The growing dependence on digital technology of modern businesses makes them vulnerable to cyber threats. For three years in a row, manufacturing has stayed the sector most targeted by cyberattacks, IBM reports. Industrial companies suffered from more than 25% of security incidents recorded last year, the majority of them being ransomware attacks.

Investing in comprehensive cybersecurity infrastructure helps prevent substantial financial loss and reputation damage. But enforcing the perimeter is not enough: a proactive approach to threat management is essential.  

What is Threat Intelligence

Cyber Threat Intelligence (CTI) is about gathering and analyzing data to spot, understand, and stop current and future threats. Even with strong security teams, just reacting to threats is not enough. Using current, detailed information from outside sources is key to responding effectively.

Cyber threat intelligence provides security teams with data about threats, attacks, and adversaries. It powers decision-making on all levels: operational, tactical, and strategic.  

By analyzing threat indicators, tactics, techniques, and procedures of attackers, companies can anticipate attacks rather than just react to them. Vulnerabilities get identified before they can be exploited.

Why Companies Need Threat Intelligence 

There are plenty of reasons why industrial enterprises and manufacturing companies may require threat intelligence. Mostly, these reasons relate to the critical role of such companies in the economy on one hand and their specific risks and vulnerabilities on the other:  

1. They are part of critical infrastructure 
   Many manufacturing companies are involved in critical infrastructure (e.g., energy, transportation, defense supply chains). Attacking these industries can disrupt essential services, exert political or economic pressure, or fulfill geopolitical goals. 

2. They are part of important supply chains 
   A successful attack can ripple across industries, causing widespread delays and impacting multiple organizations. In 2021, an attack on Colonial Pipeline disrupted fuel distribution, causing trouble to manufacturing and transportation sectors. 

3. They have high ransom potential 
   Companies rely on continuous operations and cannot afford prolonged downtime. Attacked by ransomware, they are often willing to pay to resume production quickly and avoid financial losses. 

4. They collect consumer data and possess intellectual property 
   A bunch of valuable data is an irresistible honeypot for hackers. Trade secrets, patents, blueprints, and proprietary technologies. Sensitive data about customers, employees, and supply chains. Stolen data can be sold, used for fraud, espionage, and other outlaw activities. 

5. They depend on legacy systems 
   Outdated systems and technologies are not designed with modern cybersecurity in mind. For example, older programmable logic controllers (PLCs) in factories often lack encryption or authentication, making them easy targets. 

6. They are in the midst of digitalization and IoT adoption 
   Manufacturing is embracing Industry 4.0, integrating IoT devices, cloud computing, and automation. More connected devices and networks introduce more vulnerabilities. 

Time is Money, Downtime is No Money 

A sadly large share of enterprise companies prioritizes operational efficiency over cybersecurity due to limited budgets, lack of expertise, and a focus on physical security. But it is a short-sighted approach.  
 
Industrial companies have low tolerance for downtime: in the case of a ransomware attack they often prefer to pay adversaries than to permit a production halt. Research by Siemens in 2022 found that unplanned downtime costs Fortune Global 500 companies about US$1.5tn, which is 11% of their yearly turnover.  

Threat Intelligence Lookup at the Service of Enterprises 

Threat Intelligence Lookup is a key tool in the cybersecurity stockpile. It is a special-purpose search engine that helps navigate and research threat data.  
 
The data is extracted from malware samples uploaded via ANY.RUN’s Interactive Sandbox by over 500,000 security professionals.

TI Lookup key features:

• Fast interactive search across over 40 different threat data types, including system events and indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs). 
• Continuously updated database with new indicators and samples. 
• Customizable queries that support combining multiple indicators, wildcards, YARA and Suricata rules. 
• Integration with sandbox to view sessions where particular indicators or events were discovered.  
• Real-time updates on relevant threats and indicators to ensure ongoing monitoring. 
   

TI Lookup in Action: A Recent Example 

One of the latest and most dangerous malware campaigns that targeted the industrial sector unfolded this autumn. The attack was based on Lumma and Amadey malware.  
 
Analysts in ANY.RUN explored the attack’s anatomy with the aid of the Interactive Sandbox found a number of IOCs associated with the malware. These IOCs can be used as TI Lookup search requests to analyze the attack further in pursuit of actionable insights for arming corporate security systems against it.     
 
The following query consists of the name of the malware and the path to one of the malicious files used in the attack:  

filePath:”dbghelp.dll” AND threatName:”lumma” 

TI Lookup finds files associated with an attack and shows sandbox sessions featuring analysis of samples belonging to the same campaign.

How Threat Intel Research Helps Strengthen Enterprise Security 

By investigating, collecting, and analyzing threat data, security experts and management ensure:  

Early detection and prevention of threats. By knowing what IOCs to look for, companies can set up systems to monitor these signs continuously. Early detection can lead to quicker response times before significant damage occurs. 

Improved Incident Response. Security teams can more rapidly identify when an incident has occurred or is in progress. This speeds up the process of containment, eradication, and recovery. 

Enhanced threat hunting. IOC research lets focus threat-hunting efforts by looking for signs of similar or related threats that might not have been detected by automated systems. It also helps to distinguish benign anomalies from actual threats and reduce the noise from false positives, which can overwhelm security teams. 

Validation of security measures. Indicators can be used to test the effectiveness of current security controls by simulating or analyzing known threat patterns for fine-tuning security solutions. 

Understanding of vulnerabilities and attack vectors. IOCs provide insights into the tactics, techniques, and procedures (TTPs) used by attackers, allowing companies to better understand where they are vulnerable and how adversaries operate. 

Prioritization of security efforts and recourse management on the basis of understanding which threats are most likely to impact the organization. 

Forensic Analysis. Post-incident analysis facilitates understanding the scope of the compromise, how the attack was executed, what was accessed, and how to prevent similar attacks in the future. 

Training and awareness. Threat Intelligence Lookup can be used in training programs for educating staff to watch for suspicious activities or anomalies in system behavior. 

Cyber Threat Intelligence and Business Performance 

Threat intelligence objectives are closely connected with key business goals and metrics. 

ROI and Cost Optimization 

Significant cost savings can be achieved by preventing data breaches and minimizing mitigation efforts. By avoiding data losses and leaks, businesses can sidestep the expenses associated with incident response, legal fees, and regulatory fines.  

Informed Decision-Making 

Threat analysis by tools like ANY.RUN’s TI Lookup provides insights that allow to focus the resources and security efforts on the most relevant threats, critical areas, topical vulnerabilities.   

Operational Viability 

A pillar of enterprise efficiency, operational stability suffers immensely from even a brief downtime. Threat intelligence tools and methods like TI Lookup help automate threat detection, make it both wider and more accurate, and reduce downtime caused by breaches. 

Compliance and Reporting 

In manufacturing and industrial enterprises, regulatory compliance is critically important. Besides, such businesses often operate in multiple jurisdictions with varying rules and requirements. Plants and manufacturing facilities can be located in different countries with their own laws. Apart from improved threat detection, TI helps document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI. 

Brand Reputation Defense 

Customer and counterparty trust is one of the most valuable business assets in enterprise or elsewhere. Early detection of threats reduces the likelihood of incidents that could damage a company’s name and negatively impact shareholder value. 

Conclusion 

Cyber resilience must be a business priority for enterprise companies with their critical role in the economy, low tolerance for downtime and complex digital environments. Threat intelligence builds a basis for proactive threat management and informed decisions, helps allocate resources, and avoid ineffective costs. Professional solutions like ANY.RUN’s Threat Intelligence Lookup power security teams for meeting the demands of business security.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How Threat Intelligence Lookup Helps Enterprises appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview

Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.

The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks.

The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.

Leaked Security Company Credentials

Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.

Cyble looked at 13 of the largest enterprise security vendors—along with some of the bigger consumer security companies like McAfee—and found credentials from all of them on the dark web. The credentials were likely pulled from info stealer logs and then sold in bulk on cybercrime marketplaces.

Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.

Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.

Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.

The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. The vendors included:

• CrowdStrike
• Palo Alto Networks
• Fortinet
• Zscaler
• SentinelOne
• RSA Security
• Exabeam
• LogRhythm
• Rapid7
• Trend Micro
• Sophos
• McAfee
• Qualys
• Tenable

All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access.

Trend Micro and Sophos have large consumer security businesses, as does McAfee, which exited the enterprise business in 2021. McAfee, for example, has had more than 600 credential leaks since the start of the year, almost all for consumers’ account access, likely harvested from info stealer attacks on the consumers’ personal devices.

CrowdStrike has had more than 300 credentials exposed since the start of the year, although some of those may be duplicates offered for sale across multiple forums. Most of those appear to be customer Falcon account credentials, again likely harvested from info stealers on customer endpoints. As some of those customers are high-tech companies and others with sensitive data, including a pharmaceutical giant and a large financial firm, they have a strong interest in keeping those accounts secure.

Some internal CrowdStrike accounts also appear to have been exposed this year, but those largely appear to be web marketing accounts, data that would likely have value only for competitors.

Palo Alto Networks and some other vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial. Palo Alto has had nearly 400 credential exposures so far this year, most of them from customer leaks.

Credential Leaks Could Aid in Hacker Reconnaissance

Even if all the exposed accounts were protected by other means, as ideally, they were, such leaks are concerning for one other reason: They can help threat actors conduct reconnaissance by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit.

Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.

Conclusion: Dark Web Monitoring is Critical for Everyone

Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: Credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.

Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.

If the largest security vendors can be hit by info-stokers, so can any organization. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing—and ideally preventing—data breaches, ransomware, and other cyberattacks.

The post Cyble Finds Thousands of Security Vendor Credentials on Dark Web appeared first on Cyble.

Blog – Cyble – ​Read More

Our security solutions for Android are temporarily unavailable in the official Google Play store. To install Kaspersky apps on Android devices, we recommend using alternative app stores. You can also install our apps manually from the APK files available on our website or in your My Kaspersky account. This post gives in-depth instructions for installing Kaspersky on Android in 2025.

General recommendations

First, the good news: any Kaspersky apps you’ve already installed from Google Play will continue to work on your device. But they’ll automatically receive only antivirus database updates — not app or security feature improvements. If you uninstall an app, you won’t be able to reinstall it from Google Play.

Therefore, we recommend not deleting the apps already installed from Google Play, but to download and install over them the versions from these alternative stores:

• Samsung Galaxy Store
• Huawei AppGallery
• Vivo V-Appstore

You’ll find the same set of Kaspersky apps in all these stores, and the download methods are also alike:

• Open the store app.
• Enter “kaspersky” in the search bar (you may need to tap the magnifying glass icon to open the bar).
• Find the app you want in the search results.
• Depending on the store, tap Get, Install, Download or Update, or simply touch the download icon next to the name of the app.

If our apps are already installed on your device and you then download them from alternative stores, your device will retain all settings, and you won’t have to reactivate the license. What’s more, the apps can be updated automatically by enabling auto-update in the settings of the alternative store. Below is a how-to guide for all the recommended stores.

You can also install apps by downloading the APK files from our website. When you install over existing apps, all settings and licenses are retained. However, apps installed this way will not be updated automatically — you’ll need to track down new versions yourself, download them as APK files, and install them on your device manually. Because this is less convenient, we’ll soon be adding a feature to update apps automatically via their APK files, and will notify you when new updates come out. In the meantime, we recommend using the alternative app stores mentioned above.

What to do if your smartphone only has Google Play

If you only have Google Play on your smartphone, you first need to install an alternative app store, for example, Huawei AppGallery. Here’s how to do it:

• Open this link in your browser.
• Tap Download.
• Follow the on-screen instructions, tapping OK in response to any system warnings.

You can now download Kaspersky apps. More detailed instructions are available on the Huawei AppGallery website.

How to enable auto-update for Kaspersky apps in alternative stores

To make sure you always have the latest version, after installing an app from an alternative store you need to enable auto-update in the store settings. We have step-by-step instructions for all stores — just follow one of the links below to go to the one you need:

• Samsung Galaxy Store
• Huawei AppGallery
• Vivo V-Appstore

Samsung Galaxy Store

To enable auto-update of apps in the Samsung Galaxy Store:

• Open the menu (three horizontal lines).
• Go to Settings by tapping the gear icon in the top-right corner of the screen.
• On the screen that opens, find Auto update apps, and select Using Wi-Fi or mobile data.

How to enable auto-update of apps in the Samsung Galaxy Store

Huawei AppGallery

To enable auto-update of apps in Huawei AppGallery:

• Tap Me at the bottom right of the screen.
• Go to Settings.
• Tap Auto-update apps, and select On.

How to enable auto-update of apps in Huawei AppGallery

Vivo V-Appstore

To enable auto-update of apps in Vivo V-Appstore:

• Go to Manage by tapping the icon in the bottom right corner of the screen.
• Go to Settings by tapping the gear icon at the top of the screen.
• Tap Notifications and upgrades.
• Enable App auto-update.

How to enable auto-update of apps in Vivo V-Appstore

How to install Kaspersky apps from APK files

First, you need to download the APK files from your My Kaspersky account or from our website by following the corresponding link:

• Download the Kaspersky for Android APK file
• Download the Kaspersky VPN Secure Connection APK file
• Download the Kaspersky Password Manager APK file
• Download the Kaspersky Safe Kids APK file

Your device may warn you that the file isn’t safe to download. If this happens, confirm your action by tapping Keep or Download.

Once the download is complete, go to My files → Downloads, and tap the downloaded file. When installing it, you’ll need to allow installation of unknown apps from a new source. Here’s how to do it: Go to Settings → Apps → Additional → Special app access → Install unknown apps, find your browser in the list, and toggle the switch “Allow app installs” to On. That done, the Kaspersky app will continue to install. See here for more detailed instructions.

Granting permission to install unknown apps from Google Chrome

After installing our apps, make sure to turn this feature Off, since it can pose a security risk and so should only be used when absolutely necessary. To find out why we insist on this, see this Kaspersky Daily post.

How to buy a Premium subscription in your Kaspersky app

You can buy a subscription — for example, Kaspersky Premium — directly in the app itself. To do this, navigate to Profile, and under the Kaspersky Free icon tap Let’s go. Then select one of the three subscription tiers — Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium and the number of devices you want to protect, and check out.

How to activate an existing license in your Kaspersky app

If you installed any of our apps from an alternative store or from an APK file over one already installed from Google Play, there’s no need to reactivate your license.

If you bought a Kaspersky app on Google Play and connected it to your My Kaspersky account, but then uninstalled it and downloaded a new one from an APK file or an alternative store, your previously purchased license will work without any problems. See our detailed activation instructions.

If you uninstalled a Kaspersky app that was purchased from Google Play but not connected to your My Kaspersky account, then installed a new one according to the instructions in this post, please contact technical support to reactivate your license. They’ll be happy to assist.

If you have a license for multiple devices, the easiest way to activate apps on additional devices is to install them using the links in My Kaspersky — this way they’ll be activated automatically. You can also install Kaspersky apps from an alternative store or APK file as described above, and follow the instructions to activate the license.

Kaspersky official blog – ​Read More

Overview

Mozilla products, including the popular Mozilla Firefox and Thunderbird, have been found to contain multiple vulnerabilities that could allow attackers to execute arbitrary code, cause system instability, and even gain escalated privileges. The severity of these issues is high, and they affect both desktop and mobile versions of Mozilla’s browser and email client.

The Indian Computer Emergency Response Team (CERT-In) reported these Mozilla vulnerabilities in an advisory published on January 20, 2025, with patches already available in recent updates. Users and organizations relying on Mozilla Firefox, Mozilla Thunderbird, and their extended support release (ESR) versions are advised to take immediate action to mitigate risks.

The Mozilla vulnerabilities are present in several versions of Mozilla Firefox and Thunderbird, specifically:

• Mozilla Firefox versions prior to 134
• Mozilla Firefox ESR versions prior to 128.6
• Mozilla Firefox ESR versions prior to 115.19
• Mozilla Thunderbird versions prior to 134
• Mozilla Thunderbird ESR versions prior to 128.6
• Mozilla Thunderbird ESR versions prior to 115.19

The issues are critical for both individual users and enterprises using these open-source applications for browsing and communication. Users should ensure they have the latest updates installed to avoid potential exploits.

Overview of the Mozilla Vulnerabilities

A range of vulnerabilities has been identified in Mozilla Firefox and Thunderbird, with the potential to allow attackers to perform actions such as remote code execution (RCE), denial of service (DoS) attacks, bypass security restrictions, or even spoof system elements. Mozilla has provided security patches in versions 134 for Firefox and Thunderbird, as well as in the ESR releases 128.6 and 115.19. These issues are significant because they provide opportunities for remote attackers to exploit weaknesses in the software without needing to interact directly with the targeted system.

Vulnerabilities in Mozilla Firefox and Thunderbird have been classified with high and moderate severity levels, as attackers could gain unauthorized access to sensitive information, execute arbitrary code, or disrupt normal system operations. The full exploitation of these vulnerabilities may result in system instability or a complete compromise of the affected device.

Key Vulnerabilities

Several vulnerabilities have been identified and addressed across Mozilla Firefox and Thunderbird. Below are some of the notable issues that have been fixed in the latest updates:

1. CVE-2025-0244: Address Bar Spoofing in Firefox for Android
   1. Impact: High
   1. Description: This vulnerability allowed an attacker to spoof the address bar in Firefox for Android when redirecting to an invalid protocol scheme. This could mislead users into believing they were on a legitimate site, facilitating phishing and other malicious activities.
   1. Note: This issue only affected Android operating systems.

2. CVE-2025-0245: Lock Screen Setting Bypass in Firefox Focus for Android
   1. Impact: Moderate
   1. Description: A flaw in Firefox Focus allowed attackers to bypass user authentication settings for the lock screen, potentially giving unauthorized individuals access to the application.

3. CVE-2025-0237: WebChannel API Vulnerability
   1. Impact: Moderate
   1. Description: The WebChannel API, used for communication across processes in Firefox and Thunderbird, did not properly validate the sender’s principal. This could lead to privilege escalation attacks, allowing attackers to perform actions with higher privileges than intended.

4. CVE-2025-0239: Memory Corruption via JavaScript Text Segmentation
   1. Impact: Moderate
   1. Description: A flaw in how Firefox and Thunderbird handled JavaScript text segmentation could cause memory corruption, which might lead to crashes or, in some cases, the execution of arbitrary code.

5. CVE-2025-0242: Memory Safety Bugs
   1. Impact: High
   1. Description: Several memory safety bugs were discovered in both Firefox and Thunderbird that showed signs of memory corruption. If exploited, these bugs could allow remote attackers to execute arbitrary code, compromising system security.
   1. Fixed in: Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, Thunderbird 128.6

These vulnerabilities in Mozilla products are part of a broader set of security flaws that the Mozilla team has identified and addressed. The vulnerabilities affect multiple platforms, including desktop and mobile versions, and may result in severe security breaches if not patched.

Recommendations for Users

Given the potential impact of these Mozilla vulnerabilities, it is crucial for all users to update their systems to the latest versions of Mozilla Firefox or Thunderbird. The updates, which are available for both standard and ESR releases, fix critical security flaws and improve overall system stability. Additionally, users are advised to consider the following precautions:

• Ensure that Mozilla Firefox and Thunderbird are updated to versions 134 or higher, or to the appropriate ESR releases (128.6 or 115.19).
• Keep an eye on system behavior for signs of malicious exploitation, such as unexpected crashes or unauthorized access.
• For those using Mozilla Firefox or Thunderbird in a business environment, enable multifactor authentication and other security features to limit exposure to attacks.

Without the proper patches, attackers can exploit Mozilla Firefox vulnerabilities to gain access to sensitive data, compromise user systems, and cause severe disruptions. Memory corruption issues, such as those reported in CVE-2025-0242, could lead to remote code execution, allowing attackers to hijack user systems or deploy malware. Furthermore, flaws like CVE-2025-0244 could facilitate phishing campaigns by spoofing URLs in the address bar, tricking users into visiting malicious websites.

Conclusion

Mozilla has released important security fixes for vulnerabilities in Mozilla Firefox and Mozilla Thunderbird that affect a wide range of users. These vulnerabilities, which could lead to arbitrary code execution, denial of service, or privilege escalation, are present in older versions of the software. Users are strongly advised to upgrade to the latest versions to protect against potential exploitation. Additionally, by applying recommended mitigations and staying informed about the latest security updates, users can better protect their systems from cyber threats.

To protect online systems against these vulnerabilities, Cyble, an award-winning cybersecurity firm, offers advanced, AI-powered cybersecurity solutions. With platforms like Cyble Vision, businesses can leverage real-time threat detection and actionable insights to mitigate risks from these vulnerabilities, including Mozilla vulnerabilities. Cyble’s comprehensive suite of tools, including vulnerability management, dark web monitoring, and brand intelligence, helps organizations proactively address security gaps. By integrating Cyble’s threat intelligence, companies can enhance their defenses and better protect against cyberattacks.

For more information on how Cyble can help protect your systems, schedule a personalized demo and see how AI-driven solutions can strengthen your cybersecurity strategy.

References

• https://www.cert-in.org.in/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-03/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/

The post Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble honeypots have detected vulnerability exploits on Check Point and Ivanti products, databases, CMS systems, and many other IT products.

Overview

Cyble honeypot sensors have detected new attacks on vulnerabilities in Check Point and Ivanti products, among dozens of other vulnerability exploits recently picked up by Cyble sensors.

Cyble’s sensor intelligence reports to clients in the first two weeks of 2025 also highlighted new database and CMS attacks. Unpatched Linux systems and network and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.

The reports also examined new brute-force attacks and phishing campaigns. Here are some of the highlights.

Vulnerabilities Under Attack

Here are some of the vulnerability exploits detected by Cyble sensors.

CVE-2024-24919 is an 8.6-severity vulnerability affecting Check Point CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, identified by Check Point being actively exploited. If successfully exploited, the vulnerability could allow an attacker to access sensitive information on Internet-connected Gateways that have a remote access VPN or mobile access enabled, and potentially move laterally and gain domain admin privileges.

Ivanti had a challenging 2024, with 11 vulnerabilities added to CISA’s Known Exploited Vulnerabilities catalog, trailing only Microsoft, and new vulnerabilities have already been added this year. One particular Ivanti vulnerability that Cyble is detecting attacks on is CVE-2024-7593, a 9.8-severity Ivanti Virtual Traffic Manager (vTM) vulnerability that enables a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.

Attackers are exploiting CVE-2024-8503, a time-based SQL injection vulnerability in VICIDIAL that could allow an unauthenticated attacker to enumerate database records. By default, VICIDIAL stores plaintext credentials within the database. VICIDIAL is a software suite that works with the Asterisk Open-Source PBX Phone system to create an inbound/outbound contact center.

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG gateways, specifically MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-56145 is a critical vulnerability in Craft CMS systems. If the register_argc_argv setting in php.ini is enabled, this issue affects users of impacted versions, allowing an unspecified remote code execution vector. Users are advised to update to versions 3.9.14, 4.13.2, or 5.5.2. Those unable to upgrade should mitigate the risk by disabling register_argc_argv in their PHP configuration.

Cyble sensors have also identified attackers scanning for the URL “/+CSCOE+/logon.html”, which is used to access the login page for the Cisco Adaptive Security Appliance (ASA) WebVPN service. The URL has been found to have various vulnerabilities, including cross-site scripting, path traversal, and HTTP response splitting, which could allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.

Brute-Force Attacks

The Cyble sensor reports also include considerable detail on brute-force attacks. These attacks frequently target remote desktops and access systems, with ports 5900 (VNC), 3389 (RDP), and 22 (SSH) being the most frequently attacked ports.

Other frequently attacked ports include 3386 (GPRS tunneling), 445 (SMB), and 23 (Telnet).

Cyble advises adding security system blocks for frequently attacked ports.

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

• Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
• Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
• Constantly check for Attackers’ ASNs and IPs.
• Block Brute Force attack IPs and the targeted ports listed.
• Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
• For servers, set up strong passwords that are difficult to guess.

Conclusion

With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.

To access the full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.

The post Cyble Sensors Detect Attacks on Check Point, Ivanti and More appeared first on Cyble.

Blog – Cyble – ​Read More