Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) released two critical Industrial Control Systems (ICS) advisories. These advisories, ICSA-25-007-01 and ICSA-25-007-02, aim to inform users and administrators about vulnerabilities in key ICS products. The goal is to mitigate potential risks to vital infrastructure sectors by highlighting existing security weaknesses that could be exploited by cyber attackers. 

ICSA-25-007-01: ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products 

The first advisory, ICSA-25-007-01, addresses multiple vulnerabilities within ABB’s ASPECT-Enterprise, NEXUS, and MATRIX series products. ABB, a leading provider of industrial automation and control systems, has reported numerous security flaws that could severely impact system integrity. These vulnerabilities range from weak passwords to critical code injection weaknesses, and they pose a significant risk to critical manufacturing sectors. 

Key Vulnerabilities 

Several vulnerabilities have been identified within ABB’s products, which include: 

• Files or Directories Accessible to External Parties (CVE-2024-6209) 

• Improper Validation of Specified Type of Input (CVE-2024-6298) 

• Cleartext Transmission of Sensitive Information (CVE-2024-6515) 

• Cross-site Scripting (XSS) (CVE-2024-6516) 

• Server-Side Request Forgery (SSRF) (CVE-2024-6784) 

• Code Injection (CVE-2024-48839) 

• Weak Password Requirements (CVE-2024-48845) 

• Unrestricted Upload of Dangerous Files (CVE-2024-51548) 

The most severe vulnerabilities carry a CVSS v3 score of 10.0, indicating they are highly exploitable and could lead to remote code execution, unauthorized access, or denial of service (DoS). These vulnerabilities were present across multiple versions of ABB products, including ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x), and MATRIX Series (MAT-x), with affected versions prior to 3.08.02. 

Affected Products 

The following products are affected by these vulnerabilities: 

• ABB ASPECT-Enterprise (ASP-ENT-x <= 3.08.02) 

• ABB NEXUS Series (NEX-2x, NEXUS-3-x) 

• ABB MATRIX Series (MAT-x) 

These products are deployed worldwide and are critical to operations in sectors like critical manufacturing. The vulnerabilities affect systems in both industrial and commercial environments, making them high-priority targets for cybersecurity professionals. 

Mitigations 

ABB has recommended users upgrade their systems to version 3.08.02 or later, which resolves many of these issues. Additionally, users are urged to apply security patches and adopt stronger password policies to mitigate the risk of unauthorized access. 

CISA’s advisory highlights that these vulnerabilities could be exploited remotely, with low complexity and without requiring direct access to the devices. Exploits could allow attackers to execute arbitrary code, gain unauthorized access to sensitive data, or disrupt operations. Thus, the ICSA-25-007-01 advisory serves as a critical call to action for administrators to update their systems and implement security best practices immediately. 

ICSA-25-007-02: Nedap Librix Ecoreader 

The second advisory, ICSA-25-007-02, addresses vulnerabilities in the Nedap Librix Ecoreader. Nedap is a well-known provider of RFID solutions, and the Ecoreader is used in access control and inventory management. The advisory highlights several flaws in the system that could expose sensitive data and allow attackers to manipulate access controls. 

While the ICSA-25-007-02 advisory lacks the extensive list of vulnerabilities that appear in the ABB advisory, it still outlines critical risks, particularly in environments where physical security and data integrity are paramount. 

Conclusion  

The release of CISA’s ICS advisories, ICSA-25-007-01 and ICSA-25-007-02, highlights the critical need for prompt action to secure industrial control systems against emerging cyber threats. These advisories identify vulnerabilities in ABB’s and Nedap’s products that could compromise ICS integrity, leading to operational disruptions and data breaches.  

With cyberattacks on infrastructure becoming more sophisticated, organizations must prioritize security updates and proactive measures. Cybersecurity experts like Cyble can help organizations better defend against cyber threats, ensuring the protection of critical infrastructure and operations. 

References:

• https://www.cisa.gov/news-events/alerts/2025/01/07/cisa-releases-two-industrial-control-systems-advisories
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-02

The post CISA Releases Two New Industrial Control Systems Advisories for 2025 appeared first on Cyble.

Blog – Cyble – ​Read More

Overview 

The water sector is experiencing a rise in cyber threats, with critical infrastructure, including both IT and operational technology (OT) systems, becoming primary targets for malicious actors. These attacks, which exploit vulnerabilities in internet-facing OT systems and industrial control systems (ICS), pose cybersecurity risks to public health, business continuity, and national security.  

MyCERT, the Malaysian Computer Emergency Response Team, has issued MA-1228.012025, an advisory aimed at raising awareness of cybersecurity risks in the water sector and providing recommendations to mitigation stratergies. While there have been no cyber incidents reported in Malaysia’s water systems, the MyCERT advisory stresses the importance of vigilance and proactive defense strategies. 

MyCERT Advisory Highlights the Growing Cybersecurity Threat to Water Systems 

Water systems control essential services such as pumping stations, chlorination processes, and valves, all of which are critical to public health and safety. However, older systems with outdated software and weak security measures are increasingly susceptible to cyber-attacks. Many of these attacks exploit simple security weaknesses, such as default passwords and unprotected access points, enabling attackers to gain unauthorized access to sensitive systems. 

Cyberattacks targeting water systems can take many forms, from ransomware attacks demanding payment to prevent data exposure, to more insidious breaches targeting programmable logic controllers (PLCs) and other ICS devices. While large utilities have strengthened their defenses, smaller systems remain especially vulnerable. 

The recent cyber incident in October 2024, involving American Water in New Jersey, is one of such examples of these attacks. Although the attack did not result in operational disruptions at American Water’s facilities, it stresses the importance of cybersecurity vulnerabilities in the sector. The attack primarily affected computer networks and administrative systems, underlining the necessity for water utilities worldwide, including those in Malaysia, to enhance their security measures. 

Potential Impacts of Cyberattacks on Water Systems 

Cybersecurity incidents in the water sector can have a wide range of destructive consequences, both direct and indirect. Among the most concerning impacts are: 

• Cyberattacks can interfere with the normal functioning of water systems, leading to delays in water treatment, pumping, and distribution processes. 
• If attackers gain control of critical water system functions, they could contaminate drinking water or improperly manage chemicals, posing serious risks to public health. 
• Industries relying on water, such as agriculture and manufacturing, could face operational shutdowns, leading to economic losses. 
• Attackers who gain access to sensitive water system data could compromise confidential information, resulting in reputational damage and erosion of public trust. 
• These attacks exploit vulnerabilities in water systems to hold sensitive data hostage. If ransoms are not paid, attackers may leak confidential data, including trade secrets and personal information, leading to further harm. 
• Recovering from a cyberattack often involves substantial costs, including expenses for system restoration, legal fees, and potential fines for data breaches. 

MyCERT Advisory for Securing Water Systems 

To mitigate the cybersecurity risks facing water systems, MyCERT has outlined a series of best practices aimed at improving resilience and reducing the likelihood of successful attacks. Water system administrators are encouraged to follow these guidelines to protect critical assets: 

1. Immediately replace default passwords with strong, unique passwords. This is one of the most basic yet effective steps to secure systems. 
2. Minimize the number of critical systems exposed to the public internet, thereby reducing the attack surface for potential threats. 
3. Ensure that user accounts have access only to the data and systems necessary for their role. This can limit the damage caused by compromised accounts. 
4. MFA provides an added layer of security by requiring additional verification steps before granting access to critical systems. 
5. Apply network segmentation in water treatment facilities to isolate key systems from non-essential systems, preventing widespread damage in the event of an attack. 
6. Ensure that all systems, both OT and IT, are updated with the latest security patches and antivirus definitions. This is crucial to defending against known vulnerabilities. 
7. Perform daily backups of both OT and IT systems and store backup copies in remote locations. Regularly test backup processes to ensure they function correctly during a disaster recovery scenario. 
8. Provide annual cybersecurity training for all staff members, ensuring they understand the latest threats and how to avoid common pitfalls like phishing or clicking on malicious links. 
9. Regularly update disaster recovery and business continuity plans to account for emerging threats and vulnerabilities. Ensure these plans are well-practiced in the event of an actual breach. 

Conclusion  

The MyCERT advisory emphasizes the need to strengthen cybersecurity in Malaysia’s water systems, which are crucial for public health and the economy. As these systems become more digital and interconnected with sectors like agriculture and manufacturing, their exposure to cyber risks grows. 

By adopting best practices like updating passwords, using multi-factor authentication, and applying security patches, water utilities can improve defenses against cyber threats. MyCERT encourages staying updated on cybersecurity developments and conducting regular assessments. While Malaysia has not faced major cyber incidents in water systems, the rising threats require vigilance. Platforms like Cyble, with AI-driven threat intelligence, help protect these vital infrastructures. 

References 

• https://www.mycert.org.my/portal/advisory?id=MA-1228.012025 

The post MyCERT Advisory Recommends Cybersecurity Practices for Water Systems appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

This week’s vulnerability report sheds light on a broad range of critical vulnerabilities identified from December 25 to December 31, 2024. The report emphasizes several high-severity flaws that pose online threats to cybersecurity, including new additions to the CISA’s Known Exploited Vulnerability (KEV) catalog.

Among the most pressing vulnerabilities, one concerning Palo Alto Networks’ PAN-OS stands out. This vulnerability has been actively exploited by cybercriminals to compromise firewalls, forcing them to reboot and disrupting network security. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to their KEV catalog, signifying its exploitation in the wild.

Beyond this, CRIL also analyzed multiple high-profile vulnerabilities impacting D-Link products and Four-Faith routers, both of which are integral to various Internet of Things (IoT) applications.

CISA’s KEV Catalog Adds New Vulnerability

This week, CISA’s KEV catalog was updated to include a critical vulnerability in PAN-OS by Palo Alto Networks (CVE-2024-3393). The flaw lies in the handling of malformed DNS packets, which can be leveraged to exploit the firewall systems, ultimately causing service disruptions by forcing them to reboot. Given its active exploitation, CISA has strongly urged organizations using Palo Alto Networks firewalls to apply the necessary patches to safeguard their networks from potential breaches.

In addition, Four-Faith routers (CVE-2024-12856) have also been found vulnerable to OS command injection. These routers are extensively used in IoT environments, where remote attackers can exploit default credentials and send specially crafted HTTP requests. Once successful, attackers can remotely execute arbitrary OS commands, significantly compromising the integrity of the affected systems.

D-Link Vulnerabilities Pose Major Threats

D-Link, a global leader in networking hardware, continues to be the focus of vulnerability research. CRIL identified multiple flaws affecting various D-Link routers, including the DIR-806 (CVE-2019-10891), DIR-645 (CVE-2015-2051), and DIR-845L (CVE-2024-33112), among others. These command injection vulnerabilities allow attackers to execute arbitrary commands on vulnerable devices remotely, facilitating initial access for malware campaigns.

Furthermore, vulnerabilities in D-Link’s GO-RT-AC750 (CVE-2022-37056) and DIR-845L (CVE-2024-33112) routers were found to be exploited by the Ficora and Capsaicin botnets, targeting outdated routers or devices that are no longer supported. These findings emphasize the importance of updating D-Link devices and ensuring that default credentials are changed to prevent attackers from easily gaining access.

New Exploits in Apache Software and Google Products

The Apache Software Foundation has also become a focal point in the latest vulnerability findings. Two critical vulnerabilities were identified in Apache Traffic Control (CVE-2024-45387) and Apache HugeGraph-Server (CVE-2024-43441). The former, an SQL injection vulnerability, allows privileged users to execute arbitrary SQL queries against a backend database. The latter vulnerability, an authentication bypass flaw, affects Apache HugeGraph, an open-source graph database, and could be exploited by attackers to bypass authentication mechanisms.

In the realm of web security, Google Chrome (CVE-2024-9122) and the AngularJS web framework (CVE-2024-54152) also saw severe vulnerabilities this week. The Chrome vulnerability centers around a Type Confusion flaw in the V8 JavaScript engine, enabling attackers to access out-of-bounds memory locations through malicious HTML pages. Meanwhile, AngularJS users are at risk of a code injection flaw in earlier versions of Angular Expressions, which could allow arbitrary code execution on affected systems.

Vulnerability Exploits in Underground Forums

CRIL researchers also monitored underground forums and Telegram channels, where they observed multiple instances of Proof-of-Concept (PoC) exploits being shared. Among the vulnerabilities discussed were CVE-2023-21554, which affected Microsoft MSMQ, and CVE-2024-54152, which affected AngularJS. Threat actors in these forums discussed the active exploitation of these vulnerabilities and shared tools and methods for attacking vulnerable systems.

The Microsoft Message Queuing (MSMQ) service vulnerability (CVE-2023-21554), also known as QueueJumper, is particularly concerning. This remote code execution (RCE) vulnerability can allow attackers to execute arbitrary code on vulnerable servers. A notable trend in underground forums was the high demand for exploits targeting MSMQ servers, with actors willing to purchase exploits for up to USD 1,000.

Similarly, the CVE-2024-9122 vulnerability in Google Chrome was also discussed widely on dark web channels, where exploits for this high-severity flaw were being weaponized to target vulnerable versions of the browser.

Recommendation and Mitigation Strategies

As always, CRIL stresses the importance of prompt patching and network defenses to protect against these cyber threats. Key recommendations include:

1. Ensure that all systems are up to date with the latest patches from official vendors. Timely patching is critical to prevent attackers from exploiting known vulnerabilities.
2. Develop a comprehensive patch management strategy that includes asset tracking, patch assessment, and deployment. Automate the process where feasible to improve efficiency.
3. Implement network segmentation to minimize the exposure of critical systems. Use firewalls, VLANs, and access controls to restrict access to sensitive assets.
4. Enforce strong password policies and implement multi-factor authentication (MFA) to prevent unauthorized access.
5. Use Security Information and Event Management (SIEM) tools to detect suspicious activities in real time and generate alerts for potential exploits.
6. Maintain an updated incident response and recovery plan to ensure quick action in the event of a security breach.
7. Regularly perform vulnerability assessments and penetration tests to identify and mitigate security gaps.
8. Stay updated with the latest vulnerability disclosures and security advisories from trusted sources such as CISA and official vendors.

Conclusion

The latest Weekly Vulnerability Report from Cyble highlights critical security flaws across prominent platforms, such as D-Link, Apache, and Palo Alto. These vulnerabilities present significant risks to organizations worldwide. By leveraging Cyble’s advanced threat intelligence solutions, including proactive AI-powered platforms like Cyble Vision, businesses can better protect themselves from emerging threats, ensuring rapid response and reduced exposure to cyber risks. Stay ahead of cybercriminals with Cyble’s cutting-edge cybersecurity tools and expert guidance.

The post Weekly Vulnerability Insights Report: Critical Vulnerabilities Highlighted from December 25-31, 2024 appeared first on Cyble.

Blog – Cyble – ​Read More

Every year, Kaspersky experts briefly turn into soothsayers. No, our colleagues don’t reach for crystal balls, tarot cards or horoscopes to see into the cybersecurity future; their predictions are based on an analysis of the global trends and threats we encounter in our daily work.

And they’re often spot-on: for 2024, we predicted a rise in scams tied to play-to-earn (P2E) games, the proliferation of voice deepfakes, and other trends.

Now, let’s look at which cyberthreats and trends we believe will dominate in 2025:

• AI will become an everyday work tool.
• Scammers scamming in relation to new games and movies.
• Subscription scams will flourish.
• Social networks could be banned.
• User rights over personal data will expand.

AI will become an everyday work tool

In 2025, we expect artificial intelligence to solidify its role in our everyday lives. Major platforms like Google and Bing have integrated AI into search results over the past year, and users worldwide are hooked on ChatGPT and its many counterparts. Predicting how exactly AI will develop is tricky, but one thing is certain: what’s popular with regular users is inevitably twice as popular with scammers. Therefore, we urge you to exercise caution when using AI tools — and remind you that throughout 2024, we repeatedly reported on the associated threats.

How hackers can read your chats with ChatGPT or Microsoft Copilot

How to use ChatGPT, Gemini, and other AI securely

Trojans in AI models

With the popularization of artificial intelligence in 2025, the associated risks will be seen more clearly and frequently. Malicious actors are already adept at exploiting AI, so we should expect even more problems, such as those linked to deepfakes.

Scammers look forward to new games and movies

Fraudsters never miss major releases in the entertainment industry, and 2025 will be no exception. While gamers eagerly anticipate long-awaited titles like Mafia: Old Country, Civilization VII, and Death Stranding 2, attackers are already devising new schemes involving fake preorders and digital keys. We won’t even mention the dangers of downloading games from torrent sites — the risks are abundantly clear.

Movie enthusiasts won’t be overlooked either, as scammers join the rest of us in anticipating sequels and remakes like Superman, Jurassic World Rebirth, Captain America: Brave New World, Return to Silent Hill, and Tron: Ares. Be especially cautious — fraudsters may offer tickets to early screenings, sell fake merchandise, and exploit the love of cinema in every possible way. So get some reliable protection to be entertained securely.

Subscription scams will flourish

In recent years, the world has shifted significantly toward subscription-based models for goods and services, and scammers have capitalized on the trend — just think of the fake Telegram Premium subscription scam we’ve detailed on our blog.

As the number of subscription services continues to grow, some users might be tempted to “buy a subscription at a discount” or even “download the program for free”, playing right into the hands of scammers. Remember: if it sounds too good to be true, it probably is. Download programs and apps only from official sources, and ensure your devices have reliable protection, as malware can even be found in legitimate app stores.

Social networks may be banned

In Australia, access to popular social-media platforms has already been banned for all children under 16 without exception. Ten years ago, such an initiative would have been laughed off: “Just set your age to over 16 and carry on as usual”. But advancements in AI have changed everything. Reliable age verification systems are now being implemented, making it much harder to bypass such restrictions. The future of children’s access to social media, not only in Australia but worldwide, depends largely on the effectiveness of these systems.

If successful, this practice could easily be adopted by other countries, starting with Australia’s closest economic partners. While a complete ban on social media in 2025 seems unlikely, it’s highly probable that similar practices will be introduced elsewhere, leading to restrictions for certain user groups.

User rights over personal data will expand

Good news for anyone concerned about their personal data privacy: in 2025, users will gain greater control over their information! This is thanks to the gradual expansion of rights related to data portability, which may simplify the transfer of data between the platforms processing it.

Privacy policies such as the GDPR (EU) and CRPA (California, USA) are inspiring similar reforms across other U.S. states and in Asia. And let’s not forget the 2024 case where the European Center for Digital Human Rights upheld user rights against Meta, preventing the tech giant from using private personal data to train its AI models. So, we could see a shift in 2025 in the digital world’s balance of power — tilting it more in favor of individual users.

Kaspersky official blog – ​Read More

Overview 

The Indian Computer Emergency Response Team (CERT-In) has issued an alert regarding a critical security vulnerability in the WPForms plugin for WordPress. The flaw, identified as CVE-2024-11205, could allow attackers to bypass authorization controls and perform payment refunds and subscription cancellations on Stripe-powered websites.  

This WPForms plugin vulnerability, affecting WPForms versions 1.8.4 through 1.9.2.1, leaves WordPress sites vulnerable to exploitation by authenticated users with lower-level permissions. The vulnerability was disclosed publicly on December 9, 2024, by Wordfence researchers, and a patch was made available in WPForms version 1.9.2.2. 

The flaw stems from the absence of a capability check in the wpforms_is_admin_page function. This function is responsible for determining whether a user is accessing the admin interface via an AJAX request. Without proper authorization checks, attackers with Subscriber-level access or higher could bypass the restrictions and execute critical actions such as refunds and subscription cancellations on Stripe-powered sites. 

This vulnerability has been documented in the CIVN-2025-0001 Vulnerability Note, issued by CERT-In on January 1, 2025, indicating a High severity rating. Websites that rely on WPForms for financial transactions are particularly at risk of unauthorized modifications to their data, potentially causing significant financial losses and disruption of services.

Technical Details of the WPForms Plugin Vulnerability (CVE-2024-11205) 

The vulnerability exists in versions 1.8.4 through 1.9.2.1 of the WPForms plugin, where the wpforms_is_admin_ajax function lacks proper checks to ensure that the user requesting sensitive actions is authorized to do so. This function is intended to confirm whether a request originates from an admin interface, but because it does not perform capability checks, attackers can exploit the flaw to trigger ajax_single_payment_refund and ajax_single_payment_cancel functions.

These functions are used to process Stripe payments, but in the vulnerable versions of WPForms, they can be exploited by authenticated users with as little as Subscriber-level access. While nonce protection exists to prevent attacks such as Cross-Site Request Forgery (CSRF), authenticated attackers can bypass this protection by obtaining the nonce. This means that an attacker could potentially: 

• Initiate unauthorized refunds for legitimate payments, resulting in financial harm to businesses. 
• Cancel active subscriptions, disrupting services and harming customer relationships. 

These unauthorized actions could lead to a loss of revenue, significant operational costs, and reputational damage, particularly for businesses that rely on WPForms for managing payments and subscriptions. 

Exploitation Scenario 

The vulnerability allows attackers with Subscriber-level access or higher to exploit the ajax_single_payment_refund and ajax_single_payment_cancel functions. Normally, these actions are restricted to administrators, but the missing capability checks allow lower-level users to initiate them. 

Once an attacker gains access to these functions, they can initiate unauthorized refunds for Stripe payments and cancel active subscriptions. This could result in: 

• Unauthorized refunds can cause significant revenue loss for businesses. 
• Attacks that cancel subscriptions can interfere with customer services, leading to customer dissatisfaction and churn. 
• Unauthorized transactions can lead to a loss of trust among customers and potential harm to the business’s reputation. 

Given WPForms’ widespread use, this flaw affects millions of WordPress websites, with businesses of all sizes being vulnerable to exploitation. 

Remediation and Patch Details 

WPForms quickly addressed the issue by releasing a patched version of the plugin, version 1.9.2.2, on November 18, 2024. Users who are running versions 1.8.4 through 1.9.2.1 are strongly advised to update to the latest version immediately to protect their websites from exploitation. 

In addition to the patch, Wordfence, a leading security service for WordPress, took swift action to protect its users. On November 15, 2024, Wordfence Premium, Care, and Response users received a firewall rule to protect against potential exploits targeting this vulnerability. Protection for users of the free version of Wordfence was rolled out on December 15, 2024. 

The impact of this CVE-2024-11205 vulnerability is severe for businesses that rely on WPForms to manage payments and subscriptions via Stripe. If exploited, the vulnerability could result in: 

• Financial damage from unauthorized refunds and subscription cancellations. 
• Disruption of business operations, particularly for e-commerce sites that rely on WPForms for processing payments. 
• Loss of customer trust, as attackers could interfere with services and create doubts about the site’s security. 

Conclusion 

The CVE-2024-11205 vulnerability poses a risk to WPForms users, allowing attackers with Subscriber-level access or higher to initiate unauthorized payment refunds and cancel subscriptions. To mitigate this threat, it is crucial for users to update to the latest patched version, 1.9.2.2, which addresses the issue. The vulnerability’s potential impact on financial transactions and business operations makes it imperative for WordPress site administrators to prioritize this update, particularly those using WPForms for payment and subscription management. 

References:  

• https://www.cert-in.org.in/ 

• https://www.wordfence.com/blog/2024/12/6000000-wordpress-sites-protected-against-payment-refund-and-subscription-cancellation-vulnerability-in-wpforms-wordpress-plugin/ 

• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforms-lite/wpforms-184-1921-missing-authorization-to-authenticated-subscriber-payment-refund-and-subscription-cancellation 

The post CERT-In Issues Alert on WPForms Vulnerability That Can Disrupt Payment and Subscription Services appeared first on Cyble.

Blog – Cyble – ​Read More