mitigation.

CISA’s latest advisories target two specific vulnerabilities affecting a wide range of ICS devices and systems. These advisories are crucial, given that vulnerabilities in ICS systems can have serious consequences for the safety and efficiency of critical infrastructure. In total, 27 vulnerabilities were reported, affecting products from vendors such as ABB and Nedap Librix. These vulnerabilities span multiple series, including ASPECT-Enterprise, NEXUS, and MATRIX, as well as the Nedap Librix Ecoreader.

Several Common Weakness Enumerations (CWEs) have been identified across the affected products, including CWE-1287 (improper validation), CWE-552 (insufficient access control), CWE-770 (resource exhaustion), CWE-943 (improper validation of input), and CWE-521 (insufficient access control). These CWEs highlight recurring issues that undermine the security of critical systems, such as improper input validation and insufficient access control measures.

One of the more interesting aspects of these vulnerabilities is that 12 out of the 27 reported have publicly available proof-of-concept (PoC) exploits. This greatly increases the risk for organizations, as cybercriminals can easily leverage these exploits to target vulnerable systems, potentially resulting in severe damage.

Breakdown of the Weekly ICS Vulnerability Report 

The ICS vulnerabilities reported during the week are mostly categorized as critical, with a small proportion classified as high-severity. Critical vulnerabilities are those that have the potential to cause severe damage or compromise sensitive systems, while high-severity vulnerabilities still present cyber risks but may be less immediately impactful.

Among the affected vendors, ABB stands out with 26 vulnerabilities reported in its ASPECT-Enterprise, NEXUS, and MATRIX series products. The remainder of the vulnerabilities, one in total, was reported for Nedap Librix devices. The vulnerabilities reported by CISA affect a variety of critical infrastructure sectors, with a particularly high concentration in the Critical Manufacturing sector.

This sector, which plays an important role in national security and economic stability, accounted for 96.3% of the reported vulnerabilities, highlighting its importance and vulnerability. On the other hand, the Commercial Facilities sector reported just 3.7% of the vulnerabilities, reflecting comparatively lower exposure.

Recommendations for Mitigating ICS Vulnerabilities 

The CRIL report highlights the need for proactive measures to mitigate these vulnerabilities and enhance the overall security of ICS systems. Below are some key recommendations: 

  1. It is essential for organizations to stay on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation.

  2. Implementing a Zero-Trust Policy is crucial for minimizing exposure and ensuring that all internal and external network traffic is scrutinized and validated.

  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification is vital. Automating these processes can help maintain consistency and improve efficiency.

  4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets.

  5. Conducting regular vulnerability assessments and penetration testing can identify gaps in security that might be exploited by threat actors.

  6. Establishing and maintaining an incident response plan is vital. Organizations should ensure that the plan is tested and updated regularly to adapt to the latest threats.

  7. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion  

The ongoing vulnerabilities within Industrial Control Systems (ICS) pose cyber threats to critical infrastructure sectors, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. The ICS vulnerability report and advisories from CISA are crucial in helping organizations stay informed and address these risks proactively.  

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report appeared first on Cyble.

Do we still have to keep doing it like this?

Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start of the year (and indeed at any time of year). I listened to Wendy Nather.

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” I.e., why is security still so hard?

Wendy showed the InfoSec Research Council’s “Hard Problems” list from 2005. Any of these sound familiar?

  • Global scale identity management 
  • Insider threat 
  • Availability of time critical systems 
  • Building scalable secure systems 
  • Attack attribution and situational understanding 
  • Information provenance 
  • Security with privacy 
  • Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at it from a different way?

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. “People are your greatest asset, if you treat them that way.” 

I’m seeing a lot of “how to thrive in 2025!” posts right now. For anyone who isn’t ready for that, or tired of it all, I just want to say, I’m right there with you. But if you’re also feeling like it’s “new year, same problems”  perhaps there’s one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, for which Wendy is on the committee.

I’d thoroughly recommend checking out the full keynote, if only to see Wendy wielding a hammer in a moderately threatening manner.

The one big thing

Deliberately installing known vulnerable drivers in order to exploit them later is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

 Why do I care?  

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats – primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

So now what?  

There are a few things we can do to mitigate the risks and detect potential campaigns using the BYOVD technique. These include enforcing Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, which prevents the risks associated with legacy drivers. If blocking all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) driver blocklist is the recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog.

Top security headlines of the week   

  • CISA says there is ‘no indication’ of a wider government hack beyond the treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
  • FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading
  • Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

Can’t get enough Talos?  

  • Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

Upcoming events where you can find Talos     

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

Most prevalent malware files of the week


Cisco Talos Blog – ​Read More