Trusted-relationship cyberattacks and their prevention

The old saying, “A chain is only as strong as its weakest link”, directly applies to enterprise cybersecurity. Businesses these days often rely on dozens or even hundreds of suppliers and contractors, who, in turn, use the services and products of yet more contractors and suppliers. And when these chains involve not raw materials but complex IT products, ensuring their security becomes significantly more challenging. This fact is exploited by attackers, who compromise a link in the chain to reach its end — their main target. Accordingly, it’s essential for business leaders and the heads of IT and information security to understand the risks of supply-chain attacks in order to manage them effectively.

What is a supply-chain attack?

A supply-chain attack involves a malicious actor infiltrating an organization’s systems by compromising a trusted third-party software vendor or service provider. Types of this attack include the following:

  • Compromising well-known software developed by a supplier and used by the target organization (or multiple organizations). The software is modified to perform malicious tasks for the attacker. Once the next update is installed, the software will contain undeclared functionality that allows the organization to be compromised. Well-known examples of such attacks include the compromise of SolarWinds Orion and of 3CX. Last year, the largest attempt of this kind to date was discovered: the XZ Utils backdoor. Fortunately, it was unsuccessful.
  • Attackers find corporate accounts used by a service provider to work within the target organization’s systems. The attackers use these accounts to infiltrate the organization and carry out an attack. For example, the American retail giant Target was hacked through an account issued to an HVAC provider.
  • Attackers compromise a cloud provider or exploit the features of a cloud provider’s infrastructure to access the targeted organization’s data. The most high-profile case last year involved the compromise of more than 150 clients of the Snowflake cloud service, leading to the data leak of hundreds of millions of users of Ticketmaster, Santander Bank, AT&T, and others. Another large-scale, big-impact attack was the hack of the authentication service provider Okta.
  • Attackers exploit permissions delegated to a contractor in cloud systems, such as Office 365, to gain control over the target organization’s documents and correspondence.
  • Attackers compromise specialized devices belonging to or administered by a contractor, but connected to the target organization’s network. Examples include smart-office air-conditioning systems, and video surveillance systems. For example, building automation systems became a foothold for a cyberattack on telecom providers in Pakistan.
  • Attackers modify IT equipment purchased by the target organization, either by infecting pre-installed software or embedding hidden functionality into the devices’ firmware. Despite their complexity, such attacks have actually occurred in practice. Proven cases include Android device infections, and widely discussed server infections at the chip level.

All variations of this technique in the MITRE ATT&CK framework come under the name “Trusted Relationship” (T1199).

Benefits of supply-chain attacks for criminals

Supply-chain attacks offer several advantages for attackers. Firstly, compromising a supplier creates a uniquely stealthy and effective access channel — as demonstrated by the attack on SolarWinds Orion software, widely used in major U.S. corporations, and the compromise of Microsoft cloud systems, which led to email leaks from several U.S. government departments. For this reason, this type of attack is especially favored by criminals hunting for information. Secondly, the successful compromise of a single popular application or service instantly provides access to dozens, hundreds, or even thousands of organizations. Thus, this kind of attack also appeals to those motivated by financial gain, such as ransomware groups. One of the most high-profile breaches of this type was the attack on IT supplier Kaseya by the REvil group.

A tactical advantage (to criminals) of attacks exploiting trusted relationships lies in the practical consequences of this trust: the applications and IP addresses of the compromised supplier are more likely to be on allowlists, actions performed using accounts issued to the supplier are less frequently flagged as suspicious by monitoring centers, and so on.

Damage from supply-chain attacks

Contractors are usually compromised in targeted attacks carried out by highly motivated and skilled attackers. Such attackers are typically aiming to obtain either a large ransom or valuable information — and in either case, the victim will inevitably face long-term negative consequences.

These include the direct costs of investigating the incident and mitigating its impact, fines and expenses related to working with regulators, reputational damage, and potential compensation to clients. Operational disruptions caused by such attacks can also result in significant productivity losses, and threaten business continuity.

There are also cases that don’t technically qualify as supply-chain attacks — attacks on key technology providers within a specific industry — that nevertheless disrupt the supply chain. There were several examples of this in 2024 alone, the most striking being the cyberattack on Change Healthcare, a major company responsible for processing financial and insurance documents in the U.S. healthcare industry. Clients of Change Healthcare were not hacked, but while the compromised company spent a month restoring its systems, medical services in the U.S. were partially paralyzed, and it was recently revealed that confidential medical records of 100 million patients were exposed as a result of this attack. In this case, mass client dissatisfaction became a factor pressuring the company to pay the ransom.

Returning to the previously mentioned examples: Ticketmaster, which suffered a major data breach, faces several multi-billion-dollar lawsuits; criminals demanded $70 million to decrypt the data of victims of the Kaseya attack; and damage estimates from the SolarWinds attack range from $12 million per affected company to $100 billion in total.

Which teams and departments should be responsible for supply-chain-attack prevention?

While all the above may suggest that dealing with supply-chain attacks is entirely the responsibility of information security teams, in practice, minimizing these risks requires the coordinated efforts of multiple teams within the organization. Key departments that should be involved in this work include:

  • Information security: responsible for implementing security measures and monitoring compliance with them, conducting vulnerability assessments, and responding to incidents.
  • IT: ensures that the procedures and measures required by information security are followed when organizing contractors’ access to the organization’s infrastructure, uses monitoring tools to oversee compliance with these measures, and prevents the emergence of shadow or abandoned accounts and IT services.
  • Procurement and vendor management: should work with information security and other departments to include trust and corporate information-security compliance criteria in supplier selection processes. Should also regularly check that supplier evaluations meet these criteria and ensure ongoing compliance with security standards throughout the contract period.
  • Legal departments and risk management: ensure regulatory compliance and manage contractual obligations related to cybersecurity.
  • Board of directors: should promote a security culture within the organization, and allocate resources for implementing the above measures.

Measures for minimizing the risk of supply-chain attacks

Organizations should take comprehensive measures to reduce the risks associated with supply-chain attacks:

  • Thoroughly evaluate suppliers. It’s crucial to assess the security level of potential suppliers before beginning collaboration. This includes requesting a review of their cybersecurity policies, information about past incidents, and compliance with industry security standards. For software products and cloud services, it’s also recommended to collect data on vulnerabilities and pentests, and sometimes it’s advised to conduct dynamic application security testing (DAST).
  • Implement contractual security requirements. Contracts with suppliers should include specific information security requirements, such as regular security audits, compliance with your organization’s relevant security policies, and incident notification protocols.
  • Adopt preventive technological measures. The risk of serious damage from supplier compromise is significantly reduced if your organization implements security practices such as the principle of least privilege, zero trust, and mature identity management.
  • Organize monitoring. We recommend using XDR or MDR solutions for real-time infrastructure monitoring and detecting anomalies in software and network traffic.
  • Develop an incident response plan. It’s important to create a response plan that includes supply-chain attacks. The plan should ensure that breaches are quickly identified and contained — for example by disconnecting the supplier from company systems.
  • Collaborate with suppliers on security issues. It’s vital to work closely with suppliers to improve their security measures — such collaboration strengthens mutual trust and makes mutual protection a shared priority.
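The measures above (least privilege, no shadow or abandoned accounts, monitoring of supplier access) can be turned into a routine check over the directory and the contract register. The script below is an added example, not code from the original article: it audits contractor accounts for missing contracts, expired contracts, roles beyond what the contract grants, stale accounts, and logins from outside the contractor's allowlisted networks. The contract register, account export and login events are constructed sample data; field names such as `contractor` and `allowed_roles` are assumptions about how such a register might look.

```python
"""
Audit of third-party (contractor) accounts against the access each contract
actually grants. Added example, not from the original article; the contract
register, account export and login events below are constructed.
"""
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed contract register: which contractor may hold which roles,
# from which networks, and until when.
CONTRACTS = {
    "hvac-vendor": {
        "ends": date(2025, 3, 31),
        "allowed_roles": {"bms-readonly"},
        "allowed_networks": [ip_network("203.0.113.0/24")],
    },
    "msp-ops": {
        "ends": date(2024, 12, 31),  # contract already expired
        "allowed_roles": {"helpdesk"},
        "allowed_networks": [ip_network("198.51.100.0/24")],
    },
}

# Constructed directory export: one entry per contractor account.
ACCOUNTS = [
    {"user": "svc-hvac", "contractor": "hvac-vendor", "roles": {"bms-readonly"},
     "last_login": datetime(2025, 1, 9, 8, 12)},
    {"user": "svc-hvac-admin", "contractor": "hvac-vendor",
     "roles": {"bms-readonly", "domain-admin"},
     "last_login": datetime(2024, 6, 1, 9, 0)},
    {"user": "msp-tech1", "contractor": "msp-ops", "roles": {"helpdesk"},
     "last_login": datetime(2025, 1, 8, 22, 40)},
    {"user": "old-vendor", "contractor": "unknown-co", "roles": {"vpn"},
     "last_login": None},
]

# Constructed VPN login events: (user, source IP, timestamp).
LOGINS = [
    ("svc-hvac", "203.0.113.17", datetime(2025, 1, 9, 8, 12)),
    ("msp-tech1", "192.0.2.55", datetime(2025, 1, 8, 22, 40)),
]

TODAY = date(2025, 1, 10)  # fixed "today" so the run is reproducible


def audit_accounts(accounts, contracts, logins, today, stale_after=timedelta(days=90)):
    """Return a list of (user, finding) tuples. Findings:
    no-contract      - account maps to no known contract (shadow account)
    contract-expired - contract end date has passed but the account still exists
    excess-role      - account holds roles the contract does not grant
    stale            - never used, or unused for longer than `stale_after`
    off-network      - login from a source outside the contractor's allowed ranges
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        contract = contracts.get(acct["contractor"])
        if contract is None:
            findings.append((user, "no-contract"))
            continue
        if contract["ends"] < today:
            findings.append((user, "contract-expired"))
        extra = acct["roles"] - contract["allowed_roles"]
        if extra:
            findings.append((user, "excess-role:" + ",".join(sorted(extra))))
        last = acct["last_login"]
        if last is None or today - last.date() > stale_after:
            findings.append((user, "stale"))
    # Check each login source against the contractor's allowed networks.
    by_user = {a["user"]: a for a in accounts}
    for user, src, _ts in logins:
        acct = by_user.get(user)
        contract = contracts.get(acct["contractor"]) if acct else None
        if contract is None:
            continue  # already reported as no-contract above
        if not any(ip_address(src) in net for net in contract["allowed_networks"]):
            findings.append((user, "off-network:" + src))
    return findings


def run_audit():
    """Run the audit over the constructed data with the fixed TODAY."""
    return audit_accounts(ACCOUNTS, CONTRACTS, LOGINS, TODAY)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:16} {finding}")
```

Each finding maps to one of the measures in the list: "no-contract" and "contract-expired" are the shadow and abandoned accounts IT is asked to prevent, "excess-role" is a least-privilege violation, and "off-network" is the kind of anomaly monitoring should raise even when the account itself is legitimate.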

Deep technological integration throughout the supply chain affords companies unique competitive advantages, but simultaneously creates systemic risks. Understanding these risks is critically important for business leaders: attacks on trusted relationships and supply chains are a growing threat, entailing significant damage. Only by implementing preventive measures across the organization and approaching partnerships with suppliers and contractors strategically can companies reduce these risks and ensure the resilience of their business.

Kaspersky official blog – Read More

Inside the Active Threats of Ivanti’s Exploited Vulnerabilities


Threats, exploitation, and mitigation of Ivanti’s two critical actively exploited vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways.

Overview

On January 8, 2025, Ivanti disclosed two critical vulnerabilities—CVE-2025-0282 and CVE-2025-0283—affecting its Connect Secure, Policy Secure, and Neurons for ZTA Gateways. These vulnerabilities expose enterprises to unauthenticated remote code execution (RCE) and privilege escalation risks. While Ivanti has released patches to address these issues, threat actor exploitation, particularly of CVE-2025-0282, has prompted a global response.

This blog aims to provide detailed insights into these vulnerabilities and their exploitation, offering valuable guidance for mitigating risks.

A Closer Look at CVE-2025-0282 and CVE-2025-0283

CVE-2025-0282: Remote Code Execution

  • Type: Stack-based Buffer Overflow
  • Severity: Critical (CVSS Score: 9.0)
  • Impact: Enables unauthenticated attackers to execute arbitrary code remotely via the Ivanti Connect Secure appliance.
  • Affected Versions:
    • Ivanti Connect Secure: Versions prior to 22.7R2.5.
    • Ivanti Policy Secure: Versions prior to 22.7R1.2.
    • Ivanti Neurons for ZTA Gateways: Versions prior to 22.7R2.3.

This vulnerability is actively being exploited, primarily against Ivanti Connect Secure appliances exposed to the internet. Threat actors use it to achieve remote code execution, enabling deep infiltration into enterprise environments.

Exploitation Process

Threat actors have demonstrated sophisticated exploitation techniques, as observed by Mandiant. The process often includes:

  1. Identifying the Target Version: Repeated requests to the vulnerable appliance help attackers determine the firmware version.
  2. Disabling Security Mechanisms: Threat actors disable SELinux and block syslog forwarding to evade detection.
  3. Writing and Executing Malicious Scripts: Base64-encoded scripts are written to temporary directories and executed to deploy malware.
  4. Deploying Web Shells: These enable attackers to maintain remote access.
  5. Erasing Logs: Tools like sed are used to remove traces of exploitation from debug and application logs.

CVE-2025-0283: Privilege Escalation

  • Type: Stack-based Buffer Overflow
  • Severity: High (CVSS Score: 7.0)
  • Impact: Allows local authenticated attackers to escalate privileges.
  • Affected Versions: The same versions as CVE-2025-0282.

While CVE-2025-0283 has not been actively exploited, its potential to be chained with other vulnerabilities poses significant risks.

Mitigation

Ivanti released a patch for Connect Secure on January 8, and updates for Policy Secure and ZTA Gateways are slated for January 21.

Malware Deployment and Persistence

Initial attacks leveraged the vulnerability for remote code execution and to drop obfuscated webshell payloads onto compromised systems, according to Mandiant. These webshells enable persistent access and lateral movement within targeted networks.

Key IoCs Identified

  • Webshell Samples:
    • SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668
    • Decoded functionality allowed attackers to execute system commands remotely.

  • Attack Vectors:
    • Exploitation originated from anonymous VPN services and known malicious IP addresses.
    • Common suspicious usernames: SUPPORT87, SUPPOR817, and VPN.

  • Post-Exploitation Activities:
    • Unauthorized security policy modifications, including opening access from WAN to LAN.
    • Deletion of forensic evidence to obscure attack traces.

  • Geographic Patterns:
    • Concentrated attack origin in Europe, leveraging proxied IP addresses.

Key Threat Actor Activities

Mandiant has linked the exploitation campaign to China-affiliated groups, specifically UNC5337 and UNC5221, using malware families like SPAWN and PHASEJAM.

Here’s how these tools are weaponized:

  • SPAWN Family Components:
    • SPAWNMOLE: A tunneler that hijacks network connections to establish communication with command-and-control (C2) servers.
    • SPAWNSNAIL: An SSH backdoor enabling persistent access.
    • SPAWNSLOTH: A log-tampering utility that obfuscates traces of malicious activity.

  • PHASEJAM:
    • Inserts malicious web shells into Ivanti appliance files like getComponent.cgi.
    • Blocks legitimate system upgrades by modifying upgrade scripts.

Anti-Forensics Techniques

Threat actors erase critical logs, such as:

  • Kernel messages (dmesg).
  • State dumps and core dumps from crashes.
  • SELinux audit logs.

These actions complicate incident response and forensic investigations.

CISA, ACSC, and NCSC have classified CVE-2025-0282 as a critical vulnerability, emphasizing its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Their advisories stress that edge devices like VPNs are prime targets for attackers and require immediate patching.

Detection and Mitigation

Detection

Ivanti said, “Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix.”

Organizations are advised to use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise. However, ICT alone may not detect all malicious activity, especially if attackers have erased traces. Combining ICT results with endpoint detection and response (EDR) tools is crucial.
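One of the steps in the exploitation process described above is blocking syslog forwarding, and the anti-forensics section notes that logs are erased on the appliance itself. A log receiver can notice the first of these independently of the appliance: a device that still answers on the network but has stopped shipping logs deserves a ticket. The script below is an added example, not code from Cyble, Ivanti or Mandiant; the receiver records, reachability results and device inventory are constructed.

```python
"""
Gap detection on forwarded syslog from edge appliances. Added example, not
from the original post; receiver records, inventory and reachability probes
are constructed. The interesting finding is a device that is reachable but
has gone quiet, which is what blocked forwarding looks like from the outside.
"""
from datetime import datetime, timedelta

# Constructed syslog receiver records: (timestamp, device, message).
RECORDS = [
    ("2025-01-08T09:00:00", "vpn-gw-1", "web: login ok user=alice"),
    ("2025-01-08T09:00:00", "vpn-gw-2", "web: login ok user=bob"),
    ("2025-01-08T09:10:00", "vpn-gw-1", "web: login ok user=carol"),
    ("2025-01-08T09:10:00", "vpn-gw-2", "system: config change"),
    ("2025-01-08T09:20:00", "vpn-gw-1", "web: login ok user=dave"),
    # vpn-gw-2 sends nothing after 09:10 although it stays reachable.
    ("2025-01-08T09:30:00", "vpn-gw-1", "web: login ok user=erin"),
    ("2025-01-08T09:40:00", "vpn-gw-1", "web: login ok user=frank"),
]

# Constructed reachability probes taken at check time (e.g. TCP connect to the
# management port): device -> still answering.
REACHABLE = {"vpn-gw-1": True, "vpn-gw-2": True, "vpn-gw-3": False}

# Constructed inventory of appliances that are expected to forward logs.
INVENTORY = ["vpn-gw-1", "vpn-gw-2", "vpn-gw-3"]


def last_seen(records):
    """Latest timestamp per device in the forwarded stream."""
    seen = {}
    for ts, dev, _msg in records:
        t = datetime.fromisoformat(ts)
        if dev not in seen or t > seen[dev]:
            seen[dev] = t
    return seen


def find_silent_devices(records, inventory, reachable, now, max_gap=timedelta(minutes=15)):
    """Return {device: reason} for inventory devices whose stream has stopped.
    silent-but-reachable   - answers on the network, no logs for > max_gap
    silent-and-unreachable - no logs and no answer (likely down, not tampered)
    never-reported         - in inventory but no records at all
    """
    seen = last_seen(records)
    findings = {}
    for dev in inventory:
        if dev not in seen:
            findings[dev] = "never-reported"
            continue
        if now - seen[dev] > max_gap:
            if reachable.get(dev, False):
                findings[dev] = "silent-but-reachable"
            else:
                findings[dev] = "silent-and-unreachable"
    return findings


def run_check():
    """Evaluate the constructed data at a fixed check time."""
    now = datetime.fromisoformat("2025-01-08T09:45:00")
    return find_silent_devices(RECORDS, INVENTORY, REACHABLE, now)


if __name__ == "__main__":
    for dev, reason in sorted(run_check().items()):
        print(f"{dev}: {reason}")
```

The threshold should be set from each appliance's normal chattiness (a busy VPN gateway logs continuously; a quiet one may need a longer window or a periodic heartbeat message), and the check complements rather than replaces the ICT, because it only sees what never arrived, not what was deleted on the box.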

Mitigation

  1. Patch Systems:
    • Update to Ivanti’s patched firmware versions:
      • Connect Secure: 22.7R2.5
      • Policy Secure and ZTA Gateways: 22.7R2.5 (available by January 21, 2025)

  2. Reset Credentials:
    • Change all passwords for admin and user accounts, including VPN pre-shared keys.

  3. Reconfigure Security Policies:
    • Remove unauthorized rules allowing broad access.

  4. Monitor Network Activity:
    • Continuously monitor logs for unusual behavior or unauthorized access.

  5. Enforce Network Segmentation:
    • Restrict management interfaces to trusted internal IP addresses only.
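Step 1 is easier to act on when the asset inventory can be triaged mechanically. The script below is an added example, not Ivanti's or Cyble's code: it parses the appliance version scheme (for example `22.7R2.5`) into a comparable tuple and flags inventory entries older than the first unaffected build. The thresholds are the "versions prior to" values from the Affected Versions list earlier in this post and must be re-checked against the vendor advisory before use; the inventory is constructed.

```python
"""
Patch-status triage for appliance version strings. Added example, not vendor
code; FIXED_IN carries the affected-version thresholds from the post above
(verify against the advisory), and INVENTORY is constructed.
"""
import re

# First version NOT affected, per product, per the affected-versions list.
FIXED_IN = {
    "connect-secure": "22.7R2.5",
    "policy-secure": "22.7R1.2",
    "zta-gateway": "22.7R2.3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.5' into the tuple (22, 7, 2, 5) so that versions compare
    numerically. A missing trailing number ('22.7R2') is treated as .0.
    Raises ValueError for strings that do not follow the scheme."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product, version):
    """True when `version` is older than the first fixed build for `product`."""
    return parse_version(version) < parse_version(FIXED_IN[product])


# Constructed asset inventory: (hostname, product, reported version).
INVENTORY = [
    ("vpn-gw-1", "connect-secure", "22.7R2.3"),
    ("vpn-gw-2", "connect-secure", "22.7R2.5"),
    ("nac-1", "policy-secure", "22.7R1.2"),
    ("nac-2", "policy-secure", "22.6R1"),
    ("zta-1", "zta-gateway", "22.7R2.10"),
]


def triage(inventory):
    """Return hostnames still running an affected build, oldest version first."""
    hits = [(parse_version(v), host)
            for host, product, v in inventory if is_vulnerable(product, v)]
    return [host for _ver, host in sorted(hits)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("needs patch:", host)
```

The tuple comparison matters: comparing the raw strings would rank `22.7R2.10` below `22.7R2.3` and report a patched gateway as vulnerable, which is the kind of false negative or false positive that makes an inventory report untrustworthy.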

Key Agency Recommendations

  • CISA: Advocates for enhanced monitoring of ICS appliances and swift adoption of fixes.
  • ACSC: Warns against delayed patching, highlighting the potential for mass exploitation.
  • NCSC: Stresses the importance of layered defenses and regular security assessments.

Best Practices for Enhanced Security

Cyble emphasizes the importance of adopting a proactive security strategy. Key recommendations include:

  • Two-Factor Authentication (2FA): Enforce 2FA for all accounts to reduce the risk of unauthorized access.
  • Log Monitoring: Use SIEM solutions to track anomalies in real time.
  • Incident Response: Maintain a tested and updated incident response plan to mitigate the impact of breaches.
  • Limit External Exposure: Disable internet-facing management interfaces wherever possible.

References:

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways

https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog

https://www.ncsc.gov.uk/news/active-exploitation-ivanti-vulnerability

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-ivanti-connect-secure-ivanti-policy-secure-and-ivanti-neurons-zta-gateways

The post Inside the Active Threats of Ivanti’s Exploited Vulnerabilities appeared first on Cyble.

Blog – Cyble – Read More

CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe?


Google Chrome and WordPress users face high-severity security threats. CyberSecurity Malaysia advises immediate updates to prevent potential exploits and safeguard data.

Overview

CyberSecurity Malaysia has recently notified users of critical vulnerabilities in two widely used software platforms: Google Chrome and the WordPress File Upload plugin. If exploited, these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or cause disruptions.

Security updates have been issued, and users are strongly advised to apply these updates immediately to protect their systems.

This article provides an in-depth look at these vulnerabilities, their potential impacts, affected products, and recommended mitigation actions.

Google Chrome Security Update

Google has released security updates to address multiple vulnerabilities in the Chrome browser. These vulnerabilities have been categorized as high-severity risks and require immediate attention from users and administrators.

If successfully exploited, these vulnerabilities could enable attackers to:

  • Execute arbitrary code on the target system.
  • Escalate their privileges to gain unauthorized access.
  • Cause denial-of-service (DoS) attacks on affected ChromeOS devices.

These threats underscore the importance of keeping software updated to prevent exploitation.

One of the critical vulnerabilities addressed in this update is:

  • CVE-2025-0291 (High): A type confusion vulnerability in the V8 JavaScript engine. Type confusion occurs when a program accesses a resource using a type that is incompatible with the type the resource was allocated with, which can let attackers corrupt memory and execute malicious code.

Recommendations

CyberSecurity Malaysia advises all users and administrators to:

  1. Review the latest Google Chrome release notes.
  2. Update Chrome to the latest version without delay.
  3. Regularly check for updates to ensure their browser remains secure.

WordPress File Upload Plugin Vulnerability

WordPress has issued a critical security update to address a vulnerability in its File Upload plugin. This vulnerability, if exploited, could have severe consequences for WordPress websites, particularly those using outdated versions of the plugin.

The vulnerability could allow unauthenticated attackers to:

  • Execute remote code on the server.
  • Read arbitrary files, potentially exposing sensitive information.
  • Delete files, causing data loss and service disruptions.

With a high severity score of 9.8 on the CVSS scale, this vulnerability is categorized as critical and poses a significant threat to websites using the affected plugin.

Affected Products

  • WordPress File Upload Plugin: Versions 4.24.15 and below are affected.
  • Vulnerability Details:
    • CVE Identifier: CVE-2024-11613
    • Vulnerability Type: Improper Control of Code Generation (Code Injection).
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Researcher: Abrahack
    • Date of Public Disclosure: January 7, 2025

The vulnerability lies in the improper sanitization of the source parameter within the file wfu_file_downloader.php, which allows attackers to define their own directory paths. This flaw enables remote code execution, arbitrary file reading, and file deletion.
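The defect described here is a download handler that lets a request parameter choose the directory. The snippet below is an added example, not code from the plugin, from Wordfence or from CyberSecurity Malaysia; it shows the weak pattern beside the hardened check a download handler needs. The parameter name `source` is taken from the advisory text above; the function names and the throwaway directory layout are constructed.

```python
"""
Resolving a user-supplied file parameter against a fixed download root.
Added example, not the plugin's code. weak_resolve() shows the pattern that
lets '../' or an absolute path escape the root; safe_resolve() canonicalises
the result and refuses anything that does not stay inside the root.
"""
import os
import tempfile


def weak_resolve(root, source):
    """Weak: joins the parameter onto the root without checking where the
    result ends up. '../' sequences, absolute paths and symlinks all escape."""
    return os.path.join(root, source)


def safe_resolve(root, source):
    """Hardened: resolve symlinks and '..' first, then require the canonical
    result to lie strictly inside the canonical root. Returns the real path,
    or None when the request must be refused."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, source))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    if candidate == root_real:
        return None  # the root directory itself is not a downloadable file
    return candidate


def demo():
    """Build a throwaway tree and compare the two resolvers on the same inputs.
    Returns {label: (weak_result_escapes_root, safe_result_refused)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(root)
        with open(os.path.join(root, "report.pdf"), "w") as f:
            f.write("pdf")
        outside = os.path.join(tmp, "secret.txt")  # file outside the root
        with open(outside, "w") as f:
            f.write("s")
        os.symlink(outside, os.path.join(root, "link"))  # symlink pointing out

        cases = {
            "plain": "report.pdf",
            "dotdot": "../secret.txt",
            "absolute": outside,
            "symlink": "link",
            "dotdot-inside": "sub/../report.pdf",
        }
        root_real = os.path.realpath(root)
        results = {}
        for label, src in cases.items():
            weak = os.path.realpath(weak_resolve(root, src))
            weak_escapes = os.path.commonpath([root_real, weak]) != root_real
            results[label] = (weak_escapes, safe_resolve(root, src) is None)
        return results


if __name__ == "__main__":
    for label, (weak_escapes, refused) in demo().items():
        print(f"{label:14} weak escapes root: {weak_escapes!s:5} safe refuses: {refused}")
```

Two details carry the check: the comparison is done on `realpath` output, so a symlink placed inside the upload directory cannot point the handler elsewhere, and `commonpath` is used instead of a string prefix test, so a sibling directory such as `uploads2` is not mistaken for a child of `uploads`.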

Recommendations

To protect their websites, CyberSecurity Malaysia urges WordPress users and administrators to:

  1. Update the WordPress File Upload Plugin: Install version 4.25.0 or any newer patched version.
  2. Regularly Monitor Plugin Updates: Ensure plugins are always up to date to prevent vulnerabilities.
  3. Review the Official Wordfence Security Updates: Follow detailed guidance provided by WordPress security teams.

Patched versions can be found on the WordPress.org plugin page.

Key Takeaways

  1. Act Quickly: The vulnerabilities in Google Chrome and WordPress File Upload plugin can lead to severe consequences, including unauthorized access, data breaches, and service disruptions. Immediate action is necessary to mitigate risks.
  2. Stay Updated: Regularly updating software, browsers, and plugins is one of the most effective ways to defend against cyber threats.
  3. Follow Trusted Sources: Always rely on credible sources such as Google, WordPress, and CyberSecurity Malaysia for updates and advisories.
  4. Educate Yourself and Your Team: Awareness of such vulnerabilities and their potential impacts can help individuals and organizations build a proactive security posture.

Conclusion

Both Google and WordPress have acted swiftly to address these vulnerabilities, and now it’s up to users to ensure their systems and websites are secure. CyberSecurity Malaysia’s advisories serve as a crucial reminder of the need for consistent software updates and security monitoring.

By taking timely action, users and administrators can safeguard their digital assets and minimize the risk of exploitation.

Stay updated, stay protected!

The post CyberSecurity Malaysia Flags Major Threats in Chrome and WordPress – Are You Safe? appeared first on Cyble.

Blog – Cyble – Read More

BadRAM: attack using malicious RAM module | Kaspersky official blog

Researchers from three European universities recently demonstrated the so-called BadRAM attack. This attack is made possible because of a vulnerability in AMD EPYC processors, and primarily threatens cloud-solution providers and virtualization systems. In the worst-case scenario, the vulnerability could be used to compromise data from highly secure virtual machines.

However, implementing this scenario in practice would be quite difficult. The attack requires physical access to the server, plus the highest level of access to the software. Before discussing the BadRAM attack in detail, we should first understand the concept of a trusted execution environment (TEE).

Features of TEE

Software errors are inevitable. Estimates from as early as the 1990s suggest that there are between one and 20 errors for every thousand lines of code. Some of these errors lead to vulnerabilities that malicious actors can exploit to access confidential information. Therefore, when certain data or computational processes (for example, processing private encryption keys) must be highly secure, it makes sense to isolate this data — or these processes — from the rest of the code. This is the essence of the trusted execution environment concept.

There are numerous TEE implementations designed for various tasks, each varying in the degree of security they provide. In AMD processors, TEE is implemented as Secure Encrypted Virtualization (SEV) — a technology that enhances the protection of virtual machines. It encrypts the data of a virtual system in memory so that other virtual systems — or even the operators of the physical server running these virtual OSs — can’t access it. Secure Nested Paging, a more recent extension of this technology, can detect unauthorized attempts to access virtual system data.

Consider the scenario where a financial institution uses third-party infrastructure to run its virtual systems. These virtual OSs process highly confidential data, and it’s essential to ensure their absolute security. While it’s possible to impose stringent requirements on the provider of the infrastructure, in some cases it’s easier to operate under the assumption that they can’t be fully trusted.

Secure Encrypted Virtualization, just like Intel’s similar Trusted Domain Extensions (TDX) technology, essentially uses a separate processor. Although it’s physically part of the server processor (Intel or AMD), it’s effectively isolated from the main processor cores. By participating in the data encryption process, this isolated module provides an additional layer of security.

Details of the BadRAM attack

Let’s return to the BadRAM attack. It bypasses the Secure Encrypted Virtualization protection and gains access to the encrypted data of a virtual system in such a way that the Secure Nested Paging technology is also unable to detect the breach. This video shows how a “malicious” application on a server can read data from a protected virtual machine running on the same server.

How does it work? The authors of the study used a very unusual attack method — modifying the hardware itself. Every computer has random access memory (RAM). Each memory module contains several chips for storing data, plus one service chip — known as the SPD. This chip announces the presence of the memory module in the system and transmits key parameters (such as the optimal operating frequency of the memory chips and their capacity) to the processor. It was precisely this information about the capacity that the researchers modified.

This is a rather paradoxical attack method. First, the attackers take a 32GB memory module; then, they re-flash the SPD chip, setting its capacity to twice that amount — 64GB. The processor trusts this information and tries to use the memory module as if its capacity was indeed 64GB. Under normal circumstances, this would quickly lead to freezes or other failures: some data blocks would simply overwrite others, and information from various applications would get corrupted. To prevent this, the researchers restricted write-access to the modified memory module for all processes except the target virtual system.

So what does this accomplish? If the processor thinks that the memory capacity is twice as large as it actually is, then each pair of virtual addresses maps to only one physical memory cell. This allows a scenario where a real memory area is simultaneously used by a protected virtual OS — and accessible to another, malicious, application. The latter won’t write to the memory cells, but can read what the virtual OS writes to them. This is precisely the scenario that AMD’s SEV technology is designed to prevent, but in this case it proves ineffective — both memory access protection and encryption are bypassed.
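The aliasing described in the last two paragraphs can be modelled with a few lines, which also shows the kind of probe a platform can run to notice an over-reported capacity. The code below is an added example, not from the BadRAM researchers or from AMD: a small model of a module whose address decoder wraps at the real capacity, and an integrity probe that writes distinct markers across the advertised range and checks whether any two addresses turn out to be the same cell. Capacities and marker values are constructed.

```python
"""
Model of the address aliasing caused by an SPD chip that over-reports
capacity, plus an aliasing probe. Added example, not the researchers' code;
the "module" is a Python list standing in for DRAM and all sizes are constructed.
"""


class DimmModel:
    """A memory module with a real capacity and an SPD-advertised capacity.
    The decoder only has address lines for the real rows, so an address beyond
    the real capacity wraps: A and A + real_size select the same cell."""

    def __init__(self, real_size, advertised_size):
        if advertised_size < real_size:
            raise ValueError("this model only covers over-reported capacity")
        self.real_size = real_size
        self.advertised_size = advertised_size
        self._cells = [0] * real_size

    def _decode(self, addr):
        if not 0 <= addr < self.advertised_size:
            raise IndexError(f"address {addr} outside advertised range")
        return addr % self.real_size

    def write(self, addr, value):
        self._cells[self._decode(addr)] = value

    def read(self, addr):
        return self._cells[self._decode(addr)]


def aliases_found(dimm, stride=None):
    """Integrity probe: write a distinct marker to addresses spread across the
    advertised range, then read them back. If a read returns another probe's
    marker, the two addresses share a cell. Returns the (addr_a, addr_b) pairs
    found. (A real probe would save and restore the cells it touches.)"""
    stride = stride or max(1, dimm.advertised_size // 16)
    probes = list(range(0, dimm.advertised_size, stride))
    for i, addr in enumerate(probes):
        dimm.write(addr, 1000 + i)
    found = []
    for i, addr in enumerate(probes):
        seen = dimm.read(addr)
        if seen != 1000 + i:
            found.append((probes[seen - 1000], addr))
    return found


def demo():
    """Compare an honest module with one whose SPD claims double the size."""
    honest = DimmModel(real_size=32, advertised_size=32)
    lying = DimmModel(real_size=32, advertised_size=64)
    # A protected guest writes at address 5; another tenant reads 5 + real_size.
    lying.write(5, 0xDEAD)
    leaked = lying.read(5 + lying.real_size) == 0xDEAD
    return {
        "honest_aliases": aliases_found(honest),
        "lying_aliases": aliases_found(lying),
        "leaked_through_alias": leaked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the model the probe reports the eight probe addresses in the upper half that land on cells in the lower half, while the honest module reports none. The model deliberately leaves out encryption: the point of the study is that aliasing gives another tenant the same physical cell, so whatever protection is keyed on the physical address no longer separates the two.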

We’re glossing over many important details of the study, but the main takeaway is that this malicious memory module creates a situation where the supposedly highly-secure data of a virtual machine becomes accessible to an external application. Yes, this is an extremely complex attack — requiring physical access to the server in addition to “hacking” the server’s software to gain the highest access privileges. However, compare this to a previous study, where a similar result was achieved using an extremely expensive ($170,000) hardware device that intercepted data transmission between the processor and the memory module in real time.

In the BadRAM attack, the SPD chip is modified using a simple kit consisting of a microcomputer and readily available software costing around $10 in total. After modification, physical access to the server is no longer required, and all subsequent attack stages can be carried out remotely. In some memory modules, even remote rewriting of the SPD data may be possible.

Fortunately, the vulnerabilities exploited in this attack have been patched in firmware updates for AMD EPYC 3rd Gen and 4th Gen processors. The protection technology now includes a mechanism capable of detecting “malicious” memory modules. By the way, the researchers also tested Intel’s TDX technology, which appears to already have a similar RAM integrity-check in place, making attacks like BadRAM impossible.

The concept of a trusted execution environment is designed for work in highly hostile environments. We discussed a scenario where the owner of a virtual OS doesn’t trust the hosting provider. Even under such paranoid conditions, avoiding errors remains a significant challenge — as demonstrated by the BadRAM study. The authors generally argue that TEE system developers rely too heavily on the difficulty of extracting data from RAM, and illustrate how even the most sophisticated security systems can be bypassed using relatively simple means.

Kaspersky official blog – Read More

U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene


As China-backed threat groups have been linked to recent attacks on telecom networks, the U.S. Treasury and other high-value targets, one issue has become increasingly clear: Good cyber hygiene could have limited damage from many of the attacks. 

Organizations have little in the way of defenses against advanced persistent threats (APTs) exploiting unknown zero-day vulnerabilities – at least until there’s an available patch – but they can make it harder for those threat actors to move laterally once inside their network. 

No incident drives that point home more than one cited by Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, in a December 27 press briefing.

Admin Account Had Access to 100,000 Routers 

Many of the media questions focused on China’s infiltration of U.S. telecom networks. Neuberger noted that a ninth telecom service provider has now been identified as a victim. When asked for details, she noted one startling fact about one of the breaches: 

“in one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.” 

Lack of access controls gave the threat actors “broad and full access” to networks. “[W]e believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.” 

Neuberger expressed support for an FCC effort to mandate stronger telecom network security, and said she hopes it includes network segmentation. “Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained,” she said. 

An FCC vote on the new telecom security rules could come on January 15. 

Other important cybersecurity practices cited by Neuberger – and included in hardening guidance from the NSA and CISA – include:

  • Improved configuration management 
  • Securing the management plane 
  • Better vulnerability management of networks 
  • Improved information sharing on incidents and techniques 

“The Chinese, you know, were very careful about their techniques,” Neuberger said. “They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely … that we will never know regarding the scope and scale of this.” 

Treasury Hack, Ivanti Zero-Day Exploits Attributed to China 

Other recent attacks attributed to China include the U.S. Treasury Department breach and an Ivanti zero-day exploit.

The Ivanti Connect Secure, Policy Secure and ZTA Gateways vulnerabilities – CVE-2025-0282 and CVE-2025-0283 – were added to CISA’s Known Exploited Vulnerabilities catalog on January 8, and CISA also published mitigation guidance for the vulnerabilities the same day. 

In response to the growing cyber threat from China, the Biden Administration is reportedly rushing out an executive order to harden federal networks against attacks. 

Cyber Hygiene Recommendations from Cyble 

Cyber hygiene also figures prominently in Cyble’s annual threat landscape report and an accompanying podcast, which will be released next week and will be available as a free Cyble research report.

In the podcast, Kaustubh Medhe, Cyble’s Vice President of Research and Cyber Threat Intelligence, noted that perimeter security products such as VPNs, firewalls, WAFs, and load balancers from Fortinet, Cisco, Ivanti, Palo Alto, Citrix, Barracuda and others are “being exploited for ransomware and data theft.”

“What’s concerning is that the patching window for enterprises continues to shrink as ransomware gangs and APT groups are quick to weaponize and exploit zero-day vulnerabilities on a mass scale months before these vulnerabilities become public,” Medhe said.

He listed a number of cybersecurity lapses that commonly lead to breaches and cyberattacks:

  • Local copies of sensitive data stored on end user systems and laptops 
  • Insecure file servers, network shares or cloud storage, with weak or non-existent access policies, exposed on the internet 
  • Lack of secure hardening configurations on endpoints, servers and IT infrastructure 
  • Lack of network segmentation, allowing lateral movement 
  • Inadequate protection of API keys, access tokens and passwords in public code repositories 
  • Weak or ineffective endpoint protection and anti-malware solutions, and failure to detect and prevent infostealer infections that lead to credential compromise and theft 
  • Weak endpoint and network-level monitoring controls to detect and prevent high-volume data exfiltration 
  • Security misconfigurations on internet-facing applications and servers and cloud infrastructure 
  • Weak API security settings, inadequate authentication, lack of proper input validation, absence of rate limiting, lack of API monitoring, and weak detection controls 
  • Poor security hygiene at third parties with access to sensitive data 

Conclusion 

Recent cyberattacks linked to Chinese APT groups strongly suggest that while not every cyberattack can be prevented – particularly those involving exploitation of unknown zero days – basic security practices like proper access control and permissions, network segmentation, and proper application, device and cloud configuration could go a long way toward limiting damage from attacks that do occur. 

The good news is that proper cyber hygiene often doesn’t cost anything more than the time to get it right. 

The post U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene appeared first on Cyble.

Blog – Cyble – Read More

Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report

Cyble ICS Vulnerabilities

Overview 

This week’s ICS vulnerability report sheds light on multiple flaws detected between January 1 and January 7, 2025. The report offers crucial insights into the cybersecurity challenges faced by organizations. It draws attention to the vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA), which has issued multiple advisories highlighting the risks that need urgent mitigation.

CISA’s two latest advisories cover vulnerabilities affecting a range of ICS devices and systems. These advisories are crucial, given that vulnerabilities in ICS systems can have serious consequences for the safety and efficiency of critical infrastructure. In total, 27 vulnerabilities were reported, affecting products from ABB and Nedap Librix. These vulnerabilities span multiple series, including ASPECT-Enterprise, NEXUS, and MATRIX, as well as the Nedap Librix Ecoreader.

Several Common Weakness Enumerations (CWEs) have been identified across the affected products, including CWE-1287 (improper validation of specified type of input), CWE-552 (files or directories accessible to external parties), CWE-770 (allocation of resources without limits or throttling), CWE-943 (improper neutralization of special elements in data query logic), and CWE-521 (weak password requirements). These CWEs highlight recurring issues that undermine the security of critical systems: inadequate input validation, resource exhaustion, and weak access and credential controls.

One of the more interesting aspects of these vulnerabilities is that 12 out of the 27 reported have publicly available proof-of-concept (PoC) exploits. This greatly increases the risk for organizations, as cybercriminals can easily leverage these exploits to target vulnerable systems, potentially resulting in severe damage.

Breakdown of the Weekly ICS Vulnerability Report 

The ICS vulnerabilities reported during the week are mostly categorized as critical, with a small proportion classified as high-severity. Critical vulnerabilities are those that have the potential to cause severe damage or compromise sensitive systems, while high-severity vulnerabilities still present cyber risks but may be less immediately impactful.

Among the affected vendors, ABB stands out with 26 vulnerabilities reported in its ASPECT-Enterprise, NEXUS, and MATRIX series products. The remaining vulnerability was reported in the Nedap Librix Ecoreader. The vulnerabilities reported by CISA affect a variety of critical infrastructure sectors, with a particularly high concentration in the Critical Manufacturing sector.

This sector, which plays an important role in national security and economic stability, accounted for 96.3% of the reported vulnerabilities, highlighting its importance and vulnerability. On the other hand, the Commercial Facilities sector reported just 3.7% of the vulnerabilities, reflecting comparatively lower exposure.

Recommendations for Mitigating ICS Vulnerabilities 

The CRIL report highlights the need for proactive measures to mitigate these vulnerabilities and enhance the overall security of ICS systems. Below are some key recommendations: 

  1. It is essential for organizations to stay on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  2. Implementing a Zero-Trust Policy is crucial for minimizing exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification is vital. Automating these processes can help maintain consistency and improve efficiency. 

  4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  5. Conducting regular vulnerability assessments and penetration testing can identify gaps in security that might be exploited by threat actors. 

  6. Establishing and maintaining an incident response plan is vital. Organizations should ensure that the plan is tested and updated regularly to adapt to the latest threats. 

  7. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion  

The ongoing vulnerabilities within Industrial Control Systems (ICS) pose cyber threats to critical infrastructure sectors, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. The ICS vulnerability report and advisories from CISA are crucial in helping organizations stay informed and address these risks proactively.  

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report appeared first on Cyble.

Blog – Cyble – Read More

Do we still have to keep doing it like this?


Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start of the year (and indeed at any time of year). I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” i.e., why is security still so hard? 

Wendy showed a list of the InfoSec Research Council’s “Hard Problems” list of 2005. Any of these sound familiar? 

  • Global scale identity management 
  • Insider threat 
  • Availability of time critical systems 
  • Building scalable secure systems 
  • Attack attribution and situational understanding 
  • Information provenance 
  • Security with privacy 
  • Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at it from a different way? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. “People are your greatest asset, if you treat them that way.” 

I’m seeing a lot of “how to thrive in 2025!” posts right now. For anyone who isn’t ready for that, or tired of it all, I just want to say, I’m right there with you. But if you’re also feeling like it’s “new year, same problems”  perhaps there’s one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, on whose committee Wendy sits. 

I’d thoroughly recommend checking out the full keynote, if only to see Wendy wielding a hammer in a moderately threatening manner.

The one big thing

Attacks in which malicious actors deliberately install known vulnerable drivers, only to exploit them later, use a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

 Why do I care?  

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats – primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

So now what?  

There are a few things we can do to mitigate the risks and detect potential campaigns using the BYOVD technique. These include enforcing Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, which removes the risk associated with legacy drivers. If blocking all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) driver blocklist is the recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 
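The blocklist prevents known vulnerable drivers from loading at all; a detection-side complement is to triage driver-load telemetry for the pattern BYOVD leaves behind: a validly signed driver whose hash appears on a vulnerable-driver list, or a driver loaded from a user-writable path. The Python below is an added example, not Talos tooling. The Sysmon Event ID 6 (DriverLoad) records and the blocklist hashes are constructed for illustration, and the user-writable-path heuristic is one a practitioner would tune to their own fleet.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD indicators.

Added example, not Talos code. All hashes, paths and events below are
constructed for illustration and are not real indicators.
"""
import xml.etree.ElementTree as ET

# Hypothetical SHA-256 values standing in for a vulnerable-driver blocklist
# (in practice: the Microsoft recommended driver block rules or an equivalent
# feed). Constructed, not real indicators.
BLOCKLISTED_SHA256 = {"aa" * 32, "bb" * 32}

# Path fragments a legitimately installed driver should not be loaded from.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

BENIGN_HASH = "cc" * 32
BYOVD_HASH = "aa" * 32      # validly signed by a vendor, yet on the blocklist
UNSIGNED_HASH = "dd" * 32

# Constructed Sysmon Event ID 6 payloads (EventData element only).
SAMPLE_EVENTS = [
    rf"""<EventData>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\storport.sys</Data>
  <Data Name="Hashes">SHA256={BENIGN_HASH}</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">Microsoft Windows</Data>
  <Data Name="SignatureStatus">Valid</Data>
</EventData>""",
    rf"""<EventData>
  <Data Name="ImageLoaded">C:\Users\Public\Temp\legacy_util.sys</Data>
  <Data Name="Hashes">SHA256={BYOVD_HASH}</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">Example Hardware Vendor Ltd</Data>
  <Data Name="SignatureStatus">Valid</Data>
</EventData>""",
    rf"""<EventData>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\helper.sys</Data>
  <Data Name="Hashes">SHA256={UNSIGNED_HASH}</Data>
  <Data Name="Signed">false</Data>
  <Data Name="Signature"></Data>
  <Data Name="SignatureStatus">Unsigned</Data>
</EventData>""",
]


def parse_driver_load(xml_text):
    """Extract the fields the triage needs from one DriverLoad event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    hashes = {}
    for item in fields.get("Hashes", "").split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return {
        "image": fields.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", ""),
        "signed": fields.get("Signed", "").strip().lower() == "true",
        "signature": fields.get("Signature", ""),
        "status": fields.get("SignatureStatus", "").strip().lower(),
    }


def triage(event, blocklist=BLOCKLISTED_SHA256):
    """Return the findings for one parsed event; an empty list means clean."""
    findings = []
    if event["sha256"] in blocklist:
        findings.append("hash on vulnerable-driver blocklist")
    if not event["signed"] or event["status"] != "valid":
        findings.append("driver is not validly signed")
    image = event["image"].lower()
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        findings.append("driver image in a user-writable location")
    return findings


def triage_events(xml_events):
    """Map each driver path to its findings, keeping only events that have any."""
    results = {}
    for xml_text in xml_events:
        event = parse_driver_load(xml_text)
        found = triage(event)
        if found:
            results[event["image"]] = found
    return results


if __name__ == "__main__":
    for image, found in triage_events(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(found))
```

The second sample event is the one that matters: its signature is valid, so a signature-only check passes it, and only the hash match and the load path give it away. Where the blocklist is not enforced on a host, this kind of telemetry triage is the fallback.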

Top security headlines of the week   

  • CISA says there is ‘no indication’ of a wider government hack beyond the Treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
  • FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading
  • Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

Can’t get enough Talos?  

  • Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

Upcoming events where you can find Talos     

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

Most prevalent malware files of the week

SHA 256:
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256:
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86  

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
Typical Filename: endpoint.query  
Claimed Product: Endpoint-Collector  
Detection Name: W32.File.MalParent  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal:  https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: 873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 
MD5: d86808f6e519b5ce79b83b99dfb9294d  

VirusTotal: https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 
Typical Filename: n/a 
Claimed Product: n/a  
Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8  

Cisco Talos Blog – Read More

HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption

HexaLocker, Ransomware, Skuld Stealer

Key Takeaways

  • HexaLocker was first discovered in mid-2024, with version 2 introducing significant updates and enhanced functionalities.
  • HexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots.
  • The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption.
  • Unlike its predecessor, HexaLocker V2 exfiltrates victim files before encrypting them, following the double extortion method of data theft and file encryption.
  • HexaLocker V2 utilizes a combination of advanced encryption algorithms, including AES-GCM for string encryption, Argon2 for key derivation, and ChaCha20 for file encryption.
  • HexaLocker V2 replaces the TOXID communication method with a unique hash, enabling victims to communicate with the Threat Actors’ (TA’s) site. 

Executive Summary

On August 9th, the HexaLocker ransomware group announced a new Windows-based ransomware on their Telegram channel. The post highlighted that the ransomware was developed in the Go programming language and claimed that their team included members from notable groups like LAPSUS$ and others. Following this announcement, researchers from Synacktiv analyzed this ransomware variant and published their findings shortly after.

On October 21st, cybersecurity researcher PJ04857920 shared a post on X, revealing that the admin behind HexaLocker had decided to shut down the operation and put the ransomware’s source code and web panel up for sale based on information from the HexaLocker group’s Telegram channel.

Later, on December 12th, they provided another update on X, stating that the HexaLocker ransomware had been revived, with signs of ongoing development and activity. The Telegram post also mentioned that the upgraded version of HexaLocker would feature enhanced encryption algorithms, stronger encryption passwords, and new persistence mechanisms.

Cyble Research and Intelligence Labs (CRIL) came across a new version of the HexaLocker ransomware. Upon execution, it copies itself to the %appdata% directory, creates a run entry for persistence, encrypts files, and appends the “HexaLockerv2” extension to them.

Prior to encryption, the ransomware also steals the victim’s files and exfiltrates them to a remote server. Notably, in this new version, the ransomware downloads an open-source stealer named Skuld to collect sensitive information from the victim’s machine before encryption. The figure below shows the HexaLocker ransomware site used for communication with victims.

Figure 1 – Ransomware login page

Technical Details

Persistence

Upon execution, the HexaLocker ransomware creates a self-copy named “myapp.exe” in the “%appdata%\MyApp” directory and establishes persistence by adding an AutoRun entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value “MyAppAutostart”, ensuring the ransomware binary executes upon system reboot.

Figure 2 – AutoRun entry

Obfuscation

All string references, including the Stealer URL, file paths, folder names, environment variable names, WMIC commands, and ransom notes, are generated during runtime through multiple layers of AES-GCM decryption. This approach effectively obfuscates the strings, making them harder to detect by security solutions. In contrast, all strings in the previous version were statically visible.

Figure 3 – String decryption

Stealer

Prior to initiating the encryption process, the ransomware downloads a stealer binary, a Go-compiled program, from the URL hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe and executes it from the current directory. This stealer functionality was absent in the previous version of HexaLocker.

The downloaded stealer, identified as Skuld, is an open-source tool designed to target Windows systems and steal user data from various applications such as Discord, browsers, crypto wallets, and more.

Figure 4 – Skuld Stealer’s features

In this case, the TA has utilized only the browser module from the many available in the open-source Skuld Stealer. The image below shows function names corresponding only to the browser module from the Skuld project.

Figure 5 – Browser modules

The stealer collects various sensitive data stored by Chromium and Gecko-based browsers, such as cookies, saved credit card information, downloads, browsing history, and login credentials. Skuld Stealer targets the following web browsers in this campaign.

Gecko-based browsers: Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHaw, Pale Moon, Mercury

Chromium browsers: Chrome SxS, ChromePlus, 7Star, Chrome, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, Uran, Fenrir Inc, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, 360Browser, Maxthon3, K-Melon, CocCoc, BraveSoftware, Amigo, Torch, Sputnik, Edge, DCBrowser, YandexBrowser, UR Browser, Slimjet, Opera

The stolen data is compressed into a ZIP archive named ‘BrowsersData-*.zip’ and stored in the AppData\Local\Temp directory before being exfiltrated to the remote server “hxxps://hexalocker[.]xyz/upload.php”. The image below shows the console output of the stealer upon completing each stage.

Figure 6 – Stealer console output

Exfiltration

Upon executing the stealer payload, the ransomware exfiltrates the victims’ files by scanning all folders starting from “C:” to find files with extensions matching those listed in the table below. The identified files are compiled into a single ZIP archive named “data_*.zip”, stored in the “%localappdata%DataHexaLocker” directory, and subsequently transmitted to the attacker’s remote server via “hxxps[:]//hexalocker.xyz/receive.php”.

File types exfiltrated, by category:
Documents: .pdf, .doc, .docx, .rtf, .txt, .wps, .xls, .xlsx, .csv, .ppt, .pot, .xps, .xsd, .xml
Images: .jpg, .jpeg, .png, .bmp, .gif, .tif, .tiff, .ico, .jpe, .dib, .raw, .psd, .exr, .bay
Audio: .mp3, .wav, .wma, .m4a, .m4p, .flac, .aac, .amr, .ogg, .adp
Video: .mp4, .mkv, .avi, .mov, .wmv, .flv, .3gp, .m4v, .amv, .swf
Compressed files: .zip, .rar, .7z, .tar, .gz, .bz2, .cab, .iso, .lzh, .ace, .arj
Code and scripts: .php, .asp, .htm, .html, .js, .jsp, .css, .py, .java, .c, .cpp, .asm, .vbs, .cmd, .bat
Executable files: .exe, .msi, .dll, .apk, .lnk
Database files: .db, .dbf, .mdb, .sql, .odc, .odm, .pst, .mdf, .myi, .tab
3D/design files: .3ds, .dae, .stl, .max, .dwg, .dxf, .obj, .r3d, .kmz, .opt
Web/markup files: .html, .htm, .xml, .xsl, .rss, .cfm, .xsf
System/backup files: .bak, .cer, .crt, .pfx, .p12, .p7b, .log, .cfg, .ini, .lnk
Others: .sum, .sln, .dif, .dmg, .p7c, .opt, .sie, .key, .vob

Encryption

The ransomware generates a key and the salt needed for encryption and sends them to a remote server at “hxxps[:]//hexalocker.xyz/index[.]php,” along with host-specific details such as the IP address, computer name, and ID. This information is used to identify the victims and facilitate the recovery of the encrypted files.

Figure 7 – Victim’s details

Once the gathered information is transmitted to the attacker, HexaLocker proceeds to scan the “C:\Users\<username>” directory on the victim’s machine. It searches for files that match a specific set of extensions, as listed in the table below.

File types encrypted, by category:
Text documents: .txt, .doc, .odt, .rtf, .wps, .dot
Databases: .sql, .mdb, .dbf, .pdb, .mdf, .mdw, .myi
Spreadsheets: .xls, .ods, .csv, .xla, .xlw, .xlm, .xlt, .slk
Presentations: .ppt, .odp, .pps, .pot
Programming files: .cpp, .css, .php, .asp, .ini, .inc, .obj, .bat, .cmd, .vbs, .jsp, .asm, .cfm
Archives: .zip, .rar, .tar, .iso, .bz2, .cab, .lzh, .ace, .arj
Images: .jpg, .png, .bmp, .gif, .tif, .ico, .psd, .raw, .svg, .jpe, .dib, .iff, .dcm, .bay, .dcr, .nef, .orf, .r3d
Audio: .mp3, .mka, .m4a, .wav, .wma, .flv, .pls, .adp
Video: .mp4, .mkv, .avi, .mov, .wmv, .3gp, .m4v, .amv, .m4p, .vob, .mpv, .3g2, .f4v, .m1v
Web files: .htm, .html, .xml, .css, .js, .jsp, .rss
Executables: .exe, .jar, .msi, .dll
Scripts: .php, .asp, .vbs, .cmd, .bat
Backup/logs: .bak, .log
3D/CAD: .3ds, .dae, .dwg, .max, .geo
Compressed: .zip, .rar, .tar, .bz2, .gz
Configuration: .ini, .cfg, .xml
Emails: .msg, .oft, .pst, .dbx
Fonts: .ttf, .otf, .woff
Certificates: .crt, .cer, .pfx, .p12, .p7b, .p7c
Others: .lnk, .dat, .sum, .opt, .dic, .tbi, .xps, .key, .tab, .stm, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .opt

The ransomware reads the content of the original file and uses the ChaCha20 algorithm to encrypt the data. Once the encryption is complete, it creates a new file with the “.HexaLockerV2” extension and writes the encrypted content to this newly created file. The ransomware then proceeds to delete the original file using the os.Remove function, leaving only the encrypted file behind. The figure below shows the chacha20 encryption algorithm used by the ransomware binary.

Figure 8 – ChaCha20 algorithm
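The persistence and encryption behaviours above translate directly into host-side checks an incident responder can run: the Run value and the self-copy path are fixed, the encrypted files carry a fixed extension, and the original is deleted only after the encrypted copy is written, so a surviving original next to an encrypted copy points to an interrupted run. The Python below is an added example, not CRIL code; the Run-key export and the directory tree it inspects are constructed inline so it runs offline on any OS, and on a real host you would feed it the user’s Run key and profile directory instead.

```python
"""Host-side checks for the HexaLocker V2 behaviours described above.

Added example, not CRIL code. The registry export and the directory tree
are constructed inline so the script runs offline on any OS.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".HexaLockerV2"           # appended to every encrypted file
RUN_VALUE_NAME = "MyAppAutostart"         # Run value created for persistence
DROP_PATH_SUFFIX = "\\myapp\\myapp.exe"   # self-copy under %appdata%\MyApp

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "MyAppAutostart": r'"C:\Users\alice\AppData\Roaming\MyApp\myapp.exe"',
}


def suspicious_run_entries(run_values):
    """Return the names of Run values matching the described persistence.

    Match on either the value name or the dropped binary's path: an operator
    could rename the value, but the self-copy location is fixed in the sample.
    """
    hits = []
    for name, command in run_values.items():
        # Take the executable path out of a possibly quoted command line.
        exe = command.strip().strip('"').split('"')[0].lower()
        if name == RUN_VALUE_NAME or exe.endswith(DROP_PATH_SUFFIX):
            hits.append(name)
    return hits


def encrypted_files(root):
    """All files under root that carry the .HexaLockerV2 extension."""
    return sorted(str(p) for p in Path(root).rglob("*" + ENCRYPTED_EXT) if p.is_file())


def originals_missing(root):
    """Map each encrypted file to whether its original is gone.

    The ransomware writes <name>.HexaLockerV2 and then deletes <name> with
    os.Remove, so an original that still exists next to its encrypted copy
    is the trace of an interrupted run and is worth preserving as evidence.
    """
    return {enc: not os.path.exists(enc[: -len(ENCRYPTED_EXT)]) for enc in encrypted_files(root)}


def build_sample_tree():
    """Constructed user profile: two encrypted documents and one untouched file."""
    root = tempfile.mkdtemp(prefix="hexalocker-demo-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / ("report.docx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / "readme.md").write_text("extension not in the targeted list\n")
    return root


if __name__ == "__main__":
    print("persistence hits:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    root = build_sample_tree()
    for enc, gone in originals_missing(root).items():
        print(enc, "-> original deleted" if gone else "-> original still present")
```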

The figure below illustrates the files encrypted by the HexaLocker Ransomware, which have the “.HexaLockerV2” extension.

Figure 9 – User files after encryption

Finally, the ransomware displays a ransom note to the victim, instructing them to contact the TA through their communication channels, such as Signal, Telegram, and Web Chat, as shown below.

Figure 10 – Ransom note

The ransom note contains a unique personal hash, which the victim uses to communicate with the TA through a chat window provided by the attacker, as shown below.

Figure 11 – Web chat window

Conclusion

The new version of HexaLocker ransomware represents a significant upgrade, incorporating enhanced encryption logic and a customized stealer component. Developed in Go, the ransomware ships as a large, statically linked binary, which complicates static analysis and signature-based detection on endpoints.

Before initiating the encryption process, the ransomware employs the Skuld stealer to collect sensitive information from the victim’s machine. This strategic combination of the Skuld stealer and the ransomware highlights the continuous evolution and sophistication of the HexaLocker group, posing an ongoing threat to targeted systems.

The Yara rule to detect HexaLocker Version 2 is available for download from the linked Github repository.    

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures to Prevent Ransomware Attacks 

  • Regularly back up important files to offline or cloud storage, ensuring they are stored securely and not connected to the main network.
  • Enable automatic updates for your operating system, applications, and security software to ensure you receive the latest patches and security fixes.
  • Implement endpoint protection with reputable anti-virus and anti-malware software to detect and block potential ransomware threats.
  • Educate employees or users about phishing attacks and suspicious email links, which are common ransomware delivery methods.
  • Restrict user privileges and avoid running unnecessary services to minimize the attack surface, ensuring users only have access to the resources they need.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Procedure
Execution (TA0002) | User Execution (T1204.002) | User executes the ransomware file.
Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Adds a Run key entry for execution on reboot.
Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Ransomware decrypts strings using AES-GCM.
Discovery (TA0007) | File and Directory Discovery (T1083) | Ransomware enumerates folders for file encryption and file deletion.
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Stealer retrieves passwords from the browser Login Data store.
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Stealer steals browser cookies.
Collection (TA0009) | Archive via Utility (T1560.001) | Zip utility is used to compress the data before exfiltration.
Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Archives are sent to the attacker’s server.
Impact (TA0040) | Data Encrypted for Impact (T1486) | Ransomware encrypts files for extortion.

Indicators of Compromise (IOCs)

Indicator | Type | Description
8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 | SHA-256 | Skuld stealer
0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a | SHA-256 | HexaLocker V2
28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 | SHA-256 | HexaLocker V2
d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 | SHA-256 | HexaLocker V2
hxxps[:]//hexalocker[.]xyz/SGDYSRE67T43TVD6E5RD[.]exe | URL | Stealer download URL
hxxps[:]//hexalocker[.]xyz/upload[.]php | URL | Stealer exfiltration endpoint (browser data archive)
hxxps[:]//hexalocker[.]xyz/receive[.]php | URL | Ransomware exfiltration endpoint (victim file archive)
hxxps[:]//hexalocker[.]xyz/index[.]php | URL | Receives the encryption key, salt and host details

References

https://www.trellix.com/en-in/blogs/research/skuld-the-infostealer-that-speaks-golang

https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html

The post HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption appeared first on Cyble.

Blog – Cyble – Read More

How vulnerable Ecovacs robot vacuums are being hacked | Kaspersky official blog

Imagine: you get up in the night for a glass of water, walk across the unlit landing, when out of the darkness a voice starts yelling at you. Not nice, you’d surely agree. But that’s the new reality for owners of vulnerable robot vacuums, which can be commanded by hackers to turn from domestic servants into foul-mouthed louts. And that’s not all: hackers can also control the robot remotely and access its live camera feed.

The danger is clear and present: recently, cases of cyberhooligans hijacking vulnerable robot vacuums to prank people (and worse) have been seen in the wild. Read on for the details…

How a robot vacuum works

Let’s start with the fact that a modern robot vacuum is a full-fledged computer on wheels, usually running on Linux. It comes with a powerful multi-core ARM processor, a solid chunk of RAM, a capacious flash drive, Wi-Fi, and Bluetooth.

Schematic of a typical robot vacuum: today’s robot vacuum is a full-fledged computer on wheels

And of course, the modern robot vacuum has sensors everywhere: infrared, lidar, motion, camera (often several of each), and some models also have microphones for voice control.

Camera and microphones in the Ecovacs DEEBOT X1: the DEEBOT X1 has not only a camera, but an array of microphones

And naturally, all modern robot vacuums are permanently online and hooked up to the vendor’s cloud infrastructure. In most cases, they communicate aplenty with this cloud — uploading piles upon piles of data collected during operation.

Vulnerabilities in Ecovacs robot vacuums and lawn mowers

The first report of vulnerabilities in Ecovacs robot vacuums and lawnmowers surfaced in August 2024, when security researchers Dennis Giese (known for hacking a Xiaomi robot vacuum) and Braelynn Luedtke gave a talk at DEF CON 32 on reverse engineering and hacking Ecovacs robots.

[Image: Ecovacs GOAT G1 robot lawnmower] The Ecovacs GOAT G1 can also be equipped with GPS, LTE and a long-range Bluetooth module.

In their talk, Giese and Luedtke described several methods for hacking Ecovacs robot vacuums and the mobile app that owners use to control them. In particular, they found that a potential hacker could access the feed from the robot’s built-in camera and microphone.

This is possible for two reasons. First, if the app is used on an insecure network, attackers can intercept the authentication token and use it to talk to the robot themselves. Second, although in theory the PIN code set by the device owner protects the video feed, in practice it is checked only inside the app: anything that talks to the robot without going through the official app, whether a modified client or a direct request, never has to supply it, so the PIN can be bypassed altogether.

[Image: Attackers accessing the video feed from an Ecovacs robot vacuum] The PIN code for securing the video feed from an Ecovacs robot vacuum is verified on the app side, which makes the mechanism extremely vulnerable.
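The flaw above is a general one: an authorization check that lives only in the client protects nothing once an attacker holds the session token and skips the client. The following is an added illustration, not Ecovacs' code or protocol; it is a toy model in which the robot either trusts the app to have checked the PIN, or checks the PIN itself. Class and function names, the placeholder stream and the PIN values are all constructed for the example.

```python
"""Client-side vs robot-side PIN enforcement for a camera stream.

Added illustration, not Ecovacs' code or protocol: a toy model of the
design flaw described in the text. All names and values are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the live video feed.
STREAM = b"<camera frames>"


class VulnerableRobot:
    """Hands the stream to any caller presenting a valid session token.
    The PIN prompt exists only in the mobile app, so the robot never sees it."""

    def __init__(self):
        self.session_token = secrets.token_hex(16)

    def get_stream(self, token):
        if hmac.compare_digest(token, self.session_token):
            return STREAM
        return None


class VulnerableApp:
    """The official app checks the PIN locally, then fetches the stream."""

    def __init__(self, robot, owner_pin):
        self.robot = robot
        self.owner_pin = owner_pin

    def watch(self, token, pin):
        if pin != self.owner_pin:       # the only place the PIN is enforced
            return None
        return self.robot.get_stream(token)


class HardenedRobot:
    """The robot itself verifies the PIN: salted PBKDF2 hash, constant-time
    comparison, and a lockout after too many failures."""

    def __init__(self, owner_pin, max_attempts=5):
        self.session_token = secrets.token_hex(16)
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(owner_pin)
        self._failed = 0
        self.max_attempts = max_attempts

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def get_stream(self, token, pin):
        if not hmac.compare_digest(token, self.session_token):
            return None
        if self._failed >= self.max_attempts:
            return None                 # locked out; owner must reset
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            self._failed += 1
            return None
        self._failed = 0
        return STREAM


def token_theft_demo():
    """Attacker holds a sniffed session token but not the owner's PIN."""
    pin = "4321"
    vuln = VulnerableRobot()
    app = VulnerableApp(vuln, pin)
    stolen = vuln.session_token         # captured on an insecure network
    hard = HardenedRobot(pin)
    stolen_hard = hard.session_token
    return {
        # Going through the app with a wrong PIN is refused...
        "app_wrong_pin": app.watch(stolen, "0000"),
        # ...but talking to the robot directly skips the PIN entirely.
        "direct_no_pin": vuln.get_stream(stolen),
        "hardened_wrong_pin": hard.get_stream(stolen_hard, "0000"),
        "hardened_right_pin": hard.get_stream(stolen_hard, pin),
    }


def lockout_demo():
    """After max_attempts wrong PINs, even the correct PIN is refused."""
    pin = "4321"
    hard = HardenedRobot(pin, max_attempts=3)
    tok = hard.session_token
    for _ in range(3):
        hard.get_stream(tok, "0000")
    return hard.get_stream(tok, pin) is None


if __name__ == "__main__":
    print(token_theft_demo())
    print("locked out:", lockout_demo())
```

The hardened variant does not stop the token from being sniffed in the first place (that needs TLS with proper certificate validation on the app side); it limits what a stolen token is worth, which is the point of having a PIN at all.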

The researchers also managed to gain root access to the robot's operating system. They found that a malicious payload could be sent to the robot over Bluetooth, which in some Ecovacs models is switched on after a scheduled reboot and in others is on all the time. In theory, encryption should protect against this, but Ecovacs uses a static key that is the same for all devices, so a key extracted from any one unit works against every other.

Armed with this knowledge, an intruder can get root privileges in the operating system of any vulnerable Ecovacs robot and hack it at a distance of up to 50 meters (~165 feet) — which is precisely what the researchers did. As for robot lawnmowers, these models are hackable at more than 100 meters (~330 feet) away, since they’ve got more powerful Bluetooth capabilities.
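Why a single fleet-wide key is the real problem: the attacker only needs to dump it once, from a unit they own, and every other unit then accepts their payloads. The following is an added illustration, not Ecovacs' code; it models only the key-management point, using HMAC authentication of a Bluetooth command rather than encryption (the page speaks of encryption, and the same lesson applies). Serial numbers, the command string and all names are constructed.

```python
"""Static fleet-wide key vs per-device key for Bluetooth command payloads.

Added illustration, not Ecovacs' code. Models the key-management point
only; serials, commands and names are constructed for the example.
"""
import hashlib
import hmac
import os

TAG_LEN = 32


def derive_device_key(factory_master, serial):
    """Per-unit key derived at manufacturing. Only the derived key is
    flashed into the device; the factory master never leaves the factory."""
    return hmac.new(factory_master, b"ble-cmd|" + serial.encode(),
                    hashlib.sha256).digest()


def build_payload(key, target_serial, command):
    """Command plus a tag bound to the target serial, so a payload for one
    unit cannot be replayed verbatim on another."""
    tag = hmac.new(key, target_serial.encode() + b"|" + command,
                   hashlib.sha256).digest()
    return command + tag


class Robot:
    def __init__(self, serial, key):
        self.serial = serial
        self._key = key
        self.executed = []

    def handle_ble(self, payload):
        """Accept the command only if the tag verifies under this unit's key."""
        if len(payload) <= TAG_LEN:
            return False
        command, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self._key, self.serial.encode() + b"|" + command,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        self.executed.append(command)
        return True


def cross_device_attack(per_device_keys):
    """Attacker dumps the key from a unit they own (serial A) and tries to
    command a neighbour's unit (serial B). Returns (own_ok, neighbour_ok)."""
    factory_master = os.urandom(32)
    if per_device_keys:
        key_a = derive_device_key(factory_master, "A")
        key_b = derive_device_key(factory_master, "B")
    else:
        key_a = key_b = factory_master          # same static key in every unit
    a, b = Robot("A", key_a), Robot("B", key_b)
    leaked = key_a                              # read out of the attacker's own unit
    own = build_payload(leaked, "A", b"exec:/bin/sh -c id")
    forged = build_payload(leaked, "B", b"exec:/bin/sh -c id")
    return a.handle_ble(own), b.handle_ble(forged)


if __name__ == "__main__":
    print("static key:    ", cross_device_attack(per_device_keys=False))
    print("per-device key:", cross_device_attack(per_device_keys=True))
```

With the static key the forged payload for unit B is accepted; with per-device keys it is rejected. Per-device keys do not make the attacker's own unit safe (its key still sits in readable flash), but they turn a fleet-wide break into a single-device one, which is what stops the worm scenario described next.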

Add to that the fact that, as already mentioned, today's robot vacuums are full-fledged Linux-based computers, and you can see how attackers could use one infected robot to hack others nearby. In theory, hackers could even create a network worm that automatically infects robots anywhere in the world.

[Image: Bluetooth vulnerability could potentially be used to create a worm] The Bluetooth vulnerability in Ecovacs robots could lead to a chain of infection.

Giese and Luedtke informed Ecovacs about the vulnerabilities they found but received no response. According to the researchers, the company did try to close some of the holes, but with little success, and left the most serious vulnerabilities unaddressed.

How the Ecovacs robot vacuums were hacked for real

It appears that the DEF CON talk generated great interest in the hacker community, so much so that someone seems to have taken the attack a step further and deployed it against Ecovacs robot vacuums out in the real world. According to recent reports, owners in several U.S. cities have been hit by hackers and subjected to abuse from their own robots.

In one incident in Minnesota, an Ecovacs DEEBOT X2 started moving by itself and making strange noises. Alarmed, its owner went into the Ecovacs app and saw that someone was accessing the video feed and remote-control feature. Writing it off as a software glitch, he changed the password, rebooted the robot and sat down on the couch to watch TV with his wife and son.

But the robot kicked back into life almost straight away — this time emitting a continuous stream of racial slurs from its speakers. Not knowing what to do, the owner turned off the robot, took it into the garage and left it there. Despite this ordeal, he is grateful that the hackers made their presence so obvious. Far worse, he says, would have been if they’d simply secretly monitored his family through the robot without revealing themselves.

[Image: Video feed from an Ecovacs robot vacuum] Hijacking a live video feed of an Ecovacs robot vacuum.

In a similar case, this time in California, another Ecovacs DEEBOT X2 chased a dog around the house, again shouting obscenities. And a third case was reported from Texas, where, you guessed it, an Ecovacs robot vacuum went walkabout and hurled abuse at its owners.

The exact number of hacks of Ecovacs robot vacuums is unknown. One reason for this, alluded to above, is that the owners may not be aware of it: the hackers may be quietly observing their daily lives through the built-in camera.

How to guard against robot vacuum hacking?

The short answer is: you can’t. Unfortunately, there’s no universal method of protecting against robot vacuum hacking that covers all bases. For some models, in theory, there’s the option of hacking it yourself, getting root access, and unlinking the machine from the vendor’s cloud. But this is a complex and time-consuming procedure that the average owner won’t consider attempting.

A serious problem with IoT devices is that many vendors, sadly, still pay insufficient attention to security. And they often prefer to bury their heads in the sand — even declining to respond to researchers who helpfully report such issues.

To reduce the risks, do your own research on the security practices of the vendor in question before purchasing; some actually do a pretty good job of keeping their products safe. And, of course, always install firmware updates: new versions usually remove at least some of the vulnerabilities that hackers can exploit to gain control over your robot.

And remember that a robot connected to home Wi-Fi, if hacked, can become a launchpad for an attack on other devices connected to the same network — smartphones, computers, smart TVs, and so on. So it’s always a good idea to move IoT devices (in particular, robot vacuums) to a guest network, and install reliable protection on all devices where possible.
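What "move it to a guest network" has to mean in practice is that the IoT segment can reach the internet but cannot initiate connections into the trusted LAN. Many consumer routers' guest modes only isolate guest clients from each other, so it is worth checking. The following nftables ruleset is an added example, not from the page or from any vendor; the interface names lan0 (trusted LAN), iot0 (IoT/guest VLAN) and wan0 (uplink) are assumptions, and the weak rule is left commented out for comparison.

```nftables
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below.
        ct state established,related accept

        # Weak setting: a "guest" network that is still routed into the
        # trusted LAN, so a hijacked robot can reach phones, PCs and TVs.
        # iifname "iot0" oifname "lan0" accept

        # Corrected: the robot may reach the vendor cloud and nothing else;
        # the trusted side may still open connections to the robot.
        iifname "iot0" oifname "wan0" accept
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # Anything the robot tries to initiate toward the LAN is logged,
        # which doubles as a cheap indicator that a device has been hijacked.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan: " drop
    }
}
```

Because the trusted side is still allowed to open connections to iot0, the owner's phone can control the robot locally while the robot cannot scan or attack the LAN; the established,related rule lets the robot's replies back without letting it start anything itself.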


Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience


Overview 

On January 1, Lithuania marked a pivotal moment in its national defense strategy with the official launch of the Lithuanian Cyber Command (LTCYBERCOM). Spearheaded by the Ministry of National Defence, this new military unit aims to enhance the country’s cybersecurity posture while strengthening its collaboration with NATO and other international partners. 

A New Era in Cyber Defense with Lithuanian Cyber Command 

LTCYBERCOM is tasked with conducting cyberspace operations and managing strategic communications and information systems (CIS). Its creation reflects Lithuania’s recognition of the growing importance of cyberspace in modern warfare and national security. By consolidating cyber defense resources under one command, LTCYBERCOM ensures a unified and efficient approach to countering digital threats. 

The command structure includes: 

  • Command Headquarters: Responsible for planning and executing cyber operations. 

  • Lithuanian Great Hetman Kristupas Radvila Perkūnas CIS Battalion: Focused on delivering robust communication and information services. 

  • IT Service of the Cyber Defence Command: A revamped entity from the Ministry of National Defence’s former IT service. 

This restructuring consolidates Lithuania’s cyber capabilities, aligning them under the Cyber Command’s mandate. Some functions, however, remain with the National Cyber Security Centre and the Core Centre of State Telecommunications, ensuring seamless coordination across all levels of cyber defense. 

Strengthening National and Allied Defense 

Vice Minister of National Defence Tomas Godliauskas highlighted the importance of LTCYBERCOM in modern defense strategies. “The Lithuanian Cyber Command is critical as an enabler of military planning and action coordination in cyberspace. Strengthening cyber defense and effective cyber incident management are cornerstone steps in protecting against emerging threats and safeguarding national security,” he said.

The command also ensures interoperability with NATO’s cyber defense framework. As a NATO member since 2004, Lithuania has actively contributed to collective defense efforts. LTCYBERCOM will enhance Lithuania’s ability to respond to cyber threats while aligning its strategies with NATO’s broader objectives. 

Responding to Growing Cyber Threats 

Lithuania’s investment in cyber defense comes amid a surge in digital threats driven by geopolitical tensions. Cyberattacks, particularly from neighboring Russia, have targeted NATO allies, including Lithuania, with the goal of disrupting critical infrastructure and sowing division. 

A 2024 report from Google highlighted an uptick in Russian cyber operations against NATO nations, coinciding with Russia’s ongoing invasion of Ukraine. These attacks showcase the need for robust cyber defenses to protect not just national interests but also the stability of the NATO alliance. 

By establishing LTCYBERCOM, Lithuania is taking a proactive stance against these challenges. The new command will focus on preventing and mitigating cyber incidents, securing critical infrastructure, and ensuring rapid responses to digital threats. 

Complementary Roles of National Agencies 

While the Lithuanian Cyber Command assumes responsibility for military cyber operations, the National Cyber Security Centre under the Ministry of Defence continues to play a vital role in civilian cybersecurity. This year, the NCSC invited more than 500 organizations providing critical services to participate in the annual cybersecurity exercise “Cyber Shield”. In addition, all residents had the opportunity to deepen their knowledge in various cybersecurity training programs.

The center also provides incident response services, enhances resilience across government agencies, and supports critical sectors. Together, these entities form a comprehensive defense framework that addresses both military and civilian cybersecurity needs. 

Conclusion 

The legal foundation for LTCYBERCOM was laid in July 2024 when Lithuania’s Seimas approved amendments to the structure of the Armed Forces. This legislative milestone paved the way for the January inauguration, signaling Lithuania’s commitment to adapting its defense strategies for the digital age. 

Looking ahead, LTCYBERCOM is poised to become a cornerstone of Lithuania’s national defense strategy. With cyberattacks becoming an integral part of modern conflict, LTCYBERCOM equips Lithuania with the tools and strategies needed to safeguard its sovereignty and support its allies. By focusing on cyber capabilities, the country ensures its readiness to counter emerging threats while contributing to NATO’s collective security framework. 


The post Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience appeared first on Cyble.
