New Report Highlights Critical Cybersecurity Challenges Facing the U.S.

U.S

The U.S. has never faced a more challenging time for cybersecurity, with critical infrastructure under siege, nation-state threat actors emboldened, and a new Presidential Administration that could usher in policy changes and a possible government restructuring.

A new Cyble report highlights the cyber threats and challenges facing the U.S., offering critical insights into the biggest threats that organizations must grapple with. The report examines the top threats, threat actors, and attack targets; hacktivism trends; more than 50 actively exploited IT and ICS vulnerabilities; Dark Web and cybercrime trends; and recommendations for security teams.

Major U.S. Cyber Challenges

The challenges that will help define the U.S. cybersecurity direction in the coming months include:

Disinformation: Efforts to influence the U.S. election escalated significantly in the final weeks of the campaign. The main foreign actors involved in influence campaigns—notably Russia, China, and Iran—will likely continue to try to influence U.S. policy and discourse.

The Future of CISA: The Republican “Project 2025” agenda includes proposals to reorganize the top U.S. cybersecurity agency and its responsibilities at a time when critical infrastructure is facing significant challenges.

Nation-State Threats: Concern about foreign adversaries escalated when China-linked threat actors successfully infiltrated U.S. telecom systems to access wiretap data and the phone data of top U.S. officials. As China is believed to have significantly infiltrated critical infrastructure in the U.S. and elsewhere, national cyber agencies must do more to detect and remove these threats.

AI in Social Engineering: The proliferation of AI technology is enhancing the effectiveness of social engineering attacks, enabling more personalized and convincing tactics that have scammed average citizens as well as multi-national corporations. To help combat this rising threat, Cyble has added AI deepfake detection and takedown services to its threat intelligence suite.

Dark Web and Cybercrime: Dark Web activity remains a major threat, as exploits are under discussion on cybercrime forums within hours after vulnerabilities are publicly revealed, and zero-day vulnerabilities can frequently be found for sale on these forums.

Healthcare and OT/ICS environments: Threat actors continue to heavily target healthcare and critical infrastructure, with Manufacturing, Energy, Oil and Gas, and Building Automation being the leading attack targets detected by Cyble.

Ransomware: The U.S. is by far the biggest ransomware target, and data exfiltration is increasingly a goal of ransomware groups.

Infostealers continue to grow in frequency and sophistication, threatening the accounts and credentials of both enterprises and consumers.

Most Active Threat Groups and Ransomware Targets

Cyble detected four of the most active threat groups in October: ransomware groups. RansomHub was the top threat actor, followed by DragonForce, Lockbit, and Storm-0501. An APT group, UNC5812, rounded out the top five.

According to Cyble data, the U.S. remains the biggest ransomware target, with October attack volumes 10 times higher than in any other country (chart below).

Healthcare is being increasingly targeted by ransomware groups, and the effects on patient care are predictably dire. Texas Tech Health Sciences Center, Aspen Healthcare Services, and Boston Children’s Health Physicians were among the bigger ransomware targets in October.

The full report examines more than 30 threat groups, more than 50 IT and ICS vulnerabilities, and 52 malware families. The top malware families observed by Cyble in October were:

  • Hydra
  • Lynx
  • Nitro
  • RansomHub
  • Rhysida
  • Hellcat Ransomware
  • Cactus
  • Everest
  • Medusa
  • Interlock

Hacktivism Trends

Hacktivism remained significantly active heading into the election, both in the U.S. and elsewhere. Israel and Palestinian concerns were by far the most dominant – and played a surprisingly pivotal role in the U.S. election in some states, most notably in Michigan and Wisconsin.

Some of the most active hacktivist groups in October included:

  • XYZ/Alpha Wolf
  • Key Group
  • NoName
  • Cyber Operation Alliance
  • Anon Black Flag

Dark Web and Cybercrime Activity

The dark web has become a democratizing force in cybercrime, giving less experienced threat actors and hacktivists access to more sophisticated exploits, leaked files, credentials, stolen credit cards, compromised endpoints, and more.

Cyble dark web researchers typically see ten or more vulnerability exploits discussed each week on cybercrime forums, many of which have available Proof of Concept (PoC) exploits that can be easily deployed.

Cyble’s AI-powered threat intelligence tool detected 1.5 million data exposures, 48,000 compromised endpoints, and 178,000 leaked credentials in October, all readily available for a price.

The report also looked at 34 IT and 20 ICS vulnerabilities targeted by attackers, many of which were discussed on dark web forums. Network devices are frequently a starting point for cyberattacks, but the list touches a wide range of systems that hackers use to move laterally, elevate privileges, and establish persistence.

Cyble Recommendations

The threat landscape may appear overwhelming at times, but good cybersecurity practices performed regularly can do much to reduce your attack surface. Patching, network segmentation, air-gapped backups, monitoring and logging, vulnerability assessments, and a strong incident response plan are all essential practices that take time but don’t necessarily carry a high price tag. Cyble can help with cost-effective vulnerability intelligence and scanning services targeted to individual environments.

The post New Report Highlights Critical Cybersecurity Challenges Facing the U.S. appeared first on Cyble.

Blog – Cyble – ​Read More

Combatting Counterfeit Goods in E-Commerce with Cyble Brand Protection Strategies

Counterfeit

Overview

The rapid growth of e-commerce has revolutionized the way consumers shop, with global e-commerce revenues expected to exceed $6 trillion in 2024. However, this surge in online transactions has also created fertile ground for counterfeit goods, with fraudulent sellers exploiting online platforms to deceive shoppers and tarnish brand reputations.

The problem intensifies during peak shopping periods like Black Friday and Cyber Monday, where high online traffic increases opportunities for counterfeiters to take advantage of consumer demand for discounted products. Cyble’s latest report examines the current state of counterfeit threats in e-commerce, the challenges brands face in detecting and responding to these threats, and the best practices companies can adopt to protect themselves.

Counterfeit goods pose a threat to both consumers and brands, causing financial and reputational damage. According to estimates, counterfeit goods accounted for $500 billion in global trade in 2023, equating to 3.3% of world trade. In addition to harming consumer trust, counterfeit goods cost companies an average of $3.8 billion annually. Small businesses, which often lack the resources to monitor and fight counterfeiting effectively, are especially vulnerable.

The generality of counterfeit goods has become a critical concern in the e-commerce industry. This issue has grown more complex with the rise of online marketplaces such as Amazon, eBay, and Alibaba, where sellers can set up accounts with minimal verification. During high-volume shopping events, counterfeiters intensify their activities, taking advantage of the surge in consumer interest and the pressure on platforms to process transactions quickly.

Key Drivers of the Counterfeit Goods Market

Several factors contribute to the rapid proliferation of counterfeit goods in the digital marketplace. One of the primary reasons is the ease of entry for sellers on e-commerce platforms. Many online marketplaces have minimal barriers to setting up seller accounts, which allows counterfeiters to quickly create profiles and list fake products.

These counterfeit listings can often go unnoticed for extended periods, giving fraudsters ample time to profit before their activities are discovered. The lack of stringent vetting and seller monitoring also allows counterfeiters to operate with relative impunity, further encouraging their presence in the marketplace.

Another key factor enabling the growth of counterfeit goods is anonymity. Counterfeiters often exploit weak identity verification processes and poorly regulated seller protocols on e-commerce platforms, making it difficult to trace their operations. These sellers can easily mask their identities and operate under false information, preventing authorities and brands from taking action.

The growing demand for branded goods, particularly during sales events like Black Friday, also fuels the counterfeit market. Consumers are increasingly drawn to deals on high-demand items, and the temptation of discounted prices can cloud judgment, making them more susceptible to purchasing counterfeit goods unknowingly. Counterfeiters capitalize on this demand by offering fake products that closely resemble legitimate branded items, often priced much lower than the original, which makes it difficult for buyers to spot the difference.

As counterfeit products become more sophisticated, distinguishing them from legitimate goods becomes even more difficult. Counterfeiters commonly use high-quality replicas, fraudulent packaging, and deceptive marketing tactics. These items often appear to be of the same quality as their authentic counterparts, making it even harder for consumers to recognize they’ve been deceived until it’s too late.

The combination of these factors—easy access, anonymity, heightened demand, and increasing product sophistication—creates a perfect storm that allows counterfeit goods to flourish, particularly during peak shopping periods like Black Friday when online traffic and consumer activity surge.

The Financial and Reputational Toll on Brands

Counterfeit goods have economic consequences. The OECD estimates that counterfeit imports into the UK were worth $8.95 billion in 2021. This leads to a direct revenue loss, as counterfeit goods account for 3% of total sales in some sectors, such as luxury goods and electronics. Small businesses, in particular, face the brunt of these losses, as they lack the resources to monitor and combat counterfeiting effectively.

In addition to the financial toll, counterfeit products severely damage brand reputation. Consumers who unknowingly purchase fake goods may associate the substandard experience with the original brand, undermining trust. Furthermore, counterfeit goods can lead to consumer health risks, especially in sectors like pharmaceuticals and health products. The presence of counterfeit goods in fast-moving consumer goods (FMCG), including food and cosmetics, further exacerbates the problem, raising concerns about safety.

E-Commerce Platforms: Key Players in the Fight Against Counterfeiting

Major online marketplaces have recognized the growing threat of counterfeit goods and are increasingly investing in advanced technologies to prevent their proliferation. For example, Amazon has reported blocking over 8 million suspected counterfeit listings in 2024 alone. Cyble’s artificial intelligence-based solutions are invaluable in assisting e-commerce platforms to detect and prevent counterfeit activity during peak shopping events like Black Friday, where fraudulent listings are more likely to surface.

Additionally, platforms like Amazon and eBay have launched brand protection programs such as Amazon’s “Brand Registry” and eBay’s “Verified Rights Owner (VeRO) Program.” These tools allow brands to report and remove counterfeit listings more efficiently. However, detection alone is not enough. Brands must take proactive steps to protect their intellectual property and protect their consumers.

The Role of Technology in Counterfeit Detection and Prevention

Cutting-edge technologies enabling brands to track, authenticate, and remove fake products from online marketplaces are strengthening the fight against counterfeit goods in e-commerce.

  1. Digital Watermarking and Serialization: Brands use unique codes or invisible markers embedded in product packaging to allow consumers and platforms to verify the authenticity of the products. Even if counterfeiters replicate the packaging, these markers can help detect fake goods.
  2. Artificial Intelligence (AI) and Machine Learning: AI algorithms can analyze seller profiles, product descriptions, and reviews to identify suspicious activity. Cyble leverages AI-based solutions to track and authenticate items in real-time, making it easier for brands to monitor listings during busy shopping periods like Black Friday.
  3. Blockchain: This technology offers a tamper-proof system to track product authenticity across the supply chain. By recording every transaction, blockchain creates an immutable trail that verifies the product’s origin, providing greater transparency for brands and consumers.
  4. Image Recognition Tools: These tools scan e-commerce platforms for duplicate images or unauthorized use of brand logos. During peak sales events like Black Friday, counterfeiters often reuse product images to mislead buyers, making image recognition a critical tool for detecting fake listings.
  5. Consumer Empowerment Apps: Brands can deploy apps that allow consumers to verify product authenticity using QR codes or barcodes. Empowering shoppers with tools to check for counterfeit products is an effective way to combat the issue during high-traffic shopping events.

Legal and Policy Measures to Combat Counterfeiting

Alongside technological advancements, legal frameworks are evolving to address the counterfeit threat. For example, the SHOP SAFE Act, reintroduced to Congress in September 2023, aims to hold e-commerce platforms accountable for the sale of counterfeit goods.

The act incentivizes platforms to vet sellers more thoroughly and implement stricter measures to prevent counterfeit products from reaching consumers. In addition, the INFORM Consumers Act passed in June 2023, increases transparency for third-party sellers on e-commerce platforms.

This legislation aims to reduce the prevalence of counterfeit goods and stolen products by enforcing stricter seller identification processes.

Cyble’s Role in Brand Protection

To tackle the growing problem of counterfeit goods, Cyble’s Brand Intelligence services offer a comprehensive suite of tools designed to help businesses monitor and protect their brands from online threats. Cybersecurity solutions like Cyble Vision and Cyble Hawk are particularly effective in identifying and mitigating counterfeit activity during high-risk periods.

Cyble’s Brand Intelligence services include:

  • Social Media Monitoring: Detect unauthorized use of your brand and counterfeit product listings on platforms like Facebook, Instagram, and Twitter, with real-time alerts to help brands respond quickly.
  • Mobile Application Monitoring: Identify counterfeit or malicious apps impersonating your brand on major app stores, protecting your reputation and maintaining customer trust.
  • Phishing Domains: Protect your customers and brand identity by detecting and mitigating phishing domains that mimic your official website.
  • Watchlisted and Suspicious Domains: Continuously track domains linked to counterfeit activities, ensuring constant monitoring of potential threats to your brand.
  • Website Monitoring: Monitor your official website to prevent unauthorized changes, malicious activities, or cloning attempts that could damage your brand’s credibility.
  • Website Watermarking: Enhance security by adding unique watermarks to your website content, preventing unauthorized copying or cloning.
  • Takedown Tracker: This tool simplifies the process of reporting and removing counterfeit listings or domains. It provides real-time updates on takedown request statuses for greater transparency and efficiency.

Cyble’s brand monitoring capabilities provide real-time alerts and data-driven insights that help brands respond effectively to counterfeit threats. By leveraging Cyble’s comprehensive monitoring services, brands can protect their reputation, prevent revenue loss, and ensure that consumers are not deceived by counterfeit products.

The post Combatting Counterfeit Goods in E-Commerce with Cyble Brand Protection Strategies appeared first on Cyble.

Blog – Cyble – ​Read More

German CERT Warns Zyxel Firewalls Exploited for Helldown Ransomware Deployment

CERT

Overview

Zyxel firewalls have come under scrutiny following a wave of attacks leveraging vulnerabilities to deploy Helldown ransomware. A critical directory traversal vulnerability, tracked as CVE-2024-11667, in the Zyxel ZLD firmware (versions 5.00–5.38) has been linked to these breaches.

Attackers exploit this flaw to steal credentials and execute malicious activities, including creating unauthorized VPN connections and modifying security policies.

CERT Germany (CERT-Bund) and Zyxel have issued urgent advisories detailing these threats and recommending immediate action to mitigate risks.

Understanding the Vulnerability: CVE-2024-11667

CVE-2024-11667 is a directory traversal vulnerability in Zyxel’s firewall firmware. It allows attackers to upload or download files via specially crafted URLs, potentially leading to credential theft and unauthorized access.

This vulnerability impacts:

  • ATP and USG FLEX series firewalls in on-premise mode.
  • Devices running ZLD firmware versions from 4.32 to 5.38 with remote management or SSL VPN enabled.

Devices using Nebula cloud management mode are not affected.

Helldown Ransomware Evolution
Initially observed in August 2024, Helldown has escalated in sophistication, leveraging the CVE-2024-11667 vulnerability in Zyxel USG Flex and ATP firewall series. The vulnerability, though unidentified, appears to allow unauthorized access even on patched systems if account credentials remain unchanged.

Helldown, derived from the infamous LockBit ransomware builder, targets organizations with advanced tactics, including lateral movement within networks. Its leak site has named 32 victims globally, with five German entities suspected as targets, CERT-Bund (BSI) said.

Key Attack Observations

  • Attack Vectors: Exploitation of firewall vulnerabilities for initial access.
  • Post-Exploitation Tactics: Creation of unauthorized accounts (e.g., “SUPPORT87”), lateral movement, and persistent backdoors.
  • Impact: Data exfiltration, encryption of critical assets, and operational disruptions.

Identifying Signs of Compromise

Indicators of a compromised Zyxel firewall include:

  1. Unauthorized SSL VPN Connections:
    • VPN accounts such as “SUPPORT87,” “SUPPOR817,” or “VPN” appear in connection logs.
    • Login attempts from non-recognized IP addresses, often routed through VPN services.

  2. Modified Security Policies:
    • Policies granting unrestricted access (e.g., “ANY to ANY”) between WAN, LAN, and SSL VPN zones.
    • Changes to NAT rules allowing WAN-to-LAN access.

  3. Suspicious Admin Activity:
    • Creation of unauthorized admin accounts.
    • Login attempts from unrecognized IPs.
    • Activity logs in SecuReporter showing unusual administrative actions.

  4. AD Server Targeting:
    • Attackers use stolen administrator credentials to access Active Directory (AD) servers via SSL VPN connections, potentially encrypting files.

Steps to Detect and Remediate a Compromised Firewall

Detection

  • Check for unknown VPN connections or user accounts in logs.
  • Review SecuReporter activity logs for unauthorized admin actions.
  • Inspect firewall rules for unusual access permissions.

Remediation

Upgrade Firmware:
Update to ZLD 5.39 or later to patch CVE-2024-11667 and implement security enhancements.

Change Credentials:

  • Update passwords for all admin and user accounts (local and Active Directory).
  • Change VPN pre-shared keys and external authentication server credentials.

Remove Unauthorized Accounts:

  • Delete unrecognized admin and user accounts.
  • Force logout for all untrusted sessions.

Review Security Policies:

  • Remove rules that allow unrestricted access.
  • Ensure policies restrict WAN, LAN, and SSL VPN traffic as needed.

Monitor Logs:
Continuously analyze logs for suspicious activity and unauthorized access attempts.

Best Practices for Securing Zyxel Firewalls

To prevent future compromises, Zyxel recommends the following measures:

Restrict Access:

  • Disable remote management if not required.
  • Implement IP restrictions for accessing the management interface.

Change Default Ports:

  • Modify default HTTPS and SSL VPN ports to reduce exposure.

Enable Two-Factor Authentication (2FA):

  • Require 2FA for admin and user logins to strengthen access control.

Geo-Restriction Rules:

  • Use Geo-IP filtering to block traffic from untrusted regions.

Encrypt Configuration Files:

  • Add private encryption keys to secure configuration files.

Regular Backups and Monitoring:

  • Maintain updated backups of firewall configurations.
  • Continuously monitor for vulnerabilities using threat intelligence feeds.

Conclusion

The exploitation of Zyxel firewall vulnerabilities underscores the importance of proactive cybersecurity measures. Organizations using affected devices must prioritize firmware updates, strengthen access controls, and actively monitor for suspicious activity.

The Helldown ransomware campaign highlights the dangers of leaving systems exposed to known vulnerabilities. By adopting a layered security approach, including 2FA, IP filtering, and robust monitoring, organizations can effectively safeguard their networks against similar threats.

References:

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-290907-1032.pdf?__blob=publicationFile&v=3

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

https://support.zyxel.eu/hc/en-us/articles/21878875707410-Zyxel-USG-FLEX-and-ATP-series-Upgrading-your-device-and-ALL-credentials-to-avoid-hackers-attacks#h_01J9RQPFVV0YYZY0CG3PJT7MAD

https://community.zyxel.com/en/discussion/26764/ransomware-helldown

The post German CERT Warns Zyxel Firewalls Exploited for Helldown Ransomware Deployment appeared first on Cyble.

Blog – Cyble – ​Read More

Top ICS Vulnerabilities This Week: Schneider Electric, mySCADA, and Automated Logic

ICS

This week’s Cyble ICS vulnerability report includes critical vulnerabilities like CVE-2024-10575 in Schneider Electric’s EcoStruxure IT Gateway, CVE-2024-47407 in mySCADA myPRO Manager/Runtime, and CVE-2024-8525 in Automated Logic that need urgent patching.

Overview

Cyble Research and Intelligence Labs (CRIL) analyzed the latest ICS vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) between November 19–25, 2024. These vulnerabilities highlight pressing security concerns across critical sectors, including manufacturing, energy, and communications.

Key insights include:

  1. CISA issued seven security advisories addressing 15 vulnerabilities in ICS products from Schneider Electric, Automated Logic, CODESYS GmbH, and mySCADA.
  2. A critical “Missing Authorization” flaw (CVE-2024-10575) affecting Schneider Electric’s EcoStruxure IT Gateway could allow attackers unauthorized access to critical systems.
  3. mySCADA and Automated Logic WebCTRL exposures show the growing attack surface, stressing the importance of proactive security measures.

Below, we delve into the most significant vulnerabilities and their implications for security teams.

The Week’s Top ICS Vulnerabilities

Key vulnerabilities identified in this report include:

CVE-2024-10575 (Schneider Electric):

  • Product: EcoStruxure IT Gateway
  • Severity: Critical
  • Issue: Missing Authorization
  • Impact: Unauthorized access to critical systems, risking data breaches and operational disruptions.
  • Patch Link

CVE-2024-47407 (mySCADA):

  • Product: myPRO Manager/Runtime
  • Severity: Critical
  • Issue: OS Command Injection
  • Impact: Remote execution of arbitrary commands compromising SCADA and HMI systems.
  • Patch Link

CVE-2024-8525 (Automated Logic):

  • Product: WebCTRL Server (v7.0)
  • Severity: Critical
  • Issue: Unrestricted File Upload
  • Impact: Uploading malicious files to building automation systems.
  • Patch Link

CVE-2024-8933 (Schneider Electric):

  • Product: Modicon M340, MC80, Momentum
  • Severity: High
  • Issue: Message Integrity Bypass
  • Impact: Potential manipulation of system communications.
  • Patch Link

CVE-2024-50054 (mySCADA):

  • Product: myPRO Manager/Runtime
  • Severity: High
  • Issue: Path Traversal
  • Impact: Unauthorized file access and data compromise.
  • Patch Link

For the complete list of vulnerabilities and their respective mitigations subscribe to Cyble’s AI-powered threat intelligence product suite!

Vendor Spotlight

Schneider Electric reported 50% of vulnerabilities, spanning industrial automation and energy management systems.

mySCADA followed with 33%, reflecting issues in SCADA and HMI platforms.

Automated Logic and CODESYS GmbH accounted for 17%, impacting building automation and PLC software.

Figure 1. Vendors who reported and released patches for ICS vulnerabilities, this week. (Source: Cyble)

Impacted Critical Infrastructure Sectors

Critical Manufacturing dominated the impacted sectors with seven vulnerabilities (50%).

The interconnected sectors of manufacturing, energy, and communications accounted for six vulnerabilities (43%), showcasing the criticality of cross-sector dependencies.

Impacted critical Infrastructure Sectors

Figure 2. Impacted critical infrastructure sectors. (Source: Cyble)

Recommendations

To address these vulnerabilities and reduce exploitation risks, CRIL recommends:

  • Monitor Alerts: Regularly review security advisories from vendors and government agencies like CISA.
  • Implement Zero-Trust: Restrict access to critical systems using risk-based management approaches.
  • Network Segmentation: Isolate sensitive ICS components to prevent lateral movement during attacks.
  • Patch Management: Develop a strategy for inventory, assessment, testing, and deployment of patches.
  • Regular Assessments: Conduct vulnerability assessments, penetration tests, and audits to identify weaknesses.
  • Secure Access: Restrict access to ICS devices, ensuring strong authentication measures are in place.
  • Incident Response Plans: Establish and test procedures for detecting and responding to cyber incidents.
  • Employee Training: Train employees to recognize phishing attempts and adhere to security protocols.

Conclusion

This week’s ICS vulnerability report shows the persistent threats to critical infrastructure. The vulnerabilities in Schneider Electric, mySCADA, and Automated Logic products demonstrate the importance of prioritizing cybersecurity measures to safeguard essential systems.

Organizations must act swiftly to patch critical flaws, enhance monitoring, and strengthen overall cybersecurity posture. Proactive measures are crucial in mitigating risks and maintaining the integrity of critical operations.

The post Top ICS Vulnerabilities This Week: Schneider Electric, mySCADA, and Automated Logic appeared first on Cyble.

Blog – Cyble – ​Read More

Telegram Premium gift subscription scam | Kaspersky official blog

We at Kaspersky recently conducted a study and found that the average person spends $938 a year on 12 subscriptions. This just confirms that in today’s world, being subscribed to numerous services is just as much a part of everyday life as having your smartphone with you at all times.

There are subscriptions for everything: music, movies, fitness, security solutions, and even messaging apps. In this article, we’ll focus on one of the latter — Telegram Premium, a subscription that doubles almost all the messenger’s free-version’s limits. And the coolest thing about it is that you can give it to your friends as a present. If you have a large contact list, Telegram frequently reminds you of this possibility. Of course, scammers are exploiting this feature, sending out fake Telegram Premium gift subscriptions left and right.

So what’s behind these gift subscriptions from cybercriminals — and how can you protect your Telegram account?

How the Telegram gift-subscription scam works

It all starts with an innocent-looking Telegram message from someone in your contact list (actually — an impostor): “You’ve been sent a gift — a Telegram Premium subscription”. Beneath it is a link that, at first glance, seems legitimate. And indeed, it leads to an official-looking Telegram Premium channel. But there’s a catch…

Admit it, receiving a message like this feels great, and in a moment of excitement, it's easy not to cotton on to the trap

Admit it, receiving a message like this feels great, and in a moment of excitement, it’s easy not to cotton on to the trap

The text you see — https://t.me/premium — actually hides a link to a completely different phishing page. It’s a simple trick. Consider this example: here’s a link to the Kaspersky Daily blog homepage — https://kaspersky.com/blog, but it actually redirects to the homepage of our other blog, Securelist. Scammers use the same principle: they mask their phishing links with seemingly legitimate addresses.

Let’s return to the Telegram gift-subscriptions scam. The phishing page looks like a regular Telegram login page in a browser. However, the scam is betrayed by the dodgy URL: the address starts with the familiar https://t.me, but then has something extra, which wouldn’t be there if were a legitimate page:

Nice try, scammers — it looks almost identical to the real site

Nice try, scammers — it looks almost identical to the real site

If you enter your account details here, consider them stolen. Your user name, password, and possibly your two-factor authentication code will end up in bad guys’ hands. Once you’ve handed over your credentials, the scammers display a congratulatory message and start a 24-hour timer, claiming it’s the activation period for Telegram Premium. This delay is a classic cybercriminal tactic. They’re counting on the user either forgetting about the subscription or believing it’s genuinely on its way. Most likely, the only thing that will happen during these 24 hours is that you’ll permanently lose access to your account.

After 24 hours, the timer ends, but the subscription never materializes

After 24 hours, the timer ends, but the subscription never materializes

How else do scammers exploit gift Telegram subscriptions?

Since Telegram Premium launched several years ago, various scam scenarios have emerged. Unsurprisingly, these scams bear similarities to other primitive forms of fraud we frequently discuss on the Kaspersky Daily blog.

For example, cybercriminals might claim to host a free raffle for a three-month Telegram Premium subscription. However, there’s no real drawing of the winning “tickets” — everyone’s a winner; however, the prize isn’t a genuine gift subscription. Victims are directed to click a link and log in to Telegram on a phishing site. And that’s where their accounts get compromised.

Cybercriminals play to your ego with false claims like: "You've been selected as one of seven participants in our exclusive prize draw!"

Cybercriminals play to your ego with false claims like: “You’ve been selected as one of seven participants in our exclusive prize draw!”

Another common tactic involves distributing APK files for supposedly “hacked” Telegram apps bundled with Premium subscriptions. Needless to say, such modified apps are often nothing more than malware in disguise.

Always be skeptical of allegedly hacked or alternative versions of popular apps

Always be skeptical of allegedly hacked or alternative versions of popular apps

Now, you’ll have noticed that the screenshots above are in various languages. The fact is that these scammers operate all over the world, and if this scheme hasn’t reached your region yet, rest assured it surely soon will. Therefore, you should ensure the security of your devices and accounts with reliable protection.

How to protect your Telegram account

To start, we recommend setting up your Telegram security and privacy using our guide. If you’ve already done this, here are some additional tips to help you avoid becoming a victim of these and other scams:

  • Remember that there’s no such thing as a free lunch. Before celebrating a sudden gift, double-check if the sender really has good intentions. At the very least, contact them via a different communication channel — call them, use another messenger, or verify in person. As your personal account is at stake, you’d better err on the side of excessive caution.
  • Purchase subscriptions only through official channels. Telegram, for example, has a designated bot for buying subscriptions.
  • Enable two-factor authentication. This could be your last line of defense in case you fall for a scam. One way to store your 2FA tokens conveniently and securely is in Kaspersky Password Manager.
  • Learn more about other ways scammers can steal your Telegram account. There are countless fraudulent schemes — many of which are more sophisticated than they appear.
  • Slow down, even if you’re being rushed. Scammers love pressuring victims with timers. When it comes to your digital safety, ignore countdowns and take your time.
  • Be cautious about alternative versions of apps. We recommend only using official apps, because unofficial versions are almost always loaded with Trojans.

Kaspersky official blog – ​Read More

CISA Enhances Secure by Design Strategy with AI Red Teaming for Critical Infrastructure Protection

CISA

Overview

CISA has announced new additions to its Secure by Design initiative with the introduction of advanced fields in artificial intelligence (AI). This plan ensures the safety, security, and reliability of AI systems, especially as they are increasingly integrated into critical infrastructure and public safety applications. One of the most effective ways to evaluate and improve the resilience of AI systems is through the process of AI red teaming, which is an integral part of a broader strategy known as Testing, Evaluation, Validation, and Verification (TEVV).

This approach, backed by decades of experience in software security testing, emphasizes the importance of a Secure by Design methodology and aims to protect against both technical and ethical risks associated with AI deployment. The Cybersecurity and Infrastructure Security Agency (CISA), as the national coordinator for critical infrastructure security, has been at the forefront of promoting the Secure by Design approach in the development and testing of AI systems.

This initiative is designed to ensure that AI technologies are not only functional but also resistant to exploitation and capable of operating safely within complex environments. In a recent blog post by Jonathan Spring, Deputy Chief AI Officer, and Divjot Singh Bawa, Strategic Advisor, CISA emphasizes the importance of integrating AI red teaming into the established framework of software TEVV.

Red teaming, in the context of AI, refers to third-party safety and security evaluations of AI systems. It is part of a broader risk-based approach that includes thorough testing to uncover vulnerabilities and potential points of failure. According to the CISA blog, AI red teaming is essential for identifying weaknesses that could lead to critical failures, whether through physical attacks, cyberattacks, or unforeseen system malfunctions. The goal of AI testing is to predict how an AI system may fail and develop strategies to mitigate such risks.

AI Testing, Evaluation, Validation, and Verification (TEVV)

TEVV, a well-established methodology used for testing software systems, is not just relevant but essential for evaluating AI systems. Despite some misconceptions, AI TEVV should not be seen as entirely distinct from software TEVV. In fact, AI systems are fundamentally software systems, and the principles of TEVV are directly applicable to AI evaluations. This approach is particularly important as AI becomes increasingly integrated into safety-critical sectors like healthcare, transportation, and aerospace.

The TEVV framework is built upon three core components: system test and evaluation, software verification, and software validation. These processes ensure that software, including AI systems, functions as intended, meets safety standards, and performs reliably in diverse conditions. AI systems, like traditional software, must be rigorously tested for both validity (whether the system performs as expected) and reliability (how well the system performs under varying conditions).

One of the common misconceptions about AI systems is that their probabilistic nature — which allows them to adapt to changing inputs and conditions — makes them fundamentally different from traditional software. However, both AI and traditional software systems are inherently probabilistic, as demonstrated by issues like race conditions in software, where seemingly minor changes can lead to critical errors.

The Intersection of Software and AI TEVV

The notion that AI systems require entirely new testing frameworks separate from software TEVV is flawed. While AI systems may introduce new challenges, particularly around their decision-making processes and data-driven behaviors, many of the testing methodologies used in traditional software security remain relevant.

For instance, AI systems must undergo similar testing to ensure they are robust against unexpected inputs, exhibit reliability over time, and operate within secure boundaries. These concepts are not new but have been applied to traditional software for decades, particularly in industries where safety is paramount.

Take, for example, automated braking systems in modern vehicles. These systems rely on AI to interpret sensor data and make split-second decisions in critical situations, such as detecting pedestrians or obstacles. To ensure these systems are safe, engineers must test their robustness under a variety of scenarios, from unexpected road conditions to sensor malfunctions. Similarly, AI systems, regardless of their complexity, must undergo similar evaluations to guarantee their safety and reliability in real-world conditions.

CISA’s Role in Advancing AI Red Teaming and Security

CISA’s leadership in AI red teaming and security testing is crucial as AI becomes more prevalent in critical infrastructure. The agency is a founding member of the newly formed Testing Risks of AI for National Security (TRAINS) Taskforce, which aims to test advanced AI models used in national security and public safety contexts. The taskforce will focus on creating new AI evaluation methods and benchmarks to ensure that AI systems meet national security standards and can be securely deployed.

Moreover, CISA is actively involved in post-deployment AI security testing. This includes penetration testing, vulnerability scanning, and configuration testing for AI systems deployed across both federal and non-federal entities. As AI technologies, especially Large Language Models (LLMs), become more integrated into various sectors, CISA expects an increase in demand for these security testing services.

In addition to its technical efforts, CISA works closely with the National Institute of Standards and Technology (NIST) to develop and refine standards for AI security testing, providing expertise on how to make these standards actionable and effective.

Conclusion

As the field of AI testing continues to evolve, integrating AI red teaming into the existing software TEVV framework offers significant benefits. By adapting traditional software security testing methods to address the unique challenges posed by AI, the testing community can build upon proven strategies while incorporating new tools and methodologies specific to AI evaluation. This streamlined approach helps save time, resources, and effort by avoiding the creation of parallel testing processes that may ultimately yield similar results.

References

The post CISA Enhances Secure by Design Strategy with AI Red Teaming for Critical Infrastructure Protection appeared first on Cyble.

Blog – Cyble – ​Read More

PSLoramyra: Technical Analysis of Fileless Malware Loader

In this article, ANY.RUN‘s analyst team will explore a malicious loader known as PSLoramyra. This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access.  

Classified as a fileless loader, PSLoramyra bypasses traditional detection methods by loading its primary payload entirely into memory, leaving minimal traces on the system. 

PSLoramyra Loader: Technical Analysis 

To see PSLoramyra loader in action, let’s have a look at its sample inside ANY.RUN’s sandbox: 

View analysis 

PSLoramyra analysis inside ANY.RUN sandbox

Initial PowerShell script 

Let’s take a closer look at this loader. The infection chain begins with an initial PowerShell script that contains both the main malicious payload and the scripts required to execute it. The script performs the following steps: 

  1. File creation:  

The script generates three files critical to the infection chain: 

  1. roox.ps1 
  1. roox.bat 
  1. roox.vbs 
  1. Execution chain
  1. The roox.vbs script is executed first to initiate the process. 
  1. roox.vbs launches the roox.bat script. 
  1. roox.bat then runs the roox.ps1 PowerShell script. 
  1. Payload execution:  
Execution chain of the attack

The roox.ps1 script loads the main malicious payload directly into memory using Reflection.Assembly.Load.

Process tree generated by ANY.RUN sandbox

It then leverages RegSvcs.exe to execute the payload. In this case, the payload is the Quasar RAT

Black Friday 2024: Get up to 3 sandbox licenses for free 



See details


Establishing Persistence with Task Scheduler 

Script used the malware

The PowerShell script establishes persistence by creating a Windows Task Scheduler task that runs roox.vbs every two minutes. Here’s how it operates step by step: 
 

  1. Creating the scheduler object

The script initializes a Task Scheduler object using the following command: 

New-Object -ComObject Schedule.Service  

It then connects to the Task Scheduler service: $scheduler.Connect() 

  1. Defining a new task: 

A new task is created with: $taskDefinition = $scheduler.NewTask(0)  

The task is described, and its execution is enabled: $taskDefinition.Settings.Enabled = $true 

  1. Setting the Trigger

A trigger is configured to execute the task every two minutes: $trigger.Repetition.Interval = “PT2M”  

  1. Configuring the Task Action

The action specifies the execution of the roox.vbs script: $action.Path = “C:UsersPublicroox.vbs 

  1. Registering the Task

Finally, the task is registered in the Task Scheduler, ensuring it runs continuously: $taskFolder.RegisterTaskDefinition() 

Script Creation 

The initial PowerShell script generates multiple scripts and writes them to the disk. This is achieved using the following command: [IO.File]::WriteAllText(“PATH”, CONTENT) 

The content of these scripts is initially stored in variables such as $Content. 

Script execution shown in the ANY.RUN sandbox

Detailed Script Breakdown 

Roox.vbs script 

This script runs every two minutes and acts as the starting point for executing the other scripts in the malware chain. Essentially, it serves as a link between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses successfully. 

VBS Script

The roox.vbs script launches the next script in the chain, roox.bat, in a hidden window. This ensures that its execution remains invisible to the user, maintaining the stealth of the infection process. 

  1. Error handling: 

The command on error resume next suppresses error messages, allowing the script to continue execution even if exceptions occur. This ensures the script does not fail visibly during the process. 

  1. CreateWshShellObj function 

This function creates a COM object named WScript.Shell. The object is used to execute commands and scripts, which are essential for launching the next stage in the infection chain. 

  1. GetFilePath function 

This function retrieves the path to the next stage in the chain, specifically pointing to the BAT file roox.bat. 

  1. GetVisibilitySetting function 

Configures the visibility settings to ensure that roox.bat runs without displaying a window on the desktop. This stealthy execution minimizes the chances of detection by the user. 

  1. RunFile function

Executes a file at the specified path with the defined visibility settings. In this case, it launches roox.bat in hidden mode. 

  1. Sequence of calls 

The script executes the required functions in the following order to launch roox.bat: 

  • Creates the WScript.Shell object using CreateWshShellObj. 
  • Retrieves the path to roox.bat via GetFilePath. 
  • Configures the visibility mode to hidden (0) using GetVisibilitySetting. 
  • Executes roox.bat in hidden mode through the RunFile function.

ROOX.BAT Script 

BAT script

This script runs roox.ps1 using PowerShell. It employs the following flags to enhance stealth and bypass security measures: 

  • NoProfile: Prevents the loading of user-specific PowerShell profiles 
  • WindowStyle Hidden: Hides the PowerShell window during execution, ensuring that the process remains invisible to the user. 
  • ExecutionPolicy Bypass: Overrides Windows PowerShell execution policies, allowing scripts to run without restrictions imposed by security configurations. 

ROOX.PS1 Script

PowerShell script

The roox.ps1 PowerShell script deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using .NET Reflection and RegSvcs.exe. The script employs simple obfuscation using the # character to make detection more challenging.

The variables $RoXstring_lla and $Mordexstring_ojj store the main malicious payload in the form of HEX strings, with each byte separated by %&% as a means of obfuscation. 

Deobfuscation Process 

The script uses the following commands to convert the obfuscated HEX strings into usable binary code: 

[Byte[]] $NKbb = $Mordexstring_ojj -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

[Byte[]] $pe = $RoXstring_lla -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

What these commands do: 

  • Split the HEX strings: They split the HEX strings $Mordexstring_ojj and $RoXstring_lla into arrays using %&% as a delimiter. 
  • Convert HEX to decimal bytes: Then, each element in the array converts the HEX string into a decimal byte value. 
ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

Form byte arrays: This forms a byte array (Byte[]), representing the binary code of the payload. 

Deobfuscate using -replace
Obfuscated commands are cleaned by removing # symbols using the -replace command. For example, a string like L####o####a####d is transformed into Load. 

Restore the method name
The variable $Fu restores the method name [Reflection.Assembly]::Load, which is used to load a .NET assembly into memory. 

Payload execution in memory: The script dynamically loads the NewPE2.PE type from the .NET assembly and calls its Execute method. The Execute method injects malicious code into a legitimate process, such as aspnet_compiler.exe. In this case, the target process is RegSvcs.exe. 

The initial variable $RoXstring_lla contains the injector for the .NET assembly NewPE2, which is responsible for loading the main payload into the process.

Within this assembly, the script locates the type NewPE2.PE and executes the Execute method. The latter is provided with parameters: the path and the malicious .NET assembly itself. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



Use the following query to search for more samples and threat data in TI Lookup:

Conclusion

PSLoramyra is a sophisticated fileless loader. It leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, evading traditional detection methods. Its infection chain begins with an initial PowerShell script that generates essential files and establishes persistence through Windows Task Scheduler. The malware’s stealthy execution and minimal system footprint make it a serious threat.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Explore all Black Friday 2024 offers →

Indicators of Compromise (IOCs)

Hashes 

ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9 

9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e 

d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc 

Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb 

Files 

C:UsersPublicroox.vbs 

C:UsersPublicroox.bat 

C:UsersPublicroox.ps1 

Domain 

Ronymahmoud[.]casacam[.]net 

IP 

3[.]145[.]156[.]44 

The post PSLoramyra: Technical Analysis of Fileless Malware Loader appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

The 2023–2024 Annual Cyber Threat Report Reveals Rising Cyber Threat Trends for Individuals and Businesses

Cyber Threat

Overview

The 2023–2024 Annual Cyber Threat Report from the Australian Signals Directorate (ASD) reports a new rise in cyber threats targeting both individuals and businesses in Australia. As global tensions escalate, particularly due to ongoing conflicts such as Russia’s invasion of Ukraine and strife in the Middle East, cybercriminals and state-sponsored threat actors are intensifying their efforts to exploit vulnerabilities across nations.  

The Australia government stresses the growing threat to its critical infrastructure, with malicious actors continuing to engage in espionage, cybercrime, and disinformation campaigns. At the same time, technological advancements are enabling both state and non-state actors to enhance their cyber capabilities, creating new challenges for businesses, individuals, and government entities alike.

In response to these mounting risks, the Australian Government has committed $15–$20 billion to support the nation’s cyber resilience, strengthen infrastructure security, and support offensive operations against cyber threats. Central to this strategy is the importance of public-private partnerships and the ongoing use of cyber sanctions to target adversarial actors such as Russian cybercriminals.

2023–2024 Annual Cyber Threat Report: Key Findings on Cyber Threat Trends for Individuals

In the 2023–2024 Cyber Threat Trends, the report reveals troubling statistics and insights into the personal cyber risks faced by Australians. Over 87,400 cybercrime reports were made in FY2023–24, marking a 7% decrease from the previous year. This equates to an average of one cybercrime report every six minutes. The Australian Cyber Security Hotline responded to over 36,700 calls in the same period, an increase of 12% compared to FY2022–23, signaling that cyber threats targeting individuals are on the rise.

The most prevalent types of cybercrimes reported by individuals were:

  • Identity fraud (26%)
  • Online shopping fraud (15%)
  • Online banking fraud (12%)

The financial impact of these crimes is substantial. The average cost of cybercrime per report for individuals has risen to approximately $30,700, a 17% increase from the previous year. This figure highlights the growing financial burden that cybercrime places on individuals, many of whom find themselves victims of scams, data breaches, and fraud. According to the Australian Institute of Criminology’s Cybercrime in Australia 2023 report, 34% of Australians had their financial or personal information exposed in a data breach in the last year, with 79% of them being notified by the affected company or a government agency.

Cybercriminals continue to exploit various tactics to carry out their attacks, with common methods including phishing, where cybercriminals impersonate trusted businesses to trick individuals into revealing sensitive information, such as passwords or credit card details. Malware is another frequent tool used to infect devices, steal data, or carry out unauthorized transactions.

The main 2023–2024 cyber threats individuals need to be aware of include:

  • Identity fraud: The theft and misuse of personal information for financial gain or to create fake accounts.
  • Online shopping fraud: Scams that occur when individuals purchase goods or services online, only to be defrauded or receive counterfeit products.
  • Online banking fraud: Cybercriminals gain unauthorized access to bank accounts to steal funds or commit fraudulent activities.

2023–2024 Annual Cyber Threat Report: Cyber Threat Trends for Businesses

The 2023–2024 Annual Cyber Threat Report also provides insights into the growing risks faced by businesses in Australia, particularly those that deal with sensitive customer data or proprietary information. In FY2023–24, businesses reported over 87,400 cybercrime incidents, with a slight 7% decrease from the previous year, though the number remains concerningly high. The Australian Cyber Security Hotline received more than 36,700 calls, highlighting that businesses continue to grapple with increasing cyber threats.

The three primary types of cybercrimes reported by businesses were:

  • Email compromise (20%)
  • Online banking fraud (13%)
  • Business email compromise (BEC) fraud, which resulted in financial losses (13%)

The average self-reported cost of cybercrime to businesses showed a mixed picture. For small businesses, the average loss increased by 8%, reaching $49,600, while medium-sized businesses saw a significant 35% decline, down to $62,800, and large businesses experienced an 11% decrease, to $63,600. Despite this overall decrease, BEC remains one of the most financially damaging threats, with Australian businesses reporting losses of nearly $84 million due to these scams.

BEC continues to have a impact, with an average loss of more than $55,000 per confirmed incident. This type of fraud typically involves attackers impersonating trusted figures within an organization to trick employees into authorizing fraudulent transactions or providing sensitive information.

In terms of security incidents, ASD responded to over 1,100 incidents, with 11% of these attacks targeting critical infrastructure, reflecting the growing vulnerability of Australia’s essential services to cyber threats. Ransomware attacks, in particular, have increased by 3% from the previous year, further underscoring the need for businesses to adopt proactive measures to defend against cybercriminals.

Common cyber threats facing businesses today include:

  • Online banking fraud
  • Email compromise, including phishing attacks
  • Business email compromise (BEC) fraud

To mitigate these threats, businesses must implement comprehensive security measures and adopt best practices such as the ASD’s Essential Eight—a set of cybersecurity strategies designed to reduce the risk of cyberattacks. Additionally, organizations should train their employees to recognize phishing attempts and suspicious activity.

The Cyble ANZ Report on Cyber Threat Trends

Along with the 2023–2024 Annual Cyber Threat Report, Cyble recently shared its ANZ Cyber Threat Landscape Report 2024 offering a critical supplement to the annual report, providing additional insights into the threat environment faced by both individuals and businesses in Australia. Cyble’s report highlights the rapid rise of cybercrime-as-a-service (CaaS) platforms, which continue to democratize cybercrime, allowing even less technically skilled individuals to launch devastating attacks. These platforms sell malware, ransomware, and exploits, lowering the entry barriers for criminals and increasing the frequency and sophistication of attacks.

Key Threats Identified in the Cyble ANZ Report

  1. Ransomware: Cyble’s research highlights the growing risk of ransomware attacks across various sectors, with Australian businesses increasingly falling victim to this type of threat. Notably, Conti, LockBit, and Clop are some of the most active ransomware families identified in the region, and their impact continues to grow. These groups have increasingly used tactics such as data exfiltration, threatening to release sensitive data unless a ransom is paid.
  2. Supply Chain Attacks: The report notes an increase in attacks targeting third-party suppliers, leveraging their vulnerabilities to gain access to larger organizations. Attackers often infiltrate smaller organizations with weaker cybersecurity measures, using them as steppingstones to gain access to larger, more lucrative targets. This type of attack is particularly concerning as businesses often rely on third-party suppliers for critical services and infrastructure, making them vulnerable to cascading effects.
  3. Phishing and Business Email Compromise (BEC): Cyble’s analysis of social engineering tactics reveals a rise in phishing attacks, which remain one of the most commonly used methods for infiltrating organizations. BEC campaigns are also on the rise, where attackers impersonate trusted business partners or executives to deceive employees into transferring funds or sharing sensitive information.
  4. Dark Web Activity: The Cyble report emphasizes the growing role of the dark web in facilitating cybercrime. The increasing volume of stolen credentials, malicious tools, and data leaks sold on dark web marketplaces presents a serious risk to both individuals and businesses.

A key focus of both the 2023–2024 Annual Cyber Threat Report and the Cyble ANZ Report is the growing risks to Australia’s critical infrastructure. Cybercriminals, as well as state-sponsored threat actors, continue to target sectors vital to the nation’s security and economic stability, including energy, water, transportation, and telecommunications. These sectors are particularly attractive to cyber adversaries due to the potential for widespread disruption and financial and operational impact.

Conclusion

To effectively mitigate the growing cyber risks highlighted in the 2023–2024 Annual Cyber Threat Report and the Cyble ANZ Cyber Threat Landscape Report 2024, both individuals and businesses must stay alert and adopt proactive security measures. For individuals, practices like multi-factor authentication, strong passphrases, and regular software updates are essential for reducing the likelihood of cybercrime. Businesses should follow the ASD’s Essential Eight guidelines, implement vulnerability management, and maintain strong partnerships with cybersecurity agencies.

References

The post The 2023–2024 Annual Cyber Threat Report Reveals Rising Cyber Threat Trends for Individuals and Businesses appeared first on Cyble.

Blog – Cyble – ​Read More

CERT-In Alert: Multiple Vulnerabilities in Android Impacting Millions of Devices

CERT

Overview

The Computer Emergency Response Team of India (CERT-In) has issued an urgent vulnerability note (CIVN-2024-0349) regarding multiple security flaws in Android. These vulnerabilities, identified as “High” in severity, affect Android versions 12, 12L, 13, 14, and 15, potentially putting millions of devices worldwide at risk.

This advisory serves as a wake-up call for OEMs (Original Equipment Manufacturers), Android users, and cybersecurity professionals. If exploited, the vulnerabilities could lead to unauthorized data access, privilege escalation, arbitrary code execution, and system crashes.

Overview of the Threats

Android is the world’s most widely used mobile operating system. It powers billions of devices globally, including smartphones, tablets, smartwatches, and IoT devices. Its open-source nature and vast ecosystem make it a prime target for attackers.

CERT-In has highlighted that multiple vulnerabilities have been detected in various critical components of Android, including:

  • Framework
  • System
  • Google Play System Updates
  • Kernel and Kernel LTS
  • Chipset Components: MediaTek, Qualcomm, Imagination Technologies
  • Closed-Source Qualcomm Components

The exploitation of these vulnerabilities could allow threat actors to:

  • Extract sensitive information such as user credentials and private data.
  • Gain elevated privileges, enabling unauthorized control over the device.
  • Execute arbitrary code, leading to malware installation or unauthorized actions.
  • Cause Denial of Service (DoS), rendering the device unstable or inoperable.

Implications for Users and OEMs

Risk Assessment

The vulnerabilities have been classified as High Risk, indicating significant potential for widespread damage:

  • Unauthorized Access: Attackers could exploit the flaws to infiltrate devices and access sensitive user data.
  • System Instability: Successful exploitation might cause devices to crash or malfunction, disrupting regular operations.

Impact Assessment

  • Data Breaches: Private user data could be exposed or stolen, posing privacy and financial risks.
  • System Downtime: Affected devices could experience crashes, slowing down productivity and service availability.

This situation demands immediate attention from OEMs, who must release timely patches, and from users, who must ensure their devices remain updated.

The Scope of the Vulnerabilities

The CERT-In advisory lists over 40 vulnerabilities tracked under the Common Vulnerabilities and Exposures (CVE) system. A few of the critical CVEs include:

  • CVE-2023-35659
  • CVE-2024-20104
  • CVE-2024-21455
  • CVE-2024-38402
  • CVE-2024-43093

Each CVE points to a specific flaw in Android’s components. For instance, vulnerabilities in Qualcomm and MediaTek chipsets could allow remote attackers to bypass critical security controls. Kernel vulnerabilities could enable privilege escalation, granting attackers complete control over the device.

Recommended Actions

For Users

  1. Update Your Device: Check for system updates regularly and apply them as soon as they become available. OEMs release patches to mitigate these vulnerabilities.
  2. Download Apps Only from Trusted Sources: Avoid third-party app stores and download apps exclusively from Google Play.
  3. Enable Security Features: Utilize features like biometric authentication, two-factor authentication (2FA), and device encryption.
  4. Avoid Clicking Suspicious Links: Phishing attacks often exploit such vulnerabilities to compromise devices.

For OEMs and Enterprises

  1. Prioritize Patch Management: Ensure timely delivery of security patches to devices running vulnerable Android versions.
  2. Conduct Risk Assessments: Evaluate the potential impact of these vulnerabilities on your devices and systems.
  3. Collaborate with Google: Work closely with Google to address vulnerabilities and maintain the integrity of Google Play system updates.
  4. Communicate with Users: Inform customers about the risks and provide clear instructions on applying updates.

Technical Analysis: Why These Flaws Matter

The vulnerabilities stem from diverse sources, including outdated software components, misconfigurations, and unpatched exploits. Here’s a breakdown:

  1. Framework and System Flaws: These are at the core of Android and may enable attackers to access sensitive OS-level permissions.
  2. Kernel and Kernel LTS Issues: Kernel vulnerabilities are particularly dangerous as they grant low-level access, making privilege escalation easier.
  3. Chipset-Specific Weaknesses: Vulnerabilities in MediaTek and Qualcomm components highlight how third-party hardware can introduce risks into Android devices.
  4. Google Play Updates: An attacker exploiting flaws in Google Play system updates can compromise the very mechanism meant to secure devices.

Attackers typically exploit these flaws via:

  • Remote Code Execution (RCE): Delivering malicious payloads through apps or websites.
  • Privilege Escalation: Gaining unauthorized control of devices.
  • Denial of Service (DoS): Overloading system resources to render the device inoperable.

Looking Ahead: The Role of Collaborative Efforts

The CERT-In advisory emphasizes the need for collaboration among stakeholders, including Google, OEMs, and the cybersecurity community. A comprehensive approach involving timely patching, user education, and proactive risk management is essential to mitigate these risks.

Key Takeaways

  1. Android versions 12 through 15 are vulnerable to multiple high-severity security flaws.
  2. The vulnerabilities could lead to data theft, privilege escalation, or denial of service.
  3. Users must apply updates promptly and exercise caution while browsing or installing apps.
  4. OEMs should expedite patch rollouts to ensure device security.

Even a single unpatched vulnerability can cascade into large-scale cyber incidents. Staying vigilant and acting swiftly is the only way to ensure Android devices remain safe from exploitation.

References

https://www.cert-in.org.in

The post CERT-In Alert: Multiple Vulnerabilities in Android Impacting Millions of Devices appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Releases Seven Critical ICS Advisories to Address Vulnerabilities in Industrial Control Systems

CISA

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) published seven detailed security advisories to address critical vulnerabilities in various Industrial Control Systems (ICS).

These advisories cover a range of products, from web-based control servers to automated management systems, and highlight security risks that could compromise the integrity and functionality of ICS used across various sectors.

The released advisories focus on several key products, with each alert providing specific technical details about the vulnerabilities, their risk ratings, and the corresponding mitigations. The advisories include:

  1. ICSA-24-326-01 – Automated Logic WebCTRL Premium Server
  2. ICSA-24-326-02 – OSCAT Basic Library
  3. ICSA-24-326-03 and ICSA-24-326-04 – Schneider Electric Modicon M340, MC80, and Momentum Unity M1E
  4. ICSA-24-326-05 – Schneider Electric EcoStruxure IT Gateway
  5. ICSA-24-326-06 – Schneider Electric PowerLogic PM5300 Series
  6. ICSA-24-326-07 – mySCADA myPRO Manager

Each security advisory provides critical information on vulnerabilities that could be exploited remotely or locally and highlights potential consequences such as unauthorized access, service disruptions, and the compromise of sensitive data.

Key Vulnerabilities and Mitigations

Automated Logic WebCTRL Server Vulnerabilities

The Automated Logic WebCTRL Premium Server has been found to contain two serious vulnerabilities: CVE-2024-8525 (unrestricted file upload) and CVE-2024-8526 (URL redirection). These vulnerabilities affect WebCTRL, Carrier i-Vu, and SiteScan Web servers, allowing unauthenticated users to upload potentially malicious files or redirect users to harmful sites. These issues could lead to remote code execution or data exposure. CISA recommends updating to the latest version of WebCTRL and using firewalls and VPNs to limit system exposure.

OSCAT Basic Library

The OSCAT Basic Library vulnerability (CVE-2024-6876) is related to an out-of-bounds read issue, which can be exploited by local attackers to read internal PLC data, possibly causing system crashes. The advisory emphasizes updating to OSCAT Basic Library version 3.3.5 to resolve this issue and ensuring proper validation of inputs in PLC programs to mitigate the risk of exploitation.

Schneider Electric Modicon M340, MC80, and Momentum Unity M1E

A series of vulnerabilities in Schneider Electric’s Modicon M340, MC80, and Momentum Unity M1E controllers (CVE-2024-8933 and others) expose the systems to various attacks. These include message integrity issues, authentication bypass, and improper memory buffer handling, which could lead to service disruptions, password hash exposure, or even a complete system compromise.

The advisories strongly recommend network segmentation, firewall application, and ensuring the activation of memory protection on M340 CPUs to prevent unauthorized access.

Schneider Electric EcoStruxure IT Gateway

The EcoStruxure IT Gateway is vulnerable to a missing authorization issue, which could allow unauthorized access to connected systems. This flaw, present in versions 1.21.0.6 through 1.23.0.4, is rated with a CVSS score of 10.0. CISA urges users to update to version 1.23.1.10 and to secure systems by isolating networks and implementing firewalls for access control.

Schneider Electric PowerLogic PM5300 Series

The PowerLogic PM5300 Series from Schneider Electric suffers from an uncontrolled resource consumption issue caused by IGMP packet overload. This vulnerability, found in versions prior to 2.4.0 for PM5320 and 2.6.6 for PM5341, can result in communication losses and device unresponsiveness.

To mitigate this, CISA recommends updating the devices or enabling IGMP snooping, configuring VLAN interfaces, and employing multicast filtering. Additionally, applying best practices such as isolating control systems behind firewalls and using secure remote access methods is essential.

mySCADA myPRO Manager

The myPRO Manager from mySCADA has been found to contain multiple vulnerabilities, including OS command injection, improper authentication, and path traversal. These flaws, present in versions before 1.3 of the Manager and 9.2.1 of the Runtime, are extremely critical, with CVSS scores as high as 10.0 for OS command injection.

Attackers exploiting these vulnerabilities could gain remote access, execute arbitrary commands, and disrupt system operations. Users are advised to update to the latest versions (1.3 and 9.2.1) and secure their systems by implementing network isolation and VPNs for remote access.

Recommendations and Mitigations

In addition to addressing specific vulnerabilities, CISA’s advisories emphasize a set of best practices to protect ICS from potential threats:

  • Firewalls and Virtual Private Networks (VPNs) are crucial for controlling access to ICS networks and limiting exposure to remote threats.
  • Isolating ICS networks from general IT networks is key to minimizing risks from external attacks.
  • Keeping systems up to date with the latest security patches is critical to defending against known vulnerabilities.
  • CISA encourages organizations to conduct impact assessments and apply appropriate cybersecurity strategies before patching systems.

Conclusion

As cyberattacks on industrial control systems continue to rise, CISA’s release of these ICS advisories highlights the critical need for proactive security measures.

To protect their assets and ensure operational continuity, organizations must stay informed about the latest security vulnerabilities, follow best practices, and promptly implement CISA’s recommended solutions.

With cyber threats‘ growing sophistication and interconnectivity, staying up to date on security advisories has never been more important for protecting critical infrastructure.

Sources:

The post CISA Releases Seven Critical ICS Advisories to Address Vulnerabilities in Industrial Control Systems appeared first on Cyble.

Blog – Cyble – ​Read More