U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene


As China-backed threat groups have been linked to recent attacks on telecom networks, the U.S. Treasury and other high-value targets, one issue has become increasingly clear: Good cyber hygiene could have limited damage from many of the attacks. 

Organizations have little in the way of defenses against advanced persistent threats (APTs) exploiting unknown zero-day vulnerabilities – at least until there’s an available patch – but they can make it harder for those threat actors to move laterally once inside their network. 

No incident drives that point home more than one cited by Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, in a December 27 press briefing.

Admin Account Had Access to 100,000 Routers 

Many of the media questions focused on China’s infiltration of U.S. telecom networks. Neuberger noted that a ninth telecom service provider has now been identified as a victim. When asked for details, she noted one startling fact about one of the breaches: 

“in one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.” 

Lack of access controls gave the threat actors “broad and full access” to networks. “[W]e believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.” 

Neuberger expressed support for an FCC effort to mandate stronger telecom network security, and said she hopes it includes network segmentation. “Even if an attacker like the Chinese government gets access to a network, they’re controlled and they’re contained,” she said. 

An FCC vote on the new telecom security rules could come on January 15. 

Other important cybersecurity practices cited by Neuberger – and included in hardening guidance from the NSA and CISA – included: 

  • Improved configuration management 
  • Securing the management plane 
  • Better vulnerability management of networks 
  • Improved information sharing on incidents and techniques 

“The Chinese, you know, were very careful about their techniques,” Neuberger said. “They erased logs. In many cases, companies were not keeping adequate logs. So, there are details likely … that we will never know regarding the scope and scale of this.” 

Treasury Hack, Ivanti Zero-Day Exploits Attributed to China 

Other recent attacks attributed to China include the U.S. Treasury Department breach and an Ivanti zero-day exploit.

The Ivanti Connect Secure, Policy Secure and ZTA Gateways vulnerabilities – CVE-2025-0282 and CVE-2025-0283 – were added to CISA’s Known Exploited Vulnerabilities catalog on January 8, and CISA also published mitigation guidance for the vulnerabilities the same day. 

In response to the growing cyber threat from China, the Biden Administration is reportedly rushing out an executive order to harden federal networks against attacks. 

Cyber Hygiene Recommendations from Cyble 

Cyber hygiene also figures prominently in Cyble’s annual threat landscape report and an accompanying podcast, which will be released next week and will be available as a free Cyble research report.

In the podcast, Kaustubh Medhe, Cyble’s Vice President of Research and Cyber Threat Intelligence, noted that perimeter security products such as VPNs, firewalls, WAFs, and load balancers from Fortinet, Cisco, Ivanti, Palo Alto, Citrix, Barracuda and others are “being exploited for ransomware and data theft. 

“What’s concerning is that the patching window for enterprises continues to shrink as ransomware gangs and APT groups are quick to weaponize and exploit zero-day vulnerabilities on a mass scale months before these vulnerabilities become public,” Medhe said. 

He listed a number of cybersecurity lapses that commonly lead to breaches and cyberattacks: 

  • Local copies of sensitive data stored on end user systems and laptops 
  • Insecure file servers, network shares or cloud storage, with weak or non-existent access policies, exposed on the internet 
  • Lack of secure hardening configurations on endpoints, servers and IT infrastructure 
  • Lack of network segmentation, allowing lateral movement 
  • Inadequate protection of API keys, access tokens and passwords in public code repositories 
  • Weak or ineffective endpoint protection and anti-malware solutions, and failure to detect and prevent infostealer infections that lead to credential compromise and theft 
  • Weak endpoint and network-level monitoring controls to detect and prevent high-volume data exfiltration 
  • Security misconfigurations on internet-facing applications and servers and cloud infrastructure 
  • Weak API security settings, inadequate authentication, lack of proper input validation, absence of rate limiting, lack of API monitoring, and weak detection controls 
  • Poor security hygiene at third parties with access to sensitive data 

Conclusion 

Recent cyberattacks linked to Chinese APT groups strongly suggest that while not every cyberattack can be prevented – particularly those involving exploitation of unknown zero days – basic security practices like proper access control and permissions, network segmentation, and proper application, device and cloud configuration could go a long way toward limiting damage from attacks that do occur. 

The good news is that proper cyber hygiene often doesn’t cost anything more than the time to get it right. 

The post U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene appeared first on Cyble.

Blog – Cyble – Read More

Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report


Overview 

This week’s ICS vulnerability report sheds light on multiple flaws detected between January 01, 2025, to January 07, 2025. The report offers crucial insights into the cybersecurity challenges faced by organizations. It draws attention to the vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA), which has issued multiple advisories highlighting the risks that need urgent mitigation.

CISA’s latest advisories target two specific vulnerabilities affecting a wide range of ICS devices and systems. These advisories are crucial, given that vulnerabilities in ICS systems can have serious consequences for the safety and efficiency of critical infrastructure. In total, 27 vulnerabilities were reported, affecting products from vendors such as ABB and Nedap Librix. These vulnerabilities span multiple series, including ASPECT-Enterprise, NEXUS, and MATRIX, as well as the Nedap Librix Ecoreader.

Several Common Weakness Enumerations (CWEs) have been identified across the affected products, including CWE-1287 (improper validation), CWE-552 (insufficient access control), CWE-770 (resource exhaustion), CWE-943 (improper validation of input), and CWE-521 (insufficient access control). These CWEs highlight recurring issues that undermine the security of critical systems, such as improper input validation and insufficient access control measures.

One of the more interesting aspects of these vulnerabilities is that 12 out of the 27 reported have publicly available proof-of-concept (PoC) exploits. This greatly increases the risk for organizations, as cybercriminals can easily leverage these exploits to target vulnerable systems, potentially resulting in severe damage.

Breakdown of the Weekly ICS Vulnerability Report 

The ICS vulnerabilities reported during the week are mostly categorized as critical, with a small proportion classified as high-severity. Critical vulnerabilities are those that have the potential to cause severe damage or compromise sensitive systems, while high-severity vulnerabilities still present cyber risks but may be less immediately impactful.

Among the affected vendors, ABB stands out with 26 vulnerabilities reported in its ASPECT-Enterprise, NEXUS, and MATRIX series products. The remainder of the vulnerabilities, one in total, was reported for Nedap Librix devices. The vulnerabilities reported by CISA affect a variety of critical infrastructure sectors, with a particularly high concentration in the Critical Manufacturing sector.

This sector, which plays an important role in national security and economic stability, accounted for 96.3% of the reported vulnerabilities, highlighting its importance and vulnerability. On the other hand, the Commercial Facilities sector reported just 3.7% of the vulnerabilities, reflecting comparatively lower exposure.

Recommendations for Mitigating ICS Vulnerabilities 

The CRIL report highlights the need for proactive measures to mitigate these vulnerabilities and enhance the overall security of ICS systems. Below are some key recommendations: 

  1. It is essential for organizations to stay on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  2. Implementing a Zero-Trust Policy is crucial for minimizing exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification is vital. Automating these processes can help maintain consistency and improve efficiency. 

  4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  5. Conducting regular vulnerability assessments and penetration testing can identify gaps in security that might be exploited by threat actors. 

  6. Establishing and maintaining an incident response plan is vital. Organizations should ensure that the plan is tested and updated regularly to adapt to the latest threats. 

  7. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion  

The ongoing vulnerabilities within Industrial Control Systems (ICS) pose cyber threats to critical infrastructure sectors, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. The ICS vulnerability report and advisories from CISA are crucial in helping organizations stay informed and address these risks proactively.  

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report appeared first on Cyble.


Do we still have to keep doing it like this?


Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to strike, I did what any security professional should do at the start of the year (and indeed at any time of year): I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC, and the video has just landed. The theme? “When do we get to play in easy mode?” In other words, why is security still so hard? 

Wendy showed the InfoSec Research Council’s “Hard Problems” list from 2005. Do any of these sound familiar? 

  • Global scale identity management 
  • Insider threat 
  • Availability of time critical systems 
  • Building scalable secure systems 
  • Attack attribution and situational understanding 
  • Information provenance 
  • Security with privacy 
  • Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, if something you’ve been trying for a while isn’t working and is only leading to deeper frustration, is it possible to come at it from a different direction? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. “People are your greatest asset, if you treat them that way.” 

I’m seeing a lot of “how to thrive in 2025!” posts right now. For anyone who isn’t ready for that, or is tired of it all, I just want to say: I’m right there with you. But if you’re also feeling like it’s “new year, same problems,” perhaps there’s one thing you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, to addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, on whose committee Wendy sits. 

I’d thoroughly recommend checking out the full keynote, if only to see Wendy wielding a hammer in a moderately threatening manner.

The one big thing

Attacks in which malicious actors deliberately install known vulnerable drivers, only to exploit them later, use a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

 Why do I care?  

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats – primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

So now what?  

There are a few things we can do to mitigate the risks and detect potential campaigns using the BYOVD technique. These include enforcing Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, which removes the risks associated with legacy drivers. If blocking all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) driver blocklist is the recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 

Top security headlines of the week   

  • CISA says there is ‘no indication’ of a wider government hack beyond the Treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
  • FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading
  • Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

Can’t get enough Talos?  

  • Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

Upcoming events where you can find Talos     

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

Most prevalent malware files of the week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: 873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f
MD5: d86808f6e519b5ce79b83b99dfb9294d
VirusTotal: https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f
Typical Filename: N/A
Claimed Product: N/A
Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8

Cisco Talos Blog – Read More

HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption


Key Takeaways

  • HexaLocker was first discovered in mid-2024, with version 2 introducing significant updates and enhanced functionalities.
  • HexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots.
  • The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption.
  • Unlike its predecessor, HexaLocker V2 exfiltrates victim files before encrypting them, following the double extortion method of data theft and file encryption.
  • HexaLocker V2 utilizes a combination of advanced encryption algorithms, including AES-GCM for string encryption, Argon2 for key derivation, and ChaCha20 for file encryption.
  • HexaLocker V2 replaces the TOXID communication method with a unique hash, enabling victims to communicate with the Threat Actors’ (TA’s) site. 

Executive Summary

On August 9th, the HexaLocker ransomware group announced a new Windows-based ransomware on their Telegram channel. The post highlighted that the ransomware was developed in the Go programming language and claimed that their team included members from notable groups like LAPSUS$ and others. Following this announcement, researchers from Synacktiv analyzed this ransomware variant and published their findings shortly after.

On October 21st, cybersecurity researcher PJ04857920 shared a post on X, revealing that the admin behind HexaLocker had decided to shut down the operation and put the ransomware’s source code and web panel up for sale based on information from the HexaLocker group’s Telegram channel.

Later, on December 12th, they provided another update on X, stating that the HexaLocker ransomware had been revived, with signs of ongoing development and activity. The Telegram post also mentioned that the upgraded version of HexaLocker would feature enhanced encryption algorithms, stronger encryption passwords, and new persistence mechanisms.

Cyble Research and Intelligence Labs (CRIL) came across a new version of the HexaLocker ransomware. Upon execution, it copies itself to the %appdata% directory, creates a run entry for persistence, encrypts files, and appends the “HexaLockerv2” extension to them.

Prior to encryption, the ransomware also steals the victim’s files and exfiltrates them to a remote server. Notably, in this new version, the ransomware downloads an open-source stealer named Skuld to collect sensitive information from the victim’s machine before encryption. The figure below shows the Hexalocker Ransomware Site used for Victim’s communication.

Figure 1 – Ransomware login page

Technical Details

Persistence

Upon execution, the HexaLocker ransomware creates a self-copy named “myapp.exe” in the “%appdata%\MyApp” directory and establishes persistence by adding an AutoRun entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value name “MyAppAutostart”, ensuring the ransomware binary executes upon system reboot.

Figure 2 – AutoRun entry
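The Run-key persistence described above is the kind of behaviour a registry-monitoring rule can catch before encryption starts. The following is an added example written for this page, not Cyble’s tooling or the ransomware’s code: it scans Sysmon-style “registry value set” events (Event ID 13, with the TargetObject, Details and Image fields Sysmon populates) and flags Run-key values whose autostart target, or whose writing process, lives in a user-writable directory such as %appdata%, as well as the value name “MyAppAutostart” reported for this sample. The sample events are constructed.

```python
"""Flag suspicious autostart (Run key) persistence in Sysmon-style registry events.

Constructed detection logic, not from the Cyble report: it looks for Run key
values whose target lives in a user-writable directory, the pattern HexaLocker V2
uses with %appdata%\\MyApp\\myapp.exe and the value name "MyAppAutostart".
"""
import re

# Per-user (HKU/HKCU) and machine-wide (HKLM) Run / RunOnce keys; the value name follows.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

# Paths a legitimate installer rarely uses for an autostart target.
USER_WRITABLE_RE = re.compile(
    r"%appdata%|%localappdata%|%temp%"
    r"|\\AppData\\(?:Roaming|Local)\\"
    r"|\\Users\\[^\\]+\\(?:Downloads|Desktop|Public)\\",
    re.IGNORECASE,
)

# Value name reported for the HexaLocker V2 sample (from the report above).
KNOWN_BAD_VALUE_NAMES = {"myappautostart"}


def analyze_run_key_events(events):
    """Return one finding per Event ID 13 record that sets a Run key value
    with at least one suspicious trait; benign records produce nothing."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # only "value set" events matter here
            continue
        target = ev.get("TargetObject", "")
        m = RUN_KEY_RE.search(target)
        if not m:                            # not a Run/RunOnce key
            continue
        value_name = target[m.end():]        # text after the final backslash
        details = ev.get("Details", "")      # the data written: the autostart command
        image = ev.get("Image", "")          # the process that wrote the value
        reasons = []
        if value_name.lower() in KNOWN_BAD_VALUE_NAMES:
            reasons.append("value name matches the HexaLocker V2 sample")
        if USER_WRITABLE_RE.search(details):
            reasons.append("autostart target is in a user-writable directory")
        if USER_WRITABLE_RE.search(image):
            reasons.append("writing process runs from a user-writable directory")
        if reasons:
            findings.append({"value_name": value_name, "target": details,
                             "image": image, "reasons": reasons})
    return findings


# Constructed sample events in the shape of Sysmon Event ID 13 fields.
SAMPLE_EVENTS = [
    {   # HexaLocker V2 style: the self-copy in %appdata%\MyApp writes its own Run value
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Roaming\MyApp\myapp.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyAppAutostart",
        "Details": r"C:\Users\alice\AppData\Roaming\MyApp\myapp.exe",
    },
    {   # Benign: an installer under Program Files registering its own updater
        "EventID": 13,
        "Image": r"C:\Program Files\ExampleVendor\setup.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
        "Details": r"C:\Program Files\ExampleVendor\updater.exe /quiet",
    },
    {   # Not a registry event at all; ignored
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for f in analyze_run_key_events(SAMPLE_EVENTS):
        print(f"{f['value_name']} -> {f['target']}")
        for r in f["reasons"]:
            print("   ", r)
```

Only the first sample event is reported, with all three reasons. The user-writable-path heuristic is a lead rather than a verdict: some legitimate per-user software installs under AppData\Local, so in practice the finding is enriched with the file hash of the autostart target (matched against the IOC list later in this report) before it is escalated.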

Obfuscation

All string references, including the Stealer URL, file paths, folder names, environment variable names, WMIC commands, and ransom notes, are generated during runtime through multiple layers of AES-GCM decryption. This approach effectively obfuscates the strings, making them harder to detect by security solutions. In contrast, all strings in the previous version were statically visible.

Figure 3 – String Decryption

Stealer

Prior to initiating the encryption process, the ransomware downloads a stealer binary, a Go-compiled program, from the URL hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe and executes it from the current directory. This stealer functionality was absent in the previous version of HexaLocker.

The downloaded stealer, identified as Skuld, is an open-source tool designed to target Windows systems and steal user data from various applications such as Discord, browsers, crypto wallets, and more.

Figure 4 – Skuld Stealer’s features

In this case, the TA has utilized only the browser module from the many available in the open-source Skuld Stealer. The image below shows function names corresponding only to the browser module from the Skuld project.

Figure 5 – Browser modules

The stealer collects various sensitive data stored by Chromium and Gecko-based browsers, such as cookies, saved credit card information, downloads, browsing history, and login credentials. Skuld Stealer targets the following web browsers in this campaign.

Gecko-based browsers

Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHawk, Pale Moon, Mercury

Chromium browsers

Chrome SxS, ChromePlus, 7Star, Chrome, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, Uran, Fenrir Inc, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, 360Browser, Maxthon3, K-Melon, CocCoc, BraveSoftware, Amigo, Torch, Sputnik, Edge, DCBrowser, YandexBrowser, UR Browser, Slimjet, Opera

The stolen data is compressed into a ZIP archive named ‘BrowsersData-*.zip’ and stored in the AppData\Local\Temp directory before being exfiltrated to the remote server “hxxps://hexalocker[.]xyz/upload.php”. The image below shows the console output of the stealer upon completing each stage.

Figure 6 – Stealer Console Output

Exfiltration

Upon executing the stealer payload, the ransomware exfiltrates the victims’ files by scanning all folders starting from “C:” to find files with extensions matching those listed in the table below. The identified files are compiled into a single ZIP archive named “data_*.zip”, stored in the “%localappdata%DataHexaLocker” directory, and subsequently transmitted to the attacker’s remote server via “hxxps[:]//hexalocker.xyz/receive.php”.

| Category | File Types |
| --- | --- |
| Documents | .pdf, .doc, .docx, .rtf, .txt, .wps, .xls, .xlsx, .csv, .ppt, .pot, .xps, .xsd, .xml |
| Images | .jpg, .jpeg, .png, .bmp, .gif, .tif, .tiff, .ico, .jpe, .dib, .raw, .psd, .exr, .bay |
| Audio | .mp3, .wav, .wma, .m4a, .m4p, .flac, .aac, .amr, .ogg, .adp |
| Video | .mp4, .mkv, .avi, .mov, .wmv, .flv, .3gp, .m4v, .amv, .swf |
| Compressed Files | .zip, .rar, .7z, .tar, .gz, .bz2, .cab, .iso, .lzh, .ace, .arj |
| Code & Scripts | .php, .asp, .htm, .html, .js, .jsp, .css, .py, .java, .c, .cpp, .asm, .vbs, .cmd, .bat |
| Executable Files | .exe, .msi, .dll, .apk, .lnk |
| Database Files | .db, .dbf, .mdb, .sql, .odc, .odm, .pst, .mdf, .myi, .tab |
| 3D/Design Files | .3ds, .dae, .stl, .max, .dwg, .dxf, .obj, .r3d, .kmz, .opt |
| Web/Markup Files | .html, .htm, .xml, .xsl, .rss, .cfm, .xsf |
| System/Backup Files | .bak, .cer, .crt, .pfx, .p12, .p7b, .log, .cfg, .ini, .lnk |
| Others | .sum, .sln, .dif, .dmg, .p7c, .opt, .sie, .key, .vob |

Encryption

The ransomware generates a key and the salt needed for encryption and sends them to a remote server at “hxxps[:]//hexalocker.xyz/index[.]php,” along with host-specific details such as the IP address, computer name, and ID. This information is used to identify the victims and facilitate the recovery of the encrypted files.

Figure 7 – Victim’s Details

Once the gathered information is transmitted to the attacker, HexaLocker proceeds to scan the “C:\Users\<username>” directory on the victim’s machine. It searches for files that match a specific set of extensions, as listed in the table below.

| Category | Extensions |
| --- | --- |
| Text Documents | .txt, .doc, .odt, .rtf, .wps, .dot |
| Databases | .sql, .mdb, .dbf, .pdb, .mdf, .mdw, .myi |
| Spreadsheets | .xls, .ods, .csv, .xla, .xlw, .xlm, .xlt, .slk |
| Presentations | .ppt, .odp, .pps, .pot |
| Programming Files | .cpp, .css, .php, .asp, .ini, .inc, .obj, .bat, .cmd, .vbs, .jsp, .asm, .cfm |
| Archives | .zip, .rar, .tar, .iso, .bz2, .cab, .lzh, .ace, .arj |
| Images | .jpg, .png, .bmp, .gif, .tif, .ico, .psd, .raw, .svg, .jpe, .dib, .iff, .dcm, .bay, .dcr, .nef, .orf, .r3d |
| Audio | .mp3, .mka, .m4a, .wav, .wma, .flv, .pls, .adp |
| Video | .mp4, .mkv, .avi, .mov, .wmv, .3gp, .m4v, .amv, .m4p, .vob, .mpv, .3g2, .f4v, .m1v |
| Web Files | .htm, .html, .xml, .css, .js, .jsp, .rss |
| Executables | .exe, .jar, .msi, .dll |
| Scripts | .php, .asp, .vbs, .cmd, .bat |
| Backup/Logs | .bak, .log |
| 3D/CAD | .3ds, .dae, .dwg, .max, .geo |
| Compressed | .zip, .rar, .tar, .bz2, .gz |
| Configuration | .ini, .cfg, .xml |
| Emails | .msg, .oft, .pst, .dbx |
| Fonts | .ttf, .otf, .woff |
| Certificates | .crt, .cer, .pfx, .p12, .p7b, .p7c |
| Others | .lnk, .dat, .sum, .opt, .dic, .tbi, .xps, .key, .tab, .stm, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .opt |

The ransomware reads the content of the original file and uses the ChaCha20 algorithm to encrypt the data. Once the encryption is complete, it creates a new file with the “.HexaLockerV2” extension and writes the encrypted content to this newly created file. The ransomware then proceeds to delete the original file using the os.Remove function, leaving only the encrypted file behind. The figure below shows the chacha20 encryption algorithm used by the ransomware binary.

Figure 8 – Chacha20 Algorithm

The figure below illustrates the files encrypted by the HexaLocker Ransomware, which have the “.HexaLockerV2” extension.

Figure 9 – User files after encryption

Finally, the ransomware displays a ransom note to the victim, instructing them to contact the TA through their communication channels, such as Signal, Telegram, and Web Chat, as shown below.

Figure 10 – Ransom note

The ransom note contains a unique personal hash, which the victim uses to communicate with the TA through a chat window provided by the attacker, as shown below.

Figure 11 – Web Chat Window

Conclusion

The new version of HexaLocker ransomware represents a significant upgrade, incorporating enhanced encryption logic and a customized stealer component. Developed in Go, the ransomware benefits from Go’s efficiency, and its binaries are harder for endpoint security products to detect.

Before initiating the encryption process, the ransomware employs the Skuld stealer to collect sensitive information from the victim’s machine. This strategic combination of the Skuld stealer and the ransomware highlights the continuous evolution and sophistication of the HexaLocker group, posing an ongoing threat to targeted systems.

The Yara rule to detect HexaLocker Version 2 is available for download from the linked Github repository.    

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: 

Safety Measures to Prevent Ransomware Attacks 

  • Regularly back up important files to offline or cloud storage, ensuring they are stored securely and not connected to the main network.
  • Enable automatic updates for your operating system, applications, and security software to ensure you receive the latest patches and security fixes.
  • Implement endpoint protection with reputable anti-virus and anti-malware software to detect and block potential ransomware threats.
  • Educate employees or users about phishing attacks and suspicious email links, which are common ransomware delivery methods.
  • Restrict user privileges and avoid running unnecessary services to minimize the attack surface, ensuring users only have access to the resources they need.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Procedure |
| --- | --- | --- |
| Execution (TA0002) | User Execution (T1204.002) | User executes the ransomware file. |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Adds a Run key entry for execution on reboot. |
| Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Ransomware decrypts strings using the AES algorithm. |
| Discovery (TA0007) | File and Directory Discovery (T1083) | Ransomware enumerates folders for file encryption and file deletion. |
| Impact (TA0040) | Data Encrypted for Impact (T1486) | Ransomware encrypts files for extortion. |
| Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves passwords from Login Data. |
| Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies. |
| Collection (TA0009) | Archive via Utility (T1560.001) | Zip utility is used to compress the data before exfiltration. |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration over C2 channel. |

Indicators of Compromise (IOCs)

| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 | SHA-256 | Stealer |
| 0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a | SHA-256 | HexaLockerV2 |
| 28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 | SHA-256 | HexaLockerV2 |
| d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 | SHA-256 | HexaLockerV2 |
| hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe | URL | Stealer download URL |
| hxxps[:]//hexalocker[.]xyz/upload[.]php | URL | NA |
| hxxps[:]//hexalocker[.]xyz/receive[.]php | URL | NA |
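The IOCs above are defanged, so a practitioner first refangs them and then sweeps proxy and EDR telemetry for the download, upload and receive endpoints and the file hashes. The following is an added example written for this page, not Cyble’s code: it parses the IOC table exactly as published, refangs the URLs, and matches them against constructed proxy log lines (timestamp, client, method, URL, status, bytes) and constructed file-hash events. A host-level match is reported separately from a full-URL match, because the report also names hexalocker.xyz endpoints (index.php) that are not in the IOC table.

```python
"""Refang the HexaLocker V2 IOCs and match them against proxy and EDR telemetry.

Constructed example, not Cyble tooling: the IOC rows are copied from the report's
table; the proxy log lines and file-hash events are made-up sample input.
"""
import re
from urllib.parse import urlsplit

# Rows exactly as published in the report: indicator, type, description.
IOC_TABLE = """\
8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 SHA-256 Stealer
0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a SHA-256 HexaLockerV2
28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 SHA-256 HexaLockerV2
d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 SHA-256 HexaLockerV2
hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe URL Stealer download url
hxxps[:]//hexalocker[.]xyz/upload[.]php URL NA
hxxps[:]//hexalocker[.]xyz/receive[.]php URL NA
"""


def refang(ioc):
    """Undo the usual defanging conventions: hxxp, [:], [://], and [.] / (.) / {.}."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    s = s.replace("[://]", "://").replace("[:]", ":")
    return re.sub(r"[\[({]\.[\])}]", ".", s)


def parse_ioc_table(text):
    """Return {"sha256": {hash: label}, "urls": {url: label}, "hosts": set(hostnames)}."""
    iocs = {"sha256": {}, "urls": {}, "hosts": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        indicator, kind, description = line.split(maxsplit=2)
        if kind.upper() == "SHA-256":
            iocs["sha256"][indicator.lower()] = description
        elif kind.upper() == "URL":
            url = refang(indicator)
            iocs["urls"][url] = description
            iocs["hosts"].add(urlsplit(url).hostname)
    return iocs


def match_proxy_log(lines, iocs):
    """Each line: '<timestamp> <client> <method> <url> <status> <bytes>' (constructed format).
    A full-URL hit is strongest; a host-only hit is still reported because the
    report names endpoints (index.php) that the IOC table does not list."""
    hits = []
    for line in lines:
        ts, client, method, url, status, nbytes = line.split()
        host = urlsplit(url).hostname
        if url in iocs["urls"]:
            level = "url"
        elif host in iocs["hosts"]:
            level = "host"
        else:
            continue
        hits.append({"time": ts, "client": client, "method": method,
                     "url": url, "level": level, "bytes": int(nbytes)})
    return hits


def match_file_hashes(events, iocs):
    """events: dicts with host, path and sha256, e.g. from an EDR file-creation feed."""
    return [
        {"host": e["host"], "path": e["path"], "label": iocs["sha256"][e["sha256"].lower()]}
        for e in events
        if e["sha256"].lower() in iocs["sha256"]
    ]


# Constructed sample telemetry: one workstation fetching the stealer, uploading
# browser data, then posting to index.php; another host browsing normally.
SAMPLE_PROXY_LOG = [
    "2025-01-08T10:12:03Z 10.0.0.12 GET https://hexalocker.xyz/SGDYSRE67T43TVD6E5RD.exe 200 5242880",
    "2025-01-08T10:12:41Z 10.0.0.12 POST https://hexalocker.xyz/upload.php 200 734003",
    "2025-01-08T10:13:05Z 10.0.0.12 POST https://hexalocker.xyz/index.php 200 512",
    "2025-01-08T10:13:30Z 10.0.0.40 GET https://www.example.com/ 200 1200",
]
SAMPLE_HASH_EVENTS = [
    {"host": "WS-0231", "path": r"C:\Users\alice\AppData\Roaming\MyApp\myapp.exe",
     "sha256": "0347AA0B42253ED46FDB4B95E7FFAFA40BA5E249DFB5C8C09119F327A1B4795A"},
    {"host": "WS-0231", "path": r"C:\Users\alice\Downloads\SGDYSRE67T43TVD6E5RD.exe",
     "sha256": "8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8"},
    {"host": "WS-0418", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
]

IOCS = parse_ioc_table(IOC_TABLE)

if __name__ == "__main__":
    for h in match_proxy_log(SAMPLE_PROXY_LOG, IOCS):
        print(f"[{h['level']}] {h['time']} {h['client']} {h['method']} {h['url']} ({h['bytes']} bytes)")
    for m in match_file_hashes(SAMPLE_HASH_EVENTS, IOCS):
        print(f"[hash] {m['host']} {m['path']} -> {m['label']}")
```

Hash comparison is case-insensitive because EDR products differ in how they print digests. The byte counts are kept on the proxy hits on purpose: a large POST to upload.php or receive.php from a single client is the exfiltration stage the report describes, and it happens before any file is encrypted, so it is the last point at which blocking the host limits the damage.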

References

https://www.trellix.com/en-in/blogs/research/skuld-the-infostealer-that-speaks-golang

https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html

The post HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption appeared first on Cyble.

Blog – Cyble – ​Read More

How vulnerable Ecovacs robot vacuums are being hacked | Kaspersky official blog

Imagine: you get up in the night for a glass of water, walk across the unlit landing, when out of the darkness a voice starts yelling at you. Not nice, you’d surely agree. But that’s the new reality for owners of vulnerable robot vacuums, which can be commanded by hackers to turn from domestic servants into foul-mouthed louts. And that’s not all: hackers can also control the robot remotely and access its live camera feed.

The danger is clear and present: recently, cases of cyberhooligans hijacking vulnerable robot vacuums to prank people (and worse) have been seen in the wild. Read on for the details…

How a robot vacuum works

Let’s start with the fact that a modern robot vacuum is a full-fledged computer on wheels, usually running on Linux. It comes with a powerful multi-core ARM processor, a solid chunk of RAM, a capacious flash drive, Wi-Fi, and Bluetooth.

Figure: Schematic of a typical robot vacuum. Today's robot vacuum is a full-fledged computer on wheels.

And of course, the modern robot vacuum has sensors everywhere: infrared, lidar, motion, camera (often several of each), and some models also have microphones for voice control.

Figure: Camera and microphones in the Ecovacs DEEBOT X1. The DEEBOT X1 has not only a camera but also an array of microphones.

And naturally, all modern robot vacuums are permanently online and hooked up to the vendor’s cloud infrastructure. In most cases, they communicate aplenty with this cloud — uploading piles upon piles of data collected during operation.

Vulnerabilities in Ecovacs robot vacuums and lawn mowers

The first report of vulnerabilities in Ecovacs robot vacuums and lawnmowers surfaced in August 2024, when security researchers Dennis Giese (known for hacking a Xiaomi robot vacuum) and Braelynn Luedtke gave a talk at DEF CON 32 on reverse engineering and hacking Ecovacs robots.

Figure: The Ecovacs GOAT G1 robot lawnmower, which can also be equipped with GPS, LTE and a long-range Bluetooth module.

In their talk, Giese and Luedtke described several methods for hacking Ecovacs robot vacuums and the mobile app that owners use to control them. In particular, they found that a potential hacker could access the feed from the robot’s built-in camera and microphone.

This is possible for two reasons. First, if the app is used on an insecure network, attackers can intercept the authentication token and communicate with the robot. Second, although in theory the PIN code set by the device owner secures the video feed, in practice it gets verified on the app side — so it can be bypassed.
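The second weakness is the classic one of trusting the client to enforce a control. The following Python is an added example, not Ecovacs code and not a reproduction of its protocol: it models a robot that streams video when the app claims the PIN was accepted (the design described above) next to one that verifies the PIN itself, with a constant-time comparison and a lockout after repeated failures. The class and method names, the PIN and the lockout parameters are all invented for the illustration.

```python
import hmac


class Robot:
    """Robot/cloud side: holds the owner's PIN and gates access to the camera feed."""

    def __init__(self, pin: str):
        self._pin = pin
        self.failed = 0
        self.locked_until = 0.0

    # Vulnerable design: the app checks the PIN locally and sends only its verdict.
    # Anything that can talk to this endpoint can simply send "True".
    def stream_trusting_client(self, client_says_pin_ok: bool) -> str:
        return "VIDEO_FRAMES" if client_says_pin_ok else "DENIED"

    # Hardened design: the PIN attempt itself is sent and verified here, where a
    # patched or reimplemented app has no influence on the outcome.
    def stream_verified_here(self, pin_attempt: str, now: float) -> str:
        if now < self.locked_until:
            return "LOCKED"
        if hmac.compare_digest(pin_attempt.encode(), self._pin.encode()):
            self.failed = 0
            return "VIDEO_FRAMES"
        self.failed += 1
        if self.failed >= 5:
            self.locked_until = now + 300.0  # five misses: lock the feed for 5 minutes
        return "DENIED"


def honest_app(robot: Robot, pin_entered: str, real_pin: str) -> str:
    """The legitimate app in the vulnerable design: compares locally, reports the verdict."""
    return robot.stream_trusting_client(pin_entered == real_pin)


def modified_app(robot: Robot) -> str:
    """An attacker-controlled client in the vulnerable design: skips the check entirely."""
    return robot.stream_trusting_client(True)


if __name__ == "__main__":
    r = Robot("4821")
    print("honest app, wrong PIN     :", honest_app(r, "0000", "4821"))
    print("modified app, no PIN      :", modified_app(r))
    print("server-side, wrong PIN    :", r.stream_verified_here("0000", now=0.0))
    print("server-side, right PIN    :", r.stream_verified_here("4821", now=1.0))
```

The point is not the lockout numbers but where the comparison lives: in the first design the PIN is decoration, because the decision is made by code the attacker controls.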

Figure: Attackers accessing the video feed from an Ecovacs robot vacuum. The PIN code protecting the feed is verified on the app side, which makes the mechanism trivially bypassable.

The researchers also managed to gain root access to the robot’s operating system. They found it was possible to send a malicious payload to the robot via Bluetooth, which in some Ecovacs models gets turned on after a scheduled reboot, while in others it’s on all the time. In theory, encryption should protect against this, but Ecovacs uses a static key that’s the same for all devices.
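Why a fleet-wide static key is fatal is easiest to see in code. The following Python is an added example, not Ecovacs code: it uses an HMAC over the Bluetooth payload to stand in for whatever cipher the robots actually use, and compares a design where every unit ships the same embedded key with one where each unit holds only a key derived for it from a root secret that stays on the vendor's backend. All keys, device IDs and the payload are made up for the illustration.

```python
import hmac
import hashlib

# --- Weak design: one key baked into the firmware of every unit ---------------
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # example value


def tag(key: bytes, device_id: str, payload: bytes) -> bytes:
    """Authenticate a payload for a specific device (HMAC stands in for the real cipher)."""
    return hmac.new(key, device_id.encode() + b"|" + payload, hashlib.sha256).digest()


def device_accepts_static(device_id: str, payload: bytes, mac: bytes) -> bool:
    """Every robot checks against the same STATIC_KEY."""
    return hmac.compare_digest(tag(STATIC_KEY, device_id, payload), mac)


# --- Better design: per-device keys, root secret never leaves the backend ------
VENDOR_ROOT = hashlib.sha256(b"example-vendor-root-secret").digest()  # backend only


def derive_device_key(device_id: str) -> bytes:
    """Backend-side derivation; the unit receives only the result at provisioning."""
    return hmac.new(VENDOR_ROOT, b"bt-key|" + device_id.encode(), hashlib.sha256).digest()


class Device:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self._key = derive_device_key(device_id)  # stored on this unit only

    def accepts(self, payload: bytes, mac: bytes) -> bool:
        return hmac.compare_digest(tag(self._key, self.device_id, payload), mac)

    def dump_key(self) -> bytes:
        """What an attacker gets after rooting this one unit."""
        return self._key


def forge(leaked_key: bytes, target_id: str, payload: bytes) -> bytes:
    """Attacker reuses a key extracted from one unit to address a different unit."""
    return tag(leaked_key, target_id, payload)


if __name__ == "__main__":
    payload = b"exec:/bin/sh"
    # Static key: rooting one unit yields the key for the whole fleet.
    print("static key, forged for unit-B:",
          device_accepts_static("unit-B", payload, forge(STATIC_KEY, "unit-B", payload)))
    # Per-device key: unit-A's key buys nothing against unit-B.
    a, b = Device("unit-A"), Device("unit-B")
    print("per-device key, forged for unit-B:", b.accepts(payload, forge(a.dump_key(), "unit-B", payload)))
```

Per-device keys do not stop someone from rooting the unit in front of them; they stop that one root from becoming a wormable primitive against every other unit in Bluetooth range.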

Armed with this knowledge, an intruder can get root privileges in the operating system of any vulnerable Ecovacs robot and hack it at a distance of up to 50 meters (~165 feet) — which is precisely what the researchers did. As for robot lawnmowers, these models are hackable at more than 100 meters (~330 feet) away, since they’ve got more powerful Bluetooth capabilities.

Add to that the fact that, as mentioned already, today’s robot vacuums are full-fledged Linux-based computers, and you can see how attackers could use one infected robot as a means to hack others nearby. In theory, hackers could even create a network worm to infect robots automatically anywhere in the world.

Figure: The Bluetooth vulnerability in Ecovacs robots could be used to create a worm, leading to a chain of infection from one robot to the next.

Giese and Luedtke informed Ecovacs about the vulnererabilities they found, but received no response. According to the researchers, the company did try to close some of the holes, but with little success, and it left the most serious vulnerabilities unaddressed.

How the Ecovacs robot vacuums were hacked for real

It appears that the DEF CON talk generated great interest in the hacker community — so much so that someone seems to have taken the attack a step further and deployed it against Ecovacs robot vacuums out in the real world. According to recent reports, owners in several U.S. cities have been hit by hackers and made to suffer abuse from their robot servants.

In one incident in Minnesota, an Ecovacs DEEBOT X2 started moving by itself and making strange noises. Alarmed, its owner went into the Ecovacs app and saw that someone was accessing the video feed and remote-control feature. Writing it off as a software glitch, he changed the password, rebooted the robot and sat down on the couch to watch TV with his wife and son.

But the robot kicked back into life almost straight away — this time emitting a continuous stream of racial slurs from its speakers. Not knowing what to do, the owner turned off the robot, took it into the garage and left it there. Despite this ordeal, he is grateful that the hackers made their presence so obvious. Far worse, he says, would have been if they’d simply secretly monitored his family through the robot without revealing themselves.

Figure: Hijacking a live video feed from an Ecovacs robot vacuum.

In a similar case, this time in California, another Ecovacs DEEBOT X2 chased a dog around the house, again shouting obscenities. And a third case was reported from Texas, where, you guessed it, an Ecovacs robot vacuum went walkabout and hurled abuse at its owners.

The exact number of hacks of Ecovacs robot vacuums is unknown. One reason for this, alluded to above, is that the owners may not be aware of it: the hackers may be quietly observing their daily lives through the built-in camera.

How to guard against robot vacuum hacking?

The short answer is: you can’t. Unfortunately, there’s no universal method of protecting against robot vacuum hacking that covers all bases. For some models, in theory, there’s the option of hacking it yourself, getting root access, and unlinking the machine from the vendor’s cloud. But this is a complex and time-consuming procedure that the average owner won’t consider attempting.

A serious problem with IoT devices is that many vendors, sadly, still pay insufficient attention to security. And they often prefer to bury their heads in the sand — even declining to respond to researchers who helpfully report such issues.

To reduce the risks, try to do your own research on the security practices of the vendor in question before purchasing. Some actually do a pretty good job of keeping their products safe. And, of course, always install firmware updates: new versions usually remove at least some of the vulnerabilities that hackers can exploit to gain control over your robot.

And remember that a robot connected to home Wi-Fi, if hacked, can become a launchpad for an attack on other devices connected to the same network — smartphones, computers, smart TVs, and so on. So it’s always a good idea to move IoT devices (in particular, robot vacuums) to a guest network, and install reliable protection on all devices where possible.

Kaspersky official blog – ​Read More

Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience

Lithuanian Cyber Command

Overview 

On January 1, Lithuania marked a pivotal moment in its national defense strategy with the official launch of the Lithuanian Cyber Command (LTCYBERCOM). Spearheaded by the Ministry of National Defence, this new military unit aims to enhance the country’s cybersecurity posture while strengthening its collaboration with NATO and other international partners. 

A New Era in Cyber Defense with Lithuanian Cyber Command 

LTCYBERCOM is tasked with conducting cyberspace operations and managing strategic communications and information systems (CIS). Its creation reflects Lithuania’s recognition of the growing importance of cyberspace in modern warfare and national security. By consolidating cyber defense resources under one command, LTCYBERCOM ensures a unified and efficient approach to countering digital threats. 

The command structure includes: 

  • Command Headquarters: Responsible for planning and executing cyber operations. 

  • Lithuanian Great Hetman Kristupas Radvila Perkūnas CIS Battalion: Focused on delivering robust communication and information services. 

  • IT Service of the Cyber Defence Command: A revamped entity from the Ministry of National Defence’s former IT service. 

This restructuring consolidates Lithuania’s cyber capabilities, aligning them under the Cyber Command’s mandate. Some functions, however, remain with the National Cyber Security Centre and the Core Centre of State Telecommunications, ensuring seamless coordination across all levels of cyber defense. 

Strengthening National and Allied Defense 

Vice Minister of National Defence Tomas Godliauskas called out the importance of LTCYBERCOM in modern defense strategies. “The Lithuanian Cyber Command is critical as an enabler of military planning and action coordination in cyberspace. Strengthening cyber defense and effective cyber incident management are cornerstone steps in protecting against emerging threats and safeguarding national security,” he said. 

The command also ensures interoperability with NATO’s cyber defense framework. As a NATO member since 2004, Lithuania has actively contributed to collective defense efforts. LTCYBERCOM will enhance Lithuania’s ability to respond to cyber threats while aligning its strategies with NATO’s broader objectives. 

Responding to Growing Cyber Threats 

Lithuania’s investment in cyber defense comes amid a surge in digital threats driven by geopolitical tensions. Cyberattacks, particularly from neighboring Russia, have targeted NATO allies, including Lithuania, with the goal of disrupting critical infrastructure and sowing division. 

A 2024 report from Google highlighted an uptick in Russian cyber operations against NATO nations, coinciding with Russia’s ongoing invasion of Ukraine. These attacks showcase the need for robust cyber defenses to protect not just national interests but also the stability of the NATO alliance. 

By establishing LTCYBERCOM, Lithuania is taking a proactive stance against these challenges. The new command will focus on preventing and mitigating cyber incidents, securing critical infrastructure, and ensuring rapid responses to digital threats. 

Complementary Roles of National Agencies 

While the Lithuanian Cyber Command assumes responsibility for military cyber operations, the National Cyber Security Centre (NCSC) under the Ministry of National Defence continues to play a vital role in civilian cybersecurity. This year, the NCSC invited more than 500 organizations providing critical services to participate in the annual cybersecurity exercise “Cyber Shield”. In addition, all residents had the opportunity to deepen their knowledge in various cybersecurity training programs. 

The center also provides incident response services, enhances resilience across government agencies, and supports critical sectors. Together, these entities form a comprehensive defense framework that addresses both military and civilian cybersecurity needs. 

Conclusion 

The legal foundation for LTCYBERCOM was laid in July 2024 when Lithuania’s Seimas approved amendments to the structure of the Armed Forces. This legislative milestone paved the way for the January inauguration, signaling Lithuania’s commitment to adapting its defense strategies for the digital age. 

Looking ahead, LTCYBERCOM is poised to become a cornerstone of Lithuania’s national defense strategy. With cyberattacks becoming an integral part of modern conflict, LTCYBERCOM equips Lithuania with the tools and strategies needed to safeguard its sovereignty and support its allies. By focusing on cyber capabilities, the country ensures its readiness to counter emerging threats while contributing to NATO’s collective security framework. 


The post Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience appeared first on Cyble.


CISA Releases Two New Industrial Control Systems Advisories for 2025

Cyble | Industrial Control Systems

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has released two Industrial Control Systems (ICS) advisories. These advisories, ICSA-25-007-01 and ICSA-25-007-02, aim to inform users and administrators about vulnerabilities in key ICS products. The goal is to mitigate potential risks to vital infrastructure sectors by highlighting existing security weaknesses that could be exploited by cyber attackers.

ICSA-25-007-01: ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products 

The first advisory, ICSA-25-007-01, addresses multiple vulnerabilities within ABB’s ASPECT-Enterprise, NEXUS, and MATRIX series products. ABB, a leading provider of industrial automation and control systems, has reported numerous security flaws that could severely impact system integrity. These vulnerabilities range from weak passwords to critical code injection weaknesses, and they pose a significant risk to critical manufacturing sectors. 

Key Vulnerabilities 

Several vulnerabilities have been identified within ABB’s products, which include: 

  • Files or Directories Accessible to External Parties (CVE-2024-6209) 

  • Improper Validation of Specified Type of Input (CVE-2024-6298) 

  • Cleartext Transmission of Sensitive Information (CVE-2024-6515) 

  • Cross-site Scripting (XSS) (CVE-2024-6516) 

  • Server-Side Request Forgery (SSRF) (CVE-2024-6784) 

  • Code Injection (CVE-2024-48839) 

  • Weak Password Requirements (CVE-2024-48845) 

  • Unrestricted Upload of Dangerous Files (CVE-2024-51548) 

The most severe vulnerabilities carry a CVSS v3 score of 10.0, indicating they are highly exploitable and could lead to remote code execution, unauthorized access, or denial of service (DoS). These vulnerabilities are present across multiple ABB product lines, including ASPECT-Enterprise (ASP-ENT-x), NEXUS Series (NEX-2x), and MATRIX Series (MAT-x), in versions up to and including 3.08.02. 

Affected Products 

The following products are affected by these vulnerabilities: 

  • ABB ASPECT-Enterprise (ASP-ENT-x <= 3.08.02) 

  • ABB NEXUS Series (NEX-2x, NEXUS-3-x) 

  • ABB MATRIX Series (MAT-x) 

These products are deployed worldwide and are critical to operations in sectors like critical manufacturing. The vulnerabilities affect systems in both industrial and commercial environments, making them high-priority targets for cybersecurity professionals. 

Mitigations 

ABB has recommended that users upgrade to a release later than 3.08.02, the last affected version, which resolves many of these issues. Additionally, users are urged to apply security patches and adopt stronger password policies to mitigate the risk of unauthorized access. 

CISA’s advisory highlights that these vulnerabilities could be exploited remotely, with low complexity and without requiring direct access to the devices. Exploits could allow attackers to execute arbitrary code, gain unauthorized access to sensitive data, or disrupt operations. Thus, the ICSA-25-007-01 advisory serves as a critical call to action for administrators to update their systems and implement security best practices immediately. 

ICSA-25-007-02: Nedap Librix Ecoreader 

The second advisory, ICSA-25-007-02, addresses vulnerabilities in the Nedap Librix Ecoreader. Nedap is a well-known provider of RFID solutions, and the Ecoreader is used in access control and inventory management. The advisory highlights several flaws in the system that could expose sensitive data and allow attackers to manipulate access controls. 

While the ICSA-25-007-02 advisory lacks the extensive list of vulnerabilities that appear in the ABB advisory, it still outlines critical risks, particularly in environments where physical security and data integrity are paramount. 

Conclusion  

The release of CISA’s ICS advisories, ICSA-25-007-01 and ICSA-25-007-02, highlights the critical need for prompt action to secure industrial control systems against emerging cyber threats. These advisories identify vulnerabilities in ABB’s and Nedap’s products that could compromise ICS integrity, leading to operational disruptions and data breaches.  

With cyberattacks on infrastructure becoming more sophisticated, organizations must prioritize security updates and proactive measures. Cybersecurity experts like Cyble can help organizations better defend against cyber threats, ensuring the protection of critical infrastructure and operations. 


The post CISA Releases Two New Industrial Control Systems Advisories for 2025 appeared first on Cyble.


The Commonwealth Cyber Security Posture 2024: A Deep Dive into Australia’s Cyber Defense Measures

Commonwealth Cyber Security Posture

Overview 

The Australian Government has published its latest report on Commonwealth cyber security. The Commonwealth Cyber Security Posture in 2024 report provides an essential update on the measures and progress related to cyber security across Australian Government entities. Tabled before the Australian Parliament, the report is a key tool for understanding the implementation and effectiveness of cyber security controls for the 2023–24 financial year. As part of the government’s ongoing efforts to protect national security, public trust, and the economy, the Commonwealth Cyber Security Posture in 2024 highlights areas of improvement, challenges, and recommendations for enhancing Australia’s cyber defenses.

According to the report, the Australian Government consisted of 100 non-corporate Commonwealth entities (NCEs), 74 corporate Commonwealth entities (CCEs), and 16 Commonwealth companies (CCs), a total of 190 government entities, as of June 30, 2024. The report draws on the Australian Signals Directorate’s (ASD) Cyber Security Survey for Commonwealth Entities, which achieved a 94% participation rate in 2024, the highest to date. This marks an important step towards understanding and mitigating cyber security risks across Australian Government entities. 

Cyber security is assessed in the report using three primary criteria: 

  1. Cyber Security Hardening: The implementation of technical mitigations to reduce the likelihood of system compromises. 

  2. Incident Preparedness and Response: The readiness and actions of entities when a cyber incident occurs. 

  3. Leadership and Planning: The involvement of leadership in fostering a strong cyber security culture and ensuring the overall security of systems. 

Key Findings of the Commonwealth Cyber Security Posture in 2024 

The report illustrates that while substantial progress has been made, there are areas in need of improvement. One notable concern is the declining number of entities meeting Maturity Level 2 across the Essential Eight mitigation strategies. In 2024, only 15% of entities reached Maturity Level 2—a decrease from 25% in 2023.  

The Essential Eight strategies, a set of cyber security practices developed by ASD, aim to reduce vulnerabilities and enhance cyber resilience across government systems. These strategies form the backbone of the Commonwealth Cyber Security Posture in 2024, and their implementation is a crucial factor in assessing the security posture of government agencies. 

Despite this decline, there are encouraging signs of progress in certain areas. In 2024, 75% of entities had a cyber security strategy in place, an increase from 73% in 2023. Moreover, 86% of entities had incorporated cyber security disruptions into their business continuity and disaster recovery plans, a notable improvement from 83% in the previous year. These strategies are crucial for maintaining continuity of government services, ensuring that cyber threats do not derail essential functions. 

Another positive development is that 88% of entities had a planned body of work to improve their cyber security, with 82% of these plans being funded. This reflects a proactive stance toward addressing vulnerabilities and strengthening security defenses. Furthermore, 86% of entities now have an incident response plan in place, an increase from 82% in 2023, signaling better preparedness to handle cyber threats when they arise. 

Training and Workforce Development 

The role of training and awareness in strengthening the Commonwealth Cyber Security Posture is also highlighted in the report. In 2024, 78% of government entities provided annual cyber security training to their workforce, maintaining the same percentage as in 2023. More encouragingly, the provision of privileged user training increased with 51% of entities offering this specialized training, up from 39% in 2023. This reflects the growing recognition of the critical need to educate personnel about advanced threats, such as phishing and unauthorized access attempts, which remain prevalent across government networks. 

The presence of legacy IT systems remains a persistent challenge for the Commonwealth Cyber Security Posture. These outdated systems pose cyber security risks due to their vulnerability to modern cyberattacks. In April 2024, ASD published guidance on managing the risks of legacy IT, offering low-cost mitigations to help entities manage these risks alongside their current cyber security strategies. 

Cyber security Incident Reporting and Supply Chain Risk 

Despite the improvements in cyber security governance, there are still gaps in incident reporting. Only 32% of entities reported at least half of the cyber security incidents observed on their networks to ASD. This highlights a critical area for further improvement, as comprehensive incident reporting is important for identifying online threats and improving national cyber security resilience. 

Supply chain risks also remain an important concern. In 2024, 74% of entities conducted supply chain risk assessments for applications, ICT equipment, and services, underscoring the importance of evaluating the security of third-party services and software that could pose risks to government systems. 

Addressing the Commonwealth Cyber Security Posture Going Forward 

To enhance Australia’s cyber security defenses, the report recommends that entities: 

  1. Continue to implement the Essential Eight strategies across their networks to reach at least Maturity Level 2. 

  2. Increase cyber security incident reporting and share cyber threat information with ASD to improve overall situational awareness. 

  3. Implement strategies for managing legacy IT, ensuring that both old and new systems are protected against cyber threats.  

  4. Maintain incident response plans and conduct exercises at least every two years to ensure readiness. 

These recommendations are vital for building a more resilient Commonwealth Cyber Security Posture, ensuring that Australian Government entities are well prepared to respond to online threats.  

Conclusion  

The Commonwealth Cyber Security Posture in 2024 highlights both the progress and challenges in strengthening Australia’s cyber security defenses. The Essential Eight mitigation strategies continue to play an important role in reducing vulnerabilities and enhancing the resilience of government ICT systems. With updates to these strategies addressing cyber threats, the Australian Signals Directorate (ASD) remains at the forefront of protecting against increasingly sophisticated cyber adversaries.  

While strides have been made, ongoing vigilance, collaboration, and the continuous refinement of cyber security practices are crucial for protecting Australia’s critical infrastructure. Moving forward, the nation’s commitment to improving incident response, workforce training, and adopting best practices will be vital in overcoming the growing complexities of cyber threats, ensuring a secure and resilient digital future. 


The post The Commonwealth Cyber Security Posture 2024: A Deep Dive into Australia’s Cyber Defense Measures appeared first on Cyble.


MyCERT Advisory Recommends Cybersecurity Practices for Water Systems

Cyble | MyCERT advisory

Overview 

The water sector is experiencing a rise in cyber threats, with critical infrastructure, including both IT and operational technology (OT) systems, becoming primary targets for malicious actors. These attacks, which exploit vulnerabilities in internet-facing OT systems and industrial control systems (ICS), pose cybersecurity risks to public health, business continuity, and national security.  

MyCERT, the Malaysian Computer Emergency Response Team, has issued advisory MA-1228.012025, aimed at raising awareness of cybersecurity risks in the water sector and recommending mitigation strategies. While no cyber incidents have been reported in Malaysia’s water systems, the MyCERT advisory stresses the importance of vigilance and proactive defense. 

MyCERT Advisory Highlights the Growing Cybersecurity Threat to Water Systems 

Water systems control essential services such as pumping stations, chlorination processes, and valves, all of which are critical to public health and safety. However, older systems with outdated software and weak security measures are increasingly susceptible to cyber-attacks. Many of these attacks exploit simple security weaknesses, such as default passwords and unprotected access points, enabling attackers to gain unauthorized access to sensitive systems. 

Cyberattacks targeting water systems can take many forms, from ransomware attacks demanding payment to prevent data exposure, to more insidious breaches targeting programmable logic controllers (PLCs) and other ICS devices. While large utilities have strengthened their defenses, smaller systems remain especially vulnerable. 

The October 2024 cyber incident involving American Water in New Jersey is one such example. Although the attack did not result in operational disruptions at American Water’s facilities, it highlights the cybersecurity vulnerabilities in the sector. The attack primarily affected computer networks and administrative systems, underlining the need for water utilities worldwide, including those in Malaysia, to enhance their security measures. 

Potential Impacts of Cyberattacks on Water Systems 

Cybersecurity incidents in the water sector can have a wide range of destructive consequences, both direct and indirect. Among the most concerning impacts are: 

  • Operational disruption: Cyberattacks can interfere with the normal functioning of water systems, leading to delays in water treatment, pumping, and distribution processes. 
  • Public health risk: If attackers gain control of critical water system functions, they could contaminate drinking water or improperly manage chemicals, posing serious risks to public health. 
  • Economic impact: Industries relying on water, such as agriculture and manufacturing, could face operational shutdowns, leading to economic losses. 
  • Data compromise: Attackers who gain access to sensitive water system data could expose confidential information, resulting in reputational damage and erosion of public trust. 
  • Ransomware and extortion: These attacks exploit vulnerabilities in water systems to hold sensitive data hostage. If ransoms are not paid, attackers may leak confidential data, including trade secrets and personal information, leading to further harm. 
  • Recovery costs: Recovering from a cyberattack often involves substantial costs, including expenses for system restoration, legal fees, and potential fines for data breaches. 

MyCERT Advisory for Securing Water Systems 

To mitigate the cybersecurity risks facing water systems, MyCERT has outlined a series of best practices aimed at improving resilience and reducing the likelihood of successful attacks. Water system administrators are encouraged to follow these guidelines to protect critical assets: 

  1. Immediately replace default passwords with strong, unique passwords. This is one of the most basic yet effective steps to secure systems. 
  2. Minimize the number of critical systems exposed to the public internet, thereby reducing the attack surface for potential threats. 
  3. Ensure that user accounts have access only to the data and systems necessary for their role. This can limit the damage caused by compromised accounts. 
  4. Enable multi-factor authentication (MFA), which provides an added layer of security by requiring additional verification steps before granting access to critical systems. 
  5. Apply network segmentation in water treatment facilities to isolate key systems from non-essential systems, preventing widespread damage in the event of an attack. 
  6. Ensure that all systems, both OT and IT, are updated with the latest security patches and antivirus definitions. This is crucial to defending against known vulnerabilities. 
  7. Perform daily backups of both OT and IT systems and store backup copies in remote locations. Regularly test backup processes to ensure they function correctly during a disaster recovery scenario. 
  8. Provide annual cybersecurity training for all staff members, ensuring they understand the latest threats and how to avoid common pitfalls like phishing or clicking on malicious links. 
  9. Regularly update disaster recovery and business continuity plans to account for emerging threats and vulnerabilities. Ensure these plans are well-practiced in the event of an actual breach. 

Conclusion  

The MyCERT advisory emphasizes the need to strengthen cybersecurity in Malaysia’s water systems, which are crucial for public health and the economy. As these systems become more digital and interconnected with sectors like agriculture and manufacturing, their exposure to cyber risks grows. 

By adopting best practices like updating passwords, using multi-factor authentication, and applying security patches, water utilities can improve defenses against cyber threats. MyCERT encourages staying updated on cybersecurity developments and conducting regular assessments. While Malaysia has not faced major cyber incidents in water systems, the rising threats require vigilance. Platforms like Cyble, with AI-driven threat intelligence, help protect these vital infrastructures. 


The post MyCERT Advisory Recommends Cybersecurity Practices for Water Systems appeared first on Cyble.


Tenable Nessus Bug and LDAP RCE: What You Need to Know

Cyble | JoCERT

Overview 

JoCERT has alerted the global cybersecurity community to two critical issues requiring urgent attention from IT professionals and system administrators. The first involves Tenable Nessus Agents, a widely used vulnerability scanning tool, while the second concerns a critical vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service, potentially leading to remote code execution (RCE). Both incidents underline the need for prompt action and a proactive approach to cybersecurity.

This blog will provide a detailed overview of the incidents, their impacts, and recommended resolution steps to help organizations mitigate potential risks. 

Incident 1: Tenable Nessus Agent Outage 

Incident Overview 

On December 31, 2024, Tenable Nessus Agent versions 10.8.0 and 10.8.1 encountered a critical issue due to a faulty differential plugin update. This bug disrupted systems across multiple regions, including the Americas, Europe, and Asia, leaving Nessus agents offline and unable to perform their core function—vulnerability scanning. The root cause was a rare race condition triggered during plugin updates, which led to the simultaneous compilation of interdependent libraries. 

Impact 

  • Nessus agents running versions 10.8.0 and 10.8.1 stopped functioning, rendering them incapable of conducting vulnerability scans. 

  • Tenable temporarily disabled plugin feed updates for these versions to prevent further issues. 

  • Organizations relying on these agents for vulnerability management faced significant disruptions. 

Resolution Steps 

To address the issue, Tenable provided the following guidance: 

  1. Upgrade or Downgrade Agents 

  • Upgrade to Nessus Agent version 10.8.2. 

  • Downgrade to version 10.7.3 if upgrading is not feasible. 

  2. Plugin Reset 

  • If using agent profiles for updates, a plugin reset is necessary to recover offline agents. This can be achieved using either of the following methods: 

  • Use the script provided in the Tenable release notes. 

  • Execute the nessuscli reset command. 

  3. Manual Upgrade Process 

  • Download the Tenable Nessus Agent 10.8.2 or 10.7.3 installation package. 

  • Manually upgrade or downgrade agents using the install package. 

  4. Recommendations for Long-Term Management 

  • Maintain rigorous change management processes to minimize risks associated with tool updates. 

  • Consider retaining older, stable software versions for quick rollback scenarios. 

Key Fixes in Nessus Agent Version 10.8.2 

  • Resolved issues causing agents to crash under specific error conditions. 

  • Addressed the race condition that caused agents to go offline following a plugin update. 

Additional Notes 

Organizations should review their network configurations to ensure uninterrupted communication between Nessus agents and Tenable’s infrastructure. For instance, domain allow lists must include *.cloud.tenable.com to ensure compatibility with Tenable’s new domains, reducing operational overhead. 

Incident 2: Windows LDAP Remote Code Execution Vulnerability (CVE-2024-49113) 

Incident Overview 

Microsoft disclosed a critical vulnerability, CVE-2024-49113, impacting the Lightweight Directory Access Protocol (LDAP). LDAP is integral to Microsoft’s Active Directory, facilitating the access and maintenance of directory services. The vulnerability could potentially allow Remote Code Execution (RCE), enabling attackers to exploit directory services and compromise sensitive systems. 

Impact 

An attacker could exploit the vulnerability to: 

  • Execute arbitrary code on the targeted system. 

  • Disrupt directory services, leading to a Denial of Service (DoS). 

  • Compromise sensitive organizational data stored in Active Directory. 

Mitigation Steps 

Microsoft has provided mitigations to reduce the risk associated with this vulnerability. Organizations are advised to: 

  1. Apply Patches Immediately 

  • Ensure the latest security patches are applied to all systems using LDAP services. 

  2. Enhance Security Configurations 

  • Limit access to LDAP servers to trusted entities. 

  • Implement mutual authentication to verify both the server and client identities. 

  3. Monitor for Malicious Activity 

  • Regularly audit LDAP logs for suspicious activity. 

  • Deploy intrusion detection/prevention systems (IDS/IPS) to monitor LDAP traffic. 

  4. Train Employees 

  • Educate users on identifying and avoiding phishing attempts that could lead to LDAP exploitation. 

Key Recommendations 

Applying these mitigations will reduce the likelihood of attackers successfully convincing victims to connect to malicious servers. Organizations should regularly review and update their security protocols to address evolving threats. 
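The mitigation steps above (limit LDAP access to trusted entities, audit for suspicious activity) and the note that the vector relies on a victim connecting to a malicious server suggest one concrete check: flag LDAP connections where a domain controller talks to an untrusted peer in either direction. The script below is an added example, not code from JoCERT, Microsoft or Cyble; the log line format, DC addresses and trusted subnets are all assumed for illustration.

```python
"""Flag LDAP connections between domain controllers and untrusted peers (added example)."""
from ipaddress import ip_address, ip_network

# LDAP (389), LDAPS (636) and the Global Catalog ports (3268/3269).
LDAP_PORTS = {389, 636, 3268, 3269}

# Assumed inventory for this example: DC addresses and trusted subnets.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

# Constructed sample log: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2025-01-06T10:00:01Z 10.0.5.20:51234 -> 10.0.0.10:389 TCP
2025-01-06T10:00:05Z 203.0.113.7:40000 -> 10.0.0.10:389 TCP
2025-01-06T10:00:09Z 10.0.0.11:49152 -> 198.51.100.23:389 TCP
2025-01-06T10:00:12Z 10.0.0.11:49153 -> 10.0.0.10:3268 TCP
2025-01-06T10:00:15Z 10.0.5.21:51240 -> 10.0.0.10:443 TCP
"""


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted subnets."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str):
    """Split one assumed-format log line into its fields."""
    ts, src, _, dst, _proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port)


def find_suspicious(log_text: str) -> list:
    """Return (timestamp, reason, src_ip, dst_ip, dst_port) for each LDAP flow to review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _src_port, dst_ip, dst_port = parse_line(line)
        if dst_port not in LDAP_PORTS:
            continue  # not LDAP traffic
        if dst_ip in DOMAIN_CONTROLLERS and not is_trusted(src_ip):
            # Inbound LDAP to a DC from outside the trusted networks.
            findings.append((ts, "untrusted-client", src_ip, dst_ip, dst_port))
        elif src_ip in DOMAIN_CONTROLLERS and not is_trusted(dst_ip):
            # A DC acting as an LDAP client toward a server we do not trust.
            findings.append((ts, "dc-outbound-to-untrusted", src_ip, dst_ip, dst_port))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Real deployments would feed firewall, NetFlow or DC event data in whatever format they produce; the two conditions are the part worth keeping.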

Technical Analysis and Key Learnings 

Tenable Nessus Incident 

The Tenable Nessus outage points out the importance of thorough testing before deploying updates to critical systems. The race condition caused by simultaneous compilation of interdependent libraries could have been identified with more comprehensive testing under varied conditions. This incident highlights the need for: 

  • Strong QA Processes: Test updates across different environments before release. 

  • Fail-Safe Mechanisms: Implement automatic rollbacks or sandboxing for plugin updates to prevent widespread outages. 

Windows LDAP Vulnerability 

The Windows LDAP vulnerability illustrates the critical need for: 

  • Proactive Patch Management: Timely patching is essential to mitigate known vulnerabilities. 

  • Layered Defense Strategies: Relying solely on patching is insufficient. Organizations must adopt a multi-layered approach that includes firewalls, access controls, and continuous monitoring. 

Conclusion 

The Tenable Nessus Agent outage and the Windows LDAP vulnerability (CVE-2024-49113) emphasize the critical importance of proactive vulnerability management and swift response strategies. These incidents highlight the need for rigorous patch management, effective change controls, and the ability to quickly roll back in times of disruption. 

Staying ahead in today’s cybersecurity landscape requires vigilance, routine updates, and strategic planning to mitigate evolving threats. By learning from these events and prioritizing system resilience, organizations can strengthen their defenses and minimize risks. 

The post Tenable Nessus Bug and LDAP RCE: What You Need to Know appeared first on Cyble.
