Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities

Cyble Malware

Overview

Cyble has identified multiple instances of exploitation attempts, malware intrusions, financial fraud, and brute-force attacks. The data is captured in real-time via Cyble’s comprehensive network of Honeypot sensors, providing valuable insights into the nature of cyber threats.

Cyble’s latest Sensor Intelligence report from December 4th to December 10th, 2024, provides in-depth analysis on a range of vulnerabilities, including high-profile malware variants, phishing scams, and CVE (Common Vulnerabilities and Exposures) attempts.

Cyble’s Global Sensors Intelligence (CGSI) network has detected several attack vectors, many of which target critical vulnerabilities in Internet of Things (IoT) devices and widely used software platforms.

The report covers a broad spectrum of threats, including well-known Linux malware variants such as Mirai and Gafgyt, along with exploitation attempts involving the Telerik UI and Cisco ASA. Below are some key insights into the most prevalent vulnerabilities observed during the reporting period.

Case Studies on Vulnerabilities and Exploits

  1. PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
    A critical vulnerability in PHP configurations has been detected, enabling attackers to execute arbitrary commands through specially crafted URL parameters. This vulnerability could lead to severe system compromise if left unpatched. Organizations are urged to patch PHP configurations and restrict access to vulnerable systems to mitigate potential exploitation.
  2. OSGeo GeoServer Eval Injection Vulnerability (CVE-2024-36401)
    Cyble identified a remote code execution (RCE) vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. This issue arises from the unsafe evaluation of request parameters, allowing unauthenticated users to execute arbitrary code. To mitigate the threat, the report recommends updating to the latest GeoServer versions and removing the vulnerable gt-complex library.
  3. Ruby SAML Improper Signature Verification (CVE-2024-45409)
    The Ruby-SAML library, a widely used tool for implementing the client side of SAML authentication, was found to have improper cryptographic signature verification in versions 12.2 and 1.13.0 to 1.16.0. Attackers could exploit this vulnerability to forge SAML responses and gain unauthorized access to systems. Updating to Ruby-SAML versions 1.17.0 or 1.12.3 is recommended to mitigate this risk.
  4. Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198, CVE-2023-20273)
    Cyble has reported ongoing exploitation of the web UI feature in Cisco IOS XE Software. The initial compromise occurs via the CVE-2023-20198 vulnerability, which allows attackers to gain access and escalate privileges to root. Organizations are advised to implement Cisco’s recommended patches to secure their systems.
  5. Joomla Improper Access Check-in Webservice Endpoints (CVE-2023-23752)
    An improper access check vulnerability was discovered in Joomla versions 4.0.0 through 4.2.7, allowing unauthorized access to webservice endpoints. This can expose sensitive information and allow attackers to execute malicious actions. Updating Joomla to the latest version is critical for organizations using this content management system.
  6. ownCloud GraphAPI Information Disclosure (CVE-2023-49103)
    A vulnerability in the ownCloud GraphAPI app can disclose sensitive system information, including environment variables, which may contain credentials and other sensitive data. To prevent data leaks, the app must be disabled or updated to the latest patched version.
  7. Apache OFBiz SSRF Vulnerability (CVE-2023-50968)
    Apache OFBiz was found to have a server-side request forgery (SSRF) vulnerability that attackers could exploit to read arbitrary file properties. Upgrading to version 18.12.11 is recommended to eliminate this threat.
  8. Citrix NetScaler ADC Buffer Overflow Vulnerability (CVE-2023-4966)
    Citrix NetScaler ADC and Gateway devices were found to be vulnerable to sensitive information disclosure due to a buffer overflow. This can lead to unauthorized access to internal network resources. Patch management and network monitoring are crucial to protecting against this vulnerability.

Malware and Attack Analysis

Cyble’s analysis also focuses on various malware threats observed across different regions. One notable example is the emergence of a new anti-banking Trojan called AppLite Banker. This sophisticated malware is distributed through phishing campaigns disguised as CRM applications. Once installed, it abuses Android’s Accessibility Services to overlay fake login screens on legitimate applications, tricking users into revealing their credentials.

AppLite employs advanced evasion techniques, such as manipulating APK file structures to avoid detection by static analysis tools. After installation, it can execute commands remotely, exfiltrate financial data, and even control infected devices through features like screen unlocking and interaction simulation. The malware’s global reach is further evidenced by its multilingual capabilities, making it a persistent threat to users worldwide.

CVE Attack Attempts: A Closer Look

In the past week, Cyble observed a high volume of exploit attempts targeting several CVEs. The most frequently attempted CVE was CVE-2020-11899, which saw 25,736 attack attempts. This vulnerability affects the Treck TCP/IP stack and can lead to an IPv6 out-of-bounds read. Other notable CVEs include CVE-2019-0708, a remote code execution flaw in Remote Desktop Services, and CVE-2021-44228, the infamous Log4j vulnerability, which continues to be a major vector for attacks.

Cyble’s extensive network of sensors detected these attacks and provided critical data to help organizations understand and defend against these vulnerabilities. As CVE-2020-11899 continues to be a primary target for cybercriminals, organizations are urged to patch vulnerable systems to prevent potential breaches.

Recommendations and Mitigations

To mitigate the risks highlighted in this report, Cyble recommends the following actions:

  1. Regularly update software and hardware systems to patch known vulnerabilities. This includes applying updates for CVEs and software-specific flaws identified in the report.
  2. Use threat intelligence feeds to block IP addresses associated with known attackers and malware distribution.
  3. Enforce the use of strong passwords and implement multi-factor authentication (MFA) to reduce the risk of brute-force and credential-stuffing attacks.
  4. Continuously monitor for Indicators of Compromise (IoCs), such as suspicious IP addresses, URLs, and file hashes, to detect potential attacks early.
  5. Regularly audit systems, networks, and devices for vulnerabilities and misconfigurations that attackers could exploit.

Conclusion

The findings in Cyble’s Sensor Intelligence report highlight the growing sophistication and persistence of cyber threats. Through its AI-powered intelligence, Cyble provides essential insights that help organizations protect their digital assets.

With AI-powered platforms like Cyble Vision and Cyble Hawk, businesses can access real-time threat intelligence, monitor vulnerabilities, and receive automated remediation advice. Cyble’s solutions empower enterprises, governments, and individuals to stay protected from cybercriminals at all times.

The post Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

Romania Urges Energy Sector of Proactive Scanning Amid LYNX Ransomware Threat

Cyble LYNX Ransomware

Overview

The Romanian National Cyber Security Directorate (DNSC) has issued a critical advisory urging all entities, especially those in the energy sector, to scan their IT and critical infrastructure for malicious binaries associated with the LYNX ransomware cybercrime group. This recommendation follows a ransomware attack targeting the Electrica Group, Romania’s leading energy provider.

DNSC said even organizations unaffected by the attack must act proactively to detect and mitigate potential risks. The Directorate advised using the provided YARA scanning scripts to identify the malicious binary and prevent further infiltration.

The Electrica Group Ransomware Incident

On December 9, 2024, the Electrica Group reported a ransomware attack to DNSC and claimed that the ‘cyberattack was in progress.’ The incident prompted immediate intervention from DNSC specialists and other national authorities. While critical power supply systems remain operational, investigations into the attack are ongoing.

Electrica Group, in its notification to the London Stock Exchange, reassured its commitment to managing the incident swiftly and transparently. CEO Alexandru Aurelian Chirita told stakeholders that the company’s primary focus is maintaining the continuity of electricity distribution and protecting sensitive data.

The Group urged consumers to remain vigilant against potential scams and avoid sharing personal information through unsecured channels.

Validated Indicators of Compromise (IOCs)

DNSC has released critical technical details to aid entities in identifying LYNX ransomware activity. Key IOCs include:

  • File hash: c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72
  • Malicious URL: hXXp://lynxblog.net/

The accompanying YARA rules were specifically designed to detect LYNX ransomware binaries. Entities should use these rules to perform thorough scans of their IT environments.

YARA Rules:

rule ransomware_LYNX_1 {

   meta:

      description = “Detect LYNX ransomware”

      author = “DNSC”

      date = “2024-12-10”

      hash1 = “c02b014d88da4319e9c9f9d1da23a743a61ea88be1a389fd6477044a53813c72”

   strings:

      $s1 = “[+] Successfully decoded readme!” fullword ascii

      $s2 = “[-] Failed to get service information for %s: %s” fullword wide

      $s3 = “–file C:\temp.txt,D:\temp2.txt” fullword ascii

      $s4 = “–file C:\temp.txt” fullword ascii

      $s5 = “AppPolicyGetProcessTerminationMethod” fullword ascii

      $s6 = “[-] Failed to open service manager for %s: %s” fullword wide

      $s7 = “[-] Failed to open service handle for %s: %s” fullword wide

      $s8 = “[-] Failed to enum dependent services for %s: %s” fullword wide

      $s9 = “[-] Failed to kill dependent services for %s: %s” fullword wide

      $s10 = “[%s] Try to stop processes via RestartManager” fullword wide

      $s11 = “[%s] Kill processes and services” fullword wide

      $s12 = “Load hidden drives (will corrupt boot loader)” fullword ascii

      $s13 = “README.txt” fullword wide

      $s14 = “[-] Failed to mount %s: %s” fullword wide

      $s15 = “[-] Failed to decode readme: %s” fullword ascii

      $s16 = “Try to stop processes via RestartManager” fullword ascii

      $s17 = “Kill processes/services” ascii fullword

      $s18 = “–stop-processes ” ascii fullword

      $s19 = “–stop-processes” fullword wide

      $s20 = “[%s] Encrypt network shares” fullword wide

      $op0 = { e8 22 c8 01 00 01 46 30 6a 00 11 56 34 6a 13 ff }

      $op1 = { 23 d1 89 55 d0 8b 55 e4 81 f2 ff ff ff 03 f7 d2 }

      $op2 = { 23 d1 89 55 d4 8b d7 81 f2 ff ff ff 01 f7 d2 8b }

condition:

      uint16(0) == 0x5a4d and file size < 500KB and

      ( 8 of them and all of ($op*) )

}

rule ransomware_LYNX_2 {

   meta:

      description = “Detect LYNX ransomware”

      score = 80

                md5 = “2E8607221B4AB0EB80DE460136700226”

   strings:

      $s1 = “tarting full encryption in” wide

      $s2 = “oad hidden drives” wide

      $s3 = “ending note to printers” ascii

      $s4 = “successfully delete shadow copies from %c:/” wide

      $op1 = { 33 C9 03 C6 83 C0 02 0F 92 C1 F7 D9 0B C8 51 E8 }

      $op2 = { 8B 44 24 [1-4] 6A 00 50 FF 35 ?? ?? ?? ?? 50 FF 15}

      $op3 = { 57 50 8D 45 ?? C7 45?? 00 00 00 00 50 6A 00 6A 00 6A 02 6A 00 6A 02 C7 45 ?? 00 00 00 00 FF D6 FF 75 ?? E8?? ?? ?? ?? 83 C4 04 8B F8 8D 45 ?? 50 8D 45 ?? 50 FF 75 ?? 57 6A 02 6A 00 6A 02 FF D6 }

      $op4 = { 6A FF 8D 4? ?? 5? 8D 4? ?? 5? 8D 4? ?? 5? 5? FF 15?? ?? ?? ?? 85 C0 }

      $op5 = { 56 6A 00 68 01 00 10 00 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 74 ?? 6A 00 56 FF 15 ?? ?? ?? ?? 68 88 13 00 00 56 FF 15 ?? ?? ?? ?? 56 FF 15}

   condition:

      uint16(0) == 0x5A4D and

      (

         3 of ($s*)

         or 3 of ($op*)

         or (2 of ($s*) and 2 of ($op*) )

      )

}

Recommendations for Incident Containment

DNSC advises all organizations, particularly in the energy sector, to adopt the following steps immediately:

Scan and Isolate:

  • Use the YARA scanning script to identify the malicious binary.
    • Isolate affected systems from the network to prevent further spread.

Preserve Evidence:

  • Retain copies of ransom notes and communications from attackers for investigative purposes.
    • Collect relevant logs from affected devices, network equipment, and firewalls.

Analyze and Secure:

  • Examine system logs to identify the initial compromise vector.
    • Update all software, applications, and operating systems to address known vulnerabilities.

Notify Stakeholders:

  • Inform employees, customers, and business partners about the incident.
    • Remain vigilant against phishing messages purporting to be from trusted entities.

Leverage Available Resources:

Broader Call to Action

DNSC’s proactive measures highlight the escalating threats facing critical infrastructure. The energy sector, often targeted due to its vital role, must remain vigilant. The Directorate stresses that paying the ransom is strongly discouraged, as it fuels criminal activities and does not guarantee data recovery.

DNSC’s collaboration with national authorities underscores the importance of a united response to cyber threats. Organizations must implement robust security practices and participate in information-sharing initiatives to strengthen collective defenses.

A Critical Reminder

The LYNX ransomware attack shows the vulnerabilities within IT and operational technology infrastructures. While Electrica Group’s critical systems remain intact, the incident showcases the importance of proactive measures, including scanning for IOCs, isolating threats, and updating defenses.

Organizations across all sectors should act decisively to safeguard their operations. DNSC’s guidance is a roadmap for preventing ransomware attacks and minimizing their impact on critical infrastructure. By taking these steps, entities can strengthen their cybersecurity posture and contribute to a safer digital ecosystem.

References:

https://dnsc.ro/citeste/alerta-lynx-ransomware-indicators-of-compromise-iocs

https://www.londonstockexchange.com/news-article/ELSA/cyber-attack-in-progress/16802405

The post Romania Urges Energy Sector of Proactive Scanning Amid LYNX Ransomware Threat appeared first on Cyble.

Blog – Cyble – ​Read More

Something to Read When You Are On Call and Everyone Else is at the Office Party

Something to Read When You Are On Call and Everyone Else is at the Office Party

Welcome to this week’s edition of the Threat Source newsletter. 

The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us.

To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.

Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.

If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour to one observer, may be the most obvious course of action to another with a different point of view.

Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar are all part of the solution in defeating cyber attacks.

If we are to move to a world free from cyber insecurity we must close the gap between threat and defense. This will take communication and understanding, both to communicate the threat, but also to understand the constraints that decision makers work under. Yet, we also need to express and recognise the effort and sometimes heroic acts of effort that cyber security teams undertake to keep businesses running and free from breaches.

This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.

The one big thing 

Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.

Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.

Why do I care?

Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.

So now what?

Firstly, ensure that patches are applied, and default or easy to guess credentials are changed to avoid becoming part of the problem. Apply zero-trust principles to authenticate users via MFA in the context of the time and date of the access; importantly verify that the connecting device confirms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat see the blog post.

Top security headlines of the week 

Presidential Elections in Romania hit by Cyber Campaign

The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.

(BBC News 1 & 2)

 

Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement

The Matrix secure communication systems which offered encrypted messaging for criminals has been taken down by law enforcement authorities with millions of messages secured for investigation. This take down follows similar success against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.

(The Register)

 

Wanted Russian Suspected Ransomware Actor Arrested

Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions cyber criminals located within Russia does have limits.

(SecurityWeek)

 

Can’t get enough Talos? 

Upcoming events where you can find Talos

Cisco Live EMEA (February 9-14, 2025)

Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week  

SHA256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Win.Worm.Bitmin-9847045-0

 

SHA256:3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

MD5: b6bc3353a164b35f5b815fc1c429eaab

VirusTotal:

https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi

Claimed Product: n/a 

Detection Name: Simple_Custom_Detection

 

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

MD5: 71fea034b422e4a17ebb06022532fdde

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

Typical Filename: VID001.exe

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos

 

SHA256:a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: img001.exe

Claimed Product: n/a 

Detection Name: Win.Trojan.Miner-9835871-0

 

SHA256:3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Cisco Talos Blog – ​Read More

CISA Enhances Public Safety Communications with Seven New Resources in Cyber Resiliency Toolkit 

CVE-2024-49138

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Public Safety Communications and Cyber Resiliency Toolkit, adding seven new resources aimed at enhancing the resilience and security of public safety communications across the nation. This update comes as part of CISA’s ongoing effort to support public safety, national security, and emergency preparedness communities in ensuring seamless and secure communications during both everyday operations and emergency situations. 

Public safety agencies rely heavily on communication systems to coordinate responses and deliver critical services. Any disruption in these communication systems can have disastrous consequences, delaying response times and potentially compromising lives. For this reason, Cyber Resiliency is a key focus for public safety organizations, which need to ensure that their communication networks can withstand and recover from cyberattacks and other disruptions. 

CISA’s toolkit is designed to support public safety agencies in supplementing these capabilities. It provides tools to assess current systems, identify vulnerabilities, and implement strategies to protect the infrastructure against online threats, including cyber incidents, ransomware, and even natural disasters like electromagnetic pulse (EMP) events. 

Recent Updates to the Public Safety Communications and Cyber Resiliency Toolkit 

As of December 2024, the toolkit has received its latest update—Version 24.2—which includes seven new resources. These resources have been specifically designed to help public safety agencies address emerging challenges in communications resilience and cyber security. The update is timely, as it follows the release of new CISA guidelines and continues the agency’s efforts to provide the most up-to-date information to the public safety sector. 

The toolkit now features resources addressing critical issues such as: 

  • Cybersecurity and Cyber Incidents: The toolkit now includes enhanced guidance on protecting communication systems from cyberattacks, including the rising threat of ransomware. With ransomware attacks becoming more sophisticated, public safety agencies need resources that help them prevent, respond to, and recover from these types of incidents. The toolkit provides a comprehensive Cyber Resiliency strategy that emphasizes preparedness and swift recovery. 

  • Next Generation 911 (NG911): NG911 represents the future of emergency communications, enabling more advanced features such as text-to-911, multimedia messaging, and real-time data sharing. However, NG911 systems also come with increased vulnerabilities. The updated toolkit includes new resources focused on securing NG911 systems and preventing cyber risks that may target them. For example, the Cyber Risks to Next Generation 911 guide is designed to familiarize public safety managers with the risks associated with NG911 and offers best practices to improve cybersecurity in these systems. 

  • Power and Infrastructure Dependencies: Power disruptions and dependency on critical infrastructure are persistent challenges for public safety agencies. The updated toolkit includes resources like the Infrastructure Dependency Primer, which helps planners better understand the complex web of dependencies that can impact community resilience. By identifying and mitigating potential weaknesses in critical infrastructure, public safety organizations can strengthen their overall Cyber Resiliency. 

  • Electromagnetic Pulse (EMP) and Jamming: Both EMP and radio frequency (RF) jamming can significantly disrupt public safety communications, especially during emergencies. The toolkit now provides updated guidance on how to protect communication systems from these emerging threats. The Radio Frequency Interference Best Practices Guidebook offers public safety organizations practical advice on recognizing, responding to, and mitigating the effects of jamming and interference. 

Key Resources in the Toolkit 

The Public Safety Communications and Cyber Resiliency Toolkit has become an important tool for public safety agencies across the country, offering resources that cover a wide range of critical topics: 

  1. Resiliency Planning: Tools such as the Infrastructure Resilience Planning Framework help state, local, tribal, and territorial governments develop effective strategies to identify vulnerabilities and build resilient communication networks. This framework is crucial for ensuring that public safety agencies can maintain their operations during both normal and emergency conditions. 

  1. Priority Services and Telecommunications: The Priority Telecommunications Services section offers detailed information on how public safety agencies can ensure priority access to communication networks during times of crisis. Services such as Wireless Priority Services (WPS) and Government Emergency Telecommunications Service (GETS) enable emergency personnel to maintain communication when networks are overloaded. 

  1. Cyber Resiliency for Public Safety: The toolkit includes resources designed to help agencies assess their cybersecurity posture. The Cyber Resiliency Resources for Public Safety document, for example, compiles tools and programs from federal agencies, industry, and trade associations to help agencies improve their cybersecurity defenses. This resource is especially valuable in light of increasing cyber threats targeting critical infrastructure. 

  1. Public Safety Communications Ecosystem: The toolkit offers an interactive graphic that outlines key components of the emergency communications ecosystem, helping users understand the interplay between various systems and technologies. This visualization aids public safety officials in recognizing potential vulnerabilities in their networks. 

  1. Procurement and Vendor Guidance: New documents, such as the Connected Communities Procurement and Implementation Guidance, provide public safety leaders with questions to ask when selecting vendors. These resources ensure that vendors’ products and services align with the public safety agency’s cybersecurity policies and operational needs. 

A Living Document 

One of the most valuable features of CISA’s Public Safety Communications and Cyber Resiliency Toolkit is its ability to evolve in response to new threats and emerging technologies. As new resources are developed and identified, the toolkit is regularly updated to reflect the latest best practices and recommendations for public safety agencies. 

Since its last major update in April 2024, CISA has added several key resources, highlighting the agency’s commitment to providing public safety agencies with the tools they need to protect their networks and systems. Users are encouraged to revisit the toolkit regularly to ensure they are leveraging the most current and relevant information available. 

Conclusion 

The Public Safety Communications and Cyber Resiliency Toolkit remains an indispensable resource for public safety agencies seeking to protect their communication systems against cyber threats. 

By using the toolkit, agencies can better prepare for the challenges of today and tomorrow, ensuring that they remain resilient in the face of natural disasters, cyberattacks, and other disruptions.  

For more information, public safety officials and decision-makers are encouraged to explore the CISA toolkit and make use of the new resources now available in Version 24.2. 

The post CISA Enhances Public Safety Communications with Seven New Resources in Cyber Resiliency Toolkit  appeared first on Cyble.

Blog – Cyble – ​Read More

Access and Use ANY.RUN’s TI Feeds via MISP

As cybersecurity threats grow more sophisticated, collaboration becomes a cornerstone of effective defense strategies. This is where MISP, an open-source threat intelligence sharing platform, comes into play.  

Recognizing its value, we are excited to announce the launch of our own MISP instance, enabling users to access and use indicators of compromise (IOCs) from ANY.RUN’s Threat Intelligence Feeds

What is MISP? 

MISP, which stands for Malware Information Sharing Platform, is a free, open-source platform designed to facilitate the exchange, storage, and correlation of threat intelligence data. MISP lets organizations and researchers: 

  • Exchange critical data points to identify cyber threats. 
  • Share signals or attributes indicating the compromise of information systems. 
  • Automate the process of data sharing and find correlations between threat data. 

Benefits of ANY.RUN’s MISP Instance 

With ANY.RUN’s MISP instance, you can: 

1. Access ANY.RUN’s TI Feeds 

Receive a direct stream of the latest malicious IPs, URLs, domains, ports, file names, and hashes. These are extracted from public malware and phishing samples, including ones not found elsewhere, submitted and analyzed in ANY.RUN’s Interactive Sandbox by security professionals worldwide. IOCs are pulled from different sources, including network activities and malware configurations. 

Want to integrate TI Feeds via MISP?
Reach out to us and we’ll help you set it up 



Contact us


2. Integrate It with Your Security Tools via API 

MISP attributes dashboard in Elastic Search

Connect your own monitoring and triage tools and systems, such as SIEM/XDR solutions, to ANY.RUN’s MISP instance via API. 

3. Improve Threat Detection  

Correlate and enrich your IOCs with ANY.RUN’s to develop a more comprehensive understanding of the threat landscape. 

4. Generate IDS Rules 

Export indicators (attributes) from ANY.RUN’s MISP instance in NIDS-compatible formats and import them in your detection tools like IDS/IPS or NGFW to improve network security of your organization and ensure proactive defense against current threats. 

5. Create Custom Workflows 

Leverage ANY.RUN’s indicators in your automated threat analysis workflows. 

6. Synchronize MISP Instances 

Synchronize your MISP instance with ANY.RUN’s to get relevant threat data. 

7. Visualize Threat Intelligence Data

Visual representation of IOC data

Ensure a more convenient view of relevant threats by visualizing ANY.RUN’s TI Feeds data. 

8. Enrich with Your Threat Data 

Add your IOCs to the ones provided by ANY.RUN to gain a better picture of the threats at hand.

How to Integrate with ANY.RUN’s MISP Instance 

ANY.RUN offers demo feeds samples in STIX and MISP formats 

To get started with ANY.RUN’s MISP instance, simply contact our team via this page

You can test MISP feeds by getting a free demo sample here

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post Access and Use ANY.RUN’s TI Feeds via MISP appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Hacktivist Alliances Target France Amidst Political Crisis

Hacktivist

Executive Summary

On December 6, 2024, Cyble Research & Intelligence Labs (CRIL) observed that the hacktivist alliance known as the “Holy League” on their Telegram channel declared cyberattacks against France. According to the alliance, these operations were executed in retaliation to France’s continued support of Ukraine and Israel. Prominent members of the alliance, including the pro-Russian group NoName057(16), the pro-Islamic threat actor Mr. Hamza, and the pro-Palestinian collective Anonymous Guys, amplified the announcement across their platforms. Shortly after, these groups actively participated in coordinated attacks, demonstrating a unified effort among ideologically diverse threat actors to target French assets.

The timing of the attacks coincides with a political crisis in France and the visit of U.S. President-elect Donald Trump. On December 5, the French Parliament passed a no-confidence vote against Prime Minister Michel Barnier. President Emmanuel Macron now faces mounting pressure to appoint a successor, with some calling for his resignation.

This political turmoil has created a vulnerable environment, providing hacktivist groups with an opportunity to sow chaos, disrupt public order by disrupting public and critical infrastructure, and amplify uncertainty within the nation.

Another startling development observed during the campaign is the collaboration between pro-Islamic and pro-Russian hacktivist collectives, especially when pro-Islamic groups are supporting revolutionary movements in Syria that have led to the ousting of erstwhile President Bashar-al-Assad, previously staunchly supported by Russia. This alliance highlights a pragmatic convergence of interests, where shared objectives in destabilizing common adversaries outweigh ideological differences.

“Holy League” members initiated sustained attacks on France from December 7, 2024. CRIL investigated these cyberattacks on France distinctively in two categories: coordinated attacks by the alliance members and systematic attacks individually by each group as per their modus operandi. Moreover, the “Holy League” has threatened to launch similar attacks against other countries, such as Germany.

Observations and Analysis

In a post on the Telegram channel on December 6, 2024, “Holy League” announced the campaign against France immediately after December 4, 2024, when Prime Minister Michel Barnier was ousted through a no-confidence vote. The agenda seems evident: to reap this opportunity to stir public unrest.

Figure 1 – Holy League Announces Attack on France

Between December 7 and December 10, 2024, hacktivists executed DDoS attacks, compromised Industrial Control Systems (ICS), conducted website defacements, and claimed data breaches of several French entities. This analysis will dissect each attack vector and attribute activities to specific threat groups where possible.

DDOS Attacks

Several hacktivists launched a wave of DDoS attacks on French entities from December 7 to December 10, 2024, prominent ones being NoName057(16), People’s Cyber Army, and Mr. Hamza.

Hacktivist, DDoS
Figure 2 – DDoS claims by different hacktivist groups

NoName057(16) and the People’s Cyber Army primarily focused on the official websites of French cities and other private entities, including the major French financial corporation AXA.

Mr. Hamza concentrated on high-value governmental targets, including the Ministry of Foreign Affairs, the French Directorate-General for External Security (DGSE), the French National Nuclear Energy Commission (CEA), and the French National Cybersecurity Agency (ANSSI).

Anonymous Guys directed their efforts towards several key ministries and government departments, such as the Ministry of Armed Forces, the Ministry of Agriculture and Food, and the Ministry of Solidarity and Health, among others.

According to CRIL, more than 50 separate DDoS attacks were identified against French websites over these four days, affecting multiple sectors of the economy and government. 

Hacktivist

Defacement

The pro-Russian group Z-Pentest’s defacement attacks were primarily focused on small-to-medium enterprises (SMEs) from diverse industries in France, including Energy and utilities, Agriculture and livestock, Automotive, and Hospitality. Notably, Energy and Utility firms such as Atlantic Energies Pose and Electricité Générale Lespiau and 10 other websites were defaced with pro-Russian statements.

Hacktivist, Defacement
Figure 3 – Defaced webpage of egp-peinture-decoration.fr

Unauthorized Access to CCTV and SCADA

Four Holy League members—Hunt3rKill3rs, Shadow Unit, EvilNet, and KozSec—have claimed unauthorized access to several systems in France.

Hacktivist, CCTV
Figure 4 – CCTV Access

Shadow Unit, a pro-Islamic hacktivist collective, claimed the breach of the SCADA systems of Corus Nuclear Power Plant and the French Marne Aval station.

SCADA, Critical Infrastructure, Hacktivist

Hacktivist
Figure 5 – Shadow Unit Hacktivist Group Claims Access to French SCADA Systems

KozSec, A pro-Russian collective, claimed to target an undisclosed French industry. The hacktivist group shared screenshots and videos of the intrusion, emphasizing their successful access to sensitive industrial systems.

Hacktivist
Figure 6 – ICS of Unknown French Facility Targeted by KozSec

Data Breaches

Two groups associated with the Holy LeagueShadow Unit and UserSec, claimed separately. Compromising the website plubioclimatique.paris.fr and exfiltrating over 50 PDF documents and over 100GB of data from French Government websites, respectively.

Hacktivist, Holy League, Shadow Unit

Hacktivist, Data Breach
Figure 7 – UserSec & Shadow Unit Claims about Data Breaches

Conclusion

The recent cyberattacks by the “Holy League” underscore a new, broader geopolitical landscape where hacktivist alliances can sow and exploit discord for their objectives. The collaboration between ideologically diverse groups, such as pro-Islamic and pro-Russian hacktivists, signals a shift in how adversaries may align their interests against common targets. The implications extend beyond France, as similar threats loom over other nations, signaling a new era of cyber conflict where common adversaries may overshadow ideological differences.

The post Hacktivist Alliances Target France Amidst Political Crisis appeared first on Cyble.

Blog – Cyble – ​Read More

The evolution and abuse of proxy networks

The evolution and abuse of proxy networks

As long as we’ve had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) become popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

Proxy Chain Services

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

  • VPN and TOR: These services provide the user anonymity, but the defender can, for the most part, determine that it’s receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
  • Commercial residential services: These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
  • Malicious proxy services: Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

History

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn’t the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

State of the Art

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernable routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we’ve seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

Network Resiliency Coalition

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks they introduce. The Network Resiliency Coalition is one of the projects aimed at trying to resolve this difficult problem. Anonymization networks’ reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers, Cisco is trying to help remove many of the systems that are being abused in these attacks by working with vendors to ensure proper patching is provided to mitigate these known vulnerabilities, in a timely manner.  

More projects like this that encompass the IoT industry and the non-edge SOHO appliances like NAS devices would also have a contribution to the fight against anonymization networks. This combined with better credential management, most notably ensuring that default credentials are complex and unique, could make a huge impact on how successful these networks are in continuing to grow. Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note.

Impact on Defenders

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If you have a connection coming from the same IP space as your employees, using legitimate credentials organizations have little hope to stop it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to be able to distinguish between the illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

  • Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
  • Are they logging on during their typical hours? (e.g., 9-5 M-F)
  • Are there other managed devices in proximity?
  • Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it’s expensive, and for many organizations not practical, but for those with the budgets and the concern, it’s a needed escalation beyond just multi-factor authentication (MFA). 

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it’s assumed you’ve already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

Cisco Talos Blog – ​Read More

Which encrypted file storage to choose? | Kaspersky official blog

No one can deny the convenience of cloud file-storage services like Dropbox or OneDrive. The one drawback is that cybercriminals, intelligence agencies, or the hosting provider itself can view your cloud-based files without authorization. But there’s a more secure alternative: encrypted cloud file-storage. Some call it end-to-end encryption (E2EE) — similar to Signal and WhatsApp. According to the marketing blurb, files are encrypted on your device and sent to the cloud already in secure form — the encryption key remaining in your possession and no one else’s. Not even the provider can sniff this information. But is that really the case?

Swiss-cheese encryption

The Applied Cryptography Group at ETH Zurich took apart the algorithms of five popular encrypted storage services: Sync.com, pCloud, Icedrive, Seafile, and Tresorit. In each of them, the researchers found errors in the implementation of encryption allowing, to varying degrees, file manipulation, and even access to fragments of unencrypted data. Earlier, they’d discovered flaws in two other popular hosting services —  MEGA and Nextcloud.

In all cases, attacks are carried out from a malicious server. The scenario is as follows: the intruders either hack the encrypted hosting servers, or, by manipulating routers along the client-to-server path, force the victim’s computer to connect to another server mimicking the genuine encrypted hosting server. If this tricky maneuver succeeds, the attackers can theoretically:

  • In the case of com, plant folders and files with incriminating information, and change the file names and metadata of stored information. Also, the hacked server can send new encryption keys to the client, then decrypt any files downloaded afterwards. Plus, the built-in share function allows the malicious server to decrypt any file shared by the victim, since the decryption key is contained in the link that’s sent when the server is accessed.
  • In the case of pCloud, plant files and folders, arbitrarily move files and swap file names, delete file fragments, and decrypt files downloaded post-hack.
  • In the case of Seafile, force the client to use an older version of the protocol, making it easier to bruteforce passwords, swap or delete file fragments, plant files and folders, and modify file metadata.
  • In the case of Icedrive, plant files consisting of fragments of other files already uploaded to the cloud, change the name and location of stored files, and reorder file fragments.
  • In the case of Tresorit, manipulate the metadata of stored files— including authorship.
  • In the case of Nextcloud, manipulate encryption keys — allowing decryption of downloaded files.
  • In the case of MEGA, restore encryption keys and thus decrypt all files. It’s also possible to plant incriminating files.

The malicious server in each case is a hard-to-implement but not blue-sky component of the attack. In light of the cyberattacks on Microsoft and Twilio, the possibility of compromising a major player is real. And of course, E2EE by definition needs to be resistant to malicious server-side actions.

Without going into technical details, we note that the developers of all the services seem to have implemented bona fide E2EE and used recognized, strong algorithms like AES and RSA. But file encryption creates a lot of technical difficulties when it comes to document collaboration and co-authoring. The tasks required to overcome these difficulties and factor in all possible attacks involving modified encryption keys remain unsolved, but Tresorit has done a far better job than anyone else.

The researchers point out that the developers of the various services made very similar errors independently of each other. This means that the implementation of encrypted cloud storage is fraught with non-trivial cryptographic nuances. What’s needed is a well-developed protocol thoroughly tested by the cryptographic community — such as TLS for websites or the Signal Protocol for instant messengers.

Costly fixes

The biggest problem with fixing the identified bugs is that not only do the applications and server software need updating, but also, in many cases, user-saved files need re-encrypting. Not every hosting provider can afford these huge computational outlays. What’s more, re-encryption is only possible in cooperation with each user — not unilaterally. Which is probably why fixes are slow in coming:

  • com responded to the researchers after six months, and only after the appearance of press reports. Having finally woken up, they announced a fix for the problem of key leakage when sharing links, and said they’d to patch the other flaws as well — but without giving a time frame.
  • Tresorit promised to fix the issue in 2025 (but the problem is less acute for them).
  • Seafile fixed the issue of protocol version downgrade without commenting on the other flaws.
  • Icedrive decided not to address the identified issues.
  • pCloud didn’t respond to the researchers until the appearance of press reports, then announced that the attacks are theoretical and don’t require immediate action.
  • Nextcloud fixed the issue and majorly reworked the overall approach to E2EE in version 3.12. The updated encryption scheme has yet to be researched.
  • MEGA significantly lowered the likelihood of an attack by introducing client-side checks.

What users need to do

Although the issues identified by the Applied Cryptography Group cannot be called purely theoretical, they do not represent a mass threat readily exploitable by cybercriminals. Therefore, hasty action isn’t required; rather — a sober assessment of your situation is needed:

  • How sensitive is the data in your storage, and how tempting is it to outsiders?
  • How much data do you store in the encrypted service, and is it easy to move to another?
  • How important are the collaboration and file-sharing features?

If collaboration isn’t important, while the data stored is critical, the best option is to switch to local file encryption. You can do this in a variety of ways — for example, by storing data in an encrypted container file or an archive with a strong password. If you need to transfer data to another device, you can upload an already encrypted archive to the cloud hosting service.

If you want to combine collaboration and convenience with proper security guarantees, and the amount of stored data isn’t that great, it’s worth moving the data to one of the services that better withstood ETH Zurich’s testing. That means Tresorit first and foremost, but don’t discount MEGA and Nextcloud.

If none of these solutions fits the bill, you can opt for other encrypted hosting services, but with additional precautions: avoid storing highly sensitive data, promptly update client applications, regularly check your cloud drives, and delete outdated or extraneous information.

In any case, remember that the most likely attack on your data will take the shape of an infostealer simply compromising your computer or smartphone. Therefore, encrypted hosting must go hand in hand with full anti-malware protection for all smartphones and computers.

Kaspersky official blog – ​Read More

CISA Adds CVE-2024-49138 to the Known Exploited Vulnerabilities Catalog, Urgency for Microsoft Users

CISA

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability, CVE-2024-49138, to its Known Exploited Vulnerabilities (KEV) catalog based on evidence that this flaw is being actively exploited. The vulnerability, identified in the Microsoft Windows Common Log File System (CLFS), is a heap-based buffer overflow issue that has the potential to allow attackers to escalate privileges on vulnerable systems. As part of Microsoft’s Patch Tuesday release, this flaw was patched alongside other critical vulnerabilities.

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the CLFS driver. This driver is used by both user-mode and kernel-mode software in Windows for general-purpose logging. This vulnerability affects several versions of Microsoft Windows operating systems, including Windows 10 and 11, as well as several Windows Server versions.

Heap-based buffer overflow vulnerabilities, like CVE-2024-49138, are common attack vectors for cybercriminals. These flaws can result in system crashes, denial of service, or even allow malicious actors to execute arbitrary code. In the case of CVE-2024-49138, it allows attackers to escalate their privileges to the SYSTEM level, enabling them to take full control of a compromised system.

This issue was actively exploited in the wild before it was addressed by Microsoft, which makes it particularly dangerous. The flaw has been assigned a CVSSv3.1 score of 7.8 (high severity).

CVE-2024-49138 Impact on Affected Systems

The vulnerability affects a broad range of Windows operating systems. Specifically, it impacts Windows 11 versions 22H2, 23H2, and 24H2 for both x64 and ARM64-based systems. In addition, Windows 10 versions from 1607 to 22H2 are vulnerable, including x64, ARM64, and 32-bit systems.

Furthermore, several Windows Server versions are also impacted, spanning from 2008 to 2025. This includes versions such as Windows Server 2012, 2016, 2019, and 2022, with both Core and full installations being affected. These widespread vulnerabilities increase the potential for exploitation across various systems in both personal and enterprise environments.

Active Exploitation and Patch Release

Given that CVE-2024-49138 was actively exploited before the patch was released, Microsoft’s Patch Tuesday update for December 2024 was critical in addressing the issue. Microsoft rated this vulnerability as important, reflecting the immediate threat posed to organizations and users who have not yet applied the patch.

An official security update was issued for all affected systems, and users are encouraged to install it as soon as possible to mitigate the risk of attack. CISA’s inclusion of CVE-2024-49138 in its Known Exploited Vulnerabilities Catalog highlights the growing focus on vulnerabilities that attackers are actively targeting.

By cataloging such issues, CISA aims to increase awareness and ensure that organizations prioritize the application of patches for vulnerabilities that are under active exploitation.

Recommendations and Mitigation Strategies

To protect systems from CVE-2024-49138, organizations, and individual users should follow these best practices:

  1. The Microsoft Patch Tuesday update for December 2024 addresses CVE-2024-49138. Ensure that all affected systems are updated with the latest patches. Microsoft provides an official patch link for direct updates.
  2. Implement a consistent patch management strategy to ensure all vulnerabilities are patched as soon as updates are available. Automating patching processes can reduce the risk of missed updates, especially for critical vulnerabilities like CVE-2024-49138.
  3. Organizations should use Security Information and Event Management (SIEM) systems to detect unusual activities associated with privilege escalation. Monitoring network traffic and system logs can help identify attempts to exploit CVE-2024-49138 before damage occurs.
  4. An effective incident response plan is essential. Organizations should regularly test their response procedures for various vulnerabilities, including those that target Microsoft Windows components like the CLFS driver.
  5. Users running older, unsupported versions of Windows should prioritize upgrading to supported versions to reduce their exposure to vulnerabilities such as CVE-2024-49138.

Conclusion

CISA’s inclusion of this flaw in its Known Exploited Vulnerabilities Catalog emphasizes the urgency of applying the December 2024 Patch Tuesday update. Organizations should adopt automated patch management, use SIEM systems for early detection, and have an incident response plan in place. Users running outdated Windows versions should upgrade to reduce vulnerability.

The post CISA Adds CVE-2024-49138 to the Known Exploited Vulnerabilities Catalog, Urgency for Microsoft Users appeared first on Cyble.

Blog – Cyble – ​Read More

NCSC Q3 2024 Report Highlights Cyber Incidents Surge By 58%, Highlighting Cyber Threats to New Zealand

NCSC

Overview

New Zealand’s National Cyber Security Centre (NCSC) has revealed its Cyber Security Insights Report for Q3 2024, offering a detailed overview of the cyber threats impacting New Zealand. The third-quarter report highlights an increase in cyber incidents, providing a deeper understanding of threat actors targeting individuals, businesses, and organizations across the country.

According to the NCSC’s Cyber Security Insights Report, the number of reported incidents surged to 1,905 in Q3 2024, marking a 58% increase compared to the previous quarter. While this rise might initially seem disconcerting, the NCSC noted that such an increase is actually a positive development. It reflects more New Zealanders and businesses taking proactive steps by reporting cyber incidents, thereby contributing to the country’s overall security posture.

The report stresses several key trends, with incidents of unauthorized access almost doubling. Additionally, phishing and credential harvesting incidents jumped by 70%, illustrating the heightened efforts of cybercriminals trying to trick victims into clicking malicious links.

Overview of the NCSC’s Cyber Security Insights Report

The NCSC’s report highlighted various online threats that New Zealanders faced in Q3-2024. Threat Actors have increasingly targeted routers, attempting to break into home and business networks.

Another threat identified is the Adversary-in-the-Middle (AitM) phishing attack, which compromises session cookies to bypass traditional security measures. Furthermore, the report introduces dynamic CVVs—a new technology aimed at curbing online fraud and offering more security for card transactions.

As the holiday season approaches, the NCSC also warns of common scams designed to steal personal information and money. New Zealanders are encouraged to visit the NCSC’s Own Your Online website for additional guidance on recognizing and avoiding these scams.

Financial Impact and Incident Breakdown

The NCSC’s analysis of financial losses in Q3 2024 reveals a 19% decrease compared to the previous quarter, with reported direct financial losses totaling $5.5 million. However, 25% of all incidents reported still resulted in some form of financial loss.

A closer look at the types of incidents shows that phishing and credential harvesting continue to be the most prevalent types of cybercrime. These incidents accounted for 43% of all reported incidents. Other categories include scams and fraud (31%) and unauthorized access (16%).

Here is the breakdown of incidents by category for Q3 2024:

Incident Category Incident Count Percent Change from Q2 2024
Phishing and Credential Harvesting 823 +70%
Scams and Fraud 596 +37%
Unauthorized Access 300 +80%
Website Compromise 56 +65%
Malware 29 +61%
Ransomware 13 +86%
Botnet Traffic 4 +300%
Suspicious Network Traffic 2 -50%
Denial of Service 1 -75%
C&C Server Hosting 1 0%
Attack on a System 0 0%
Other 80 +63%

Phishing Disruption Service: Combatting Cybercrime

The Phishing Disruption Service (PDS), a free service provided by the NCSC, continues to play an important role in protecting New Zealanders. By collecting and analyzing phishing links reported by the public, the NCSC actively publishes verified phishing indicators for organizations to block. In Q3 2024, the NCSC processed over 20,500 phishing indicators, with more than 6,200 of those being added to the PDS.

In Q3 2024, postage and shipping services were the industries most commonly impersonated by phishing scammers, reflecting an increasing trend in scams targeting the e-commerce and logistics sectors.

Conclusion

The NCSC Q3 2024 report highlights 98 incidents affecting national organizations, ranging from minor to notable in severity. No incidents are categorized as highly national emergencies.

The rising number of cyber incidents emphasizes the need for improved cybersecurity measures as cybercriminals adapt their tactics. Phishing attacks and unauthorized access continue to be prominent threats, highlighting the importance of strong security practices like multi-factor authentication and advanced threat detection.

References

The post NCSC Q3 2024 Report Highlights Cyber Incidents Surge By 58%, Highlighting Cyber Threats to New Zealand appeared first on Cyble.

Blog – Cyble – ​Read More