Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

The one big thing

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

Why do I care?

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

So now what?

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

Top security headlines of the week

• Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
• Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR [sic] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal) 
• Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law) 

Can’t get enough Talos?

• My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
• In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025) 
Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5
MD5: ff1b6bb151cf9f671c929a4cbdb64d86
VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query
Claimed Product: Endpoint-Collector
Detection Name: W32.File.MalParent

 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection

 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

 

Cisco Talos Blog – ​Read More

Overview 

A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II for avoiding midair collisions were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report. 

The midair collision system flaws have been judged at low risk of being exploited, but one of the vulnerabilities does not presently have a fix. They could potentially be exploited from adjacent networks. 

Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available for subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest. 

TCAS II Vulnerabilities 

The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory. 

The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.” 

TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions. 

The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1. 

CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).” 

The second flaw, CVE-2024-11166, is an 8.2-severity External Control of System or Configuration Setting vulnerability. TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm-A Identity Request, which can set the Sensitivity Level Control (SLC) to the lowest setting and disable the Resolution Advisory (RA), leading to a denial-of-service condition. 

“After consulting with the Federal Aviation Administration (FAA) and the researchers regarding these vulnerabilities, it has been concluded that CVE-2024-11166 can be fully mitigated by upgrading to ACAS X or by upgrading the associated transponder to comply with RTCA DO-181F,” CISA said, adding that there is currently no mitigation available for CVE-2024-9310. 

CISA said the vulnerabilities in the TCAS II standard were exploited in a lab environment. 

“However, they require very specific conditions to be met and are unlikely to be exploited outside of a lab setting,” the agency said. “Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.” 

No known publicly available exploit targeting the vulnerabilities has been reported at this time. 

Recommendations for Mitigating ICS Vulnerabilities  

The full Cyble report recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

2. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors. 

6. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

7. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

The TCAS II flaws and other ICS vulnerabilities show the danger that vulnerabilities in critical infrastructure environments can pose, with the potential to disrupt operations, compromise sensitive data, and cause physical damage with potentially tragic outcomes. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability  appeared first on Cyble.

Blog – Cyble – ​Read More

The vulnerability CVE-2025-0411 has been discovered in the popular 7-Zip file archiver software, allowing attackers to bypass the Mark-of-the-Web protection mechanism. CVE-2025-0411 has a 7.0 CVSS rating. The vulnerability was quickly fixed, but since the program doesn’t have an automatic update mechanism, some users may still have a vulnerable version. That’s why we recommend immediately updating the archiver.

What is Mark-of-the-Web?

The Mark-of-the-Web (MOTW) mechanism involves placing a special metadata mark on files obtained from the internet. If such a mark is present, the Windows operating system considers such a file to be potentially dangerous. If the file is executable, the user sees a warning that it can cause harm when trying to execute it. Also, some programs limit the functionality of a file with this mark (for example, MS Office applications block the execution of macros in them). When an archive is downloaded from the internet, when it is unpacked, all the files should inherit this Mark-of-the-Web.

Malefactors have repeatedly been trying to get rid of the MOTW in order to mislead the user. In particular, several years ago we wrote that the BlueNoroff APT group had adopted methods to bypass this mechanism. According to the MITRE ATT&CK matrix classification, bypassing the MOTW mechanism belongs to sub-technique T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass.

What is the CVE-2025-0411 vulnerability, and how is it dangerous?

CVE-2025-0411 allows attackers to create an archive in such a way that when it’s unpacked by 7-Zip, the files won’t inherit the MOTW mark. As a result, an attacker can exploit this vulnerability to launch malicious code with user privileges. Of course, such a vulnerability is dangerous not in and of itself, but as part of a complex attack. In addition, to exploit it, the user must launch a malicious file manually. However, as we’ve already mentioned above, attackers often try to remove this mark, so giving them an extra way to do this is clearly a big no-no.

Researchers discovered CVE-2025-0411 back in November last year, and immediately reported it to the author of 7-Zip. This is why version 24.09, published on November 29, 2024, is no longer vulnerable.

How to stay safe

First of all, you should update 7-Zip to version 24.09 or newer. If this file archiver is used in your organization, we recommend updating it centrally (if there are appropriate tools), or at least notifying that it needs urgently updating. Kaspersky products for home users can check a number of widely used software products (including 7-Zip) and update them automatically.

In addition, we recommend all internet users to handle files received from the internet with exceptional caution, and not to open them on computers without a reliable security solution.

Kaspersky official blog – ​Read More

Overview

The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government’s growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.

BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.

The term “bulletproof” is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.

How Bulletproof Hosting Providers Operate

BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.

A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.

Another distinctive feature of BPH providers is their location. They often operate from countries with permissive cyber regimes, where local laws either lack the framework to tackle malicious cyber activities or are weakly enforced. This makes it even more challenging for law enforcement, such as the ACSC, to take decisive action.

BPH Providers’ Impact on Australian Cybersecurity

The consequences of BPH’s involvement in cybercrime are damaging, with Australian businesses and individuals often finding themselves targeted by cybercriminals using these services. Ransomware attacks, data extortion, and the theft of sensitive customer information are just some of the incidents that have been traced back to BPH providers.

The presence of these illicit services is not only a local problem but a global one. As these networks expand and evolve, they provide cybercriminals with an easy-to-use platform to launch attacks on a global scale. A single BPH provider can facilitate the activities of hundreds or even thousands of cybercriminals, allowing them to target victims across the globe.

Collaborative Efforts to Combat Cybercrime

In response to this growing threat, law enforcement agencies, including the ACSC, have been stepping up their efforts to identify and dismantle BPH providers. Through enhanced collaboration with global law enforcement, governments, and private sector cybersecurity experts, authorities are targeting these malicious services with increasing frequency. This collective effort aims to disrupt the underlying infrastructure that allows cybercriminals to thrive while complicating their ability to operate securely.

One of the primary methods being employed to target BPH providers is defensive measures, such as proactively blocking internet traffic originating from known BPH services. By identifying and isolating the infrastructure that facilitates cybercrime, investigators can reduce the impact of cybercriminal activities on Australian networks and businesses. In addition, legitimate ISPs and upstream infrastructure providers are being encouraged to adopt practices that prevent BPH providers from accessing their networks.

While BPH providers are a crucial part of the Cybercrime-as-a-Service landscape, they are not the only providers enabling malicious cyber activities. Other illicit services in this underground ecosystem allow cybercriminals to purchase malware, tools for evading security measures, and access to compromised networks. The removal of these services is critical to dismantling the cybercriminal ecosystem and reducing the scope of attacks targeting Australia.

Conclusion

The Australian Cyber Security Centre’s efforts to target Bulletproof Hosting Providers (BPH) highlight the need for a coordinated approach to disrupt the infrastructure enabling cybercrime. By addressing vulnerabilities in BPH services, authorities can disrupt cybercriminal operations and bolster overall cybersecurity resilience.

Australia’s organizations are urged to stay vigilant by updating software, strengthening security protocols, and using multi-layered defenses. Collaboration with law enforcement and cybersecurity experts is essential for detecting and preventing attacks from BPH providers.

To further protect against cyber threats, Cyble, a leader in threat intelligence, offers AI-powered solutions like Cyble Vision to provide real-time insights and enhance cybersecurity efforts. By integrating Cyble’s tools, businesses can strengthen their defenses and stay protected against cybercriminals.

The post Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system.

These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed.

A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action.

Vulnerabilities Overview

HPE Aruba Networking has confirmed the existence of multiple command injection vulnerabilities in the web interface of the 501 Wireless Client Bridge. Below is a detailed breakdown of these vulnerabilities:

• CVE-2024-54006: Exploitation enables attackers to execute arbitrary commands as privileged users.
• CVE-2024-54007: Similarly, this flaw allows attackers to run commands remotely with administrative credentials.

Both vulnerabilities:

• Require administrative authentication credentials to exploit.
• Allow attackers to gain full control over the device upon successful exploitation.
• Impact the confidentiality, integrity, and availability of the device.

Affected Software Versions

The vulnerabilities affect the following software versions:

• HPE Aruba 501 Wireless Client Bridge: Versions V2.1.1.0-B0030 and below.

Devices running software versions higher than V2.1.2.0-B0033 are not impacted. Any other HPE Aruba Networking products not explicitly mentioned remain unaffected.

Severity and Exploitability

• Severity: High (CVSS score: 7.2)
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
• Exploitability: Exploitation requires authenticated administrative credentials. However, once exploited, attackers gain full control of the device, potentially enabling malicious activities such as data exfiltration, lateral movement, and network disruption.
• Public Discussion: A proof-of-concept exploit script has been released publicly, making these vulnerabilities more accessible to attackers.

Mitigation and Recommendations

To safeguard against these vulnerabilities, organizations should follow these steps:

1. Upgrade to a Fixed Version:
   • Update affected devices to software version V2.1.2.0-B0033 or later. The fixed software can be downloaded from the HPE Networking Support Portal.

2. Restrict Management Interfaces:
   • Limit access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 VLAN or secure them with Layer 3 firewall policies.

3. Audit Network Devices:
   • Conduct a thorough security audit of all Aruba devices within your network to identify any unauthorized access or misconfigurations.

4. Strengthen Authentication Mechanisms:
   • Enforce strong administrative passwords.
   • Regularly rotate administrative credentials to minimize the risk of unauthorized access.

5. Monitor for Suspicious Activity:
   • Implement robust monitoring to detect any unusual or unauthorized access attempts to the 501 Wireless Client Bridge.

6. Stay Informed:
   • Subscribe to HPE’s Security Bulletin alerts to receive updates about future vulnerabilities and patches.

Technical Details of the Vulnerabilities

CVE-2024-54006

• Description: Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge, allowing attackers to execute arbitrary commands as a privileged user. Exploitation requires administrative authentication credentials.
• CVSS Base Score: 7.2
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2024-54007

• Description: Similar to CVE-2024-54006, this vulnerability allows authenticated attackers to execute commands on the device’s underlying operating system via the web interface.
• CVSS Base Score: 7.2
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Both vulnerabilities were discovered and reported by Nicholas Starke of HPE Aruba Networking SIRT and Hosein Vita.

Workarounds

For organizations unable to immediately update to the fixed version, the following workarounds are recommended:

• Restrict Network Access: Isolate the device management interfaces to a secure VLAN or subnet.
• Firewall Rules: Configure Layer 3 and above firewall policies to limit access to the management interfaces.
• Monitoring and Logging: Enable detailed logging to monitor for unusual administrative activities.

These workarounds are temporary and should not replace patching, which is the most effective mitigation strategy.

Final Notes

These command injection vulnerabilities in HPE Aruba’s 501 Wireless Client Bridge underline the importance of proactive cybersecurity practices. With the rise of publicly disclosed exploits, organizations must act quickly to mitigate risks by updating vulnerable devices, monitoring for threats, and enforcing strict access controls.

Failure to address these vulnerabilities could result in compromised devices, data breaches, and disrupted operations. Take immediate action to protect your network and maintain the integrity of your systems.

Source: https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04763en_us&docLocale

The post  JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products appeared first on Cyble.

Blog – Cyble – ​Read More