Overview

The digital world in Southeast Asia is evolving rapidly, with nations striving to balance innovation, inclusivity, and security. The recently held 5th ASEAN Digital Ministers’ Meeting (ADGMIN) in Bangkok, Thailand, marked a significant milestone in this journey. The meeting highlighted the importance of cybersecurity in shaping a resilient digital future for the region. The ASEAN Digital Masterplan 2025 (ADM 2025) continues to serve as a guiding framework for fostering collaboration, enabling trust in digital services, and promoting the safe and inclusive use of technology.

From addressing online scams to operationalizing the ASEAN Regional Computer Emergency Response Team (CERT) and advancing AI governance, the event showcased ASEAN’s commitment to fortifying its digital ecosystem against cyber threats. With an emphasis on collaboration and proactive measures, the meeting highlighted the pressing need to enhance cybersecurity frameworks, strengthen cross-border data governance, and address emerging challenges posed by technologies like generative AI.

Key Cybersecurity Highlights

1. ASEAN Regional CERT Operationalization: One of the significant milestones discussed was the operationalization of the ASEAN Regional Computer Emergency Response Team (CERT). This initiative aims to enhance collaboration among member states, facilitate real-time information sharing, and strengthen the region’s preparedness against cyberattacks. CERT’s operationalization highlights ASEAN’s focus on collective resilience in cyberspace.
2. Tackling Online Scams: Online scams remain a pressing issue across ASEAN. The ASEAN Working Group on Anti-Online Scams (WG-AS) released its Report on Online Scams Activities in ASEAN (2023–2024), offering insights into the threat landscape. The report outlines key recommendations for regional collaboration to combat scams effectively. The ASEAN Recommendations on Anti-Online Scams provide a framework for governments to develop policies aimed at mitigating online fraud, with a focus on cross-border scams and fraudulent activities exploiting digital platforms.
3. Promoting Responsible State Behavior in Cyberspace: ASEAN adopted the Checklist for Responsible State Behavior in Cyberspace, aligning with global norms to promote peace and security online. This initiative focuses on fostering cooperation and ensuring responsible use of digital tools while mitigating risks.
4. Strengthening Cross-Border Data Governance: Data governance was another key topic, with ASEAN showcasing its advancements in:
   • The ASEAN Model Contractual Clauses (MCCs) for trusted cross-border data flows.
   • The Operational Framework for Cross-Border Privacy Rules (CBPR) is used to align global privacy standards.
   • The ASEAN Guide on Data Anonymization enables innovative data use while ensuring privacy.

These efforts are designed to enhance trust in digital transactions and support regional and global interoperability.

5. Focus on Generative AI Governance: With the rapid adoption of generative AI, the newly expanded ASEAN Guide on AI Governance and Ethics emphasizes responsible AI deployment. Policy recommendations aim to address challenges like misinformation, biases, and cybersecurity vulnerabilities. This move positions ASEAN as a leader in ethical AI practices.

Resilient Digital Infrastructure

Cybersecurity also took the spotlight in discussions about protecting critical infrastructure:

• Submarine Cables: Recognizing their importance, ASEAN established a Working Group on Submarine Cables (WG-SC) to secure and enhance the resilience of this critical backbone of internet connectivity.
• Digital Identification Systems: Efforts to build strong digital ID systems were discussed, with ASEAN focusing on seamless, secure cross-border digital interactions.

Partnerships and Regional Collaboration

The 5th ASEAN Digital Ministers’ Meeting underscored the critical role of international partnerships in strengthening regional cybersecurity frameworks. Recognizing that cyber threats often transcend borders, ASEAN engaged dialogue partners, including China, Japan, and Russia, to deepen collaboration on cybersecurity challenges and solutions.

• China shared insights into its ongoing initiatives to fight cybercrime and protect critical infrastructure, offering opportunities for ASEAN member states to collaborate on knowledge sharing, threat intelligence, and best practices in cybersecurity.
• Japan emphasized its commitment to strengthening cybersecurity resilience across the Asia-Pacific, showcasing its advancements in secure digital infrastructure and its expertise in managing cross-border cyber risks. Through its partnership, Japan is also supporting ASEAN’s capacity-building programs to develop skilled cybersecurity professionals.
• Russia, leveraging its experience in battling cyberattacks and ransomware, highlighted the importance of establishing joint efforts for threat intelligence sharing and developing strategies to mitigate advanced persistent threats (APTs) targeting the region.

In addition to these collaborations, ASEAN reaffirmed its collective efforts to address specific threats, such as SIM card-related fraud and cross-border scams, which have been on the rise across member states.

The meeting also opened doors for expanding technical cooperation and joint training exercises, enabling member states and dialogue partners to boost their collective defense mechanisms.

By welcoming input from global players and tackling region-specific issues, ASEAN demonstrated its commitment to promoting a unified, secure digital future while strengthening its presence on the global cybersecurity stage. These partnerships are vital in ensuring that the region remains resilient in the face of evolving cyber threats and continues to thrive in its digital transformation journey.

Closing thoughts

The Bangkok Digital Declaration reaffirmed ASEAN’s focus on cybersecurity as a foundation for innovation and inclusivity. With the final review of the ASEAN Digital Masterplan 2025 (ADM 2025) underway, the groundwork is being laid for the next phase of ASEAN’s digital transformation.

By prioritizing cybersecurity and fostering collaboration, ASEAN is positioning itself as a global leader in building a secure and innovative digital ecosystem. The region’s progress at the ADGMIN meeting reflects its determination to address emerging challenges and unlock the potential of a truly connected digital future.

Source: https://asean.org/wp-content/uploads/2025/01/15-ENDORSED-JOINT-MEDIA-STATEMENT-5th-ADGSOM-v2-Cleaned.pdf

https://asean.org/joint-media-statement-of-the-5th-asean-digital-ministers-meeting-and-related-meetings

The post United Against Cybercrime: ASEAN Ministers Forge New Security Pathways appeared first on Cyble.

Blog – Cyble – ​Read More

Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs). 

The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People’s Republic of China (PRC). 

The Ivanti CSA Exploit Chains 

CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains, first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability. 

The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers. 

The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0. 

The First Exploit Chain 

In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code, which in some of the attacks consisted of base64-encoded Python scripts that harvested encrypted admin credentials from the database. 

The TAs used the credentials to log in and leverage CVE-2024-9380 to execute commands from a privileged account, using a GET request sent to /gsb/reports[.]php and a POST request using the TW_ID input field to implant web shells for persistence. 

The Second Exploit Chain 

The agencies cited just one confirmed compromise using the CVE-2024-9379 SQL injection vulnerability. 

The TAs used GET /client/index.php%3f.php/gsb/broker.php for initial access, then used CVE-2024-9379 to try to create a web shell by sending GET and POST requests to /client/index.php%3F.php/gsb/broker.php. 

The POST body used this string in the lockout attempts input box: 

LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES (”’echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k”’, NOW(), 10) 

The LOCKOUTATTEMPTS command was handled properly by the application, but the SQL injection portion was not. Nonetheless, the application processed both commands, and the TAs were able to add a user to the user_info table. 

After they inserted valid bash code into the user_info table, the threat actors tried to log in as the user, possibly hoping the application would handle the bash code improperly. Instead of evaluating the validity of the login, the application ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as code. 

“The threat actors repeated the process of echo commands until they built a valid web shell,” FBI and CISA said. “However, there were no observations that the threat actors were successful.” 

Detecting Ivanti CSA Attacks 

Three of the victim organizations were able to rapidly detect the malicious activity and replaced affected virtual machines with clean versions. 

In one of the cases, an admin detected creation of suspicious accounts. Admin credentials were likely exfiltrated in that case, but there were no signs of lateral movement. 

A second organization had an endpoint protection platform (EPP) that detected when the TAs executed base64 encoded script to create webshells. 

A third organization used IoCs from the first two to detect malicious activity such as the download and deployment of Obelisk and GoGo Scanner, which generated logs that were used to further detect malicious activity. 

Ivanti CSA Mitigations 

The CISA and FBI advisory also contains IoCs and incident response and mitigation recommendations. The agencies noted that “Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.” 

In addition to updating to the latest supported version of CSA, the mitigations generally follow security best practices: 

• Install endpoint detection and response (EDR) on the system 
• Establish a baseline and maintain detailed logs of network traffic, account behavior, and software 
• Keep operating systems, software, and firmware up to date with timely patching, which the advisory said is “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure, and known exploited vulnerabilities in internet-facing systems should be prioritized. 
• Properly secure remote access tools with application controls and allowlisting to block unlisted applications from executing 
• Limit the use of remote desktop protocol (RDP) and other remote desktop services, and rigorously apply best practices if the services are essential 

Conclusion 

Like many joint advisories from CISA and the FBI, the Ivanti CSA advisory offers good insight into threat actor behavior and IoCs and gives organizations practical, cost-effective steps organizations can take to better secure themselves. 

Cyble’s vulnerability management service can help organizations accelerate the critical process of detecting and prioritizing internet-facing vulnerabilities as part of its top-rated, AI-powered threat intelligence platform. 

The post Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks  appeared first on Cyble.

Blog – Cyble – ​Read More

• Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as “poisoning”) in the second half of 2024.
• Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
• Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

Introduction to hidden text salting

Hidden text salting (or “poisoning”) is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

Technical explanation

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

The HTML source of the above email is shown below. The <style> tag is used to define style information for an email via CSS. Inside the <style> element, one can specify how HTML elements should render in a browser or email client. The <style> element must be included inside the <head> section of the document. In this example, threat actors have set the display property to inline-block. When inline-block is used instead of inline, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the overflow property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the LANG field of Microsoft’s X-Forefront-Antispam-Report anti-spam header. The LANG field specifies the language in which the message was written, and the X-Forefront-Antispam-Report header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft’s cloud-based filtering service.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the display property of the div element to hide the French words, thus confusing the language detection module of Microsoft.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

Mitigation

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

Advanced filtering techniques: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., “visibility: hidden”) and display (e.g., “display: none”) that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

Relying on visual features: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

Protection

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the content of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.  

Cisco Talos Blog – ​Read More

Overview 

Government entities and organizations in Ukraine are on high alert after the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a social engineering campaign targeting unsuspecting users with malicious AnyDesk requests.    

The attackers are impersonating CERT-UA, a legitimate government agency, to trick victims into granting remote access to their computers using AnyDesk, a popular remote desktop application.    

Here’s a breakdown of the attack and how to stay safe: 

Deceptive Tactics 

• Impersonation: Attackers are using the CERT-UA name, logo, and even a specific AnyDesk ID (1518341498, though this may change) to establish trust with potential victims.    
• Pretext for Access: The attackers claim to be conducting a “security audit” to check the level of protection on the target’s device.    

CERT-UA’s Clarification 

CERT-UA has confirmed that it may use remote access tools like AnyDesk in specific situations. However, they emphasize that such actions only occur “with prior approval” established through official communication channels. 

Indicators of Compromise 

• Unsolicited AnyDesk connection requests, particularly those mentioning a security audit.    
• AnyDesk requests from users named “CERT-UA” or with the AnyDesk ID 1518341498 (be wary of variations).    

Recommendations to Stay Safe 

• Be Wary of Unsolicited Requests: Never grant remote access to your device unless you have initiated the request and can confirm the identity of the person on the other end. 
• Multi-Factor Authentication: Enable multi-factor authentication on any remote access software you use for an extra layer of security. 
• Verification is Key: If you’re unsure about the legitimacy of a remote access request, contact the organization the requester claims to represent through a verified communication channel (e.g., phone number from the official website). 
• Only Use When Needed: Disable remote access software when not in use to minimize the attack surface. 
• Report Suspicious Activity: If you encounter a suspicious AnyDesk request claiming to be from CERT-UA, report it to the agency immediately. 

By following these steps, you can significantly reduce the risk of falling victim to this impersonation attempt and protect your devices from unauthorized access. 

By staying informed about common social engineering tactics and implementing strong security practices, especially during these times of heightened geopolitical tensions, you can make it significantly harder for attackers to gain a foothold in your systems. 

References: 

https://cert.gov.ua/article/6282069

The post CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits”   appeared first on Cyble.

Blog – Cyble – ​Read More

Lost documents, stolen code, exposed customer data, and a falling stock price are all common consequences of just one click on a ransomware file. To avoid this problem, you need proper security tools and, most importantly, knowledge of how ransomware attacks are carried out. 

This quick guide will explain how ransomware works and the simple steps you can take to protect your business.

What is ransomware

Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money (ransom) is paid. It typically encrypts the victim’s files, making them inaccessible, and demands payment to provide the decryption key. The ransom demands can range from hundreds to thousands of dollars, often paid in cryptocurrencies like Bitcoin to maintain anonymity.

What is double extortion ransomware

Double extortion is a technique where attackers not only encrypt the victim’s data but also exfiltrate (steal) it. They threaten to leak the stolen data publicly if the ransom is not paid, adding an additional layer of pressure on the victim to comply. 

This technique increases the likelihood of payment, as victims face both data loss and potential reputational damage or legal consequences from data breaches.

Why your company may become a target of ransomware

The chance of your company to become a potential target of ransomware depends on several factors:

• Size and Industry: Larger organizations and those in critical industries like healthcare, finance, and government are often targeted due to their sensitive data and higher likelihood of paying substantial ransoms.
• Cybersecurity Posture: Companies with weak or outdated cybersecurity measures are more vulnerable. This includes lack of regular software updates, inadequate backup strategies, and insufficient employee training on cybersecurity best practices.
• Data Value: Organizations that handle valuable or sensitive data, such as personal information, intellectual property, or confidential business data, are more attractive targets.
• Public Profile: High-profile companies or those with a significant public presence may be targeted for the potential reputational damage that a data breach could cause.
• Previous Incidents: Companies that have experienced cybersecurity incidents in the past may be seen as easier targets, especially if they have not adequately addressed the vulnerabilities that led to the previous attacks.

How criminals prepare and deliver ransomware 

Setup process

Most criminals use ready-made ransomware-as-a-service builders to create and configure their malware. These builders allow them to specify various parameters of the ransomware, such as the ransom message, amount, and Bitcoin address for payment.

Consider the Chaos ransomware, which provides a builder that allows the operator to set up their custom variant of the malware by clicking a few buttons.

View analysis of the Chaos builder

To safely examine the Chaos builder and its executable, we need to upload it to a cloud sandbox like ANY.RUN.

As shown by Nico Knows Tech in this YouTube video, attackers can configure their Chaos build to choose the ransom message and amount, as well as set the extension for the encrypted files.

As a means of disguise, attackers can change the logo of the main malicious executable file to a PDF one. Coupled with the hidden extension, this can trick users into opening it, thinking it is a standard document.

To avoid detection by antivirus and other security solutions, the builder makes it possible to enable deleting shadow copies, disabling system recovery, and overwriting files to make them unrecoverable.

Delivery

After this quick setup process, the criminals are ready to distribute the ransomware among their targets. There are many delivery methods, but here are three common ones:

• Emails that include malicious file attachments, such as PDFs or Word documents, which execute ransomware when opened.
• Emails that contain links to compromised websites or malicious downloads, manipulating users into downloading and executing ransomware.
• Malicious advertisements on websites like Google that redirect users to sites hosting ransomware.

A Ransomware Attack Example: Lynx

Let’s now see what happens once the malware file arrives at the target’s system.

For this, we can take a look at the Lynx ransomware, which was recently reviewed by PC Security Channel. 

The operators behind this threat maintain a public website containing a list of their victims along with samples of stolen documents. One of the latest cases was a large electricity provider from Romania, Electric Group, that serves over 3.8 million people.

Thanks to ANY.RUN’s Interactive Sandbox, we can study the entire chain of attack and see exactly how this threat operates in a safe virtual environment.

View sandbox analysis of Lynx

As soon as we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the malware begins encrypting files on the system and changing their extension to .LYNX.

It also drops a ransom note and replaces the desktop wallpaper with the ransom text, which contains a link to a TOR site via which the attackers expect the victim to contact them. 

ANY.RUN’s interactivity lets us manually open the README.txt dropped by Lynx to see the message.

The ANY.RUN sandbox detects all the malicious activities performed by Lynx and marks them with signatures.

The sandbox also generates a comprehensive report on the analyzed threat sample that can be shared with all the stakeholders in the company.

How Sandboxing Helps Businesses Prevent Ransomware Attacks

As demonstrated by the Lynx analysis, sandbox tools like ANY.RUN provide you with a safe, secure, and private environment for detonating and exploring all the suspicious files and URLs you may come across in your day-to-day activities.

Whether it is a phishing email, an unusual executable, or an office document asking you to enable macros, uploading these to ANY.RUN’s Interactive Sandbox is the best course of action you can take to check these files for any possible threat and quickly make a decision on whether to engage with them further on your own system.

More than 500,000 security professionals use ANY.RUN for proactive analysis to:

• Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
• Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
• Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
• Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
• Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
• Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.

Conclusion

Taking proactive measures to understand and mitigate ransomware threats is vital for business security. Tools like ANY.RUN’s Interactive Sandbox offer a fast, simple, and effective solution for analyzing potential threats, enabling businesses to prevent attacks from compromising their infrastructure. By integrating such tools into your security strategy, you can enhance your cybersecurity posture and protect your business from the far-reaching consequences of ransomware attacks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More