Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability 


Overview 

A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II for avoiding midair collisions were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report. 

The midair collision system flaws have been judged at low risk of being exploited, but one of the vulnerabilities does not presently have a fix. They could potentially be exploited from adjacent networks. 

Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available for subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest. 

TCAS II Vulnerabilities 

The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory. 

The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.” 

TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions. 

The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1. 

CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).” 

The second flaw, CVE-2024-11166, is an 8.2-severity External Control of System or Configuration Setting vulnerability. TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm-A Identity Request, which can set the Sensitivity Level Control (SLC) to the lowest setting and disable the Resolution Advisory (RA), leading to a denial-of-service condition. 

“After consulting with the Federal Aviation Administration (FAA) and the researchers regarding these vulnerabilities, it has been concluded that CVE-2024-11166 can be fully mitigated by upgrading to ACAS X or by upgrading the associated transponder to comply with RTCA DO-181F,” CISA said, adding that there is currently no mitigation available for CVE-2024-9310. 

CISA said the vulnerabilities in the TCAS II standard were exploited in a lab environment. 

“However, they require very specific conditions to be met and are unlikely to be exploited outside of a lab setting,” the agency said. “Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.” 

No known publicly available exploit targeting the vulnerabilities has been reported at this time. 

Recommendations for Mitigating ICS Vulnerabilities  

The full Cyble report recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  2. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

  4. Segmenting networks properly, which can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors. 

  6. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

  7. Making ongoing cybersecurity training mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

The TCAS II flaws and other ICS vulnerabilities show the danger that vulnerabilities in critical infrastructure environments can pose, with the potential to disrupt operations, compromise sensitive data, and cause physical damage with potentially tragic outcomes. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

The full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, is available to subscribers. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability  appeared first on Cyble.


How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case

Lost documents, stolen code, exposed customer data, and a falling stock price are all common consequences of just one click on a ransomware file. To avoid this problem, you need proper security tools and, most importantly, knowledge of how ransomware attacks are carried out. 

This quick guide will explain how ransomware works and the simple steps you can take to protect your business.

What is ransomware

Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money (ransom) is paid. It typically encrypts the victim’s files, making them inaccessible, and demands payment to provide the decryption key. The ransom demands can range from hundreds to thousands of dollars, often paid in cryptocurrencies like Bitcoin to maintain anonymity.

What is double extortion ransomware

Double extortion is a technique where attackers not only encrypt the victim’s data but also exfiltrate (steal) it. They threaten to leak the stolen data publicly if the ransom is not paid, adding an additional layer of pressure on the victim to comply. 

This technique increases the likelihood of payment, as victims face both data loss and potential reputational damage or legal consequences from data breaches.

Why your company may become a target of ransomware

The likelihood of your company becoming a target of ransomware depends on several factors:

  • Size and Industry: Larger organizations and those in critical industries like healthcare, finance, and government are often targeted due to their sensitive data and higher likelihood of paying substantial ransoms.
  • Cybersecurity Posture: Companies with weak or outdated cybersecurity measures are more vulnerable. This includes lack of regular software updates, inadequate backup strategies, and insufficient employee training on cybersecurity best practices.
  • Data Value: Organizations that handle valuable or sensitive data, such as personal information, intellectual property, or confidential business data, are more attractive targets.
  • Public Profile: High-profile companies or those with a significant public presence may be targeted for the potential reputational damage that a data breach could cause.
  • Previous Incidents: Companies that have experienced cybersecurity incidents in the past may be seen as easier targets, especially if they have not adequately addressed the vulnerabilities that led to the previous attacks.

How criminals prepare and deliver ransomware 

Setup process

Most criminals use ready-made ransomware-as-a-service builders to create and configure their malware. These builders allow them to specify various parameters of the ransomware, such as the ransom message, amount, and Bitcoin address for payment.

Consider the Chaos ransomware, which provides a builder that allows the operator to set up their custom variant of the malware by clicking a few buttons.

View analysis of the Chaos builder

The Chaos ransomware builder opened in the ANY.RUN sandbox

To safely examine the Chaos builder and its executable, we need to upload it to a cloud sandbox like ANY.RUN.

As shown by Nico Knows Tech in this YouTube video, attackers can configure their Chaos build to choose the ransom message and amount, as well as set the extension for the encrypted files.

The logo of the malicious file can be changed to any image set by the attacker

As a means of disguise, attackers can change the logo of the main malicious executable file to a PDF one. Coupled with the hidden extension, this can trick users into opening it, thinking it is a standard document.

Advanced options of the ransomware builder provide detection evasion capabilities

To avoid detection by antivirus and other security solutions, the builder makes it possible to enable deletion of shadow copies, disable system recovery, and overwrite files to make them unrecoverable.

Delivery

After this quick setup process, the criminals are ready to distribute the ransomware among their targets. There are many delivery methods, but here are three common ones:

  • Emails that include malicious file attachments, such as PDFs or Word documents, which execute ransomware when opened.
  • Emails that contain links to compromised websites or malicious downloads, manipulating users into downloading and executing ransomware.
  • Malicious advertisements on websites like Google that redirect users to sites hosting ransomware.

A Ransomware Attack Example: Lynx

Let’s now see what happens once the malware file arrives at the target’s system.

For this, we can take a look at the Lynx ransomware, which was recently reviewed by PC Security Channel.

The operators behind this threat maintain a public website containing a list of their victims along with samples of stolen documents. One of the latest cases was a large electricity provider from Romania, Electric Group, that serves over 3.8 million people.

Lynx Ransomware analyzed in the ANY.RUN sandbox

Thanks to ANY.RUN’s Interactive Sandbox, we can study the entire chain of attack and see exactly how this threat operates in a safe virtual environment.

View sandbox analysis of Lynx

The Files modification tab shows all the file system activity logged during the analysis

As soon as we upload and launch the malicious executable file in ANY.RUN’s cloud-based sandbox, the malware begins encrypting files on the system and changing their extension to .LYNX.

It also drops a ransom note and replaces the desktop wallpaper with the ransom text, which contains a link to a TOR site via which the attackers expect the victim to contact them. 
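As an added example (not code from the post or from ANY.RUN), the following Python sketches the detection logic a SOC could run over file-modification events like those in the sandbox tab above: a burst of renames that append one new extension (here .LYNX) to many files within a short window, corroborated by a dropped ransom note. The log line format, process IDs, paths and sample events are constructed for this example.

```python
"""Heuristic detection of ransomware-style file activity from event logs."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed log format (not ANY.RUN's): "<iso-timestamp> pid=<n> <op> <path>[ -> <new_path>]"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<op>create|write|rename|delete) "
    r"(?P<path>.+?)(?: -> (?P<new>.+))?$"
)
# File names ransomware families commonly use for notes (README.txt in the Lynx case)
NOTE_RE = re.compile(
    r"(^|[\\/])(readme|how[_ -]?to[_ -]?(decrypt|restore|recover)|recover[_ -]?files)"
    r"[^\\/]*\.(txt|html|hta)$",
    re.I,
)


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    pid: int
    op: str
    path: str
    new_path: str | None = None


def parse_event(line: str) -> FileEvent | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return FileEvent(datetime.fromisoformat(m["ts"]), int(m["pid"]), m["op"], m["path"], m["new"])


def appended_extension(old: str, new: str) -> str | None:
    """Return the suffix a rename appended (e.g. '.LYNX'), or None if the rename
    did anything other than append an extension to the original name."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


def analyze(events: Iterable[FileEvent], *, window: timedelta = timedelta(seconds=60),
            min_renames: int = 10, dominance: float = 0.8) -> list[dict]:
    """Flag each process that, within `window`, appends one dominant extension to at
    least `min_renames` files; a ransom-note-like file created by it raises severity."""
    by_pid: dict[int, list[FileEvent]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        renames = [(e.ts, appended_extension(e.path, e.new_path))
                   for e in evs if e.op == "rename" and e.new_path]
        renames = [(ts, ext) for ts, ext in renames if ext]
        notes = sorted({e.path for e in evs if e.op == "create" and NOTE_RE.search(e.path)})

        # Sliding window: start at each rename, count the renames that fall inside the window.
        best_count, best_ext = 0, None
        for i, (start, _) in enumerate(renames):
            in_window = [ext for ts, ext in renames[i:] if ts - start <= window]
            if len(in_window) < min_renames:
                continue
            ext, count = Counter(in_window).most_common(1)[0]
            if count / len(in_window) >= dominance and count > best_count:
                best_count, best_ext = count, ext

        if best_ext is not None:
            findings.append({
                "pid": pid,
                "extension": best_ext,
                "renamed_files": best_count,
                "ransom_notes": notes,
                "severity": "high" if notes else "medium",
            })
    return findings


def sample_events() -> list[FileEvent]:
    """Constructed sample: one process renames 12 documents to .LYNX and drops
    README.txt; a second, benign process edits and renames a single file."""
    base = datetime(2025, 1, 21, 10, 0, 0)
    lines = []
    for i in range(12):
        old = f"C:\\Users\\bob\\Documents\\report{i}.docx"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} pid=4321 rename {old} -> {old}.LYNX")
    lines.append(f"{(base + timedelta(seconds=13)).isoformat()} pid=4321 create C:\\Users\\bob\\Desktop\\README.txt")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} pid=777 write C:\\Users\\bob\\notes.txt")
    lines.append(f"{(base + timedelta(seconds=6)).isoformat()} pid=777 rename C:\\Users\\bob\\notes.txt -> C:\\Users\\bob\\notes.bak")
    return [e for e in map(parse_event, lines) if e]
```

Running `analyze(sample_events())` flags only pid 4321, with extension `.LYNX`, 12 renamed files and the README.txt note, while the benign rename to `.bak` by pid 777 produces no finding.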



The ransom note features .onion addresses used for communication with the attackers

ANY.RUN’s interactivity lets us manually open the README.txt dropped by Lynx to see the message.

ANY.RUN analysis of the Lynx process

The ANY.RUN sandbox detects all the malicious activities performed by Lynx and marks them with signatures.

ANY.RUN’s report on the Lynx sample

The sandbox also generates a comprehensive report on the analyzed threat sample that can be shared with all the stakeholders in the company.

How Sandboxing Helps Businesses Prevent Ransomware Attacks

As demonstrated by the Lynx analysis, sandbox tools like ANY.RUN provide you with a safe, secure, and private environment for detonating and exploring all the suspicious files and URLs you may come across in your day-to-day activities.

Whether it is a phishing email, an unusual executable, or an office document asking you to enable macros, uploading these to ANY.RUN’s Interactive Sandbox is the best course of action you can take to check these files for any possible threat and quickly make a decision on whether to engage with them further on your own system.

More than 500,000 security professionals use ANY.RUN for proactive analysis to:

  • Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
  • Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
  • Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
  • Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
  • Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
  • Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.


ANY.RUN cloud interactive sandbox interface


Conclusion

Taking proactive measures to understand and mitigate ransomware threats is vital for business security. Tools like ANY.RUN’s Interactive Sandbox offer a fast, simple, and effective solution for analyzing potential threats, enabling businesses to prevent attacks from compromising their infrastructure. By integrating such tools into your security strategy, you can enhance your cybersecurity posture and protect your business from the far-reaching consequences of ransomware attacks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


The post How to Prevent a Ransomware Attack on a Business: A Lynx Malware Use Case appeared first on ANY.RUN’s Cybersecurity Blog.


CVE-2025-0411 – vulnerability in 7-Zip | Kaspersky official blog

The vulnerability CVE-2025-0411 has been discovered in the popular 7-Zip file archiver software, allowing attackers to bypass the Mark-of-the-Web protection mechanism. CVE-2025-0411 has a CVSS rating of 7.0. The vulnerability was quickly fixed, but since the program doesn’t have an automatic update mechanism, some users may still have a vulnerable version. That’s why we recommend updating the archiver immediately.

What is Mark-of-the-Web?

The Mark-of-the-Web (MOTW) mechanism involves placing a special metadata mark on files obtained from the internet. If such a mark is present, the Windows operating system considers the file potentially dangerous. If the file is executable, the user sees a warning that it can cause harm when trying to execute it. Also, some programs limit the functionality of a file with this mark (for example, MS Office applications block the execution of macros in such documents). When an archive downloaded from the internet is unpacked, all the extracted files should inherit the Mark-of-the-Web.

Attackers have repeatedly tried to strip the MOTW in order to mislead users. In particular, several years ago we wrote that the BlueNoroff APT group had adopted methods to bypass this mechanism. According to the MITRE ATT&CK matrix classification, bypassing the MOTW mechanism belongs to sub-technique T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass.

What is the CVE-2025-0411 vulnerability, and how is it dangerous?

CVE-2025-0411 allows attackers to create an archive in such a way that when it’s unpacked by 7-Zip, the files won’t inherit the MOTW mark. As a result, an attacker can exploit this vulnerability to launch malicious code with user privileges. Of course, such a vulnerability is dangerous not in and of itself, but as part of a complex attack. In addition, to exploit it, the user must launch a malicious file manually. However, as we’ve already mentioned above, attackers often try to remove this mark, so giving them an extra way to do this is clearly a big no-no.

Researchers discovered CVE-2025-0411 back in November last year, and immediately reported it to the author of 7-Zip. This is why version 24.09, published on November 29, 2024, is no longer vulnerable.

How to stay safe

First of all, you should update 7-Zip to version 24.09 or newer. If this file archiver is used in your organization, we recommend updating it centrally (if there are appropriate tools), or at least notifying users that it urgently needs updating. Kaspersky products for home users can check a number of widely used software products (including 7-Zip) and update them automatically.
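The following Python, added here as an example and not taken from the Kaspersky post or from 7-Zip, shows what the mark actually is and turns the advice above into checks: it parses the NTFS Zone.Identifier stream that carries the MOTW, lists which files extracted from an internet-downloaded archive lack the mark (the outcome CVE-2025-0411 allowed), and compares a 7-Zip version string against the 24.09 fix. The stream contents, file names and version strings are constructed; `read_zone_identifier` returns real data only on Windows NTFS.

```python
"""Checks around the Mark-of-the-Web (MOTW) on extracted files and 7-Zip versions."""
from __future__ import annotations

import re
from pathlib import Path

# On NTFS the MOTW is the alternate data stream "Zone.Identifier": INI text with a
# [ZoneTransfer] section whose ZoneId names the URL security zone the file came from
# (0 LocalMachine, 1 LocalIntranet, 2 Trusted, 3 Internet, 4 Restricted).
# 7-Zip 24.09 is the first release without CVE-2025-0411, per the post above.
FIXED_7ZIP_VERSION = (24, 9)


def parse_zone_identifier(stream_text: str) -> dict[str, str]:
    """Return the key/value pairs of the [ZoneTransfer] section (ZoneId, ReferrerUrl, HostUrl...)."""
    section, fields = None, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_marked_from_internet(stream_text: str | None) -> bool:
    """True when a Zone.Identifier stream exists and places the file in the Internet (3)
    or Restricted (4) zone; a missing stream or a local zone means no MOTW protection."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text).get("ZoneId", "")
    return zone.isdigit() and int(zone) >= 3


def read_zone_identifier(path: Path) -> str | None:
    """Read the real stream from an NTFS file on Windows; None when absent or unsupported."""
    try:
        return Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None


def find_unmarked_extractions(archive_stream: str | None, extracted: dict[str, str | None]) -> list[str]:
    """Given the archive's own Zone.Identifier text and a map of extracted file name ->
    its stream text (None when absent), list the files that should have inherited the
    mark but did not. That loss is exactly what CVE-2025-0411 let a crafted archive cause."""
    if not is_marked_from_internet(archive_stream):
        return []  # the archive was not from the internet, so there is nothing to inherit
    return sorted(name for name, stream in extracted.items() if not is_marked_from_internet(stream))


def seven_zip_is_patched(version: str) -> bool:
    """Compare a 7-Zip version string such as '24.09' or '23.01 (x64)' against the fix release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return len(parts) == 2 and parts >= FIXED_7ZIP_VERSION


# Constructed sample data: an archive downloaded from the Internet zone and three files
# extracted from it, one of which came out without any Zone.Identifier stream.
SAMPLE_ARCHIVE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads\r\n"
    "HostUrl=https://example.invalid/downloads/invoice.7z\r\n"
)
SAMPLE_EXTRACTED = {
    "invoice.pdf": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "tool.exe": None,
}
```

On a real Windows host, build the `extracted` map with `read_zone_identifier` over the extraction directory; `find_unmarked_extractions(SAMPLE_ARCHIVE_STREAM, SAMPLE_EXTRACTED)` on the constructed data returns `["tool.exe"]`.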

In addition, we recommend that all internet users handle files received from the internet with exceptional caution, and not open them on computers without a reliable security solution.


How Threat Intelligence Lookup Helps Enterprises

Modern businesses’ growing dependence on digital technology makes them vulnerable to cyber threats. For three years in a row, manufacturing has stayed the sector most targeted by cyberattacks, IBM reports. Industrial companies suffered more than 25% of the security incidents recorded last year, the majority of them ransomware attacks.

Investing in comprehensive cybersecurity infrastructure helps prevent substantial financial loss and reputation damage. But enforcing the perimeter is not enough: a proactive approach to threat management is essential.  

What is Threat Intelligence

Cyber Threat Intelligence (CTI) is about gathering and analyzing data to spot, understand, and stop current and future threats. Even with strong security teams, just reacting to threats is not enough. Using current, detailed information from outside sources is key to responding effectively.

Cyber threat intelligence provides security teams with data about threats, attacks, and adversaries. It powers decision-making on all levels: operational, tactical, and strategic.  

By analyzing threat indicators, tactics, techniques, and procedures of attackers, companies can anticipate attacks rather than just react to them. Vulnerabilities get identified before they can be exploited.

Why Companies Need Threat Intelligence 

There are plenty of reasons why industrial enterprises and manufacturing companies may require threat intelligence. Mostly, these reasons relate to the critical role of such companies in the economy on one hand and their specific risks and vulnerabilities on the other:  

  1. They are part of critical infrastructure 
    Many manufacturing companies are involved in critical infrastructure (e.g., energy, transportation, defense supply chains). Attacking these industries can disrupt essential services, exert political or economic pressure, or fulfill geopolitical goals. 
  1. They are part of important supply chains 
    A successful attack can ripple across industries, causing widespread delays and impacting multiple organizations. In 2021, an attack on Colonial Pipeline disrupted fuel distribution, causing trouble to manufacturing and transportation sectors. 
  1. They have high ransom potential 
    Companies rely on continuous operations and cannot afford prolonged downtime. Attacked by ransomware, they are often willing to pay to resume production quickly and avoid financial losses. 
  1. They collect consumer data and possess intellectual property 
    A large store of valuable data is an irresistible honeypot for hackers: trade secrets, patents, blueprints, and proprietary technologies, as well as sensitive data about customers, employees, and supply chains. Stolen data can be sold or used for fraud, espionage, and other criminal activities. 
  1. They depend on legacy systems 
    Outdated systems and technologies are not designed with modern cybersecurity in mind. For example, older programmable logic controllers (PLCs) in factories often lack encryption or authentication, making them easy targets. 
  1. They are in the midst of digitalization and IoT adoption 
    Manufacturing is embracing Industry 4.0, integrating IoT devices, cloud computing, and automation. More connected devices and networks introduce more vulnerabilities. 

Time is Money, Downtime is No Money 

A regrettably large share of enterprise companies prioritizes operational efficiency over cybersecurity due to limited budgets, lack of expertise, and a focus on physical security. But it is a short-sighted approach.  

Industrial companies have low tolerance for downtime: in the case of a ransomware attack they often prefer to pay adversaries rather than permit a production halt. Research by Siemens in 2022 found that unplanned downtime costs Fortune Global 500 companies about US$1.5tn, which is 11% of their yearly turnover.  





Threat Intelligence Lookup at the Service of Enterprises 

TI Lookup results for RAT malware operating in Colombia

Threat Intelligence Lookup is a key tool in the cybersecurity arsenal. It is a special-purpose search engine that helps navigate and research threat data.  
 
The data is extracted from malware samples uploaded via ANY.RUN’s Interactive Sandbox by over 500,000 security professionals.

TI Lookup key features:

  • Fast interactive search across over 40 different threat data types, including system events and indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs). 
  • Continuously updated database with new indicators and samples. 
  • Customizable queries that support combining multiple indicators, wildcards, YARA and Suricata rules. 
  • Integration with sandbox to view sessions where particular indicators or events were discovered.  
  • Real-time updates on relevant threats and indicators to ensure ongoing monitoring. 

TI Lookup in Action: A Recent Example 

One of the latest and most dangerous malware campaigns that targeted the industrial sector unfolded this autumn. The attack was based on Lumma and Amadey malware.  
 
Analysts at ANY.RUN explored the attack’s anatomy with the aid of the Interactive Sandbox and found a number of IOCs associated with the malware. These IOCs can be used as TI Lookup search requests to analyze the attack further in pursuit of actionable insights for arming corporate security systems against it.     
 
The following query consists of the name of the malware and the path to one of the malicious files used in the attack:  

filePath:"dbghelp.dll" AND threatName:"lumma" 

Results displayed by TI Lookup for the query 

TI Lookup finds files associated with an attack and shows sandbox sessions featuring analysis of samples belonging to the same campaign.



How Threat Intel Research Helps Strengthen Enterprise Security 

By investigating, collecting, and analyzing threat data, security experts and management ensure:  

Early detection and prevention of threats. By knowing what IOCs to look for, companies can set up systems to monitor these signs continuously. Early detection can lead to quicker response times before significant damage occurs. 

Improved Incident Response. Security teams can more rapidly identify when an incident has occurred or is in progress. This speeds up the process of containment, eradication, and recovery. 

Enhanced threat hunting. IOC research lets teams focus threat-hunting efforts by looking for signs of similar or related threats that might not have been detected by automated systems. It also helps to distinguish benign anomalies from actual threats and reduce the noise from false positives, which can overwhelm security teams. 

Validation of security measures. Indicators can be used to test the effectiveness of current security controls by simulating or analyzing known threat patterns for fine-tuning security solutions. 

Understanding of vulnerabilities and attack vectors. IOCs provide insights into the tactics, techniques, and procedures (TTPs) used by attackers, allowing companies to better understand where they are vulnerable and how adversaries operate. 

Prioritization of security efforts and resource management on the basis of understanding which threats are most likely to impact the organization. 

Forensic Analysis. Post-incident analysis facilitates understanding the scope of the compromise, how the attack was executed, what was accessed, and how to prevent similar attacks in the future. 

Training and awareness. Threat Intelligence Lookup can be used in training programs for educating staff to watch for suspicious activities or anomalies in system behavior. 

Cyber Threat Intelligence and Business Performance 

Threat intelligence objectives are closely connected with key business goals and metrics. 

ROI and Cost Optimization 

Significant cost savings can be achieved by preventing data breaches and minimizing mitigation efforts. By avoiding data losses and leaks, businesses can sidestep the expenses associated with incident response, legal fees, and regulatory fines.  

Informed Decision-Making 

Threat analysis by tools like ANY.RUN’s TI Lookup provides insights that allow teams to focus resources and security efforts on the most relevant threats, critical areas, and topical vulnerabilities.   

Operational Viability 

A pillar of enterprise efficiency, operational stability suffers immensely from even a brief downtime. Threat intelligence tools and methods like TI Lookup help automate threat detection, make it both wider and more accurate, and reduce downtime caused by breaches. 

Compliance and Reporting 

In manufacturing and industrial enterprises, regulatory compliance is critically important. Moreover, such businesses often operate in multiple jurisdictions with varying rules and requirements: plants and manufacturing facilities can be located in different countries with their own laws. Apart from improved threat detection, TI helps document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI. 

Brand Reputation Defense 

Customer and counterparty trust is one of the most valuable business assets, in enterprise settings and elsewhere. Early detection of threats reduces the likelihood of incidents that could damage a company’s name and negatively impact shareholder value. 

Conclusion 

Cyber resilience must be a business priority for enterprise companies, given their critical role in the economy, low tolerance for downtime, and complex digital environments. Threat intelligence builds a basis for proactive threat management and informed decisions, helps allocate resources, and avoids wasted spending. Professional solutions like ANY.RUN’s Threat Intelligence Lookup equip security teams to meet the demands of business security.  


The post How Threat Intelligence Lookup Helps Enterprises appeared first on ANY.RUN’s Cybersecurity Blog.


Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks


Overview

The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government’s growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.

BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.

The term “bulletproof” is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.

How Bulletproof Hosting Providers Operate

BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.

A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.

Another distinctive feature of BPH providers is their location. They often operate from countries with permissive cyber regimes, where local laws either lack the framework to tackle malicious cyber activities or are weakly enforced. This makes it even more challenging for law enforcement, such as the ACSC, to take decisive action.

BPH Providers’ Impact on Australian Cybersecurity

The consequences of BPH’s involvement in cybercrime are damaging, with Australian businesses and individuals often finding themselves targeted by cybercriminals using these services. Ransomware attacks, data extortion, and the theft of sensitive customer information are just some of the incidents that have been traced back to BPH providers.

The presence of these illicit services is not only a local problem but a global one. As these networks expand and evolve, they provide cybercriminals with an easy-to-use platform to launch attacks on a global scale. A single BPH provider can facilitate the activities of hundreds or even thousands of cybercriminals, allowing them to target victims across the globe.

Collaborative Efforts to Combat Cybercrime

In response to this growing threat, law enforcement agencies, including the ACSC, have been stepping up their efforts to identify and dismantle BPH providers. Through enhanced collaboration with global law enforcement, governments, and private sector cybersecurity experts, authorities are targeting these malicious services with increasing frequency. This collective effort aims to disrupt the underlying infrastructure that allows cybercriminals to thrive while complicating their ability to operate securely.

One of the primary methods being employed to target BPH providers is defensive measures, such as proactively blocking internet traffic originating from known BPH services. By identifying and isolating the infrastructure that facilitates cybercrime, investigators can reduce the impact of cybercriminal activities on Australian networks and businesses. In addition, legitimate ISPs and upstream infrastructure providers are being encouraged to adopt practices that prevent BPH providers from accessing their networks.

While BPH providers are a crucial part of the Cybercrime-as-a-Service landscape, they are not the only providers enabling malicious cyber activities. Other illicit services in this underground ecosystem allow cybercriminals to purchase malware, tools for evading security measures, and access to compromised networks. The removal of these services is critical to dismantling the cybercriminal ecosystem and reducing the scope of attacks targeting Australia.

Conclusion

The Australian Cyber Security Centre’s efforts to target Bulletproof Hosting Providers (BPH) highlight the need for a coordinated approach to disrupt the infrastructure enabling cybercrime. By addressing vulnerabilities in BPH services, authorities can disrupt cybercriminal operations and bolster overall cybersecurity resilience.

Australia’s organizations are urged to stay vigilant by updating software, strengthening security protocols, and using multi-layered defenses. Collaboration with law enforcement and cybersecurity experts is essential for detecting and preventing attacks from BPH providers.

To further protect against cyber threats, Cyble, a leader in threat intelligence, offers AI-powered solutions like Cyble Vision to provide real-time insights and enhance cybersecurity efforts. By integrating Cyble’s tools, businesses can strengthen their defenses and stay protected against cybercriminals.

The post Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks appeared first on Cyble.

Blog – Cyble – Read More

Cyble Finds Thousands of Security Vendor Credentials on Dark Web


Overview

Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.

The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks.

The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.

Leaked Security Company Credentials

Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.

Cyble looked at 13 of the largest enterprise security vendors—along with some of the bigger consumer security companies like McAfee—and found credentials from all of them on the dark web. The credentials were likely pulled from info stealer logs and then sold in bulk on cybercrime marketplaces.

Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.

Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.

Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.

The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. The vendors included:

  • CrowdStrike
  • Palo Alto Networks
  • Fortinet
  • Zscaler
  • SentinelOne
  • RSA Security
  • Exabeam
  • LogRhythm
  • Rapid7
  • Trend Micro
  • Sophos
  • McAfee
  • Qualys
  • Tenable

All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access.

Trend Micro and Sophos have large consumer security businesses, as does McAfee, which exited the enterprise business in 2021. McAfee, for example, has had more than 600 credential leaks since the start of the year, almost all for consumers’ account access, likely harvested from info stealer attacks on the consumers’ personal devices.

CrowdStrike has had more than 300 credentials exposed since the start of the year, although some of those may be duplicates offered for sale across multiple forums. Most of those appear to be customer Falcon account credentials, again likely harvested from info stealers on customer endpoints. Some of those customers are high-tech companies and others hold sensitive data, including a pharmaceutical giant and a large financial firm, so they have a strong interest in keeping those accounts secure.

Some internal CrowdStrike accounts also appear to have been exposed this year, but those largely appear to be web marketing accounts, data that would likely have value only for competitors.

Palo Alto Networks and some other vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial. Palo Alto has had nearly 400 credential exposures so far this year, most of them from customer leaks.

Credential Leaks Could Aid in Hacker Reconnaissance

Even if all the exposed accounts were protected by other means, as ideally they were, such leaks are concerning for another reason: they can help threat actors conduct reconnaissance by giving them an idea of the systems a potential target uses, including the locations of sensitive data and potential vulnerabilities to exploit.

Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.

Conclusion: Dark Web Monitoring is Critical for Everyone

Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: Credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks.

Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.

If the largest security vendors can be hit by infostealers, so can any organization. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing—and ideally preventing—data breaches, ransomware, and other cyberattacks.

The post Cyble Finds Thousands of Security Vendor Credentials on Dark Web appeared first on Cyble.


JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products


Overview

JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system.

These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed.

A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action.

Vulnerabilities Overview

HPE Aruba Networking has confirmed the existence of multiple command injection vulnerabilities in the web interface of the 501 Wireless Client Bridge. Below is a detailed breakdown of these vulnerabilities:

  • CVE-2024-54006: Exploitation enables attackers to execute arbitrary commands as privileged users.
  • CVE-2024-54007: Similarly, this flaw allows attackers to run commands remotely with administrative credentials.

Both vulnerabilities:

  • Require administrative authentication credentials to exploit.
  • Allow attackers to gain full control over the device upon successful exploitation.
  • Impact the confidentiality, integrity, and availability of the device.

Affected Software Versions

The vulnerabilities affect the following software versions:

  • HPE Aruba 501 Wireless Client Bridge: Versions V2.1.1.0-B0030 and below.

Devices running software versions higher than V2.1.2.0-B0033 are not impacted. Any other HPE Aruba Networking products not explicitly mentioned remain unaffected.
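A fleet check for the version boundary above, added here as an example rather than tooling from HPE, JoCERT or Cyble. It assumes that the devices report versions in the V2.1.1.0-B0030 style used by the advisory and that an inventory of (hostname, version) pairs has already been collected (the hostnames below are placeholders). Any build older than V2.1.2.0-B0033 is flagged for patching, which conservatively includes builds the advisory does not name; versions that cannot be parsed are sent to manual review rather than silently treated as safe.

```python
import re
from typing import Iterable, List, Tuple

# Values taken from the advisory: the fixed build and the CVEs it addresses.
FIXED_VERSION = "V2.1.2.0-B0033"
CVES = ("CVE-2024-54006", "CVE-2024-54007")

# Version strings look like V2.1.1.0-B0030: four dotted numbers plus a build number.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)\.(\d+)-B(\d+)$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V2.1.1.0-B0030' into (2, 1, 1, 0, 30) so versions compare numerically."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(group) for group in match.groups())


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fixed release. Builds between B0030 and
    B0033, which the advisory does not mention, are flagged conservatively."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[dict]:
    """Classify (hostname, reported_version) pairs; unparsable versions need review."""
    findings = []
    for host, version in inventory:
        try:
            status = "patch required" if is_vulnerable(version) else "fixed"
        except ValueError:
            status = "manual review"
        findings.append({"host": host, "version": version, "status": status})
    return findings


# Constructed inventory for demonstration; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("bridge-lab-01", "V2.1.1.0-B0030"),   # upper bound of the affected range
    ("bridge-lab-02", "V2.1.2.0-B0033"),   # the fixed build
    ("bridge-lab-03", "V2.0.5.0-B0012"),   # older than the affected upper bound
    ("bridge-lab-04", "V2.1.3.0-B0040"),   # newer than the fix
    ("bridge-lab-05", "unknown"),          # device could not be queried
]

if __name__ == "__main__":
    print(f"Checking against {FIXED_VERSION} ({', '.join(CVES)})")
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']:<14} {finding['version']:<16} {finding['status']}")
```

Comparing the parsed tuples rather than the raw strings matters: a plain string comparison would rank "B0033" and "B0100" correctly but would misorder a future "V2.1.10.0" against "V2.1.9.0".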

Severity and Exploitability

  • Severity: High (CVSS score: 7.2)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Exploitability: Exploitation requires authenticated administrative credentials. However, once exploited, attackers gain full control of the device, potentially enabling malicious activities such as data exfiltration, lateral movement, and network disruption.
  • Public Discussion: A proof-of-concept exploit script has been released publicly, making these vulnerabilities more accessible to attackers.

Mitigation and Recommendations

To safeguard against these vulnerabilities, organizations should follow these steps:

  1. Upgrade to a Fixed Version:
    • Update affected devices to software version V2.1.2.0-B0033 or later. The fixed software can be downloaded from the HPE Networking Support Portal.

  2. Restrict Management Interfaces:
    • Limit access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 VLAN or secure them with Layer 3 firewall policies.

  3. Audit Network Devices:
    • Conduct a thorough security audit of all Aruba devices within your network to identify any unauthorized access or misconfigurations.

  4. Strengthen Authentication Mechanisms:
    • Enforce strong administrative passwords.
    • Regularly rotate administrative credentials to minimize the risk of unauthorized access.

  5. Monitor for Suspicious Activity:
    • Implement robust monitoring to detect any unusual or unauthorized access attempts to the 501 Wireless Client Bridge.

  6. Stay Informed:
    • Subscribe to HPE’s Security Bulletin alerts to receive updates about future vulnerabilities and patches.

Technical Details of the Vulnerabilities

CVE-2024-54006

  • Description: Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge, allowing attackers to execute arbitrary commands as a privileged user. Exploitation requires administrative authentication credentials.
  • CVSS Base Score: 7.2
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2024-54007

  • Description: Similar to CVE-2024-54006, this vulnerability allows authenticated attackers to execute commands on the device’s underlying operating system via the web interface.
  • CVSS Base Score: 7.2
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Both vulnerabilities were discovered and reported by Nicholas Starke of HPE Aruba Networking SIRT and Hosein Vita.

Workarounds

For organizations unable to immediately update to the fixed version, the following workarounds are recommended:

  • Restrict Network Access: Isolate the device management interfaces to a secure VLAN or subnet.
  • Firewall Rules: Configure Layer 3 and above firewall policies to limit access to the management interfaces.
  • Monitoring and Logging: Enable detailed logging to monitor for unusual administrative activities.

These workarounds are temporary and should not replace patching, which is the most effective mitigation strategy.

Final Notes

These command injection vulnerabilities in HPE Aruba’s 501 Wireless Client Bridge underline the importance of proactive cybersecurity practices. With the rise of publicly disclosed exploits, organizations must act quickly to mitigate risks by updating vulnerable devices, monitoring for threats, and enforcing strict access controls.

Failure to address these vulnerabilities could result in compromised devices, data breaches, and disrupted operations. Take immediate action to protect your network and maintain the integrity of your systems.

Source: https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04763en_us&docLocale

The post JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products appeared first on Cyble.


How to download, install, and update Kaspersky apps for Android | Kaspersky official blog

Our security solutions for Android are temporarily unavailable in the official Google Play store. To install Kaspersky apps on Android devices, we recommend using alternative app stores. You can also install our apps manually from the APK files available on our website or in your My Kaspersky account. This post gives in-depth instructions for installing Kaspersky on Android in 2025.

General recommendations

First, the good news: any Kaspersky apps you’ve already installed from Google Play will continue to work on your device. But they’ll automatically receive only antivirus database updates — not app or security feature improvements. If you uninstall an app, you won’t be able to reinstall it from Google Play.

Therefore, we recommend not deleting the apps already installed from Google Play, but downloading and installing over them the versions from these alternative stores:

You’ll find the same set of Kaspersky apps in all these stores, and the download methods are also alike:

  • Open the store app.
  • Enter “kaspersky” in the search bar (you may need to tap the magnifying glass icon to open the bar).
  • Find the app you want in the search results.
  • Depending on the store, tap Get, Install, Download or Update, or simply touch the download icon next to the name of the app.

If our apps are already installed on your device and you then download them from alternative stores, your device will retain all settings, and you won’t have to reactivate the license. What’s more, the apps can be updated automatically by enabling auto-update in the settings of the alternative store. Below is a how-to guide for all the recommended stores.

You can also install apps by downloading the APK files from our website. When you install over existing apps, all settings and licenses are retained. However, apps installed this way will not be updated automatically — you’ll need to track down new versions yourself, download them as APK files, and install them on your device manually. Because this is less convenient, we’ll soon be adding a feature to update apps automatically via their APK files, and will notify you when new updates come out. In the meantime, we recommend using the alternative app stores mentioned above.

What to do if your smartphone only has Google Play

If you only have Google Play on your smartphone, you first need to install an alternative app store, for example, Huawei AppGallery. Here’s how to do it:

  • Open this link in your browser.
  • Tap Download.
  • Follow the on-screen instructions, tapping OK in response to any system warnings.

You can now download Kaspersky apps. More detailed instructions are available on the Huawei AppGallery website.

How to enable auto-update for Kaspersky apps in alternative stores

To make sure you always have the latest version, after installing an app from an alternative store you need to enable auto-update in the store settings. We have step-by-step instructions for all stores — just follow one of the links below to go to the one you need:

Samsung Galaxy Store

To enable auto-update of apps in the Samsung Galaxy Store:

  • Open the menu (three horizontal lines).
  • Go to Settings by tapping the gear icon in the top-right corner of the screen.
  • On the screen that opens, find Auto update apps, and select Using Wi-Fi or mobile data.

How to enable auto-update of apps in the Samsung Galaxy Store

Huawei AppGallery

To enable auto-update of apps in Huawei AppGallery:

  • Tap Me at the bottom right of the screen.
  • Go to Settings.
  • Tap Auto-update apps, and select On.

How to enable auto-update of apps in Huawei AppGallery

Vivo V-Appstore

To enable auto-update of apps in Vivo V-Appstore:

  • Go to Manage by tapping the icon in the bottom right corner of the screen.
  • Go to Settings by tapping the gear icon at the top of the screen.
  • Tap Notifications and upgrades.
  • Enable App auto-update.

How to enable auto-update of apps in Vivo V-Appstore

How to install Kaspersky apps from APK files

First, you need to download the APK files from your My Kaspersky account or from our website by following the corresponding link:

Your device may warn you that the file isn’t safe to download. If this happens, confirm your action by tapping Keep or Download.

Once the download is complete, go to My files → Downloads, and tap the downloaded file. When installing it, you’ll need to allow installation of unknown apps from a new source. Here’s how to do it: Go to Settings → Apps → Additional → Special app access → Install unknown apps, find your browser in the list, and toggle the switch “Allow app installs” to On. That done, the Kaspersky app will continue to install. See here for more detailed instructions.

Granting permission to install unknown apps from Google Chrome

After installing our apps, make sure to turn this feature Off, since it can pose a security risk and so should only be used when absolutely necessary. To find out why we insist on this, see this Kaspersky Daily post.

How to buy a Premium subscription in your Kaspersky app

You can buy a subscription — for example, Kaspersky Premium — directly in the app itself. To do this, navigate to Profile, and under the Kaspersky Free icon tap Let’s go. Then select one of the three subscription tiers — Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium and the number of devices you want to protect, and check out.

How to activate an existing license in your Kaspersky app

If you installed any of our apps from an alternative store or from an APK file over one already installed from Google Play, there’s no need to reactivate your license.

If you bought a Kaspersky app on Google Play and connected it to your My Kaspersky account, but then uninstalled it and downloaded a new one from an APK file or an alternative store, your previously purchased license will work without any problems. See our detailed activation instructions.

If you uninstalled a Kaspersky app that was purchased from Google Play but not connected to your My Kaspersky account, then installed a new one according to the instructions in this post, please contact technical support to reactivate your license. They’ll be happy to assist.

If you have a license for multiple devices, the easiest way to activate apps on additional devices is to install them using the links in My Kaspersky — this way they’ll be activated automatically. You can also install Kaspersky apps from an alternative store or APK file as described above, and follow the instructions to activate the license.

Kaspersky official blog – Read More

InvisibleFerret Malware: Technical Analysis

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.

Recently, during October and November, we observed a rise in North Korean activity employing a well-known and distinctive technique: staging job interview processes to spread multiple malware families.

This signature technique was previously used to distribute QRLog and Docks/RustDoor, and is now delivering BeaverTail and InvisibleFerret. In this first article, we will conduct a technical dissection of the latter.

InvisibleFerret actively seeks source code, wallets, and sensitive files

The Beaver

These malicious components do not simply appear randomly among the files of questionable pirated software, lying in wait for their victim. Instead, they are part of an organized effort targeting the technological, financial, and cryptocurrency sectors, with developers as the primary focus. By staging fake job interviews, threat actors aim to spread malware disguised either as coding challenges (or their dependencies) or video call software, in a campaign now known as Contagious Interview or DevPopper.

One of the implants distributed is BeaverTail, a stealer and loader written in obfuscated JavaScript and delivered as an NPM module. While not the focus of this article, BeaverTail downloads a customized portable Python environment (“p.zip”) and later deploys InvisibleFerret as its next stage, which is the main subject of this research.

BeaverTail targets major browsers such as Opera, Brave, and Chrome, seeking user and add-on data

The Ferrets

InvisibleFerret is a Python-based malware that, at first glance, shows a disorganized structure and unnecessary escaping sequences, giving a glimpse of what lies ahead if we dare to explore the code further. A quick look reveals a compact initialization of hardcoded constants used to install dependencies via pip, which are later reused multiple times throughout its execution.

InvisibleFerret’s code is messy, with over 100 functions adding to its complexity

As expected from malware of its kind, InvisibleFerret does not generate an output trail or a logfile of its actions. Its silent nature, combined with a somewhat difficult-to-read codebase, led me to add verbosity to its functions and expand some of its compressed syntax and overly compact one-liners for better readability, creating PrettyVisibleFerret. This version is more talkative and easier to read for everyone, but still executes malicious instructions and should be handled with care.

PrettyVisibleFerret running on ANY.RUN showing exfiltrated information in real-time

After submitting the malware for analysis to ANY.RUN’s Interactive Sandbox, the first thing this mischievous ferret attempts is to gather basic information about the victim, such as geolocation — by querying legitimate services like ip-api.com (commonly used by other malware and even drainers like “ETH Polygon BNB”) — as well as system details like OS release, version, hostname, and username, before finally generating a unique ID.

Outgoing HTTP connections to ip-api.com and the C2 server on an unusual port are shown in ANY.RUN

After the /keys endpoint is accessed, the ferret jumps to the next C2 server in the infection chain, registering the host by its name and tagging it based on its OS.

Outgoing HTTP connections to both C2 servers captured by ANY.RUN

Our host is now registered within the adversary infrastructure, but before continuing along the infection chain and following the white ferret, let’s review the traffic and noise generated so far.

Up to this point, most of the traffic is legitimate, either originating from the package manager pip — even if invoked by the malware itself — or directed to legitimate services like ip-api. However, we can observe three streams to two C2 servers using ports 1244 and 1245, which are correctly flagged as ‘unusual’ by ANY.RUN.

As seen in ANY.RUN, initial traffic targets legitimate sources with 3 streams connecting to 2 C2 servers

Aside from the unusual port, there’s another interesting yet careless detail: the Python package ‘requests’ is using its default User-Agent (python-requests/2.25.1 in this case), making it easier to dissect the traffic, narrow down destinations, and map the adversary’s infrastructure.

Legitimate traffic blends with malicious requests, all generated by the same script

What happens next is better understood by examining the code rather than dry-running the sample in a sandbox filled with placebo files. We’ll let the simulation run and return later to gather indicators and behaviors.

Be advised: much of this malware is held together by sticks and mud, so expect confusing and poor practices, such as ‘obfuscating’ C2 addresses within a sliced Base64-encoded string.

The careless use of Base64 obfuscation makes it trivial to decode and retrieve C2 server addresses

The Session class implements FTP as one of its exfiltration methods, relying on the Python ftplib package. If the package is not found, it attempts to install it. Once again, the exfiltration host is poorly hidden in plain sight within a Base64-encoded string.
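A static helper for the Base64 trick described in the last two paragraphs, added here as an example rather than code from the sample or from ANY.RUN. It parses a Python source file with the standard `ast` module, constant-folds string literals that are concatenated or sliced (the reassembly the article describes), and reports any folded value that Base64-decodes to a URL or an IP:port pair. The embedded sample is constructed to mimic the obfuscation style; it is parsed, never executed, and its addresses come from the RFC 5737 documentation ranges, not from the real campaign.

```python
import ast
import base64
import binascii
import re

# Constructed sample in the style the article describes: the C2 address is
# Base64-encoded and reassembled from slices at runtime. It is only parsed.
SAMPLE_SOURCE = '''
import base64
_a = "aHR0cDovLzE5OC41MS"
_b = "4xMDAuMjM6MTI0NA=="
c2 = base64.b64decode(_a + _b).decode()
ftp_blob = "zzzzMjAzLjAuMTEzLjk6MjE="
ftp_host = base64.b64decode(ftp_blob[4:]).decode()
note = "aGVsbG8gd29ybGQ="
key = "G01d*8@("
'''

_UNFOLDABLE = object()


def _slice_bound(node):
    """Constant int (or absent bound) for one slice component, else _UNFOLDABLE."""
    if node is None:
        return None
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant) and isinstance(node.operand.value, int)):
        return -node.operand.value
    return _UNFOLDABLE


def fold_string(node, env):
    """Evaluate node to a str if it is built only from string literals, names bound
    to such strings, '+' concatenation and constant slices; otherwise return None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return env.get(node.id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = fold_string(node.left, env), fold_string(node.right, env)
        return left + right if left is not None and right is not None else None
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice):
        base = fold_string(node.value, env)
        bounds = [_slice_bound(b) for b in (node.slice.lower, node.slice.upper, node.slice.step)]
        if base is not None and _UNFOLDABLE not in bounds:
            try:
                return base[slice(*bounds)]
            except ValueError:          # e.g. a zero step
                return None
    return None


_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64_text(text):
    """Decode text as Base64 when it is well-formed and yields printable ASCII."""
    if len(text) < 8 or len(text) % 4 or not _B64_RE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.isprintable() else None


_ENDPOINT_RE = re.compile(r"(?:https?|ftp)://\S+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def find_hidden_endpoints(source):
    """Return sorted, de-duplicated network endpoints hidden in Base64 in `source`."""
    tree = ast.parse(source)
    env = {}
    # Bind module-level assignments first so later expressions can resolve names.
    for stmt in tree.body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            value = fold_string(stmt.value, env)
            if value is not None:
                env[stmt.targets[0].id] = value
    hits = set()
    for node in ast.walk(tree):
        text = fold_string(node, env)
        decoded = decode_if_base64_text(text) if text else None
        if decoded:
            hits.update(m.group(0) for m in _ENDPOINT_RE.finditer(decoded))
    return sorted(hits)


if __name__ == "__main__":
    for endpoint in find_hidden_endpoints(SAMPLE_SOURCE):
        print("hidden endpoint:", endpoint)
```

The folder only resolves names assigned at module level and only handles concatenation and slicing, which is exactly what a sample "held together by sticks and mud" tends to use; anything it cannot fold is simply skipped rather than guessed, so a clean run on a script reports endpoints without executing a line of it.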

Python imports are scattered throughout the code, loaded as needed rather than grouped at the top

The ferret then moves on to assess what to steal, declaring five extensive arrays: some designed to list extensions, files, directories, and patterns to ignore, and others specifying what to target.

Targets source code and sensitive files, suggesting corporate espionage

The Shell class implements new and dangerous methods that allow our fluffy adversary to run arbitrary commands sent by the attacker and to download and execute a subsequent stage of the infection chain.

Functions for downloading and executing the next stage adapting to the host OS

Remember ftplib? It comes into play again in the o_ftp method, which opens FTP connections. Meanwhile, the ssh_upload method handles the data exfiltration process.

Functions for preparing and exfiltrating data

This process — defined by the method storbin — is somewhat complex. Files with specific extensions, such as compressed files or virtual machine disk files, are sent directly to the server via the FTP STOR command. Other files are obfuscated using XOR with a specific key before being transferred to the server. While not a robust encryption method, this technique adds a basic layer of protection.

The key “G01d*8@(” is used on files not matching the extensions
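For an incident responder who has carved an upload from a capture of the FTP STOR traffic, the XOR step is reversible with the key quoted above. The following Python is an added example (not code from the sample or from ANY.RUN): it assumes the same repeating-key XOR over the whole file that the article describes, and since the article does not reproduce the extension list that storbin uploads unobfuscated, the set of archive and disk-image extensions below is an illustrative placeholder.

```python
import os

# Key quoted in the article for files that storbin obfuscates before upload.
XOR_KEY = b"G01d*8@("

# The article says archives and VM disk images are uploaded without XOR but does
# not list the extensions; this set is an illustrative placeholder.
RAW_UPLOAD_EXTENSIONS = {".zip", ".7z", ".rar", ".vmdk", ".vdi", ".ova"}


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR each byte with the repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_sent_raw(filename: str) -> bool:
    """Files storbin would STOR unchanged (judged by extension) need no decoding."""
    return os.path.splitext(filename.lower())[1] in RAW_UPLOAD_EXTENSIONS


def recover_exfiltrated_file(filename: str, wire_bytes: bytes) -> bytes:
    """Reverse the transfer-time obfuscation of a payload carved from an FTP STOR stream."""
    return wire_bytes if is_sent_raw(filename) else xor_with_key(wire_bytes)


# Constructed sample: a .env file with placeholder secrets, as it would look on the wire.
SECRET_ENV = b"DB_PASSWORD=placeholder\nAWS_SECRET_ACCESS_KEY=placeholder\n"
WIRE_BYTES = xor_with_key(SECRET_ENV)

if __name__ == "__main__":
    print("on the wire:", WIRE_BYTES[:16].hex())
    print("recovered  :", recover_exfiltrated_file(".env", WIRE_BYTES).decode())
```

Because the key repeats every eight bytes, any eight bytes of known plaintext (a file header, a common first line) reveal the whole key even without the article's value, which is why repeating-key XOR offers the victim's data no real protection and offers the responder an easy way back to what was taken.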

Files are compressed using py7zr in 7z format (on Windows) or zip format with pyzipper (on Unix), with the password defaulting to ‘2024’ if none is provided.

‘2024’ is not a compliant password

Finally, down_any and ssh_any download and execute AnyDesk, legitimate remote desktop software, to establish persistence.

AnyDesk is downloaded directly from the adversary’s infrastructure

Two notable mentions are the ssh_env function, responsible for detecting the running OS and mapping points of interest in the corresponding file system: Documents and Downloads on Windows and /Volumes, /home, and /vol on Unix;

Documents, Downloads, home folders and volumes are targets

and the ssh_kill one, which kills Google Chrome and Brave browser processes.

Terminates browser processes on both Windows and Unix

However, this tricky ferret doesn’t stop there—it has more in store for the victim’s browsers. After identifying the local browser, it defines specific paths to extract user data, such as profiles, cookies, credentials, and browsing history. Dedicated classes are implemented for Chrome, Chromium, Opera, Brave, Edge, and Vivaldi.

Browser data exfiltration routines for multiple vendors

A set of browser extensions is targeted to exfiltrate their data, primarily crypto exchange and wallet extensions like MetaMask, multi-factor authentication apps like Google Authenticator, and password managers like 1Password.

This function targets a large number of extensions

Telegram is also used as an exfiltration channel for files, directly invoking the Bot API sendDocument endpoint. Since the connection and queries are handled entirely locally, PrettyVisibleFerret can reveal the Chat ID and Bot Secret Token used, enabling interaction with the bot and potentially reconfiguring or shutting it down through @BotFather, Telegram’s Bot Manager.

PrettyVisibleFerret discloses the received Telegram Bot token

On Windows systems, the ferret imports (or attempts to install if missing) pywin32 (provides Windows API access), psutil (used to retrieve system information and manage processes), pyWinhook (a library for keyboard and mouse event handling), and pyperclip (used to manage the clipboard). The last two are pretty self-explanatory.

Pyperclip is specifically used to monitor clipboard changes and exfiltrate its content. This is useful to capture passwords, keys and other secrets.

All clipboard changes within 50ms will be copied and exfiltrated using a custom format

PyHook is used to hook into the Windows operating system to capture user input events, monitoring both the keyboard (keystrokes) and the mouse.

Keylogger implementation using pyHook to capture keystrokes and clipboard events

And so the code reaches its EOF. Let’s return to the simulation to examine the resulting IOCs and see what conclusions we can draw from them.

Chasing a Ferret: IOCs & TTPs

This playful threat left quite a mess, so let’s summarize the indicators gathered so far. Remember that the earlier stage, BeaverTail, downloads a portable Python runtime (‘p.zip’) from the /pdown endpoint to run InvisibleFerret, meaning indicators from that activity are also included.

  • SHA256: 47830f7007b4317dc8ce1b16f3ae79f9f7e964db456c34e00473fba94bb713eb
  • SHA256: 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0
  • Filename: p.zip
  • IPv4: 147[.]124[.]214[.]129
  • IPv4: 173[.]211[.]106[.]101
  • URL: http://147[.]124[.]214[.]129:1244
  • URL: http://147[.]124[.]214[.]129:1244/keys
  • URL: http://147[.]124[.]214[.]129:1244/pdown
  • URL: http://173[.]211[.]106[.]101:1245
  • URL: http://173[.]211[.]106[.]101:1245/brow
  • URL: http://173[.]211[.]106[.]101:1245/bow
  • URL: http://173[.]211[.]106[.]101:1245/adc

These indicators can be observed in action in ANY.RUN’s timeline, which lays out the malware’s activity step by step.

ANY.RUN’s timeline provides a detailed view of malware behavior, highlighting key actions

As previously discussed, not every queried IP or downloaded file is inherently malicious, even if retrieved by malware. Many are legitimate packages, dependencies, or services that benefit the broader community but are sometimes misused by bad actors. We can’t label a tool or artifact as an Indicator of Compromise simply because it’s used by malicious actors.

However, we can trace behaviors, such as “this bad actor uses this API to geolocate victims” or “this actor frequently relies on this remote desktop solution for persistence”. These behaviors are the essence of TTPs: Tactics, Techniques, and Procedures—essentially, how an actor operates and achieves its objectives.

ANY.RUN maps IOCs to techniques used by InvisibleFerret

Contextualizing these threats helps researchers and the broader community standardize threat behaviors, improving their understanding and making collaboration more effective. For example, a threat actor (or malware) querying ip-api to geolocate a victim and another one using a different service for the same purpose both fall under the T1016 technique, “System Network Configuration Discovery”, in general terms. While their actions at a more specific level are classified as Procedures, grouping them under a shared taxonomy significantly reduces information fragmentation and organizes data in a structured manner.

With proper context, a query to ip-api.com becomes T1016

The same applies to the other behaviors discussed in this article, such as using an unusual port to connect to a service. These actions fall under T1571, regardless of the specific port, protocol, or direction used.

As before, adding context to an unusual connection renders T1571

ANY.RUN’s direct integration with the MITRE ATT&CK Matrix simplifies the TTP mapping process by assembling it in real time.
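The two mappings discussed above (an ip-api.com lookup rendered as T1016, a connection on an unusual port rendered as T1571) can be applied mechanically to an indicator list like the one given earlier. The following is an added example, not ANY.RUN's code: it refangs the defanged indicators, splits out host, port and path, and tags each URL with the ATT&CK technique IDs named in the text. The list of "standard" ports and of geolocation services, and the benign example.com entry, are assumptions chosen for the demo; the 147.124.214.129 and 173.211.106.101 entries are taken from the IOC list above.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the indicators listed earlier, plus one geolocation
# lookup and one benign-looking URL so the classifier has negatives to handle.
RAW_IOCS = [
    "URL:http://147[.]124[.]214[.]129:1244/pdown",
    "URL:http://173[.]211[.]106[.]101:1245/brow",
    "IPV4:147[.]124[.]214[.]129",
    "URL:http://ip-api[.]com/json",
    "URL:https://example[.]com/",
]

# Ports treated as ordinary web traffic (assumption for this demo).
STANDARD_PORTS = {80, 443}
# Public IP-geolocation services; ip-api.com is the one named on the page.
GEOLOCATION_HOSTS = {"ip-api.com", "ipinfo.io", "ifconfig.me"}


def refang(value):
    """Undo common defanging: 1[.]2[.]3[.]4, example(.)com, hxxp://."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value)


def parse_ioc(line):
    """Turn 'TYPE:value' into a record tagged with ATT&CK technique IDs."""
    kind, _, value = line.partition(":")
    value = refang(value.strip())
    rec = {"type": kind, "value": value, "techniques": []}
    if kind == "URL":
        parts = urlsplit(value)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        rec.update(host=parts.hostname, port=port, path=parts.path)
        if port not in STANDARD_PORTS:
            rec["techniques"].append("T1571")  # Non-Standard Port
        if parts.hostname in GEOLOCATION_HOSTS:
            rec["techniques"].append("T1016")  # System Network Configuration Discovery
    elif kind == "IPV4":
        rec["host"] = value
    return rec


def summarize(lines):
    """Map technique ID -> sorted hosts observed using it."""
    out = {}
    for rec in map(parse_ioc, lines):
        for tid in rec["techniques"]:
            out.setdefault(tid, set()).add(rec["host"])
    return {tid: sorted(hosts) for tid, hosts in sorted(out.items())}


if __name__ == "__main__":
    for rec in map(parse_ioc, RAW_IOCS):
        print(rec)
    print(summarize(RAW_IOCS))
```

The technique tag is attached to the behaviour (port, service queried), not to the address, which is the distinction the text draws between an IOC and a TTP: the IP can be rotated tomorrow, the habit of using port 1244/1245 and ip-api.com is what a hunt should key on.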

That said, I think we’ve had enough playtime with our pet—it’s time to put the ferret back in its cage.

Ferret Fever

These campaigns involve large investments not only in infrastructure and human resources but also in developing quite convincing scenarios, like a fake job interview where you are asked to run a coding challenge or download a meeting software, which may seem completely normal if you don’t overthink it.

Always double-check job offers, don’t run software from unknown origins on your company equipment, stay safe out there, and whatever your situation is, don’t befriend ferrets, invisible or pretty visible ones alike.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Get a 14-day free trial to test all features of ANY.RUN’s Interactive Sandbox →

The post InvisibleFerret Malware: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.


Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users


Overview

Mozilla products, including the popular Mozilla Firefox and Thunderbird, have been found to contain multiple vulnerabilities that could allow attackers to execute arbitrary code, cause system instability, and even gain escalated privileges. The severity of these issues is high, and they affect both desktop and mobile versions of Mozilla’s browser and email client.

The Indian Computer Emergency Response Team (CERT-In) reported these Mozilla vulnerabilities in an advisory published on January 20, 2025, with patches already available in recent updates. Users and organizations relying on Mozilla Firefox, Mozilla Thunderbird, and their extended support release (ESR) versions are advised to take immediate action to mitigate risks.

The Mozilla vulnerabilities are present in several versions of Mozilla Firefox and Thunderbird, specifically:

  • Mozilla Firefox versions prior to 134
  • Mozilla Firefox ESR versions prior to 128.6
  • Mozilla Firefox ESR versions prior to 115.19
  • Mozilla Thunderbird versions prior to 134
  • Mozilla Thunderbird ESR versions prior to 128.6
  • Mozilla Thunderbird ESR versions prior to 115.19

The issues are critical for both individual users and enterprises using these open-source applications for browsing and communication. Users should ensure they have the latest updates installed to avoid potential exploits.

Overview of the Mozilla Vulnerabilities

A range of vulnerabilities has been identified in Mozilla Firefox and Thunderbird, with the potential to allow attackers to perform actions such as remote code execution (RCE), denial of service (DoS), bypass of security restrictions, or spoofing of browser UI elements. Mozilla has provided security patches in version 134 of Firefox and Thunderbird, as well as in the ESR releases 128.6 and 115.19. These issues are significant because a remote attacker needs no prior access to the target: it is enough for the victim to load attacker-controlled content, such as a web page or an email rendered by the client.

Vulnerabilities in Mozilla Firefox and Thunderbird have been classified with high and moderate severity levels, as attackers could gain unauthorized access to sensitive information, execute arbitrary code, or disrupt normal system operations. The full exploitation of these vulnerabilities may result in system instability or a complete compromise of the affected device.

Key Vulnerabilities

Several vulnerabilities have been identified and addressed across Mozilla Firefox and Thunderbird. Below are some of the notable issues that have been fixed in the latest updates:

  1. CVE-2025-0244: Address Bar Spoofing in Firefox for Android
    • Impact: High
    • Description: This vulnerability allowed an attacker to spoof the address bar in Firefox for Android when redirecting to an invalid protocol scheme. This could mislead users into believing they were on a legitimate site, facilitating phishing and other malicious activities.
    • Note: This issue only affected Android.

  2. CVE-2025-0245: Lock Screen Setting Bypass in Firefox Focus for Android
    • Impact: Moderate
    • Description: A flaw in Firefox Focus allowed attackers to bypass user authentication settings for the lock screen, potentially giving unauthorized individuals access to the application.

  3. CVE-2025-0237: WebChannel API Vulnerability
    • Impact: Moderate
    • Description: The WebChannel API, used to transport information across processes in Firefox and Thunderbird, accepted the principal supplied by the sender instead of checking the actual sending principal. This could lead to privilege escalation, allowing attackers to perform actions with higher privileges than intended.

  4. CVE-2025-0239: Memory Corruption via JavaScript Text Segmentation
    • Impact: Moderate
    • Description: A flaw in how Firefox and Thunderbird handled JavaScript text segmentation could cause memory corruption, which might lead to crashes or, in some cases, the execution of arbitrary code.

  5. CVE-2025-0242: Memory Safety Bugs
    • Impact: High
    • Description: Several memory safety bugs were discovered in both Firefox and Thunderbird that showed evidence of memory corruption. If exploited, these bugs could allow remote attackers to execute arbitrary code, compromising system security.
    • Fixed in: Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, Thunderbird 128.6

These vulnerabilities in Mozilla products are part of a broader set of security flaws that the Mozilla team has identified and addressed. The vulnerabilities affect multiple platforms, including desktop and mobile versions, and may result in severe security breaches if not patched.

Recommendations for Users

Given the potential impact of these Mozilla vulnerabilities, it is crucial for all users to update their systems to the latest versions of Mozilla Firefox or Thunderbird. The updates, which are available for both standard and ESR releases, fix critical security flaws and improve overall system stability. Additionally, users are advised to consider the following precautions:

  • Ensure that Mozilla Firefox and Thunderbird are updated to versions 134 or higher, or to the appropriate ESR releases (128.6 or 115.19).
  • Keep an eye on system behavior for signs of malicious exploitation, such as unexpected crashes or unauthorized access.
  • For those using Mozilla Firefox or Thunderbird in a business environment, enforce the update through managed deployment policies; multifactor authentication and similar account controls limit what a stolen credential is worth but do not stop code execution from these flaws, so they complement patching rather than replace it.

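Checking a fleet against the three fixed release lines above is a small version-comparison task that is easy to get wrong, because a 128.x or 115.x ESR build is not "older" than 134 in the sense that matters. The following is an added example, not Cyble's or Mozilla's code: it classifies a reported Firefox or Thunderbird version string by release line and decides whether it meets the minimum fixed version named in the advisory. The inventory records are constructed; the minimums 134, 128.6 and 115.19 are the ones stated on the page.

```python
import re

# Minimum fixed version per release line, from the advisory text above.
FIXED = {
    "rapid": (134, 0),    # regular Firefox / Thunderbird releases
    "esr128": (128, 6),   # ESR 128 line
    "esr115": (115, 19),  # ESR 115 line
}


def parse_version(text):
    """'128.5.1esr' -> (128, 5, 1); trailing tags like 'esr' are ignored."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums[:3])


def release_line(version):
    """ESR lines are keyed by major version; everything else is rapid."""
    major = version[0]
    if major == 128:
        return "esr128"
    if major == 115:
        return "esr115"
    return "rapid"


def is_patched(version_text):
    """True if the version meets the advisory minimum for its release line."""
    version = parse_version(version_text)
    line = release_line(version)
    # Compare (major, minor) only; patch-level digits never lower a fixed line.
    return version[:2] >= FIXED[line]


def needs_update(inventory):
    """Return hosts whose Firefox/Thunderbird build is below the fixed version."""
    return sorted(host for host, product, ver in inventory if not is_patched(ver))


# Constructed inventory records: (host, product, reported version).
INVENTORY = [
    ("ws-01", "firefox", "134.0"),
    ("ws-02", "firefox", "133.0.3"),
    ("ws-03", "firefox", "128.6.0esr"),
    ("ws-04", "firefox", "128.5.2esr"),
    ("ws-05", "thunderbird", "115.19.0esr"),
    ("ws-06", "thunderbird", "115.18.0esr"),
    ("ws-07", "firefox", "127.0"),
]

if __name__ == "__main__":
    print("hosts needing update:", needs_update(INVENTORY))
```

Note that a 127.x build lands in the rapid line and is flagged, which is correct: it predates both ESR 128 and the fixed rapid release, so it carries none of the fixes.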
Without the proper patches, attackers can exploit Mozilla Firefox vulnerabilities to gain access to sensitive data, compromise user systems, and cause severe disruptions. Memory corruption issues, such as those reported in CVE-2025-0242, could lead to remote code execution, allowing attackers to hijack user systems or deploy malware. Furthermore, flaws like CVE-2025-0244 could facilitate phishing campaigns by spoofing URLs in the address bar, tricking users into visiting malicious websites.

Conclusion

Mozilla has released important security fixes for vulnerabilities in Mozilla Firefox and Mozilla Thunderbird that affect a wide range of users. These vulnerabilities, which could lead to arbitrary code execution, denial of service, or privilege escalation, are present in older versions of the software. Users are strongly advised to upgrade to the latest versions to protect against potential exploitation. Additionally, by applying recommended mitigations and staying informed about the latest security updates, users can better protect their systems from cyber threats.

To protect online systems against these vulnerabilities, Cyble, an award-winning cybersecurity firm, offers advanced, AI-powered cybersecurity solutions. With platforms like Cyble Vision, businesses can leverage real-time threat detection and actionable insights to mitigate risks from these vulnerabilities, including Mozilla vulnerabilities. Cyble’s comprehensive suite of tools, including vulnerability management, dark web monitoring, and brand intelligence, helps organizations proactively address security gaps. By integrating Cyble’s threat intelligence, companies can enhance their defenses and better protect against cyberattacks.

For more information on how Cyble can help protect your systems, schedule a personalized demo and see how AI-driven solutions can strengthen your cybersecurity strategy.

The post Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users appeared first on Cyble.
