United Against Cybercrime: ASEAN Ministers Forge New Security Pathways

Cyble United Against Cybercrime: ASEAN Ministers Forge New Security Pathways

Overview

The digital world in Southeast Asia is evolving rapidly, with nations striving to balance innovation, inclusivity, and security. The recently held 5th ASEAN Digital Ministers’ Meeting (ADGMIN) in Bangkok, Thailand, marked a significant milestone in this journey. The meeting highlighted the importance of cybersecurity in shaping a resilient digital future for the region. The ASEAN Digital Masterplan 2025 (ADM 2025) continues to serve as a guiding framework for fostering collaboration, enabling trust in digital services, and promoting the safe and inclusive use of technology.

From addressing online scams to operationalizing the ASEAN Regional Computer Emergency Response Team (CERT) and advancing AI governance, the event showcased ASEAN’s commitment to fortifying its digital ecosystem against cyber threats. With an emphasis on collaboration and proactive measures, the meeting highlighted the pressing need to enhance cybersecurity frameworks, strengthen cross-border data governance, and address emerging challenges posed by technologies like generative AI.

Key Cybersecurity Highlights

  1. ASEAN Regional CERT Operationalization: One of the significant milestones discussed was the operationalization of the ASEAN Regional Computer Emergency Response Team (CERT). This initiative aims to enhance collaboration among member states, facilitate real-time information sharing, and strengthen the region’s preparedness against cyberattacks. CERT’s operationalization highlights ASEAN’s focus on collective resilience in cyberspace.
  2. Tackling Online Scams: Online scams remain a pressing issue across ASEAN. The ASEAN Working Group on Anti-Online Scams (WG-AS) released its Report on Online Scams Activities in ASEAN (2023–2024), offering insights into the threat landscape. The report outlines key recommendations for regional collaboration to combat scams effectively. The ASEAN Recommendations on Anti-Online Scams provide a framework for governments to develop policies aimed at mitigating online fraud, with a focus on cross-border scams and fraudulent activities exploiting digital platforms.
  3. Promoting Responsible State Behavior in Cyberspace: ASEAN adopted the Checklist for Responsible State Behavior in Cyberspace, aligning with global norms to promote peace and security online. This initiative focuses on fostering cooperation and ensuring responsible use of digital tools while mitigating risks.
  4. Strengthening Cross-Border Data Governance: Data governance was another key topic, with ASEAN showcasing its advancements in:
    • The ASEAN Model Contractual Clauses (MCCs) for trusted cross-border data flows.
    • The Operational Framework for Cross-Border Privacy Rules (CBPR) is used to align global privacy standards.
    • The ASEAN Guide on Data Anonymization enables innovative data use while ensuring privacy.

These efforts are designed to enhance trust in digital transactions and support regional and global interoperability.

  1. Focus on Generative AI Governance: With the rapid adoption of generative AI, the newly expanded ASEAN Guide on AI Governance and Ethics emphasizes responsible AI deployment. Policy recommendations aim to address challenges like misinformation, biases, and cybersecurity vulnerabilities. This move positions ASEAN as a leader in ethical AI practices.

Resilient Digital Infrastructure

Cybersecurity also took the spotlight in discussions about protecting critical infrastructure:

  • Submarine Cables: Recognizing their importance, ASEAN established a Working Group on Submarine Cables (WG-SC) to secure and enhance the resilience of this critical backbone of internet connectivity.
  • Digital Identification Systems: Efforts to build strong digital ID systems were discussed, with ASEAN focusing on seamless, secure cross-border digital interactions.

Partnerships and Regional Collaboration

The 5th ASEAN Digital Ministers’ Meeting underscored the critical role of international partnerships in strengthening regional cybersecurity frameworks. Recognizing that cyber threats often transcend borders, ASEAN engaged dialogue partners, including China, Japan, and Russia, to deepen collaboration on cybersecurity challenges and solutions.

  • China shared insights into its ongoing initiatives to fight cybercrime and protect critical infrastructure, offering opportunities for ASEAN member states to collaborate on knowledge sharing, threat intelligence, and best practices in cybersecurity.
  • Japan emphasized its commitment to strengthening cybersecurity resilience across the Asia-Pacific, showcasing its advancements in secure digital infrastructure and its expertise in managing cross-border cyber risks. Through its partnership, Japan is also supporting ASEAN’s capacity-building programs to develop skilled cybersecurity professionals.
  • Russia, leveraging its experience in battling cyberattacks and ransomware, highlighted the importance of establishing joint efforts for threat intelligence sharing and developing strategies to mitigate advanced persistent threats (APTs) targeting the region.

In addition to these collaborations, ASEAN reaffirmed its collective efforts to address specific threats, such as SIM card-related fraud and cross-border scams, which have been on the rise across member states.

The meeting also opened doors for expanding technical cooperation and joint training exercises, enabling member states and dialogue partners to boost their collective defense mechanisms.

By welcoming input from global players and tackling region-specific issues, ASEAN demonstrated its commitment to promoting a unified, secure digital future while strengthening its presence on the global cybersecurity stage. These partnerships are vital in ensuring that the region remains resilient in the face of evolving cyber threats and continues to thrive in its digital transformation journey.

Closing thoughts

The Bangkok Digital Declaration reaffirmed ASEAN’s focus on cybersecurity as a foundation for innovation and inclusivity. With the final review of the ASEAN Digital Masterplan 2025 (ADM 2025) underway, the groundwork is being laid for the next phase of ASEAN’s digital transformation.

By prioritizing cybersecurity and fostering collaboration, ASEAN is positioning itself as a global leader in building a secure and innovative digital ecosystem. The region’s progress at the ADGMIN meeting reflects its determination to address emerging challenges and unlock the potential of a truly connected digital future.

Source: https://asean.org/wp-content/uploads/2025/01/15-ENDORSED-JOINT-MEDIA-STATEMENT-5th-ADGSOM-v2-Cleaned.pdf

https://asean.org/joint-media-statement-of-the-5th-asean-digital-ministers-meeting-and-related-meetings

The post United Against Cybercrime: ASEAN Ministers Forge New Security Pathways appeared first on Cyble.

Blog – Cyble – ​Read More

How to remove metadata from photos, videos, and other files, and why do it at all | Kaspersky official blog

If you’re anything like me, you probably share plenty of photos, videos and documents, and send lots of voice messages and emails every single day too. But how often do you stop to consider the additional data contained in these files? For each of these files/media contains metadata — which can reveal a lot of interesting details not meant for prying eyes; for example, a photo’s time and location, a document’s editing history, device information, IP address, geolocation, and much more. So, for example, whenever you post an innocent selfie on social media, you’re also making public a whole ton of extra information that you might not necessarily want others to see.

In this article, we explore the pros and cons of metadata and how to remove it.

What is metadata and what’s it for?

To put it simply, metadata is additional information about a file’s content. Such data is added to files by applications that create or process them, operating systems, or users themselves. In most cases, metadata is created and updated automatically. For example, for files, this can include the creation date, last modified date, type, owner, and so on. In the case of photos, metadata can include the date and location, exposure settings, camera or smartphone model, and so on, recorded in Exif format. Specifically which data is stored depends on the camera/smartphone model and settings.

Some metadata is “visible” and easy to edit. For example, audio files contain special tags describing the content — author, artist, album, track name, genre, etc. — that can be easily changed in any media player.

Other metadata is less evident. Did you know, for example, that from the metadata of an office document you can easily discover who edited it, when, for how long, and using which programs? In some cases, you can even restore the entire edit history from the first keystroke.

Of course, metadata wasn’t originally designed to be “the perfect stalking tool”, but simply a useful feature. However, you can end up sharing more than you intended; for example, your employer or client could find out how much time you actually spent working on a document, and the Exif data of a selfie you post online can reveal what smartphone you use and where you were at the time. Metadata can also help catch criminals or uncover fraudulent schemes.

For example, in 2019, U.S. law enforcement managed to arrest the fraudster Hicham Kabbaj, who’d been sending his former employer invoices for equipment supplies from a shell company called Interactive Systems for four years. Of course, no equipment was actually supplied, but a total of six million dollars was transferred into Interactive System’s accounts. The fraudster was eventually caught out because of simple oversight: four of the 52 invoices were in the MS Word .doc format, and the metadata listed the author as KABBAJ.

Besides the police, malicious actors can also use metadata. In 2016, we conducted an experiment to try to determine a person’s location from a single photo. For us, this was just a fun exercise, but criminals could have very different motives.

Or consider a slightly more complex scenario: your innocent PDF file somehow ends up in the hands of a malicious actor. How it got there doesn’t matter — let’s say they introduced themselves as your colleague. In this case, the contents of the file may be of no interest to the criminal. What’s important to them, however, is that you’ve already taken the bait (so the attack can continue) and leaked the PDF’s metadata — revealing the software and version you used to create it. With this knowledge, the attacker can send you malware specifically designed to exploit a vulnerability in your particular system. Protecting yourself from this kind of scenario requires a combination of measures: ignoring suspicious messages, removing metadata, and updating your software promptly.

How to remove metadata

You can remove metadata using built-in tools or third-party programs and services. We recommend the former, as then your metadata won’t end up in the hands of third parties this way. Third-party tools act as an extra layer between you and the “cleaned” file. This layer could potentially retain metadata, which criminals could somehow get hold of.

So now let’s look at how to remove metadata from photos and videos, and DOC and PDF files using built-in tools.

Photos and videos

On Windows

In File Explorer, right-click on the file, select Properties, and go to the Details tab. At the bottom of the screen, click Remove Properties and Personal Information, and in the window that opens, either keep the default option Create a copy with all possible properties removed, or manually select the properties you want to remove, and click OK.

On macOS and iOS.

Apple operating systems let you remove or modify the date, time, and geolocation. However, location data is only recorded for photos and videos taken with geolocation services enabled.

To remove or modify metadata on a macOS device, open the Photos app, go to the Image menu, select Location, and click Hide Location. Here you can also Revert to Original Location — which raises the question of where this data is actually stored — or Assign Location to one or more photos after you Copy Location from another photo. Additionally, in the Image menu, you can Adjust Date and Time of the capture.

On an iPhone or iPad, open the Photos app, select the photo to edit, and tap the ⓘ info button, or simply swipe up on the photo. Here, you can Adjust the date, time, and location. For location, you can either select No Location or assign any other location to the photo. (This is useful if you’re posting photos taken in a studio near your home, while pretending to be in, say, Maldives.) To edit multiple photos at once, select them all, tap the three-dot button (…), then choose Adjust Date & Time or Adjust Location.

On Android

On Android devices, you can remove or modify location data using the Google Photos app. Select the photo or video, tap the three-dot More icon, select Edit, and tap Remove location.

DOC files

If you’re using Word, go to the File tab and select Info. Then click Check for Issues, followed by Inspect Document and Inspect. Under Document Properties and Personal Information, click Remove All.

Windows users can also remove DOC file metadata using File Explorer, just as they would with photos and videos.

PDF files

If you’re using Adobe Acrobat, go to File, then Document properties, and select Description. In the window that opens, you can manually edit the author, subject, keywords, and title of the document. Clicking Additional Metadata opens a window displaying all the document’s metadata.

You can also remove PDF metadata using File Explorer in the same way as for photos and videos.

Security Measures

So, what’s the main way to protect yourself from malicious actors exploiting your metadata? Two words: exercising caution. In addition, for maximum security, follow these extra precautions:

  • Set your social media profiles to private. This way, attackers won’t be able to use the metadata from your old photos and videos.
  • Use a comprehensive security solution. It will act as a safety net — protecting your payment and personal data even if you fall victim to a cybercriminal.
  • Remove metadata regularly. At first, this may seem like a lot of extra work just to send a simple selfie, but over time, removing metadata will become second nature.

Kaspersky official blog – ​Read More

Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks 

Ivanti CSA Attacks 

Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs). 

The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People’s Republic of China (PRC). 

The Ivanti CSA Exploit Chains 

CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains, first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability. 

The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers. 

The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0. 

The First Exploit Chain 

In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code, which in some of the attacks consisted of base64-encoded Python scripts that harvested encrypted admin credentials from the database. 

The TAs used the credentials to log in and leverage CVE-2024-9380 to execute commands from a privileged account, using a GET request sent to /gsb/reports[.]php and a POST request using the TW_ID input field to implant web shells for persistence. 

The Second Exploit Chain 

The agencies cited just one confirmed compromise using the CVE-2024-9379 SQL injection vulnerability. 

The TAs used GET /client/index.php%3f.php/gsb/broker.php for initial access, then used CVE-2024-9379 to try to create a web shell by sending GET and POST requests to /client/index.php%3F.php/gsb/broker.php. 

The POST body used this string in the lockout attempts input box: 

LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES (”’echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k”’, NOW(), 10) 

The LOCKOUTATTEMPTS command was handled properly by the application, but the SQL injection portion was not. Nonetheless, the application processed both commands, and the TAs were able to add a user to the user_info table. 

After they inserted valid bash code into the user_info table, the threat actors tried to log in as the user, possibly hoping the application would handle the bash code improperly. Instead of evaluating the validity of the login, the application ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as code. 

“The threat actors repeated the process of echo commands until they built a valid web shell,” FBI and CISA said. “However, there were no observations that the threat actors were successful.” 

Detecting Ivanti CSA Attacks 

Three of the victim organizations were able to rapidly detect the malicious activity and replaced affected virtual machines with clean versions. 

In one of the cases, an admin detected creation of suspicious accounts. Admin credentials were likely exfiltrated in that case, but there were no signs of lateral movement. 

A second organization had an endpoint protection platform (EPP) that detected when the TAs executed base64 encoded script to create webshells. 

A third organization used IoCs from the first two to detect malicious activity such as the download and deployment of Obelisk and GoGo Scanner, which generated logs that were used to further detect malicious activity. 

Ivanti CSA Mitigations 

The CISA and FBI advisory also contains IoCs and incident response and mitigation recommendations. The agencies noted that “Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.” 

In addition to updating to the latest supported version of CSA, the mitigations generally follow security best practices: 

  • Install endpoint detection and response (EDR) on the system 
  • Establish a baseline and maintain detailed logs of network traffic, account behavior, and software 
  • Keep operating systems, software, and firmware up to date with timely patching, which the advisory said is “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure, and known exploited vulnerabilities in internet-facing systems should be prioritized. 
  • Properly secure remote access tools with application controls and allowlisting to block unlisted applications from executing 
  • Limit the use of remote desktop protocol (RDP) and other remote desktop services, and rigorously apply best practices if the services are essential 

Conclusion 

Like many joint advisories from CISA and the FBI, the Ivanti CSA advisory offers good insight into threat actor behavior and IoCs and gives organizations practical, cost-effective steps organizations can take to better secure themselves. 

Cyble’s vulnerability management service can help organizations accelerate the critical process of detecting and prioritizing internet-facing vulnerabilities as part of its top-rated, AI-powered threat intelligence platform

The post Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks  appeared first on Cyble.

Blog – Cyble – ​Read More

Unlocking Vulnrichment: Enhancing CVE Data for Smarter Vulnerability Management 

Vulnerability Management 

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has introduced Vulnrichment, an innovative initiative designed to enhance CVE data by adding crucial context, scoring, and detailed analysis. Launched on May 10, 2024, Vulnrichment aims to empower security professionals by providing more than just basic CVE information—it offers the insights needed to make informed, timely decisions regarding vulnerability management.  

As part of a mid-year update, CISA’s Tod Beardsley, Vulnerability Response Section Chief, provides an overview of how this resource can be leveraged to improve vulnerability management. 

For IT defenders and vulnerability management teams, Vulnrichment represents a significant advancement in how CVE data is presented and utilized. By enriching basic CVE records with essential metadata like Stakeholder-Specific Vulnerability Categorization (SSVC) decision points, Common Weakness Enumeration (CWE) IDs, and Common Vulnerability Scoring System (CVSS) scores, Vulnrichment transforms raw CVE data into a more actionable and comprehensive resource. 

The best part? No additional setup is required. This enhanced data is integrated directly into the CVE feeds already being consumed by security teams. Whether you’re pulling CVE data from the official CISA platform at https://cve.org or GitHub at https://github.com/CVEProject/cvelistV5, you’re already collecting the enriched CVE records that Vulnrichment provides. 

How Vulnrichment Enhances CVE Data 

CISA’s Vulnrichment is designed to provide a deeper layer of insight into each CVE, helping security professionals prioritize vulnerabilities with greater clarity. Here’s an example of how Vulnrichment works with a specific CVE, CVE-2023-45727, which has been marked as a Known Exploited Vulnerability (KEV) by CISA. If you want to understand the exploitation status of this CVE, you can query the SSVC decision points included in the Vulnrichment ADP (Authorized Data Publisher) container. For instance, using the command line tool jq, you can execute a query to extract the “Exploitation” field to understand whether the vulnerability is actively being exploited, requires proof of concept, or is not yet exploited in the wild. 

By parsing the ADP container, you can extract this enriched data, which helps you make informed decisions about whether to prioritize this vulnerability over others. This ability to access context-rich CVE data provides valuable intelligence for vulnerability management efforts, enabling teams to prioritize patching more effectively. 

Reporting Issues and Continuous Improvement 

CISA invites users to actively engage with Vulnrichment by reporting any inconsistencies they encounter. For example, if a CVE is assigned an incorrect CWE ID in the Vulnrichment container, security professionals can open an issue on CISA’s GitHub repository (https://github.com/cisagov/vulnrichment/issues) to flag the error. This open-source approach fosters a collaborative effort to improve Vulnrichment’s accuracy and reliability. By addressing such issues promptly, CISA ensures that Vulnrichment remains a dynamic, trusted resource for vulnerability management. 

The Value of Vulnrichment for Vulnerability Management 

Why is Vulnrichment so valuable for vulnerability management professionals? Here are some key reasons why this initiative is reshaping how CVE data is used: 

  1. Increased Clarity and Actionability: CVE data alone can sometimes be sparse and difficult to interpret. Vulnrichment adds critical context such as whether a vulnerability has been actively exploited, its exploitability (e.g., does it require user interaction?), and the potential impact. This added layer of intelligence enables security professionals to prioritize remediation efforts based on actual threat risk. 

  1. Simplified Prioritization: With Vulnrichment’s SSVC decision points, vulnerabilities are classified based on their exploitability, technical impact, and automatability. For example, vulnerabilities that are actively being exploited or can be easily automated are flagged for higher priority. This makes the question of “Which vulnerabilities should I patch first?” significantly easier to answer, optimizing the entire vulnerability management process. 

  1. Confidence in Data Accuracy: Vulnrichment ensures the accuracy and completeness of CVE data. If the original CVE entry lacks certain critical details, such as CVSS scores or CWE identifiers, CISA supplements the information to fill in the gaps. As CVEs are updated by the original CVE Numbering Authorities (CNAs), CISA’s contributions are removed to avoid any conflicts, ensuring users always have access to the best available data. 

Concluding 

CISA’s Vulnrichment initiative encourages community collaboration to refine vulnerability management tools. By providing enriched CVE data with context, scoring, and actionable insights, Vulnrichment helps security professionals make faster, smarter decisions. This resource supports researchers, analysts, and IT managers in prioritizing vulnerabilities and addressing threats more effectively. To get started, users can access the Vulnrichment GitHub repository and integrate the enhanced data into their workflows, improving overall vulnerability management. 

References:  

The post Unlocking Vulnrichment: Enhancing CVE Data for Smarter Vulnerability Management  appeared first on Cyble.

Blog – Cyble – ​Read More

Seasoning email threats with hidden text salting

  • Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as “poisoning”) in the second half of 2024.
  • Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
  • Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

Introduction to hidden text salting

Seasoning email threats with hidden text salting

Hidden text salting (or “poisoning”) is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

Technical explanation

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

Seasoning email threats with hidden text salting
A phishing email impersonating the Wells Fargo brand.

The HTML source of the above email is shown below. The <style> tag is used to define style information for an email via CSS. Inside the <style> element, one can specify how HTML elements should render in a browser or email client. The <style> element must be included inside the <head> section of the document. In this example, threat actors have set the display property to inline-block. When inline-block is used instead of inline, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the overflow property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

Seasoning email threats with hidden text salting
The HTML source snippet of the above phishing email shows how the ‘width’ property in CSS is used to hide the irrelevant characters inserted between the letters of the Wells Fargo brand.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

Seasoning email threats with hidden text salting
A phishing email impersonating the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

Seasoning email threats with hidden text salting
The HTML source snippet of the above phishing email, with Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters inserted between the letters of the Norton LifeLock brand.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

Seasoning email threats with hidden text salting
A phishing email impersonating the Harbor Freight brand.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the LANG field of Microsoft’s X-Forefront-Antispam-Report anti-spam header. The LANG field specifies the language in which the message was written, and the X-Forefront-Antispam-Report header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft’s cloud-based filtering service.

Seasoning email threats with hidden text salting
A snippet of the above email’s header shows French as the identified language of this email by Microsoft’s cloud-based filtering service, called EOP.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the display property of the div element to hide the French words, thus confusing the language detection module of Microsoft.

Seasoning email threats with hidden text salting
The HTML source snippet of the above phishing email, with French characters that are hidden using the display property.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

Seasoning email threats with hidden text salting
A spear phishing email with an HTML attachment.

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

Seasoning email threats with hidden text salting
The HTML source snippet of the above phishing email, with irrelevant comments inserted between the base64-encoded characters.

Mitigation

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

Advanced filtering techniques: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., “visibility: hidden”) and display (e.g., “display: none”) that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

Relying on visual features: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

Protection

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the content of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.  

Cisco Talos Blog – ​Read More

Everything is connected to security

Everything is connected to security

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

The one big thing

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

Why do I care?

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

So now what?

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

Top security headlines of the week

  • Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
  • Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR [sic] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal
  • Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law

Can’t get enough Talos?

  • My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
  • In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025) 
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent

 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

 

Cisco Talos Blog – ​Read More

CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits”  

AnyDesk

Overview 

Government entities and organizations in Ukraine are on high alert after the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a social engineering campaign targeting unsuspecting users with malicious AnyDesk requests.    

The attackers are impersonating CERT-UA, a legitimate government agency, to trick victims into granting remote access to their computers using AnyDesk, a popular remote desktop application.    

Here’s a breakdown of the attack and how to stay safe: 

Deceptive Tactics 

  • Impersonation: Attackers are using the CERT-UA name, logo, and even a specific AnyDesk ID (1518341498, though this may change) to establish trust with potential victims.    
  • Pretext for Access: The attackers claim to be conducting a “security audit” to check the level of protection on the target’s device.    

CERT-UA’s Clarification 

CERT-UA has confirmed that it may use remote access tools like AnyDesk in specific situations. However, they emphasize that such actions only occur “with prior approval” established through official communication channels. 

Indicators of Compromise 

  • Unsolicited AnyDesk connection requests, particularly those mentioning a security audit.    
  • AnyDesk requests from users named “CERT-UA” or with the AnyDesk ID 1518341498 (be wary of variations).    

Recommendations to Stay Safe 

  • Be Wary of Unsolicited Requests: Never grant remote access to your device unless you have initiated the request and can confirm the identity of the person on the other end. 
  • Multi-Factor Authentication: Enable multi-factor authentication on any remote access software you use for an extra layer of security. 
  • Verification is Key: If you’re unsure about the legitimacy of a remote access request, contact the organization the requester claims to represent through a verified communication channel (e.g., phone number from the official website). 
  • Only Use When Needed: Disable remote access software when not in use to minimize the attack surface
  • Report Suspicious Activity: If you encounter a suspicious AnyDesk request claiming to be from CERT-UA, report it to the agency immediately. 

By following these steps, you can significantly reduce the risk of falling victim to this impersonation attempt and protect your devices from unauthorized access. 

By staying informed about common social engineering tactics and implementing strong security practices, especially during these times of heightened geopolitical tensions, you can make it significantly harder for attackers to gain a foothold in your systems. 

References: 

https://cert.gov.ua/article/6282069

The post CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits”   appeared first on Cyble.

Blog – Cyble – ​Read More

Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability 

ICS Vulnerability 

Overview 

A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II for avoiding midair collisions were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report. 

The midair collision system flaws have been judged at low risk of being exploited, but one of the vulnerabilities does not presently have a fix. They could potentially be exploited from adjacent networks. 

Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available for subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest. 

TCAS II Vulnerabilities 

The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory

The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.” 

TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions. 

The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1. 

CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).” 

The second flaw, CVE-2024-11166, is an 8.2-severity External Control of System or Configuration Setting vulnerability. TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm-A Identity Request, which can set the Sensitivity Level Control (SLC) to the lowest setting and disable the Resolution Advisory (RA), leading to a denial-of-service condition. 

“After consulting with the Federal Aviation Administration (FAA) and the researchers regarding these vulnerabilities, it has been concluded that CVE-2024-11166 can be fully mitigated by upgrading to ACAS X or by upgrading the associated transponder to comply with RTCA DO-181F,” CISA said, adding that there is currently no mitigation available for CVE-2024-9310. 

CISA said the vulnerabilities in the TCAS II standard were exploited in a lab environment. 

“However, they require very specific conditions to be met and are unlikely to be exploited outside of a lab setting,” the agency said. “Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.” 

No known publicly available exploit targeting the vulnerabilities has been reported at this time. 

Recommendations for Mitigating ICS Vulnerabilities  

The full Cyble report recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  1. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  1. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

  1. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  1. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors

  1. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

  1. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

The TCAS II flaws and other ICS vulnerabilities show the danger that vulnerabilities in critical infrastructure environments can pose, with the potential to disrupt operations, compromise sensitive data, and cause physical damage with potentially tragic outcomes. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability  appeared first on Cyble.

Blog – Cyble – ​Read More

How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case

Lost documents, stolen code, exposed customer data, and a falling stock price are all common consequences of just one click on a ransomware file. To avoid this problem, you need proper security tools and, most importantly, knowledge of how ransomware attacks are carried out. 

This quick guide will explain how ransomware works and the simple steps you can take to protect your business.

What is ransomware

Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money (ransom) is paid. It typically encrypts the victim’s files, making them inaccessible, and demands payment to provide the decryption key. The ransom demands can range from hundreds to thousands of dollars, often paid in cryptocurrencies like Bitcoin to maintain anonymity.

What is double extortion ransomware

Double extortion is a technique where attackers not only encrypt the victim’s data but also exfiltrate (steal) it. They threaten to leak the stolen data publicly if the ransom is not paid, adding an additional layer of pressure on the victim to comply. 

This technique increases the likelihood of payment, as victims face both data loss and potential reputational damage or legal consequences from data breaches.

Why your company may become a target of ransomware

The chance of your company to become a potential target of ransomware depends on several factors:

  • Size and Industry: Larger organizations and those in critical industries like healthcare, finance, and government are often targeted due to their sensitive data and higher likelihood of paying substantial ransoms.
  • Cybersecurity Posture: Companies with weak or outdated cybersecurity measures are more vulnerable. This includes lack of regular software updates, inadequate backup strategies, and insufficient employee training on cybersecurity best practices.
  • Data Value: Organizations that handle valuable or sensitive data, such as personal information, intellectual property, or confidential business data, are more attractive targets.
  • Public Profile: High-profile companies or those with a significant public presence may be targeted for the potential reputational damage that a data breach could cause.
  • Previous Incidents: Companies that have experienced cybersecurity incidents in the past may be seen as easier targets, especially if they have not adequately addressed the vulnerabilities that led to the previous attacks.

How criminals prepare and deliver ransomware 

Setup process

Most criminals use ready-made ransomware-as-a-service builders to create and configure their malware. These builders allow them to specify various parameters of the ransomware, such as the ransom message, amount, and Bitcoin address for payment.

Consider the Chaos ransomware, which provides a builder that allows the operator to set up their custom variant of the malware by clicking a few buttons.

View analysis of the Chaos builder

The Chaos ransomware builder opened in the ANY.RUN sandbox

To safely examine the Chaos builder and its executable, we need to upload it to a cloud sandbox like ANY.RUN.

As shown by Nico Knows Tech in this YouTube video, attackers can configure their Chaos build to choose the ransom message and amount, as well as set the extension for the encrypted files.

The logo of the malicious file can be changed to any image set by the attacker

As a means of disguise, attackers can change the logo of the main malicious executable file to a PDF one. Coupled with the hidden extension, this can trick users into opening it, thinking it is a standard document.

Advanced options of the ransomware builder provide detection evasion capabilities

To avoid detection by antivirus and other security solutions, the builder makes it possible to enable deleting shadow copies, disabling system recovery, and overwriting files to make them unrecoverable.

Delivery

After this quick setup process, the criminals are ready to distribute the ransomware among their targets. There are many delivery methods, but here are three common ones:

  • Emails that include malicious file attachments, such as PDFs or Word documents, which execute ransomware when opened.
  • Emails that contain links to compromised websites or malicious downloads, manipulating users into downloading and executing ransomware.
  • Malicious advertisements on websites like Google that redirect users to sites hosting ransomware.

A Ransomware Attack Example: Lynx

Let’s now see what happens once the malware file arrives at the target’s system.

For this, we can take a look at the Lynx ransomware, which was recently reviewed by PC Security Channel

The operators behind this threat maintain a public website containing a list of their victims along with samples of stolen documents. One of the latest cases was a large electricity provider from Romania, Electric Group, that serves over 3.8 million people.

Lynx Ransomware analyzed in the ANY.RUN sandbox

Thanks to ANY.RUN’s Interactive Sandbox, we can study the entire chain of attack and see exactly how this threat operates in a safe virtual environment.

View sandbox analysis of Lynx

The FIles modification tab shows all the file system activity logged during the analysis

As soon as we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the malware begins encrypting files on the system and changing their extension to .LYNX.

It also drops a ransom note and replaces the desktop wallpaper with the ransom text, which contains a link to a TOR site via which the attackers expect the victim to contact them. 

Strengthen proactive threat analysis in your company
with ANY.RUN’s Interactive Sandbox 



Get 14-day free trial


The ransom note features .onion addresses used for communication with the attackers

ANY.RUN’s interactivity lets us manually open the README.txt dropped by Lynx to see the message.

ANY.RUN analysis of the Lynx process

The ANY.RUN sandbox detects all the malicious activities performed by Lynx and marks them with signatures.

ANY.RUN’s report on the Lynx sample

The sandbox also generates a comprehensive report on the analyzed threat sample that can be shared with all the stakeholders in the company.

How Sandboxing Helps Businesses Prevent Ransomware Attacks

As demonstrated by the Lynx analysis, sandbox tools like ANY.RUN provide you with a safe, secure, and private environment for detonating and exploring all the suspicious files and URLs you may come across in your day-to-day activities.

Whether it is a phishing email, an unusual executable, or an office document asking you to enable macros, uploading these to ANY.RUN’s Interactive Sandbox is the best course of action you can take to check these files for any possible threat and quickly make a decision on whether to engage with them further on your own system.

More than 500,000 security professionals use ANY.RUN for proactive analysis to:

  • Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
  • Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
  • Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
  • Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
  • Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
  • Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.


ANY.RUN cloud interactive sandbox interface

What is Enterprise plan?

Discover all features of the Enterprise plan designed for businesses and large security teams.



Conclusion

Taking proactive measures to understand and mitigate ransomware threats is vital for business security. Tools like ANY.RUN’s Interactive Sandbox offer a fast, simple, and effective solution for analyzing potential threats, enabling businesses to prevent attacks from compromising their infrastructure. By integrating such tools into your security strategy, you can enhance your cybersecurity posture and protect your business from the far-reaching consequences of ransomware attacks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

CVE-2025-0411 – vulnerability in 7-Zip | Kaspersky official blog

The vulnerability CVE-2025-0411 has been discovered in the popular 7-Zip file archiver software, allowing attackers to bypass the Mark-of-the-Web protection mechanism. CVE-2025-0411 has a 7.0 CVSS rating. The vulnerability was quickly fixed, but since the program doesn’t have an automatic update mechanism, some users may still have a vulnerable version. That’s why we recommend immediately updating the archiver.

What is Mark-of-the-Web?

The Mark-of-the-Web (MOTW) mechanism involves placing a special metadata mark on files obtained from the internet. If such a mark is present, the Windows operating system considers such a file to be potentially dangerous. If the file is executable, the user sees a warning that it can cause harm when trying to execute it. Also, some programs limit the functionality of a file with this mark (for example, MS Office applications block the execution of macros in them). When an archive is downloaded from the internet, when it is unpacked, all the files should inherit this Mark-of-the-Web.

Malefactors have repeatedly been trying to get rid of the MOTW in order to mislead the user. In particular, several years ago we wrote that the BlueNoroff APT group had adopted methods to bypass this mechanism. According to the MITRE ATT&CK matrix classification, bypassing the MOTW mechanism belongs to sub-technique T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass.

What is the CVE-2025-0411 vulnerability, and how is it dangerous?

CVE-2025-0411 allows attackers to create an archive in such a way that when it’s unpacked by 7-Zip, the files won’t inherit the MOTW mark. As a result, an attacker can exploit this vulnerability to launch malicious code with user privileges. Of course, such a vulnerability is dangerous not in and of itself, but as part of a complex attack. In addition, to exploit it, the user must launch a malicious file manually. However, as we’ve already mentioned above, attackers often try to remove this mark, so giving them an extra way to do this is clearly a big no-no.

Researchers discovered CVE-2025-0411 back in November last year, and immediately reported it to the author of 7-Zip. This is why version 24.09, published on November 29, 2024, is no longer vulnerable.

How to stay safe

First of all, you should update 7-Zip to version 24.09 or newer. If this file archiver is used in your organization, we recommend updating it centrally (if there are appropriate tools), or at least notifying that it needs urgently updating. Kaspersky products for home users can check a number of widely used software products (including 7-Zip) and update them automatically.

In addition, we recommend all internet users to handle files received from the internet with exceptional caution, and not to open them on computers without a reliable security solution.

Kaspersky official blog – ​Read More