Google Fixes Critical Zero-Day Vulnerabilities in Latest Android Security Update

Google

Overview

In its latest security bulletin, Google has patched two actively exploited zero-day vulnerabilities in Android, marking a crucial step toward protecting users from likely spyware attacks.`

 The November update addresses a total of 51 vulnerabilities, including a critical issue in Qualcomm components. Android users are strongly advised to install these updates to secure their devices against potential exploitation.

Key Vulnerabilities in Focus: CVE-2024-43047 and CVE-2024-43093

The two zero-days—tracked as CVE-2024-43047 and CVE-2024-43093—have been identified as exploited in targeted attacks. “There are indications that the following may be under limited, targeted exploitation,” Google said in its November Android Security Bulletin.

These vulnerabilities have raised concerns due to their ability to circumvent Android’s built-in protections and potentially allow remote attackers to access sensitive user data. Although Google has withheld detailed exploitation techniques, the attribution of CVE-2024-43047’s findings to researchers from Amnesty International suggests that it may have been used in spyware attacks, typically deployed in espionage scenarios aimed at high-profile individuals or organizations.

Vulnerability Details and Impact Analysis

1. CVE-2024-43047

Discovered by: Amnesty International researchers.

Impact: This vulnerability could enable attackers to escalate privileges or remotely execute commands on compromised devices. It has likely been used in targeted spyware attacks, allowing threat actors to monitor user activity, intercept communications, and access sensitive data on victims’ device without detection.

Targeted Attack Potential: With signs of exploitation in targeted attacks, CVE-2024-43047 is a potent tool for espionage, likely targeting journalists, activists, or individuals of interest.

2. CVE-2024-43093

Impact: While details remain sparse, this zero-day vulnerability is an elevation of privilege bug in the Android Framework and has also been actively exploited, possibly allowing attackers to gain unauthorized access to devices and control over critical functions. The exploitation may involve initial access through social engineering or phishing, with subsequent remote control of the device.

Risk of Backdoors and Surveillance: This flaw could be used to embed backdoors or spyware, posing a significant threat to user privacy and device integrity.

3. CVE-2024-38408

Impact: This critical flaw affects proprietary Qualcomm components, possibly targeting device hardware responsible for network communications. Hardware-level vulnerabilities are particularly concerning as they bypass OS-level protections, making detection and prevention challenging.

Severity: If exploited, CVE-2024-38408 could allow attackers to manipulate hardware-level functionalities, intercept communications, and even hijack network-based data transmissions.

Google’s November Security Patches: Breakdown and User Guidance

The November security patches address these zero-days and 48 other vulnerabilities across different Android versions, ranging from 12 to 15. The fixes are rolled out through two patch levels:

– November 1 Patch: Focuses on core Android vulnerabilities, addressing 17 issues, including the two zero-days.

– November 5 Patch: Expands to include vendor-specific fixes, covering an additional 34 vulnerabilities affecting components from Qualcomm, MediaTek, and other hardware vendors.

For users, updating to the latest patch level is essential. Android 11 and older devices may no longer receive full support but could get selective patches for critical vulnerabilities through Google Play system updates, though coverage is not guaranteed.

Also read: OEMs Are Urged to Address Vulnerabilities in Device Communication

How to Apply the Latest Android Update

To ensure your device is protected, follow these steps to update your Android device:

– For System Update: Go to Settings > System > Software updates > System update.

– For Security Update: Navigate to Settings > Security & privacy > System & updates > Security update.

A device restart will be required to finalize the update.

Implications of Unpatched Devices

The presence of actively exploited vulnerabilities calls for an urgency in applying these patches. Without updates, devices are at risk of:

– Remote Exploitation: Attackers could gain unauthorized access to data and device functions.

– Data Privacy Threats: Zero-days like CVE-2024-43047 and CVE-2024-43093 are often leveraged in highly targeted campaigns focusing on surveillance and data exfiltration.

– Device Integrity Risks: Hardware-based vulnerabilities (like those affecting Qualcomm components) expose users to potential device malfunctions and even physical security risks. With CVE-2024-38408 affecting Qualcomm components, attackers may gain deep-level control that bypasses typical OS-level protections, making such exploits more severe in their impact and harder to patch.

For Android 11 or older users, consider upgrading to a newer model or using a third-party Android distribution that includes the latest security patches.

Conclusion and Recommendations

Google’s November 2024 security update is a critical release for Android users, addressing zero-day vulnerabilities that could otherwise lead to severe data and privacy breaches. The targeted nature of these attacks suggests a focus on high-value individuals, but the risk extends to all users who remain unpatched.

Timely security updates are essential in defending against sophisticated cyberattacks. Android users should prioritize these patches to safeguard their data, privacy, and device integrity against current and future exploits.

Staying vigilant and promptly applying updates is the best defense against the growing wave of mobile threats, particularly for those in sensitive or high-profile roles. By understanding the nature of these vulnerabilities and their potential impact, users can better appreciate the importance of keeping their devices secure and up-to-date.

Source:

https://source.android.com/docs/security/bulletin/2024-11-01

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43047

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43093

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38408

The post Google Fixes Critical Zero-Day Vulnerabilities in Latest Android Security Update appeared first on Cyble.

Blog – Cyble – ​Read More

GodFather Malware Expands Its Reach, Targeting 500 Banking And Crypto Applications Worldwide

GodFather Malware

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified a new variant of the GodFather malware, now targeting 500 banking and cryptocurrency apps.
  • Initially focused on regions like the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach to include Japan, Singapore, Greece, and Azerbaijan.
  • The GodFather malware has transitioned the Java code implementation to the Native code for its malicious activities.
  • In its latest version, the GodFather malware uses limited permissions, relying heavily on Accessibility services to capture credentials from targeted applications.
  • This updated variant also includes new commands that enable the malware to automate gestures on infected devices, mimicking user actions.
  • The Threat Actor(TA) behind GodFather malware uses a phishing site to deliver the suspicious app and tracks visitor counts to plan further activity.

Overview

Cyble Research and Intelligence Labs (CRIL) recently identified a phishing site, “mygov-au[.]app,” masquerading as the official MyGov website of the Australian Government. Upon further analysis, this site was found to be distributing a suspicious APK file linked to the GodFather Malware, known for its ability to steal banking application credentials.

Figure 1 – Phishing site impersonating myGov website distributing APK file

The downloaded application, “MyGov.apk”, communicates with the URL “hxxps://az-inatv[.]com/.” This app is programmed to track the number of devices it is installed on, retrieve the device’s IP address, and store this information on the server in a text file. Figures 3 and 4 show the code of index.php and count.php responsible for getting the count and IP address.

Figure 2 – Malware loading URL, which maintains the counter

Figure 3 – Getting counts and IP addresses

Figure 4 – Getting the IP address of an infected device

The URL “hxxps://az-inatv[.]com/” hosted an open directory containing a file named counters.zip, which included the total count of infected devices and a list of IP addresses. Additionally, the directory featured a page labeled “down” that hosted another APK file called “lnat Tv Pro 2024.apk.” Upon analyzing this APK, it was identified as the GodFather Malware.

Figure 5 – Open directory hosting counters.zip and GodFather malware

Upon examining the counters.zip file, we found 151 counts in hit.txt and 59 unique IP addresses, reflecting the targeted device count. While the MyGov application collected this data, we suspect the TA may leverage this visitor information to identify potential victim counts and later use the same website to distribute the GodFather malware.

Figure 6 – Counters.zip content

Notably, we observed that the latest variant of the GodFather malware has moved from Java code to native code implementation. It is now targeting 500 banking and cryptocurrency applications and expanding its reach to Japan, Singapore, Azerbaijan, and Greece. Further details on this new variant of GodFather are provided in the following section.

Technical Details

In the latest version, the GodFather malware operates with minimal permissions, relying heavily on the Accessibility service to carry out its malicious activities.

Figure 7 – Manifest with limited permissions

Native Code Implementation

Starting our analysis with the classes specified in the manifest file, we observed that the malware calls numerous native methods, which were previously implemented in Java code.

Figure 8 – Calls to native methods

These native functions implement various malicious capabilities, including loading an injection URL into the WebView, executing automated gestures, establishing connections with the Command and Control (C&C) server, and keylogging.

Figure 9 – Native code implementation

C&C Server

Similar to the previous variant, the latest samples also connect to the Telegram URL “hxxps://t.me/gafaramotamer,” where the TA has embedded a Base64-encoded C&C URL. The malware retrieves and decodes this URL to “hxxps://akozamora[.]top/z.php.”

Figure 10 – Malware fetches C&C server URL from Telegram Profile

Targeting 500 Crypto and Banking Applications

After decoding the URL, the malware begins communication by sending data such as the list of installed application package names, the device’s default language, model name, and SIM name. In return, it receives a list of 500 targeted application package names associated with banking and cryptocurrency apps. In addition to previous targets in the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach, now including Japan, Singapore, Greece, and Azerbaijan.

Figure 11 – Receives the list of target application package names

When the user tries to interact with the target application, the malware closes the genuine application. Instead, it loads a fake banking or crypto login URL into the WebView or displays a blank screen. It constructs the injection URL using the C&C server “hxxps://akozamora[.]top/” and appends the endpoint “rx/f.php?f=” along with the device name, package name, and default language, then loads the assembled URL in the WebView.

Figure 12 – Loading fake login pages

The GodFather malware has successfully replaced the traditional overlay attack with this technique. Rather than launching the legitimate application, the malware activates itself and loads a phishing page to steal banking credentials.

Commands Added In New Version

The previous version included commands for USSD and SMS operations, which have been removed in the latest version. Additionally, this malware version lacks permission to collect or send SMS messages from the infected device. Instead, the newly added commands focus primarily on automating actions on the infected device. Below is a list of commands observed in the latest version of the GodFather malware.

Command Description
clickposition Malware clicks on the position X and Y received from the server
backed Take the user to the previous screen
home Take the user to the home screen
recents Take the user to the recent screen
scrollforward Malware scrolls the page forward using the given parameter
scrollback It scrolls the page backward till using the provided parameter
opencontrol Perform gestures on the target app
setpattern Receives some value from the server and saves it to a shared preference variable “pc”
screenlight Manages the brightness of the screen
sl2 Setting up a wake lock to keep the device awake
sl3 Similar to sl2
autopattern The value received using “setpattern” command is used to insert on the device screen using the accessibility service.
csn Set the timer to initiate the WebSocket connection
swpfull Perform swipe operation
upswp Perform swipe up
downswp Perform swipe down
leftswp Perform left swipe
rightswp Perform right swipe
vncreset Not Implemented
opnap Open the application whose package name is received from the server
gif Loads Gif from link “hxxps://s6.gifyu.com/images/S8uz3.gif”
opnsttings Opens setting app
opnsound Opens sound setting
opnmsc Opens notification setting
opnpckg Not Implemented
notifyopen Opens notification using Accessibility service

Conclusion

The latest version of the GodFather malware shows how dangerous and adaptable mobile threats have become. By moving to native code and using fewer permissions, the attackers have made GodFather harder to analyze and better at stealing sensitive information from banking and cryptocurrency apps. With its new automated actions and broader targeting of apps in more countries, this malware poses a growing risk to users worldwide. Staying alert and using strong security practices on mobile devices is essential to avoid falling victim to threats like GodFather.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic Technique ID Procedure
Initial Access (TA0027) Phishing (T1660) Malware distributing via phishing site
Execution (TA0041) Native API (T1575) Malware using native code to drop final payload
Persistence (TA0028) Scheduled Task/Job (T1603)   Uses timer to initiate WebSocket connection
Defense Evasion (TA0030) Masquerading: Match Legitimate Name or Location (T1655.001) Malware pretending to be a genuine Music application
Defense Evasion (TA0030) Application Discovery (T1418) Collects installed application package name list to identify target
Defense Evasion (TA0030) Input Injection (T1516) Malware can mimic user interaction, perform clicks and various gestures, and input data
Collection (TA0035) Input Capture: Keylogging (T1417.001) Malware can capture keystrokes
Discovery (TA0032) System Information Discovery (T1426) The malware collects basic device information.
Command and Control (TA0037) Web Service: Dead Drop Resolver (T1481.001) Malware communicates with Telegram to fetch C&C server
Exfiltration (TA0036) Exfiltration Over C2 Channel (T1646) Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e e789b03b60ad99727ea65b52ce931482fb70814e 87ccf62e07cf69c25a204bffdbc89630 SHA256 SHA1 MD5 Analyzed GodFather malware
hxxps://akozamora[.]top/   URL C&C server
hxxps://t.me/gafaramotamer URL Malware fetching C&C from Telegram URL
hxxps://az-inatv[.]com URL URL hosting new GodFather variant
mygov-au[.]app Domain Phishing domain distributing counter app
8ae2fcc8bef4d9a0ae3d1ac5356dbd85a4f332ad497375cd217bd1e945e64692 d57ef894b53f804c97d40c3e365faf729ce2ea7386b280f9909ebc8432008eee d508078368d8775fcfff5a7886392da57fcf757c89687f22c0504c3df9075b00 b3d3019ed0a4602fb7e502e54ac12a59da1a0ed7b6736feb98ce7c417091b2e6 3aa7e2353c2de16734f612eba7b43a2538d96f73702a6c25283d6ef0c9300a4c 1ce2a392dd2c1df22dfeb080c7ad290d63e3afe983729927b2f15c6705861070 d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e 0c9e2ae9c699374f06a6d38cf2ea41232fc8a712e110be8069b08659fdf50514 19ed4f67710d455da42017de28688f5e55ed36809cc70252d825ac81713e95d1 7b4543cc4df1fc57af2cd9a892b2fab3647bdceb027d576217724a8c012a2065 2b1b527b87929a13f0c33391c641b3013da099fd7de10695d762da097bc13ffc 2b1b527b87929a13f0c33391c641b3013da099fd7de10695d762da097bc13ffc 72d40ff8ad114724b8d4e0350f81f797866c0f271844aeddc3b92f33faa6fbc0 SHA256 New GodFather variant hashes

The post GodFather Malware Expands Its Reach, Targeting 500 Banking And Crypto Applications Worldwide appeared first on Cyble.

Blog – Cyble – ​Read More

Release Notes: TI Lookup Notifications, Upgraded Linux Sandbox, STIX Reports, and More 

Welcome to ANY.RUN‘s monthly updates, where we share our latest achievements and improvements. 

October has been another productive month here at ANY.RUN, filled with new features to enhance your cybersecurity toolkit. We’ve introduced TI Lookup Notifications for real-time threat updates, rolled out a newly improved Linux sandbox for smoother malware analysis, and added the ability to export STIX reports for seamless data sharing. 

In addition, we’ve expanded our detection capabilities with a range of new signatures and YARA rules, empowering you with even stronger threat coverage. 

And that’s just the beginning!  

Let’s dive into all the exciting updates from ANY.RUN this month. 

Product Updates

Upgraded Linux Sandbox  

At ANY.RUN, we’re always working to improve our services, and this time, we’ve focused on making our Linux sandbox even better. This upgrade brings a seamless, stable experience on par with our Windows environment, making it easier than ever to analyze Linux malware in real time. 

Upgraded Linux sandbox

We’ve fine-tuned the Linux sandbox with new features and enhancements to boost both performance and usability. Here’s a quick overview of what’s new and how these updates benefit you: 

  • File events tracking: Monitor and log all file actions—whether malware is creating, modifying, or deleting files, you’ll see it all in the analysis report. 
  • Improved process tree: Navigating the process tree is now lag-free, letting you analyze malware behaviors more efficiently. 
  • Real-time file uploads: You can now upload files during an active session, adding flexibility to your investigation without needing to restart. 

See all updates in our blog post.

Try malware and phishing analysis
in ANY.RUN’s Linux sandbox for free 



Try it now


STIX Reports 

In October, we enhanced ANY.RUN’s capabilities by introducing the option to export threat analysis data in the Structured Threat Information eXpression (STIX) format. STIX is a standardized language that facilitates consistent and machine-readable sharing of cyber threat intelligence. 

Click Export → STIX to download threat data 

Key features of STIX reports: 

  • Comprehensive data inclusion: Each STIX report encompasses a wide range of information from your analysis, such as sandbox session links, file hashes, network traffic details, file system modifications, and Tactics, Techniques, and Procedures (TTPs). 
  • Seamless integration: These reports are compatible with Security Information and Event Management (SIEM) systems and other automated tools, promoting efficient threat detection and response. 
  • Enhanced collaboration: By utilizing STIX reports, analysts and incident response teams can effortlessly share threat data across various platforms, improving communication and coordination. 

Discover all types of reports available in the ANY.RUN sandbox.

TI Lookup Notifications 

We have enhanced Threat Intelligence Lookup with Notifications. The new functionality allows users to subscribe to real-time updates on new results related to their specific queries. This includes Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs). 

Notifications in TI Lookup are easy to set up

After subscribing to specific queries, the new results will appear in the dashboard, highlighted in green. This will make it easier for you to notice the fresh updates. 

Why use Lookup Notifications? 

  • Automatically monitor and receive updates for your chosen queries, so you never miss critical threat information. 
  • Tap into threat data sourced from samples uploaded by over 500,000 security pros using ANY.RUN’s Interactive Sandbox, giving you a broad view of global cyber activity. 
  • Keep track of IOCs, IOAs, and IOBs relevant to your organization, helping you verify potential threats and proactively strengthen your defenses. 
  • Use real-time insights to refine detection rules, enrich your data, and stay prepared against emerging threats. 

See a guide on how to set up notifications in TI Lookup.

Enrich your threat investigations with data
from TI Lookup 



Request trial


Export Session Lists from Team History 

We’ve introduced a new feature that allows you to export analysis session lists from your team’s history in a specific JSON format. This export provides a structured list of all sandbox sessions completed by your team. 

This feature is designed to help with record-keeping and reporting, making it easier to manage and track your team’s activities over time. 

Custom Tags for Analysis Sessions via API 

We’ve added the ability to set custom tags for sandbox sessions via the API. Previously, you could assign personalized tags to sessions through the web interface, in addition to the system-generated tags. Now, you can do the same directly through the API, giving you more flexibility in organizing and categorizing your analyses. 

Redesigned Threat Intelligence Home Screen with MITRE ATT&CK Matrix 

We’ve redesigned our Threat Intelligence home screen to give you a clearer and more intuitive view of the threat landscape.

Redesigned Threat Intelligence home screen

The updated home screen now features a MITRE ATT&CK matrix with refined techniques and tactics, helping you better assess and understand threats. 

Threat Coverage Updates 

In October, we’ve significantly expanded our detection capabilities with new and updated signatures and YARA rules. 

New Signatures 

This month, we’ve added 90 new signatures to improve detection and monitoring across various malware types and tools, including:

VOBFUS

BASUN

SYSBOT

TIWI

NESHTA

KMS Tool

Blackshades

Modiloader

Shellrunner

Revenge

GoToHttp

AnyDesk

Emmenhtal

SkypeLogView

LockBit3

Ngrok

PSExec

COBINT

ProcDump 

PowerView

SecretsDump 

We added signatures for actions performed via PowerShell: 

  • Resets Windows Defender malware definitions to the base version  
  • Changes settings for sending potential threat samples to Microsoft servers  
  • Changes settings for reporting to Microsoft Active Protection Service (MAPS)  
  • Changes Controlled Folder Access settings  
  • Changes settings for real-time protection  
  • Changes settings for checking scripts for malicious actions  
  • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)  
  • Changes settings for protection against network attacks (IPS)  
  • Removes files via Powershell 
  • Renames file via Powershell 
  • Hides errors and continues executing the command without stopping  

We also implemented detection for Pafish, aka Paranoid Fish, execution with cohost.exe as a parent process, and encrypted JSE scripts.

YARA Rules 

This month, we’ve expanded our YARA rule set with several new and improved detections, enhancing the ability to identify and monitor specific threats.  

In total, we’ve added 9 new YARA rules, covering various malware families, programming language-based detections, and refinements for better accuracy.

Unknown Stealer (go)  

PureCrypter  

DarkGate  

HijackLoader   

Network Detection Update 

In October, we worked to enrich our database with phishing IOCs, leveraging advanced data analysis within TI Lookup. This effort led to the identification of nearly 6,000 domains, each generating a dedicated Suricata rule

 Most of the rules are now live, strengthening our phishing detection capabilities. 

We also expanded our catalog of detected phishing kits with the addition of Mamba2FA, enhancing our overall threat coverage.

Our external threat intelligence this month focused on proactively detecting phishing campaigns by groups like Storm, allowing us to better track and respond to their evolving tactics. 

Heuristic and Proactive Phishing Detection

This month, our phishing detection capabilities have been enhanced with advanced heuristics and proactive signatures. Here are some examples of recent detections: 

  • Heuristic signature detection: PHISHING [ANY.RUN] Domain chain identified as Phishing (challengepoint). View analysis session 
  • Statistical analysis detection: Using statistical processing of previously detected phishing patterns, we flagged PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain (logbook-annul-srt[.]click) as a high-risk domain. View analysis session 
  • External threat intelligence detection: Through threat intelligence from external sources, we identified PHISHING [ANY.RUN] Suspected AiTM Storm1575 Domain Phishing Infrastructure (eslebrrte[.]com, eslebrrte[.]de), linked to the Storm1575 phishing campaign. View analysis session 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Request free trial of ANY.RUN’s products →

The post Release Notes: TI Lookup Notifications, Upgraded Linux Sandbox, STIX Reports, <br>and More  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Cybersecurity and Influence Operations Threaten Integrity of U.S. Elections, Warns FBI, CISA, and ODNI

CISA

Overview

As the United States nears another election cycle, the nation faces an increased risk of influence operations targeting the democratic process. In a joint statement, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) highlighted growing concerns about foreign interference—particularly from Russia and Iran—in efforts to undermine public trust in the integrity of the U.S. election system.

According to the intelligence community (IC), foreign adversaries, especially Russia, are intensifying their influence campaigns to sow distrust and division among American voters. These activities are expected to escalate as election day draws closer, with Russia’s influence actors primarily focusing on critical swing states, where their efforts could have the most significant impact.

The IC’s assessment reveals that Russian influence actors are engaging in the creation and dissemination of fake media content designed to manipulate public opinion. “Since our statement on Friday, we have observed additional influence operations that seek to stoke divisions and question the legitimacy of the election process,” stated the joint statement. The fabricated videos and articles are part of a broader strategy aimed at generating fear and confusion, particularly around voting procedures.

One recent example includes a video circulating online that falsely portrays an interview with an individual alleging election fraud in Arizona, involving bogus overseas ballots and tampering with voter rolls to favor Vice President Kamala Harris. The Arizona Secretary of State has already debunked this claim as entirely false.

In addition to spreading misinformation, CISA says that the Russian operatives are amplifying the false narrative that U.S. officials across several swing states are orchestrating widespread election fraud, such as ballot stuffing and cyberattacks. These fabricated stories have the potential to incite violence, particularly against election officials. As these false claims continue to spread, Russian influence actors are expected to release more of such content throughout election day and in the aftermath of the vote, exacerbating tensions across the nation.

Iran’s Role in Election Cybersecurity Threats

Iran, while less active than Russia, continues to pose a significant cybersecurity threat to the upcoming elections. As highlighted in previous reports, Iran has been involved in cyber activities targeting U.S. political figures, including former President Donald Trump’s campaign.

The U.S. intelligence community also notes that Iran’s influence operations are likely to include the creation of fake media content designed to suppress voter turnout or incite political violence. Additionally, Iran has maintained a desire for retribution against specific U.S. officials tied to the death of Iranian General Qassem Soleimani in 2020, and this could influence its approach to future election-related activities.

Iranian operatives, like their Russian counterparts, have long sought to manipulate public perception through false narratives, amplifying divisiveness and spreading misinformation. While the Iranian government’s influence operations may not be as widespread or sophisticated as Russia’s, they remain a persistent threat to election integrity.

FBI and CISA’s Call to Action for Election Security

Considering these growing threats, both the FBI and CISA are urging election stakeholders to remain vigilant and proactive in securing election infrastructure and preventing the spread of disinformation. “Voters should seek out information from trusted, official sources, particularly from state and local election officials,” the agencies recommended.

 CISA further emphasized the importance of reporting any suspicious or criminal activity related to election security. Election infrastructure stakeholders, as well as the public, can report cyber incidents or suspicious activity to CISA via its dedicated reporting channels, such as calling 1-844-Say-CISA or emailing report@cisa.dhs.gov.

The FBI and CISA also continue to encourage campaigns, election officials, and other stakeholders to remain in close contact with local Election Crime Coordinators to report potential security threats. These collaborative efforts are essential to counter the growing wave of influence operations and to ensure that the U.S. election process remains free from foreign manipulation.

CISA and EAC’s Support for State and Local Election Officials

In a related statement, CISA, along with the U.S. Election Assistance Commission (EAC), reiterated its support for state and local election officials as they prepare for the election. These officials, often working behind the scenes, play a critical role in ensuring that the election process runs smoothly and securely. “We are proud to support the hard work and dedication of election officials across the country,” CISA Director Jen Easterly said. “They are the heroes of our democracy, and we stand with them as they continue their tireless efforts to safeguard the integrity of our elections.”

The EAC also issued a joint statement, acknowledging the extensive preparation that has gone into ensuring the security of the 2024 election. “Planning for tomorrow’s election began four years ago,” said the EAC, emphasizing the comprehensive efforts made at both the state and local levels to address potential challenges. While operational issues may arise—such as delays at polling locations or power outages—election officials are prepared to handle such contingencies and ensure that every eligible vote is counted accurately.

The statement also addressed the importance of understanding that election night results are unofficial, as media outlets call the races based on preliminary results. “Accurately counting millions of ballots takes time, and we ask Americans to be patient during this process,” the EAC urged. It further emphasized that recounts and audits are standard procedures to ensure election accuracy, which will be conducted in accordance with state and territorial laws.

Fighting Disinformation: A Collective Effort

The growing sophistication of influence operations—especially those linked to Russia—has prompted the U.S. government to take proactive steps in combating foreign disinformation campaigns. The FBI, CISA, and other agencies are working around the clock to track and disrupt foreign interference in U.S. elections. In addition to technical defenses, these agencies are actively engaged in educating the public about the dangers of inauthentic content and misinformation.

The impact of influence operations, particularly in swing states, cannot be overstated. As foreign actors continue to amplify divisive rhetoric and fabricate stories about election fraud, it is essential that Americans rely on trusted sources for accurate information. State and local election officials, supported by CISA and the EAC, will continue to be the primary resources for election integrity.

Voters are encouraged to stay informed by consulting official channels, and to report any suspicious activity or potential cyber threats they encounter. “We are all in this together,” said Easterly. “It is up to every American to help protect the democracy that we all value.”

Conclusion

The U.S. elections are expected to be a critical test of the nation’s resilience against foreign influence operations and cyber threats. With Russia and Iran poised to continue their interference campaigns, it is important that the American public, election officials, and cybersecurity agencies work together to protect the electoral process. As foreign influence actors ramp up their activities, vigilance, awareness, and collaboration will be key to ensuring that the 2024 elections remain secure and free from foreign manipulation.

Sources: https://www.cisa.gov/news-events/news/joint-statement-cisa-and-eac-support-state-and-local-election-officials

https://www.cisa.gov/news-events/news/joint-odni-fbi-and-cisa-statement-1

The post Cybersecurity and Influence Operations Threaten Integrity of U.S. Elections, Warns FBI, CISA, and ODNI appeared first on Cyble.

Blog – Cyble – ​Read More

Critical Vulnerabilities in PTZ Cameras: CISA Adds New Exploits to Its Catalog

PTZ Cameras

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, spotlighting security flaws in Pan-Tilt-Zoom (PTZ) cameras.

The vulnerabilities, which affect specific PTZOptics camera models, pose a considerable risk to organizations that rely on these devices for surveillance, live streaming, and conference automation.

These flaws could be leveraged by malicious actors to execute OS command injections or bypass authentication controls, exposing sensitive systems to potential breaches.

Vulnerabilities in PTZOptics Cameras: CVE-2024-8956 and CVE-2024-8957

The two vulnerabilities—CVE-2024-8956 and CVE-2024-8957—affect the PT30X-SDI/NDI series of PTZ cameras from PTZOptics. These devices, which are also embedded in various white-label AV equipment, are vulnerable to critical security flaws that could allow attackers to gain unauthorized access and execute arbitrary commands. Here’s an overview of each vulnerability:

  1. CVE-2024-8956: Authentication Bypass Vulnerability

  1. CVSS Score: 9.1 (Critical)
    1. Description: This authentication bypass vulnerability affects the PTZOptics PT30X-SDI and PT30X-NDI-xx-G2 cameras running versions prior to 6.3.40. Due to improper authorization, attackers can remotely access the cameras without authentication. This allows them to leak sensitive data, including usernames, password hashes, and device configuration details. Additionally, attackers can modify or overwrite the configuration files, compromising the system’s integrity.

    1. Impact: The vulnerability provides attackers with the ability to access critical configuration files and potentially disrupt operations by altering camera settings.

  • CVE-2024-8957: OS Command Injection Vulnerability
    • CVSS Score: 9.8 (Critical)
    • Description: This OS command injection vulnerability arises from insufficient validation of the ntp_addr configuration value in the PTZOptics cameras. When the ntp_client service is started, the flaw allows remote attackers to execute arbitrary commands on the affected devices. When combined with the previous authentication bypass vulnerability (CVE-2024-8956), an attacker could leverage both vulnerabilities to perform even more damaging actions, such as executing malicious commands remotely.

    • Impact: Attackers can exploit this flaw to compromise the camera’s operating system, potentially allowing them to gain full control over the device and even spread their attack within a network.

CISA’s Action: Immediate Attention Required

PTZ cameras are widely used across various industries for surveillance, broadcasting, and remote monitoring, making them a prime target for cybercriminals. The authentication bypass vulnerability and OS command injection vulnerability in these cameras represent frequent attack vectors for malicious cyber actors, who often exploit such flaws to gain unauthorized access, exfiltrate sensitive data, or even take control of critical systems.

Organizations that utilize PTZ cameras in their infrastructure are strongly advised to patch these vulnerabilities immediately to mitigate potential security risks. The vulnerabilities disclosed in PTZOptics cameras are part of a broader trend of vulnerabilities in Pan-Tilt-Zoom (PTZ) cameras, which have increasingly become targets for attackers due to their prevalence in critical systems. OS command injection vulnerabilities and authentication bypass vulnerabilities in cameras expose organizations to severe security risks, especially when these devices are connected to the internet without proper safeguards.

PTZ cameras, like many IoT devices, often operate with limited built-in security measures. These devices typically have embedded software and firmware that can be vulnerable to attack, especially when manufacturers fail to release timely security updates. Additionally, the growing use of white-label AV equipment based on third-party camera firmware further complicates the security landscape, as these devices may not receive adequate vendor support.

Both CVE-2024-8956 and CVE-2024-8957 are acknowledged by ValueHD Corporation, the vendor behind the PTZOptics camera models. The company has released a patch for the affected camera models to address these vulnerabilities. Customers using PTZOptics PT30X-SDI and PTZOptics PT30X-NDI-xx-G2 cameras should immediately upgrade to version 6.3.40 or later to prevent exploitation.

Recommendations and Mitigating for PTZ Camera Vulnerabilities

To address the risks by vulnerabilities in PTZ cameras, organizations should implement several best practices to protect their systems from potential exploitation:

  1. As soon as a vendor releases a patch addressing critical vulnerabilities like authentication bypass or OS command injection, organizations should prioritize its installation. Delays in patching can expose devices to active attacks.
  2. Critical devices, including PTZ cameras, should not be exposed directly to the internet. Organizations should segment their networks to isolate critical assets and use firewalls and access controls to limit exposure.
  3. Implementing a patch management process that includes inventory management, patch assessment, testing, and deployment can help ensure that vulnerabilities are addressed in a timely manner across the entire infrastructure.
  4. Organizations should have a clear and tested incident response plan in place to quickly detect, respond to, and recover from security incidents. This plan should be aligned with current threat landscapes and should include procedures for addressing vulnerabilities like those found in PTZ cameras.
  5. Continuous monitoring and logging are essential for identifying suspicious activity and detecting potential threats. Security Information and Event Management (SIEM) systems can help aggregate and correlate logs for real-time threat detection.
  6. Organizations should assess the criticality of any End-of-Life (EOL) products, including PTZ cameras, and plan for timely upgrades or replacements. Using outdated devices increases the risk of exploitation, as they may no longer receive security patches.

Conclusion

The critical vulnerabilities in PTZ cameras, including the OS command injection and authentication bypass vulnerabilities, highlight the importance of securing embedded devices used in modern enterprise environments.

As PTZ camera vulnerabilities become a vector for cyberattacks, organizations must act quickly to patch affected devices and adopt stronger security practices. Timely patching, network segmentation, and comprehensive monitoring are key to protecing systems against the growing threat posed by such vulnerabilities in Pan-Tilt-Zoom cameras.

With active exploitation of these vulnerabilities in the wild, organizations that rely on PTZ cameras should prioritize security assessments and patch management to protect sensitive data and maintain system integrity.

Sources: https://ptzoptics.com/firmware-changelog/

https://www.cisa.gov/news-events/alerts/2024/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog

The post Critical Vulnerabilities in PTZ Cameras: CISA Adds New Exploits to Its Catalog appeared first on Cyble.

Blog – Cyble – ​Read More

Security and privacy settings in ASICS Runkeeper | Kaspersky official blog

We’ve already discussed how most tracking apps provide minimal protection for your personal data by default. Routes and workout times, your fitness data and photos from your runs are usually publicly available online unless you explicitly block them. The consequences, as we’ve written, can be disastrous — ranging from leaks of secret facility locations to stalking and even attempted murder.

To avoid this, you need to configure both your smartphone in general and running apps in particular. You can find our instructions for the most popular running trackers via these links: Strava, Nike Run Club, MapMyRun, adidas Running.

Today, wrapping up our review of training-app privacy settings, we’ll explain how to properly configure ASICS Runkeeper (for both Android and iOS).

Like other major sportswear brands like Nike and adidas, the Japanese company ASICS, well-known for its running shoes, didn’t try to reinvent the wheel. Instead, it just acquired the popular running tracking app Runkeeper, and didn’t even rename it — simply adding its brand name to give us ASICS Runkeeper.

The privacy settings in ASICS Runkeeper — like in the other running apps — are not so easy to find. If you click on the gear icon in the upper left corner of the main screen, you won’t find them there — those are activity settings. Instead, click Me in the lower left corner, then click the gear icon in the upper right corner, and on the next page, select Privacy Settings.

Privacy settings in the ASICS Runkeeper running app

Where to find privacy settings in ASICS Runkeeper: Me → Settings → Privacy Settings

These settings are basic — there are only three items on the page. The key thing to do here is to make sure the switch next to Public Account is turned off. I also recommend going into the Maps and Activities sections and changing the visibility from Followers to Only Me (in Runkeeper, the Everyone option appears only for public accounts).

All privacy settings in ASICS Runkeeper

ASICS Runkeeper’s privacy settings are quite minimal

It’s also a good idea to adjust the types of notifications ASICS Runkeeper can send you (there are many in the settings) by going back to Settings and choosing Push Notifications. Next to that option, there’s an Email Notifications section where you can turn off email notifications from the app.

Finally, if you decide to stop using Runkeeper, don’t forget to delete your data from the app. You can do this by going to SettingsAccount SettingsDelete Account. You can also download your data before deleting it.

If you use other tracking apps for your workouts, you can configure their privacy settings using our guides:

To learn how to configure privacy in other apps — from social networks to browsers — visit our website Privacy Checker.

And Kaspersky Premium will maximize your privacy protection and prevent digital identity theft across all your devices.

Don’t forget to subscribe to our blog to get more instructions and useful articles so that scammers will always… eat your dust.

Kaspersky official blog – ​Read More

Expert Q&A: Dr. Jim Furstenberg on Cybersecurity Education and Practice 

Dr. Jim Furstenberg is a distinguished faculty member in the Ferris State University Information Security and Intelligence program. Since joining the faculty in 2014, he has combined his extensive industry experience — including roles as Chief Information Officer, Cybersecurity Consultant, and Chief Operating Officer — with his passion for teaching. 

With an information technology/security career spanning sectors such as retail, healthcare, and nonprofit organizations, Dr. Furstenberg brings a wealth of practical knowledge to the classroom. He is not only a licensed Private Investigator specializing in digital forensics and cyber investigations but also the founder of Kalos Cybersecurity LLC. As a retired team leader in Michigan’s Cyber Partners Incident Response (MIC3), he has played a pivotal role in educating and responding to cyber incidents across public and private sectors. 

In this interview, Dr. Furstenberg shares insights into how his real-world experience shapes his teaching methods, the differences between educating students and training professionals, and the critical importance of hands-on learning in cybersecurity. He discusses the integration of tools like ANY.RUN‘s interactive malware sandbox into his curriculum, the evolving landscape of cybersecurity education, and the essential skills students need to thrive in this dynamic field.  

Join us as we explore Dr. Furstenberg’s approach to fostering the next generation of cybersecurity experts. 

On the approach to teaching 

Q: As someone coming from a practical background, how does your industry experience shape your teaching methods? 

Dr. Jim Furstenberg: My industry experience informs my teaching methods in several ways. First, it allows me to provide real-world experiential learning and examples that make cybersecurity concepts more relatable and engaging for students. I emphasize hands-on-keyboard practical applications of theoretical knowledge; helping students understand how their learning can be applied in actual work environments.  

I also foster a collaborative learning environment, similar to what they would experience in a professional setting, i.e., group projects that prepare them for teamwork and communication in their careers. I draw on industry best practices to create relevant assignments and projects, encouraging students to develop skills that are in demand. 

Additionally, our Information Security and Intelligence (ISIN) program’s faculty team draws on over 20 years of work experience ranging from leadership positions in multibillion-dollar corporations, healthcare, nonprofits, law enforcement, and licensed professional investigators.  

ISIN Faculty includes a Distinguished Professor, Michigan Professor of the Year, multiple Fulbright Scholars, and International Educator of the Year. Our faculty team has taught on four continents, including teaching digital forensics to the entire federal cybercrime units in Chile and Perú. In 2023,  I was nominated for Outstanding Professor of the year by students; although I did earn the award, just the nomination meant a lot to me.   

Finally, I am still active and, in the cybersecurity, and digital forensics profession and industry. I own my own cybersecurity business, and those firsthand client engagements and experiences help me stay updated on industry trends and challenges, allowing me to incorporate current topics into the curriculum and ensure that students are equipped for the future job market. 

Q: What are the main differences you see in how you tailor your approach to educating students versus training employees in cybersecurity? 

Dr. Jim Furstenberg: When tailoring my approach to educating students versus training employees in cybersecurity, several vital differences emerge: 

  • Learning Objectives: For students, the focus is often on foundational knowledge and theory, while employee training is more about practical skills and immediate application. I emphasize real-world scenarios and problem-solving in corporate training. 
  • Curriculum Depth: Student programs may explore a broader range of topics to provide a comprehensive understanding, whereas employee training is typically more targeted, addressing specific skills or compliance requirements relevant to their roles. 
  • Engagement Strategies: Students may benefit from various teaching methods, including lectures, discussions, and group projects, to foster critical thinking. In contrast, employee training often involves hands-on workshops, simulations, and table top exercises to engage them in real-life situations. 
  • Assessment Methods: Student assessments might include exams, essays, and projects to gauge theoretical and skill understanding. For employees, assessments, such as hands-on tests or simulations, are often more practical to measure their ability to apply skills in real-world scenarios. 
  • Feedback and Adaptation: In an academic setting, feedback can focus on personal and professional growth and deeper understanding, while in corporate training, it is crucial to provide immediate, actionable feedback to improve job performance quickly. 
  • Motivation and Mindset: Students may be motivated by grades and learning for the sake of knowledge, while employees are often driven by career advancement, job performance, and the application of skills, which can shape how I present material and relate it to their goals. 

Q: As cyber threats keep changing, how do you balance providing a broad foundation in core cybersecurity principles with keeping your curriculum up-to-date on the latest threats? 

Dr. Jim Furstenberg: It is undoubtedly challenging, but since I am actively involved in the profession and not just teaching, I often look for and bring the business reality into the classroom by engaging top-notch vendor solutions into the classroom for practical skills engagement.  

I am grateful for partnerships with vendors like ANY.RUN, which allows me to do this. While many vendors focus solely on short-term profits, several best-in-class companies we partner recognize the importance of providing low or no-cost access to their products for students. This approach enables real world application/learning and helps create future advocates for their solutions. 

Learn about ANY.RUN’s educational program
Security Training Lab
Get a quote for your university 



Get a quote


Q: How do you measure the success of your cybersecurity curriculum? Is it based on student feedback, job placement rates, or other factors? 

Dr. Jim Furstenberg: We measure success by assessing our students’ employability, gathering feedback from their internships, and the overall feedback from the government and industry regarding our alums. Additionally, our program holds national recognition and rigorous accreditations. For instance, in 2017, the ISI undergraduate program earned ABET Engineering Accreditation for Cybersecurity, becoming one of the first seven universities in the nation to achieve this distinction.  

Moreover, the National Security Agency and the Department of Homeland Security have designated Ferris State University as a National Center of Academic Excellence in Cyber Defense Education, as well as The Department of Defense Cyber Crime Center (DC3) and the Air Force Office of Special Investigations has named Ferris State University as the first university in the United States to obtain designation as a National Center of Digital Forensics Academic Excellence. 

On training methods and hands-on practice 

Q: Which methods have you found work best for teaching complex cybersecurity concepts?  

Dr. Jim Furstenberg: In short, experiential learning is essential—it involves hands-on experience while bridging the gap between academia and real-world realities. Our profession requires both knowledge and skills (technical & professional), along with a lifelong commitment to continuous learning and re-skilling oneself as it is constantly evolving, and our adversaries are highly skilled. 

Q: How do you incorporate real-world scenarios and hands-on labs into your teaching? 

Dr. Jim Furstenberg: There are numerous ways, but I will focus on three 

  • Hands-On Labs: Practical exercises allow students to engage with real tools and scenarios, helping them understand abstract concepts through direct experience. 
  • Case Studies: Analyzing real-world incidents provides context and relevance, illustrating the implications of cybersecurity practices and failures. 
  • Interactive Simulations: Using cyber warfare games and simulations, immerse students in threat detection, incident response, and other critical areas, enhancing their problem-solving skills. 

Q: Where does ANY.RUN’s interactive malware sandbox come into play in your curriculum? 

Dr. Jim Furstenberg: ANY.RUN provides students with access to a top-tier interactive malware sandbox, allowing them to understand the intricacies of malware hands-on. We integrate ANY.RUN labs with MITRE ATT&CK mapping and process enumeration, a collaboration made possible by ANY.RUN’s partnership and generosity.  

Students gain experience with a best of breed vendor and tools they are likely to encounter in the industry. ANY.RUN’s partnership with our program affords students to observe firsthand the full interaction of malware and its consequences. This real-world application enhances their understanding of how to respond to incidents with concrete artifacts and facts.  

Ultimately, ANY.RUN helps students articulate their findings and teaches them to adopt a pragmatic approach when creating defensive solutions and more importantly the ability to communicate visually what is happening and why to leadership and executives.


ANY.RUN cloud interactive sandbox interface

Security Training Lab

Discover ANY.RUN’s educational program for universities:

  • 30 Hours of Academic Content
  • Access to ANY.RUN Sandbox
  • Practical Learning



On advice to cybersecurity students 

Q: Students often struggle with balancing specialization and being a jack-of-all-trades. What advice do you give them for managing this throughout their career? 

Dr. Jim Furstenberg: This profession is not…Tube Socks… “one size does NOT fit all.” We emphasize the importance of self-discovery for students to seek out what they are genuinely passionate about. In cybersecurity, there are numerous horizontal and vertical paths to explore, all based on individual interests and passion. This passion for the profession makes it feel less like work and more of a mission. You have to be passionate about what you do…or why do it? 

However, a significant challenge is the vast knowledge domain and hands-on practical skills required. Students must navigate to their strengths to find their niche within it. This profession may not be for everyone, as it can lead to high burnout rates due to the extensive knowledge, skills, and the never-ending reality of “Cyber never sleeps”… an adage that continues to remain true as we face relentless attacks on our nation’s infrastructure and industries. 

I advise that a student’s approach to college should be to learn a profession, not just earn a degree. As professionals, we are passionate about our work, continually applying and updating our skills constantly, learning and even unlearning… as our profession constantly changes exponentially. In this profession, one never really “arrives,” but it is possible to be passionate about and master a specific niche. 

Q: What technical and soft skills do you notice students often lack when they enter the workforce? 

Dr. Jim Furstenberg: Get your face up from the device, look around, and actually talk to people. Behind all the cyber…there are real people. As time passes, I see students who are more introverted and anxious, often challenged to look at the person talking to them. After all, this is still a people business and people skills are critical. 

Technical Skills can be taught, however interpersonal and team player skills are acquired by first having a willingness to understand that interpersonal skills matter… and matter a lot; it’s a huge mistake to think that its only about the technical.  

Q: What essential recommendations would you give to students looking for their first job in cybersecurity? 

Dr. Jim Furstenberg: What separates a good cybersecurity analyst from a poor one is a combination of critical thinking, creativity, and persistence;  the emotional courage to keep going when things don’t work as expected. In cybersecurity, giving up is never an option. You need to buckle down and figure things out. 

Notice how technical skill is not on my list – because it can be learned; the attributes I listed above are a conscious choice. Furthermore, if cybersecurity were easy, anyone could do it. The truth is, it’s not easy, and not anyone can succeed in this field. 

As a student, it’s crucial to go beyond basic instructions and not give up when the first problem arises. Effective cybersecurity work often demands that you dig deeper to uncover issues that are not immediately obvious, as things are constantly changing. It’s about being resourceful, thinking critically, and persevering through challenges rather than stopping at the surface.  This mindset and discipline are essential for identifying and solving real-world security threats. They will set you apart as you grow in the field. 

On the future of cybersecurity education and work 

Q: How do you see AI affecting both the education and the tools and techniques used in professional cybersecurity settings? 

Dr. Jim Furstenberg: We have used AI for years in the infrastructure backend of appliances, so this is not new in my opinion. Only now is AI consumable so to say…  AI is and has been critical in cybersecurity to do what we do.  

I see more integration into areas where perhaps we had low to no visibility and time saving so the analyst can get Good Findings Fast (GFF)… AI’s speed and its ability to sort signal from noise more provides deeper integration pragmatically.  

Q: What factors, trends, or technologies do you see having the most significant impact on how we approach cybersecurity in the next three years? 

Dr. Jim Furstenberg: I see a deeper integration of Zero Trust. Companies finally understand that Cybersecurity is not an IT problem; it is an enterprise privacy and security issue, and it deserves a seat at the boardroom table.  

Cybersecurity is and should not be a department within IT — it is an integrated whole enterprise approach toward everything in the enterprise, not some bolted-on blinky appliance that IT manages; thankfully, this Luddite mentality appears to be finally waning. GDPR put some teeth into cybersecurity at the board and ownership level, and rightly so.

About ANY.RUN   

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.    

With ANY.RUN you can:  

  • Detect malware in under 40s.  
  • Interact with samples in real time.  
  • Save time and money on sandbox setup and maintenance  
  • Record and study all aspects of malware behavior.  
  • Collaborate with your team  
  • Scale as you need.  

Try all features of ANY.RUN for 14 days by requesting a free trial → 

The post Expert Q&A: Dr. Jim Furstenberg on Cybersecurity Education and Practice  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ICS Vulnerability Intelligence Report: Key Insights and Recommendations

ICS Vulnerability

Overview

Cyble Research & Intelligence Labs (CRIL) has investigated key ICS vulnerabilities this week, providing critical insights issued by the Cybersecurity and Infrastructure Security Agency (CISA), focusing on multiple flaws in several ICS products.

During this reporting period, CISA issued four security advisories targeting vulnerabilities across various Industrial Control Systems, including those from ICONICS, Mitsubishi Electric, VIMESA, iniNet Solutions, and Deep Sea Electronics. These advisories pinpoint ICS vulnerabilities that security teams should prioritize for immediate patching to mitigate potential risks.

The recent vulnerability assessment has revealed a high-severity path traversal vulnerability in SpiderControl SCADA. The Deep Sea Electronics DSE855 has also been identified as susceptible to a configuration disclosure vulnerability. This issue enables unauthorized access to stored credentials via an HTTP GET request directed at the Backup.bin file.

ICS Vulnerabilities Overview

The Cyble Research & Intelligence Labs (CRIL) analysis details several critical vulnerabilities, providing essential information to help organizations prioritize their mitigation efforts. The following vulnerabilities were identified as the most vulnerable ones to look out for and patch immediately, if susceptible:

  • CVE-2024-7587: This vulnerability affects the ICONICS Suite, including products like GENESIS64 and Hyper Historian. This vulnerability is categorized as an issue of incorrect default permissions, which poses a high-severity risk to control systems such as DCS, SCADA, and BMS. A patch is available for this vulnerability.
  • CVE-2024-9692: This vulnerability relates to the Blue Plus Transmitter from VIMESA. It involves improper access control and is rated as medium severity, impacting communication units and transmitters. A link to the patch is provided for this issue as well. 
  • CVE-2024-10313: This vulnerability highlights a path traversal vulnerability in the SpiderControl HMI Editor from iniNet Solutions. This vulnerability is also classified as high severity and affects human-machine interface systems. A corresponding patch is accessible.
  • CVE-2024-5947: The last vulnerability, CVE-2024-5947, is related to DSE855 from Deep Sea Electronics. This medium-severity vulnerability is characterized by missing authentication, affecting communication units and transmitters. A patch link is available for users to address this vulnerability.

The severity overview reveals that all disclosed vulnerabilities fall into medium and high severity categories but need urgent attention.

Recommendations and Mitigations

To effectively address the identified vulnerabilities and upgrade defenses, organizations should consider the following best practices:

  1. Staying informed about security/patch advisories from vendors and regulatory bodies is crucial for timely updates.
  2. Organizations should implement a risk-based vulnerability management strategy to minimize the potential for exploitation.
  3. Threat intelligence analysts should actively monitor critical vulnerabilities published in CISA’s Known Exploited Vulnerabilities (KEV) catalog, especially those that are being actively exploited in the wild.
  4. Effective network segmentation can prevent attackers from conducting reconnaissance and lateral movements, thereby reducing the exposure of critical assets.
  5. Frequent vulnerability assessments and penetration testing are essential for identifying and rectifying security weaknesses.
  6. Implement physical barriers to prevent unauthorized access to devices and networks.
  7. An effective incident response plan outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates ensure its relevance to current threats.
  8. Ongoing cybersecurity training for all employees, particularly those with access to OT systems, is crucial. Training should cover recognizing phishing attempts, proper authentication practices, and adherence to security protocols.

Conclusion

The vulnerabilities identified in this ICS vulnerability intelligence report call for urgent prioritization from organizations to take apt cybersecurity measures. With threats continuously evolving and exploits discussed in underground forums, staying vigilant and proactive is essential.

Implementing the recommendations outlined above will help organizations protect their critical infrastructure and maintain system integrity, ultimately reducing the risk of potential exploitation of ICS vulnerabilities.

Sources: https://www.cisa.gov/news-events/alerts/2024/10/31/cisa-releases-four-industrial-control-systems-advisories

The post ICS Vulnerability Intelligence Report: Key Insights and Recommendations appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Warns of Critical Vulnerabilities in Rockwell Automation’s FactoryTalk ThinManager

Rockwell Automation

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has alerted about new vulnerabilities in Rockwell Automation FactoryTalk ThinManager. The alert, designated ICSA-24-305-01, outlines serious security risks that could affect users of the software. With a CVSS v4 score of 9.3, these vulnerabilities demand immediate attention from security teams to safeguard industrial control systems.

The vulnerabilities identified in Rockwell Automation’s FactoryTalk ThinManager include “Missing Authentication for Critical Function” and “Out-of-Bounds Read.” These issues can allow remote attackers to manipulate databases or cause denial-of-service conditions.

The successful exploitation of these vulnerabilities poses a risk to users. Attackers could send specially crafted messages to FactoryTalk ThinManager devices, which might lead to serious consequences, including unauthorized database modifications or service disruptions.

Technical Details

Several versions of Rockwell Automation’s FactoryTalk ThinManager have been identified as vulnerable, including versions 11.2.0 to 11.2.9, 12.0.0 to 12.0.7, 12.1.0 to 12.1.8, 13.0.0 to 13.0.5, 13.1.0 to 13.1.3, 13.2.0 to 13.2.2, and version 14.0.0.

The first critical vulnerability, CVE-2024-10386, is categorized as “Missing Authentication for Critical Function” (CWE-306) and assigned a CVSS v3.1 base score of 9.8. This flaw allows network-accessible attackers to send crafted messages to FactoryTalk ThinManager, which could potentially result in database manipulation.

The second vulnerability, CVE-2024-10387, relates to an “Out-of-Bounds Read” (CWE-125) and poses a denial-of-service risk. It enables attackers with network access to send crafted messages that could disrupt FactoryTalk ThinManager’s operations. This vulnerability carries a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7, indicating a serious security concern.

Rockwell Automation has acknowledged these vulnerabilities, which significantly impact critical infrastructure sectors, particularly in manufacturing, and are deployed globally. To address the risks associated with these vulnerabilities, Rockwell Automation has made patches available for the affected versions on the FactoryTalk ThinManager download site and urges users to apply these updates without delay.

Additionally, users are advised to implement network hardening by restricting communications to TCP port 2031 only to necessary devices that require connection to the ThinManager. Following Rockwell Automation’s guidelines for security best practices is also encouraged to minimize risks in industrial automation control systems.

Recommendations from CISA

The Cybersecurity and Infrastructure Security Agency (CISA) recommends several defensive measures:

  1. Minimize network exposure for all control system devices, ensuring they are not accessible from the internet.
  2. Isolate control system networks and remote devices behind firewalls.
  3. Utilize secure methods for remote access, such as Virtual Private Networks (VPNs), while recognizing that these should be updated regularly.
  4. Perform comprehensive impact analysis and risk assessment before implementing defensive measures.
  5. Regularly review and apply security advisories from credible sources.

Conclusion

CISA encourages organizations to report any suspected malicious activity for tracking and correlation with other incidents. Currently, there have been no known public exploitations targeting these vulnerabilities.

Given the high severity of the vulnerabilities associated with Rockwell Automation’s FactoryTalk ThinManager, organizations must prioritize addressing these issues to maintain security within their industrial environments.

By adhering to recommended practices and implementing available patches, companies can reduce the risk of exploitation and protect their critical infrastructure.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-24-305-01

The post CISA Warns of Critical Vulnerabilities in Rockwell Automation’s FactoryTalk ThinManager appeared first on Cyble.

Blog – Cyble – ​Read More

Improvements to our SIEM for Q3 2024 | Kaspersky official blog

Clearly, the sooner malicious actions come to the attention of security solutions and experts, the more effectively they’re able to minimize, or even prevent damage. Therefore, while working on new detection rules for our SIEM system named the Kaspersky Unified Monitoring and Analysis Platform, we pay special attention to identifying attackers’ activity at the very initial stage of an attack, when they try to collect information about infrastructure. We’re talking about activity related to the discovery tactics according to the Enterprise Matrix MITRE ATT&CK Knowledge Base classification.

Modern attackers are increasingly paying attention to containerization infrastructure, which is where rather dangerous vulnerabilities are sometimes found. For example, our May report on exploits and vulnerabilities describes the CVE-2024-21626 vulnerability, which allows for a container escape. That’s why in our Q3 2024 SIEM system update, among the rules for identifying atypical behavior that may indicate attacker activity at the initial data collection stage, we’ve added detection rules that catch (i) attempts to collect data on the containerization infrastructure, and (ii) traces of various attempts to manipulate the containerization system itself.

This was done by adding detection rules R231, R433, and R434, which are already available to Kaspersky Unified Monitoring and Analysis Platform users through the rule update system. In particular, they’re used to detect and correlate the following events:

  • access to credentials inside a container;
  • launching a container on a non-container system;
  • launching a container with excessive privileges;
  • launching a container with access to host resources;
  • collecting information about containers using standard tools;
  • searching for weak spots in containers using standard tools;
  • searching for security vulnerabilities in containers using special utilities.

Considering the above-described update, there are now more than 659 rules available on the platform, including 525 rules with direct detection logic.

We continue to align our detection rules with the Enterprise Matrix MITRE ATT&CK Knowledge Base, which today describes 201 techniques, 424 sub-techniques, and thousands of procedures. As of today our solution covers 344 MITRE ATT&CK techniques and sub-techniques.

In addition, we’ve improved many old rules by correcting or adjusting conditions – for example, to reduce the number of false positives.

New and improved normalizers

In the latest update, we’ve also added to our SIEM system normalizers that allow you to work with the following event sources:

  • [OOTB] OpenLDAP
  • [OOTB] Avaya Aura Communication Manager syslog
  • [OOTB] Orion soft Termit syslog
  • [OOTB] Postfix
  • [OOTB] Barracuda Web Security Gateway syslog
  • [OOTB] Parsec ParsecNET
  • [OOTB] NetApp SnapCenter file
  • [OOTB] CommuniGate Pro
  • [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog
  • [OOTB] Yandex Cloud
  • [OOTB] Barracuda Cloud Email Security Gateway syslog

Our experts have also improved normalizers for these sources:

  • [OOTB] Yandex Browser
  • [OOTB] Citrix NetScaler syslog
  • [OOTB] KSC from SQL
  • [OOTB] Microsoft Products for KUMA 3
  • [OOTB] Gardatech Perimeter syslog
  • [OOTB] KSC PostgreSQL
  • [OOTB] Linux auditd syslog for KUMA 3.2
  • [OOTB] Microsoft Products via KES WIN
  • [OOTB] PostgreSQL pgAudit syslog
  • [OOTB] ViPNet TIAS syslog

You can find the full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform version 3.2 in the technical support section of our web site, where you can also get more information about correlation rules. We’ll continue to write about improvements to our SIEM system in future posts that can be found via the SIEM tag.

Kaspersky official blog – ​Read More