Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Software. Show all posts

Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended




Cisco has issued a security warning about a newly identified vulnerability in its IOS XR Software. This security flaw, labeled CVE-2025-20138, has been rated 8.8 on the CVSS scale, meaning it poses a major risk to affected devices.


What Is the Problem?

The issue is found in the Command Line Interface (CLI) of Cisco’s IOS XR Software. If an attacker gains access to a system with limited user privileges, they can exploit this weakness to execute commands with the highest level of control. This would allow them to make major modifications to the system, potentially leading to severe security threats.

The root of the problem is improper validation of user inputs in certain CLI commands. Because the system does not correctly filter these inputs, attackers can manipulate it using carefully crafted commands. If successful, they can obtain full administrative access, giving them total control over the device.


Who Is Affected?

This vulnerability affects all configurations of Cisco IOS XR 64-bit Software. Users should check Cisco’s official security advisory to confirm if their specific version is vulnerable.

However, some Cisco software versions are confirmed to be unaffected, including:

IOS Software

IOS XE Software

IOS XR 32-bit Software

NX-OS Software

No Quick Fixes—Users Must Update Their Software

Cisco has stated that there are no temporary solutions or workarounds for this security flaw. The only way to protect affected systems is to install the latest software updates provided by Cisco.

The company has outlined which versions require updates:

1. Users running Cisco IOS XR Software Release 24.1 or earlier need to switch to a patched version.

2. Those using Release 24.2 should upgrade to version 24.2.21 when it becomes available.

3. Users on Release 24.3 must transition to a secure version.

Release 24.4 is not affected by this issue.

As of now, there have been no reports of hackers exploiting this flaw. However, because of the severity of the issue, users should not delay in updating their devices.

Cisco is urging all users running affected versions of IOS XR Software to review the security advisory and apply the necessary updates as soon as possible. Keeping software up to date is the only way to ensure systems remain protected from potential cyber threats.

North Korea-Linked Hackers Target Crypto with RustDoor and Koi Stealer

 


A significant amount of malware has become a common threat to Mac OS systems in today’s rapidly developing threat landscape. The majority of these threats are associated with cybercriminal activities, including the theft of data and the mining of cryptocurrencies without consent. As of recently, cybercrime operations have been attributed to groups of advanced persistent threat (APT) groups that are sponsored by the North Korean government. 

In addition to this trend, the Federal Bureau of Investigation (FBI) recently issued a public service announcement regarding North Korean social engineering campaigns. In many of these attacks, deceptive tactics are used to manipulate victims into divulging sensitive information or allowing access to the system. This type of attack is usually carried out using deceptive tactics. As such, there have been increasing numbers of such incidents targeting software developers within the cryptocurrency industry, specifically those seeking employment opportunities, in a growing number of such incidents. 

In my view, these sophisticated cyber threats, originating from North Korean threat actors, demonstrate the persistence and evolution of these threats. Known as CL-STA-240, or Contagious Interview, the cyber campaign aims to infiltrate macOS systems with advanced malware strains, including RustDoor and Koi Stealer. It is known that these malicious programs have been specifically designed to exfiltrate sensitive data and can use sophisticated techniques to avoid detection within the macOS environment while doing so. As a result of this campaign's technical proficiency, it reinforces the fact that threats targeting the Apple ecosystem are becoming increasingly complex as time passes. 

he threat actors responsible for this operation are utilizing social engineering as a primary attack vector. By impersonating recruiters or potential employers, they can trick job seekers, especially those working in the cryptocurrency industry, into installing the compromised software unintentionally. It is through this deceptive strategy that attackers can gain access to critical data while maintaining operational stealth. 

These manipulative strategies are becoming increasingly popular, highlighting the persistent threat that state-sponsored cybercriminal groups, especially those linked to North Korea, continue to pose as they continue to refine their methods to exploit human vulnerability to continue their operation. In the course of this cyber campaign, researchers have revealed that Rust-based malware, referred to as RustDoor, is hiding inside legitimate software updates to evade detection. In addition, researchers have discovered that there was an undocumented macOS variant of the Koi Stealer malware that has been discovered for the first time in recent years. 


A recent investigation uncovered rare techniques for evasion, including manipulating macOS system components to conceal their presence and remain undetected. These sophisticated tactics underscore the increasing sophistication of threats aimed at Mac OS. In the past year, several reports have linked North Korean threat actors to cyberattacks targeting job seekers, which are based on the characteristics and methodologies observed in this campaign. 

According to the available evidence, analysts can rely on a moderate degree of confidence that this attack was carried out to further North Korean state-sponsored cyber objectives. By using social engineering to target job seekers, these adversaries are further proving that they are involved in an extensive pattern of attacks. An in-depth technical analysis of the recently identified Koi Stealer macOS variant was performed in this research, which provides an in-depth picture of the attackers’ activities in compromised environments. 

In addition, Cortex XDR is used to examine the various stages of the attack to provide an understanding of the investigation. A suite of advanced security solutions offered by Palo Alto Networks, an established leader in network security solutions, helps Palo Alto Networks' customers protect themselves from these evolving threats, including applications such as: Two products offer enhanced detection and responding capabilities - Cortex XDR and XSIAM. Computer-based security services for firewalls, such as Advanced WildFire, Advanced DNS Security, and Advanced URL Filtering that provide proactive defense against malicious activities. 

The use of these security solutions can help organizations greatly strengthen their defenses against RustDoor, Koi Stealer, and similar malware threats targeting MacOS environments. Often, victims are tricked into downloading malware disguised as legitimate software development tools in the form of fake job interviews associated with this campaign, which results in the infection process starting with a fake job interview. The attackers were particularly noteworthy for using malicious Visual Studio projects, which is a strategy previously documented in similar cyber campaigns analyzed by Jamf Threat Labs. 

When the RustDoor malware is executed, it establishes persistence within the system and attempts to exfiltrate sensitive user information, which is one of the first steps toward completing its operations. Researchers have discovered that the threat actors have attempted to execute several variants of the malware throughout the investigation. As a result of this adaptive behavior, it appears to me that attackers are continuously adapting their approach in response to security controls and detection mechanisms in place.

According to security researchers, when the Cortex XDR was blocked for the initial attempt at infiltration, adversaries quickly tried to re-deploy and execute additional malware payloads to circumvent detection by redeploying and executing additional malware payloads. RustDoor Infection Stages An infection process that involves two RustDoor binaries being executed in hidden system directories to avoid detection of the malware is the process by which the RustDoor malware operates. 

Another stage involves the deployment of additional payloads, such as a reverse shell, that allows attackers to gain remote access. Several sensitive data sets were stolen, and the attackers specifically targeted credentials stored in web browsers, such as LastPass data from Google Chrome, as well as exfiltrating the information into command and control servers under their control. As part of this campaign, it was discovered that an IP address known as 31.41.244[.]92 has previously been used to conduct cybercriminal activities. This was one of our most significant findings. 

The threat has also been associated with the RedLine Stealer infostealer campaign, which further reinforces the sophisticated nature of the ongoing threats that have been identified. The second malware strain identified, Koi Stealer, possesses advanced data exfiltration capabilities, as compared to the previously undocumented macOS variant. According to this discovery, it is clear that macOS-targeted malware continues to evolve and that robust cybersecurity measures are necessary to mitigate the risks posed by these sophisticated threats and help to minimize incidents. 


As a result of the Koi Stealer malware, a run-time string decryption mechanism is utilized by it. Throughout the binary code, there is a single function that is repeatedly invoked. In the decryption function, each character of a hard-coded key (xRdEh3f6g1qxTxsCfg1d30W66JuUgQvVti) is iterated sequentially from index 0 to index 33 and the XOR operation is applied between the key’s characters and the encrypted string's characters, in a way that is applied sequentially. 

To get a better understanding of how Koi Stealer behaves, researchers developed a custom decryption program that replicates the malware's logic to gain insight into the malware's behavior, along with the techniques it uses to disguise its true functionality. Using the same decryption routine, analysts were able to extract and analyze the decrypted strings with success, allowing a more comprehensive understanding of the malware’s capabilities and objectives. There are significant similarities between the code structure and execution flow of different versions of Koi Stealer, as shown by a comparison between the various variants. 

Each variant of malware was designed consistently to steal data. Each category of stolen information was contained within separate functions within each variant. This modular design indicates that the malware has been developed in a structured and organized manner, further proving its sophistication. Besides targeting common types of information stealers, Koi Stealer also has a specific interest in specific directories and configurations that are not commonly found in the information stealer world. 

Interestingly, both of the analyzed samples actively target user data from Steam and Discord, which indicates a deep interest in credentials related to gaming platforms and communication platforms. A wide range of targeted data demonstrates how versatile the malware is and how it is capable of being exploited for a wider range of purposes than traditional financial or credential thefts. The detailed breakdown of the notable decrypted strings and the additional technical findings found in Appendix C provides further insight into Koi Stealer's internal operations and goals, as well as providing additional insight into the company's internal operations.

FBI Warns: ‘Ghost’ Ransomware Is Spreading— Here’s How to Stay Safe

 


The Federal Bureau of Investigation (FBI) has released an urgent alert about a growing cyber threat known as Ghost ransomware. This group has been attacking various organizations across more than 70 countries, locking victims out of their own systems and demanding payment to restore access. In response, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have advised businesses and individuals to back up their data and strengthen their cybersecurity measures to prevent potential attacks.  


Who Is Behind the Ghost Ransomware?  

The Ghost ransomware group is a team of cybercriminals that use ransomware to encrypt data, making it unusable unless a ransom is paid. Unlike other hacking groups that trick people into clicking on harmful links or sharing personal information (phishing attacks), Ghost takes a different approach. They exploit security flaws in outdated software and hardware to break into systems without needing victims to take any action.  

Cybersecurity experts believe that Ghost operates from China and has used multiple names over time, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. These different names suggest the group has been active for a long time and may have carried out various attacks under different identities.  


How Does Ghost Ransomware Work?  

Since early 2021, Ghost ransomware has been targeting systems with outdated software and firmware. The hackers search for weaknesses in these systems and use publicly available hacking tools to gain access and install ransomware. Once inside, they encrypt important files and demand payment to unlock them.  

The FBI has identified several ransomware files linked to Ghost, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These files have been used to lock data in critical industries such as healthcare, education, government services, manufacturing, technology, and small businesses. The impact has been severe, affecting essential services and causing financial losses.  


How to Stay Protected from Ghost Ransomware

The FBI has recommended several security steps to reduce the risk of being attacked:  

1. Create Secure Backups: Keep offline backups of important data so that even if ransomware encrypts your files, you can restore them without paying a ransom. Many organizations that had proper backups were able to recover quickly.  

2. Update Software and Firmware: Hackers often target outdated programs with security flaws. Ensure that your operating system, applications, and firmware are regularly updated with the latest security patches.  

3. Recognize Cyber Threats: While Ghost does not typically use phishing, it is still essential to train employees and individuals to identify suspicious activity and avoid downloading unknown files or clicking on unverified links.  

4. Monitor Network Activity: Keep an eye on unusual behavior in your network, such as unexpected logins, file modifications, or unauthorized access. Detecting an attack early can help prevent major damage.  


Cyber threats like Ghost ransomware continue to evolve, but staying informed and taking these preventive measures can help reduce the risk of falling victim to an attack. The FBI urges everyone to act now and secure their data before it’s too late.


US Defense Industry Targeted in Infostealer Malware Campaign

 


Several major defence contractors, such as Lockheed Martin, Boeing, and Honeywell, as well as the United States Army, and Navy, and several major defence contractors have been recently revealed to be infected with the Infostealer malware, according to Hudson Rock's recent report. This alarming discovery emphasizes the increasing threats critical national security institutions face due to cybersecurity threats. The report shows that U.S. military agencies have been significantly impacted by these infections. 

The U.S. Army has reported infections among 71 employees, while the U.S. Navy has reported infections among 30 employees, and an additional 551 users have been infected. It has also been reported that the Federal Bureau of Investigation (FBI) has been affected, with 24 employees and 26 users affected. This raises concerns about the possible risk of exposure to sensitive law enforcement and intelligence data, as well. 

Further, the report highlights the extent to which cybersecurity breaches have occurred within the defence contracting industry as a whole. One of the most prominent defence contractors in the country, Lockheed Martin, reported that 55 employees and 96 users had been infected with the virus. Boeing, another major player in the defence industry, reported that 66 employees and 114 users had been infected with the virus. 

Honeywell seems to have the most severe case, as there have been a substantial number of infected employees and 472 infected users. One of the most concerning revelations of the report was the ease at which cybercriminals can steal data. Several illicit cyber marketplaces are offering sensitive data such as login credentials, classified access points, and other sensitive data for purchase for as little as $10, according to an investigation conducted by the FBI.

These findings raise serious national security concerns, as they suggest that adversarial entities could exploit these vulnerabilities and gain unauthorized access to critical defence and intelligence networks that are critical to the nation's security. Infostealer malware is becoming increasingly common in the military and defence sectors, which highlights the urgent need to strengthen cybersecurity measures. This report serves as a stark reminder of how cyber threats are evolving and the need to take proactive measures to safeguard sensitive information from governmental agencies and defence companies. 

Several users affiliated with six major defence contractors are infected with Infostealer malware: Lockheed Martin, BAE Systems, Boeing, Honeywell, L3 Harris, and Leidos. As a result of these companies' efforts, advanced military technology, such as warships, fighter jets, and other critical defence systems, is being developed and manufactured. 

The government's contract with Lockheed Martin will award it $5 billion alone in 2024, which shows that Lockheed Martin is a key player in the defence industry in the United States. Malware infections have exposed corporate credentials in various ways, raising concerns regarding the security of corporate data in general. The firm discovered that 472 third-party corporate credentials were compromised, including those linked to essential enterprise applications such as Cisco, SAP Integrations, and Microsoft systems used by defence contractors. 

Cybercriminals are increasingly targeting supply chain vendors as businesses, government agencies, and organizations become more interconnected as a result of cybercrime. In light of this growing vulnerability, it is clear that an adversary could have access to stolen credentials to breach the supply chain of a defence contractor if they intended to do so. Honeywell's infrastructure was one of the most vulnerable places in the world, which revealed significant security vulnerabilities. According to researchers, Honeywell's internal systems, including the company's intranet, Active Directory Federation Services login, and Identity and Access Management system, had been compromised for several reasons. 

Honeywell employees and employees connected to the company were identified as infected three times over the past decade. An especially concerning case occurred when a single compromised employee was found to have 56 corporate credentials to Honeywell's internal systems, as well as 45 additional credentials from third parties. 

In light of this level of access, unauthorized access to sensitive systems can be scaled up, highlighting the need for strengthened cybersecurity measures, which have become increasingly important in the defence sector due to the growing number of cyber threats. The threat of exploitation of sensitive military and corporate data becomes more sophisticated as time passes, so users must prioritize the protection of these data to prevent further exploitation. 

Having Infostealer malware present within a defence organization raises serious security concerns since each infected employee represents one possible weak point in critical operations within the military and intelligence communities. There is no doubt that these individuals could range from engineers building advanced military artificial intelligence systems to procurement officers who handle classified contracts to defence analysts who have access to mission-critical data. 

As a result of compromised credentials, not only can their login information be exposed, but their entire digital footprint can also be compromised. Several factors could have contributed to further security breaches, such as browsing history, autofill data, internal documents, and session cookies that allow users access to sensitive applications. According to cybersecurity experts, such thefts of data pose a serious national security threat, and they warn against them. 

It is believed by Thomas Richards, a principal consultant at Black Duck, that adversaries could exploit the stolen credentials to gain unauthorized access to highly secure networks so that they could move laterally within the system and compromise additional personnel and infrastructure, allowing them to reach further into the network. If such a breach occurs, affected users should reset their passwords immediately. A comprehensive forensic investigation should be conducted to assess the extent of the compromise and determine whether unauthorized access to classified information has occurred. 

Information stealer computers can be infected by a wide range of sources, making them an extremely persistent and widespread threat to the computer community. A phishing attack, a drive-by download from a compromised website, and even applications that look legitimate, such as an unsuspicious meeting program, are the most frequent sources of these infections. Further, there is a growing awareness that cybercriminals are spreading malware via misleading Google Adwords, YouTube video descriptions, and even pirated software in addition to malicious Google Adwords. According to a recent study, millions of computers have been infected with infostealer malware, emphasizing the urgent need to enhance security measures across critical industries. 

A spokesperson for Hudson Rock, Alon Gal, says that Infostealer malware has infected employees at major U.S. defence contractors as well as the U.S. Army and Navy, as well as government agencies like the FBI and GAO. The threat of cybercriminals targeting individual computers for as little as $10 poses a serious threat to investigative and cybersecurity personnel, and they can be found online for as little as $10. By downloading modified game content, pirated software, or infected documents, employees inadvertently download malware, which is far more effective than using force to gain entry into networks. 

Infostealer malware exploits human error as opposed to forcing entry into networks. Upon entering the system, this malware extracts sensitive information silently, such as VPN credentials, authentication session cookies, e-mail login information, and access to internal development tools, as well as putting not only individual users at risk but also entire defence networks at risk. As well as identifying infections, cybersecurity experts emphasize the importance of addressing how these threats penetrate in users' system. 

Roger Grimes, a cybersecurity expert at KnowBe4, argues that Infostealers are secondary problems—what matters is their initial access, whether it be social engineering, unpatched software, or outdated firmware. Organizations that fail to address these entry points risk much more than a theft of credentials, which is why proactive cybersecurity defences are essential for national security protection.

Chinese Spies Allegedly Engaged in Ransomware Operations

 


Backed by the Chinese government, a cyber-espionage group has been observed engaging in ransomware-related activities as part of its intelligence activities. Further, this observation demonstrates how nation-state cyber operations and financially motivated cybercrimes have become increasingly convergent as a result of financial incentives. 

In late November 2024, Symantec's research team observed that threat actors infiltrated a medium-sized software and services company in South Asia by exploiting a critical authentication bypass vulnerability (CVE-2024-0012) in Palo Alto Network's security systems to gain access to its databases. Several days after the initial compromise, the attackers obtained administrative credentials from the company's intranet, and this gave them access to the Veeam server. 

Upon discovering the AWS S3 credentials on the server, they discovered that data management tools like Veeam are often using these credentials to facilitate access to cloud storage accounts through the use of cloud storage tools. It is believed that these credentials were used by the attackers to gain access to the company's sensitive data stored in an S3 buckettoo to encrypt its Windows-based systems with RA World ransomware. At first, the attackers demanded a ransom of $2 million but offered a $1 million reduction if the ransom was paid within three days. 

Cybersecurity professionals are becoming increasingly concerned about the increasing intersection between state-sponsored cyberespionage, as well as traditional cybercriminal tactics, which further complicates the task of attribution of threat information and developing defense strategies against it. In addition to a legitimate Toshiba executable, which has been deployed on the victims' computers to facilitate DLL sideloading, the threat actors have also used a legitimate Toshiba executable to implement a DLL sideload. The PlugX backdoor is the result of this technique.

It is heavily obfuscated and contains the backdoor, Korplug. It has been previously reported by Symantec that the custom PlugX backdoor you see here has been associated with Mustang Panda (also known as Earth Preta), a Chinese espionage group that is believed to have been used for economic purposes. However, this specific variant has never been associated with non-Chinese threat actors. 

There are four government ministries involved in Southeast Asian countries from differing nations: the foreign ministry of one country in the region, the government of another Southeastern European country, a telecommunications operator from the region, and two other government ministries involved in different Southeast Asian nations. These intrusions are all related to espionage, all of which are driven by espionage purposes.

A Symantec analysis indicates, however, that the same toolset was employed in a November 2024 extortion attempt targeting a medium-sized software and services company based in South Asia, as well. In this case, the attacker leveraged the Toshiba executable to sideload the malicious DLL, which had the same PlugX variant as used in earlier espionage attacks, to install the malicious DLL. As a result, the victim's systems were infected with the ransomware known as RA World, which marked a shift in cyber-espionage towards financial extortion, as opposed to traditional cyber-espionage.

Several cyber-espionage groups allegedly backed by the Chinese government have been observed participating in ransomware activities, thus emphasizing how nation-state cyber operations and financially motivated cybercrime are becoming increasingly intertwined. In a report released by Symantec in late November 2024, a research team uncovered that threat actors successfully infiltrated a medium-sized software and services company in South Asia by exploiting a critical authentication bypass vulnerability found in Palo Alto Networks' security system (CVE-2024-0012).

Aside from stealing administrative credentials from the company's intranet following the initial compromise, the attackers were able to gain access to the Veeam server via the exfiltration of administrative credentials from the company's intranet. They found AWS S3 credentials on this server that are commonly used to facilitate access to cloud storage accounts by data management tools like Veeam. 

Using these credentials, the attackers were able to access sensitive data stored in S3 buckets of the company's servers before encrypting the Windows-based systems with the RA World ransomware. As a first response, the attackers initially demanded a ransom of $2 million. However, if the ransom was paid within three days, they reduced the amount to $1 million. Cybersecurity professionals are becoming increasingly concerned about the increasing intersection between state-sponsored cyberespionage, as well as traditional cybercriminal tactics, which further complicates the task of attribution of threat information and developing defense strategies against it. 

In the latest RA World ransomware attack, Bronze Starlight (also known as Emperor Dragonfly) has been identified as a possible source of the attack, a Chinese-based threat group previously linked with numerous ransomware attacks, including LockFile, AtomSilo, and NightSky. There was also evidence that the attackers used NPS, a proxy tool developed in China and previously associated with Bronze Starlight, which further strengthened the connection between the attackers and Bronze Starlight. 

A group whose mission is to provide espionage services is typically not involved in financially motivated cybercrime on a large scale. However, the possibility that this group may be involved in ransomware operations raises serious concerns. As one theory suggests, the ransomware deployment may have been an attempt to distract from the true espionage objectives of the operation, to obscure these objectives. Despite this, this theory fails to hold water due to the absence of sophisticated concealment techniques as well as the fact that it targets a non-strategic company. 

Several cybersecurity experts have suggested that the most likely explanation is that either one or more individuals in the group are seeking to profit financially from the espionage tools and infrastructure they already have. The same pattern has also been observed by other threat actor groups, in which members repurpose advanced cyber capabilities for their benefit. Even though cyber threats continue to evolve, some lines continue to blur between state-sponsored cyber operations and financially driven cybercrime.

In the case of the RA World ransomware attack, Bronze Starlight (also known as Emperor Dragonfly) has been linked with the attack, which is an established China-based cyber threat group. In the past, this group was responsible for distributing LockFile, AtomSilo, and NightSky ransomware. Moreover, the ransomware operation was also accompanied by the use of NPS, a proxy tool developed by the Chinese government and previously employed by Bronze Starlight, further suggesting a connection between the ransomware operation and the group. Even though the possibility of Bronze Starlight being associated with RA World ransomware raises several concerns, it is unlikely that espionage-focused threat actors will engage in financially motivated cybercrime. 

Ransomware deployments are thought to serve as diversionary tactics that may hide the underlying espionage objectives that are driving the operation. Despite this, the fact that the espionage tools were obfuscated in a way that is not sophisticated and that the company targeted was not a strategic company casts doubt on this hypothesis. Experts in the field of cyber security propose a more plausible explanation for the attack: an individual or a small faction in the threat group aims to gain financial gain through the use of tools and infrastructure that were originally designed to conduct espionage operations during the attack. 

Observations have been made of the same pattern by other cyber threat groups, where members repurpose their skills and access to advanced cyber capabilities for their benefit. State-sponsored cyber operations have been converged with traditional cybercrime for some time, making it more difficult to attribute and mitigate threats of this kind. The analysis conducted by Symantec suggests that the RA World ransomware attack was likely perpetrated by a single individual, likely due to his or her desire to generate personal financial gain by impersonating their employer's operations to exploit the cyber assets of the company. 

Symantec points out several inconsistencies with the alternative theory that the ransomware deployment was merely a decoy of a broader espionage campaign, stating that it may have been a decoy. There was no strategic significance for the target, no effort was put into concealing the attacker's actions, and evidence was found to be that the attacker was actively negotiating with the victim regarding a ransom payment, indicating there was more to it than just a distraction involving financial gain. 

The Symantec report also points out that Chinese cyber-espionage groups usually work together very closely and share resources, so direct involvement in ransomware attacks is an anomaly. This tactic has been observed by North Korean state-sponsored cyber actors in the past, so strategies within the threat landscape may be evolving in the future.

XE Group Rebrands Its Cybercrime Strategy by Targeting Supply Chains

 


Over the past decade, there has been a rise in the number of cyber threats targeting the country, including the XE Group, a hacker collective with Vietnamese connections. According to recent investigations, the group was responsible for exploiting two zero-day vulnerabilities in VeraCore's warehouse management platform, CVE-2025-25181 and CVE-2025-57968 known to be zero-day vulnerabilities. 

A suite of reverse shells and web shells that exploit these vulnerabilities were deployed by the adversaries, allowing them to gain remote access to targeted systems in covert ways. This development is an indication of the group's sophisticated cyber-attack techniques. Identified as CVE-2024-57968, the vulnerability is a critical upload validation vulnerability with a CVSS score of 9.9, affecting versions before 2024.4.2.1, and can allow adversaries to upload files into non-intended directories, which could result in unauthorized access to the files. 

Adventure VeraCore up to version 2025.1.0 is vulnerable to SQL injection flaw CVE-2025-25181, which could be exploited remotely to execute arbitrary SQL commands through the remote execution of SQL commands. In addition to the XE Group's past association with credit card fraud, their focus has now switched to targeted data theft, particularly within manufacturing and distribution organizations. 

Several recent attacks have been perpetrated by threat actors who exploited VeraCore security issues to install Web Shells, which allowed them to execute various malicious activities and remain persistent within compromised environments while they executed their malicious activities. The group's continued sophistication and adaptability in the cyber threat landscape is reflected in this recent report, which details a compromise of a Microsoft Internet Information Services (IIS) server where VeraCore's warehouse management system software is hosted, and it indicates the company's growing sophistication. 

Upon further analysis of this incident, it was discovered that the initial breach occurred in January 2020 as a result of a zero-day vulnerability in SQL injection. It is speculated that As a result of this exploitation, The XE Group deployed customized web shells, which researchers have described as very versatile tools that are designed to maintain persistent access inside victim environments as well as run SQL queries regarding those environments.

As an example, in the case of the compromised IIS server, the attackers reactivated a web shell that was planted four years earlier, showing that they have retained a foothold in the infrastructure targeted by them for many years. Security vendors have been warning that the XE Group is actively targeting supply chains in the manufacturing and distribution sectors. Though the group has historically been associated with extensive credit card skimming operations, it has recently gained a reputation for exploiting zero-day vulnerabilities to do more damage. 

According to researchers, the group's continued ability to adapt and increase sophistication underscores the group's ability to remain agile and sophisticated over the years. The reactivation of an older web shell indicates the group's strategic focus on achieving long-term operational objectives by maintaining long-term access to compromised systems. 

To enhance the threat investigation process, the rules have been designed to be compatible with several SIEM (Security Information and Event Management) systems, Endpoint Detection and Response systems (EDR), and Data Lake solutions aligned with the MITRE ATT&CK framework. There is a variety of metadata that is accessible in each rule, including references to cyber threat intelligence, attack timelines, triage recommendations, and audit configurations, guaranteeing that security analysis has a structured approach. 

Additionally, SOC Prime's Uncoder AI (Artificial Intelligence) capabilities enable the quick development of custom IOC-based queries that will be seamlessly integrated with SIEM and EDR platforms, thus eliminating the need for security professionals to manually search for indicators of compromise (IOCs). Intezer's analysis of XE Group activity and SOC Prime's Uncoder AI were used to achieve this.

As an alternative to the corporate-only service offered previously by Uncoder AI, customers can now benefit from Uncoder AI's full suite of capabilities, which enhances accessibility for independent risk analysis performed by individual researchers. As a consequence of the XE Group's adoption of zero-day exploits as part of their attack strategy, it became increasingly clear that adversarial techniques are becoming more sophisticated and adaptable, making it necessary to enter into proactive defence measures as soon as possible.

SOC Prime Platform is a scalable tool designed to assist organizations in enhancing their security posture, countering evolving threats effectively, and mitigating risks associated with adding more attack surfaces in an increasingly complex cyber landscape by utilizing the tools provided by the platform. The XE Group has exploited two zero-day VeraCore vulnerabilities, CVE-2025-25181 and CVE-2025-50308, in recent attacks in an attempt to deploy one or more web shells on compromised systems. 

These two vulnerabilities are critical upload validation flaws (CVSS 9.9) and SQL injection flaws (CVSS 5.7), respectively. In a report published jointly by Solis and Intezer, the researchers reported that the group exploited one of these vulnerabilities as early as January 2020 and maintained persistent access to the victim's environment for several years afterwards. There was an attempt in 2024 by some threat actors to reactivate a previously deployed web shell, demonstrating their ability to avoid detection while maintaining long-term access to compromised systems as they remain undetected. 

XE Group's evolving tactics come as part of a broader trend that threats are exploring the software supply chain as a way to achieve their goals. Some notable precedents include the SolarWinds attack, breaches into Progress Software's MOVEit file transfer product, an Okta intrusion that affected all customers, and an Accellion breach that enabled ransomware to be deployed on an organization's network.

Cyber Threats in Hong Kong Hit Five-Year Peak with AI’s Growing Influence

 




Hong Kong experienced a record surge in cyberattacks last year, marking the highest number of incidents in five years. Hackers are increasingly using artificial intelligence (AI) to strengthen their methods, according to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT).

The agency reported a spike of 12,536 cybersecurity incidents in 2024, a dramatic increase of 62% from 7,752 cases in 2023. Phishing attacks dominated these incidents, with cases more than doubling from 3,752 in 2023 to 7,811 last year.

AI is aiding in improving phishing campaign effectiveness. Attackers can now use AI tools to create extremely realistic fake emails and websites that even the most skeptical eye cannot easily distinguish from their legitimate counterparts.

Alex Chan Chung-man, a digital transformation leader at HKCERT, commented that phishing attacks targeted the majority of cases for banking, financial, and payment systems, almost 25% of the total cases. Social media, including WhatsApp and messaging apps, was another main target, 22% of the total cases.

AI allows scammers to create flawless phishing messages and generate fake website links that mimic trusted services," Chan explained. This efficiency has led to a sharp rise in phishing links, with over 48,000 malicious URLs identified last year—an increase of 1.5 times compared to 2023.

Hackers are also targeting other essential services such as healthcare and utilities. A notable case involved Union Hospital in Tai Wai, which suffered a ransomware attack. In this case, cybercriminals used a malware called "LockBit" to demand a $10 million ransom. The hospital did not comply with the ransom demand but the incident illustrates the risks critical infrastructure providers face.

Third-party vendors involved with critical sectors are emerging vulnerabilities for hackers to exploit. Leaks through such third-party partners have the potential to cause heavy damages, ranging from legal to reputation-related.


New Risk: Electronic Sign Boards

Digital signboards, once left unattended, are now being targeted by hackers. According to HKCERT, 40% of companies have not risk-assessed these systems. These displays can easily be hijacked through USB devices or wireless connections and display malicious or inappropriate content.  

Though Hong Kong has not been attacked this way, such attacks in other countries indicate a new threat.


Prevention for Businesses

HKCERT advises organizations to take the following measures against these threats:  

  1. Change passwords regularly and use multi-factor authentication.  
  2. Regularly backup important data to avoid loss.  
  3. Update software regularly to patch security vulnerabilities.

Chan emphasized that AI-driven threats will develop their methods, and thus robust cybersecurity practices are needed to protect sensitive data and infrastructure.




New Variant of Banshee Stealer Targets macOS with Enhanced Evasion Tactics

 




Cybersecurity researchers have identified a dangerous new version of Banshee Stealer, a sophisticated malware specifically targeting macOS users. This updated strain is designed to bypass antivirus defenses and steal sensitive data from millions of macOS devices.

Originally detected in August 2024, Banshee Stealer was offered as malware-as-a-service (MaaS) to cybercriminals for $3,000 per month. Its capabilities included:
  • Data Theft: Stealing browser data, cryptocurrency wallet credentials, and specific file types.
The malware's source code was leaked in late 2024, briefly halting its spread. However, security experts have now discovered ongoing campaigns distributing an updated and more powerful version.

The latest version of Banshee Stealer, uncovered in September 2024, is being spread through:
  • Phishing Websites: Fake websites impersonating legitimate services to trick users into downloading the malware.
  • Fake GitHub Repositories: Malicious repositories posing as popular software like Google Chrome, Telegram, and TradingView.
Additionally, cybercriminals are simultaneously deploying another malware called Lumma Stealer to target Windows systems, signaling a broader, cross-platform attack strategy.

Key Enhancements in the Updated Version

The new variant of Banshee Stealer features several dangerous improvements:
  1. Advanced Encryption: Incorporates sophisticated encryption methods inspired by Apple's XProtect to evade detection by security tools.
  2. Expanded Targeting: Previously restricted from targeting Russian-language systems, this limitation has been removed, broadening the malware's victim pool.
  3. Social Engineering Tactics: The malware disguises itself as software updates or legitimate applications, increasing its chances of tricking users into installing it.

Related Threats on Other Platforms

Beyond Banshee Stealer, other malware families like Nova Stealer and Hexon Stealer are exploiting social engineering techniques on platforms such as Discord. Attackers lure users with fake promises of the latest video game versions, aiming to steal Discord credentials and access linked accounts for further exploitation.

To mitigate the risk of infection, users should adopt the following cybersecurity practices:
  • Download from Trusted Sources: Always install software from official and reputable platforms.
  • Exercise Caution with Links: Avoid clicking on suspicious links or accepting unsolicited invitations, particularly on social platforms like Discord.
  • Keep Security Software Updated: Regularly update antivirus and security tools to guard against the latest threats.
The resurgence of Banshee Stealer underscores the need for continuous vigilance in cybersecurity. Cybercriminals are constantly evolving their methods, blending technical exploits with social engineering to target both human and system vulnerabilities. Staying informed and cautious remains the most effective defense against such sophisticated attacks.

3 Critical Apache Flaws Discovered: Users Should Update to Avoid Major Risks

3 Critical Apache Flaws Discovered: Users Should Update to Avoid Major Risks

Experts find critical flaws 

The Cyber Security Agency of Singapore has issued warning against three critical flaws in Apache software products. The Apache Software Foundation has released security patches to address these vulnerabilities, which can cause risk to users and organizations using these tools. The three critical vulnerabilities are CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046. 

About CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046 

Out of the affected Apache vulnerabilities, CVE-204-43441 impacts Apache HugeGraph-Server, a graph database server commonly used to deal with complex data relationships. This flaw lets hackers escape security checks, giving unauthorized access to data. Exploiting this flaw can allow threat actors to get entry to restricted systems without needing credentials.

The second flaw, CVE-2024-45387, has been found in Apache Traffic Control, a famous tool for optimizing and managing content delivery networks (CDNs). The flaw only affects Traffic Ops, an important part of Apache Traffic Control. Hackers can misuse this vulnerability to launch SQL injection attacks to modify databases, causing modification or unauthorized data access.

The third flaw, CVE-2024-52046, was found in a network application framework Apache MINA used for various applications. The vulnerability comes from the mishandling of Java’s deserialization protocol, allowing threat actors to send modified serialized data.

“By exploiting this issue, attackers could execute remote code on affected systems, which may result in full system compromise. This vulnerability affects Apache MINA versions before 2.0.27, 2.1.10, and 2.24. The exploitation of this flaw could lead to remote code execution (RCE) attacks, posing a serious risk to users of affected versions,” reports the Cyber Express.

How to address these critical flaws

According to Cyber Express, users and administrators of Apache HugeGraph-Server should upgrade to version 1.5.0 or above to protect themselves against CVE-2024-43441. This update resolves the authentication bypass issue, preventing unauthorized users from gaining access to systems. 

To defend against the SQL injection vulnerability, CVE-2024-45387 in Apache Traffic Control requires users to update to versions higher than 8.0.1. Failure to implement this patch may expose users to data modification or leakage. 

However, CVE-2024-52046 in Apache MINA needs more research. Besides the newest versions (2.0.27, 2.1.10, or 2.24), administrators must take additional precautions to reduce the dangers associated with unbounded deserialization. 

Hidden Dangers in Third-Party Supply Chain

 


A supply chain attack refers to any cyberattack targeting a third-party vendor within an organization's supply chain. Historically, these attacks have exploited trust relationships, aiming to breach larger organizations by compromising smaller, less secure suppliers.

The Growing Threat of Software Supply Chain Attacks

While traditional supply chain attacks remain a concern, the software supply chain poses an even greater threat. Modern development practices rely heavily on third-party components, including APIs, open-source software, and proprietary products, creating vulnerabilities across multiple systems.

In the event of a security breach, the integrity of these systems can be compromised. A recent study highlights that many vulnerabilities in digital systems go unnoticed, exposing businesses to significant risks. Increased reliance on third-party software and complex supply chains has expanded the threat landscape beyond internal assets to external dependencies.

Key Findings from the 2024 State of External Exposure Management Report

The 2024 State of External Exposure Management Report underscores several critical vulnerabilities:

  • Web Servers: Web server environments are among the most vulnerable assets, accounting for 34% of severe issues across surveyed assets. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server host more severe issues than 54 other environments combined.
  • Cryptographic Protocols: Vulnerabilities in protocols like TLS (Transport Layer Security) and HTTPS contribute to 15% of severe issues on the attack surface. These protocols, essential for secure communication, often lack proper encryption, making them a significant security concern.
  • Web Application Firewalls (WAFs): Only half of the web interfaces handling personally identifiable information (PII) are protected by a WAF. Moreover, 60% of interfaces exposing PII lack WAF coverage, increasing the risk of exploitation by cybercriminals.

Challenges in Vulnerability Management

Outdated vulnerability management approaches often leave assets exposed to increased risks. Organizations must adopt a proactive strategy to mitigate these threats, beginning with a thorough assessment of supply chain risks.

Steps to Secure the Supply Chain

  1. Assess Supplier Security Postures: Evaluate suppliers' data access and organizational impact, and categorize them into risk profiles based on vulnerability levels.
  2. Conduct Risk Assessments: Use questionnaires, on-site visits, and process reviews to identify weaknesses within the supply chain.
  3. Visualize Risks: Utilize interaction maps to gain a clearer understanding of supply chain vulnerabilities and develop a comprehensive security strategy addressing both physical and virtual risks.
  4. Collaborate with Leadership: Ensure senior leadership aligns security priorities to mitigate threats such as ransomware, data breaches, and sabotage.

Addressing Endpoint Vulnerabilities

With the rise of remote work, monitoring supplier endpoints has become critical. Risks such as device theft, data leaks, and shadow IT require proactive measures. While VPNs and virtual desktops are commonly used, they may fall short, necessitating continuous monitoring of telework environments.

Continuous Monitoring and Threat Management

Effective risk management requires continuous monitoring to protect critical assets and customer information. Organizations should prioritize advanced protective measures, including:

  • Threat Hunting: Identify potential breaches before they escalate, reducing the impact of cyberattacks.
  • Centralized Log Aggregation: Facilitate comprehensive analysis and anomaly detection through a unified system view.
  • Real-Time Monitoring: Enable swift response to security incidents, minimizing potential damage.

Building a Resilient Cybersecurity Framework

A robust, integrated risk monitoring strategy is essential for modern cybersecurity. By consolidating proactive practices into a cohesive framework, organizations can enhance visibility, close detection gaps, and fortify supply chains against sophisticated attacks. This approach fosters resilience and maintains trust in an increasingly complex digital landscape.

US Court Rules Against Tornado Cash Sanctions




A U.S. appeals court has ruled that the Treasury Department overstepped its authority when it imposed sanctions on the cryptocurrency mixer Tornado Cash in 2022. The department accused Tornado Cash of facilitating over $7 billion in the laundering of funds, a portion of which was reportedly linked to North Korean hackers. However, the court stated that the sanctions were not lawfully justified under federal law.


Tornado Cash is a cryptocurrency mixer—a type of software that anonymizes digital transactions. It helps users conceal the origin and ownership of their cryptocurrencies by pooling and shuffling deposits. The Treasury's Office of Foreign Assets Control (OFAC) has blacklisted Tornado Cash under the International Emergency Economic Powers Act (IEEPA), as it was alleged that it had been used for laundering cybercrime proceeds, among which is $455 million reportedly stolen by the Lazarus Group, a North Korean hacking group.


Court's Ruling and Key Arguments

This came about with a decision by a panel of three judges from the New Orleans 5th U.S. Circuit Court of Appeals. A spokesperson from the panel, Judge Don Willett, wrote, "The smart contracts forming Tornado Cash did not constitute 'property.'" Law puts the authorization of regulating the property to OFAC but held that because these were immutables and unchangeables, the codes could neither be owned nor controlled hence would exempt from sanctions.


The court acknowledged that the risks that technologies like Tornado Cash pose are legitimate, but it held that updating the law to address such issues is the job of Congress, not the judiciary.

The lawsuit challenging the sanctions was brought by six Tornado Cash users with the financial support of Coinbase, a major cryptocurrency exchange. The court's decision was called a "historic win for crypto and liberty" by Paul Grewal, Coinbase's chief legal officer. Coinbase had argued that sanctioning an entire technology could stifle innovation and harm privacy rights. 


Legal Troubles for Tornado Cash Developers

Despite the court ruling, there are still legal problems for those associated with Tornado Cash. In May, developer Alexey Pertsev was sentenced to over five years in prison in the Netherlands for money laundering. Founders of Tornado Cash, Roman Semenov and Roman Storm, are also charged with money laundering and sanctions violations in the United States.


The Bigger Picture 

This case, therefore, underlines the legal and ethical challenges of privacy-focused technologies such as cryptocurrency mixers. It also calls for updated regulations to balance innovation, privacy, and security in the digital age.


How OpenAI’s New AI Agents Are Shaping the Future of Coding

 


OpenAI is taking the challenge of bringing into existence the very first powerful AI agents designed specifically to revolutionise the future of software development. It became so advanced that it could interpret in plain language instructions and generate complex code, hoping to make it achievable to complete tasks that would take hours in only minutes. This is the biggest leap forward AI has had up to date, promising a future in which developers can have a more creative and less repetitive target while coding.

Transforming Software Development

These AI agents represent a major change in the type of programming that's created and implemented. Beyond typical coding assistants, which may use suggestions to complete lines, OpenAI's agents produce fully formed, functional code from scratch based on relatively simple user prompts. It is theoretically possible that developers could do their work more efficiently, automating repetitive coding and focusing more on innovation and problem solving on more complicated issues. The agents are, in effect, advanced assistants capable of doing more helpful things than the typical human assistant with anything from far more complex programming requirements.


Competition from OpenAI with Anthropic

As OpenAI makes its moves, it faces stiff competition from Anthropic-an AI company whose growth rate is rapidly taking over. Having developed the first released AI models focused on advancing coding, Anthropic continues to push OpenAI to even further refinement in their agents. This rivalry is more than a race between firms; it is infusing quick growth that works for the whole industry because both companies are setting new standards by working on AI-powered coding tools. As both compete, developers and users alike stand to benefit from the high-quality, innovative tools that will be implied from the given race.


Privacy and Security Issues

The AI agents also raise privacy issues. Concerns over the issue of data privacy and personal privacy arise if these agents can gain access to user devices. Secure integration of the agents will require utmost care because developers rely on the unassailability of their systems. Balancing AI's powerful benefits with needed security measures will be a key determinant of their success in adoption. Also, planning will be required for the integration of these agents into the current workflows without causing undue disruptions to the established standards and best practices in security coding.


Changing Market and Skills Environment

OpenAI and Anthropic are among the leaders in many of the changes that will remake both markets and skills in software engineering. As AI becomes more central to coding, this will change the industry and create new sorts of jobs as it requires the developer to adapt toward new tools and technologies. The extensive reliance on AI in code creation would also invite fresh investments in the tech sector and accelerate broadening the AI market.


The Future of AI in Coding

Rapidly evolving AI agents by OpenAI mark the opening of a new chapter for the intersection of AI and software development, promising to accelerate coding, making it faster, more efficient, and accessible to a wider audience of developers who will enjoy assisted coding towards self-writing complex instructions. The further development by OpenAI will most definitely continue to shape the future of this field, representing exciting opportunities and serious challenges capable of changing the face of software engineering in the foreseeable future.




Want to Make the Most of ChatGPT? Here Are Some Go-To Tips

 







Within a year and a half, ChatGPT has grown from an AI prototype to a broad productivity assistant, even sporting its text and code editor called Canvas. Soon, OpenAI will add direct web search capability to ChatGPT, putting the platform at the same table as Google's iconic search. With these fast updates, ChatGPT is now sporting quite a few features that may not be noticed at first glance but are deepening the user experience if one knows where to look.

This is the article that will teach you how to tap into ChatGPT, features from customization settings to unique prompting techniques, and not only five must-know tips will be useful in unlocking the full range of abilities of ChatGPT to any kind of task, small or big.


1. Rename Chats for Better Organisation

A new conversation with ChatGPT begins as a new thread, meaning that it will remember all details concerning that specific exchange but "forget" all the previous ones. This way, you can track the activities of current projects or specific topics because you can name your chats. The chat name that it might try to suggest is related to the flow of the conversation, and these are mostly overlooked contexts that users need to recall again. Renaming your conversations is one simple yet powerful means of staying organised if you rely on ChatGPT for various tasks.

To give a name to a conversation, tap the three dots next to the name in the sidebar. You can also archive older chats to remove them from the list without deleting them entirely, so you don't lose access to the conversations that are active.


2. Customise ChatGPT through Custom Instructions

Custom Instructions in ChatGPT is a chance to make your answers more specific to your needs because you will get to share your information and preferences with the AI. This is a two-stage personalization where you are explaining to ChatGPT what you want to know about yourself and, in addition, how you would like it to be returned. For instance, if you ask ChatGPT for coding advice several times a week, you can let the AI know what programming languages you are known in or would like to be instructed in so it can fine-tune the responses better. Or, you should be able to ask for ChatGPT to provide more verbose descriptions or to skip steps in order to make more intuitive knowledge of a topic.

To set up personal preferences, tap the profile icon on the upper right, and then from the menu, "Customise ChatGPT," and then fill out your preferences. Doing this will enable you to get responses tailored to your interests and requirements.


3. Choose the Right Model for Your Use

If you are a subscriber to ChatGPT Plus, you have access to one of several AI models each tailored to different tasks. The default model for most purposes is GPT-4-turbo (GPT-4o), which tends to strike the best balance between speed and functionality and even supports other additional features, including file uploads, web browsing, and dataset analysis.

However, other models are useful when one needs to describe a rather complex project with substantial planning. You may initiate a project using o1-preview that requires deep research and then shift the discussion to GPT-4-turbo to get quick responses. To switch models, you can click on the model dropdown at the top of your screen or type in a forward slash (/) in the chat box to get access to more available options including web browsing and image creation.


4. Look at what the GPT Store has available in the form of Mini-Apps

Custom GPTs, and the GPT Store enable "mini-applications" that are able to extend the functionality of the platform. The Custom GPTs all have some inbuilt prompts and workflows and sometimes even APIs to extend the AI capability of GPT. For instance, with Canva's GPT, you are able to create logos, social media posts, or presentations straight within the ChatGPT portal by linking up the Canva tool. That means you can co-create visual content with ChatGPT without having to leave the portal.

And if there are some prompts you often need to apply, or some dataset you upload most frequently, you can easily create your Custom GPT. This would be really helpful to handle recipes, keeping track of personal projects, create workflow shortcuts and much more. Go to the GPT Store by the "Explore GPTs" button in the sidebar. Your recent and custom GPTs will appear in the top tab, so find them easily and use them as necessary.


5. Manage Conversations with a Fresh Approach

For the best benefit of using ChatGPT, it is key to understand that every new conversation is an independent document with its "memory." It does recall enough from previous conversations, though generally speaking, its answers depend on what is being discussed in the immediate chat. This made chats on unrelated projects or topics best started anew for clarity.

For long-term projects, it might even be logical to go on with a single thread so that all relevant information is kept together. For unrelated topics, it might make more sense to start fresh each time to avoid confusion. Another way in which archiving or deleting conversations you no longer need can help free up your interface and make access to active threads easier is


What Makes AI Unique Compared to Other Software?

AI performs very differently from other software in that it responds dynamically, at times providing responses or "backtalk" and does not simply do what it is told to do. Such a property leads to some trial and error to obtain the desired output. For instance, one might prompt ChatGPT to review its own output as demonstrated by replacing single quote characters by double quote characters to generate more accurate results. This is similar to how a developer optimises an AI model, guiding ChatGPT to "think" through something in several steps.

ChatGPT Canvas and other features like Custom GPTs make the AI behave more like software in the classical sense—although, of course, with personality and learning. If ChatGPT continues to grow in this manner, features such as these may make most use cases easier and more delightful.

Following these five tips should help you make the most of ChatGPT as a productivity tool and keep pace with the latest developments. From renaming chats to playing around with Custom GPTs, all of them add to a richer and more customizable user experience.


Apache Addresses Severe RCE Vulnerability in OFBiz with an Urgent Patch

 


In a recent release, the Apache OFBiz project developers have been working on a patch to fix a new critical flaw of software that can be exploited by unauthenticated attackers to execute arbitrary code on the server. Considering that attackers are likely to exploit this vulnerability in real-world attacks, users are advised to deploy the patch as soon as possible to avoid falling victim to this vulnerability.

There was a high-severity vulnerability identified as CVE-2024-45195 (CVSS score: 7.5) affecting Apache OFBiz, a popular open-source business enterprise resource planning (ERP) system that is adapted from Apache OFBiz. In the field of enterprise process automation, Apache OFBiz® from the Apache Software Foundation consists of framework components and applications as well as a business process automation framework. 

This vulnerability is caused by Apache's OFBiz implementation of Direct Request ('Forced Browsing'). It has been found that all versions of the software before 18.12.16 are affected by this bug. The project maintainers have been working on CVE-2024-45195 for several months now to prevent the occurrence of a severe sequence of vulnerabilities, CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were already addressed by the project maintainers previously. 

CVE-2024-32113 and CVE-2024-38856, both of which appear to be exploited actively in the wild and the former of which is used to distribute the Mirai botnet malware, are exploited extensively. This was due to Rapid7's inability to desynchronize the controller state from the view map state, something that was never completely resolved in any of the patches that were released, but which led to all three of the earlier shortcomings. 

Because of the vulnerability, attackers may be able to exploit it to execute code, and SQL queries, and remotely execute the code without the need for authentication by exploiting it. This latest patch was put in place to validate that a view should allow anonymous access if a user is not authenticated (rather than performing authorization checks solely based on the target controller)." CVE-2024-38856 and CVE-2024-32113 are, in fact, critical vulnerabilities, and they've been actively targeted by attackers in the past few months. 

The Cybersecurity and Infrastructure Security Agency has listed them in its catalogue of Known Exploited Vulnerabilities in August. There has been speculation that companies can have a hard time resolving the underlying causes of vulnerabilities because of their size. Sometimes it is difficult to judge whether a patch will be effective until several researchers have tried bypassing it to test its effectiveness. It was Rapid7 that identified and reported the vulnerability, and they suggest that the three security defects are essentially the same bug because they are both caused by the same source code. 

In a report published in early May, CVE-2024-32113 was described as an issue in which a malicious user would be able to navigate through an unauthenticated controller and interact with an authenticated view map, granting them access to an admin-only view map or allowing them to execute SQL commands on it. It has been observed that there have been attempts to exploit people in July.  

A second vulnerability, CVE-2024-36104, which was disclosed in early June, was also explained as a path traversal vulnerability. There were multiple issues with the URI, including semicolons and URL-encoded periods that need to be removed. In early August, Apache drew attention to a vulnerability referred to as CVE-2024-38856. 

This has been described as a security flaw that could allow code execution due to an incorrect authorization. CISA, the United States Cyber Defense agency, announced that the bug had been added to its list of Known Exploited Vulnerabilities (KEVs) towards the end of August. Rapid7 said that all three issues are the result of controller-view map state fragmentation, which can occur when an application begins receiving URI patterns that are not expected. 

Assuming the root cause of the three vulnerabilities is the same, CVE-2024-38856 works on systems that are affected by CVE-2024-32113 and CVE-2024-36104, "since the payload for all three vulnerabilities is the same". There was a CVE-2024-32113 OFBiz vulnerability (patched in May) that was being exploited in attacks by hacker groups, just days after SonicWall researchers published detailed technical details on CVE-2024-38856, a bug involving pre-authentication RCE. 

CISA issued a warning regarding this CVE in early August. In addition to adding the two security bugs to its catalogue of actively exploited vulnerabilities, CISA also announced that federal agencies must patch their servers as soon as possible after the three-week deadline mandated by the binding operational directive (BOD 22-01) issued in November 2021. 

Even though BOD 22-01 only applies to agencies of the Federal Civilian Executive Branch (FCEB), the Center for Information Security and Assurance (CISA) is urging organizations to patch these security flaws immediately to prevent the onset of attacks against their networks. A public proof of concept exploit for OFBiz pre-authentication remote code execution vulnerability (CVE-2023-49070) was used in December to identify Confluence servers that were vulnerable to the exploit. 

The exploit was based on public proof of concept exploits. Having discovered that Emmons now had a new view map to abuse called XmlDsDump, he could query the underlying database for any data that may be available and then write the results to any file, anywhere on the disk, without any restrictions. 

Among the data displayed in this presentation could be hashed passwords of users defined in the system, which could then be cracked to reveal their passwords. As a result of this study, the researcher has taken it one step further by combining it with a script he discovered that was present in the system, named ViewDataFile.groovy, which could write files to disk from requests and used it to build a web shell that enabled remote code execution on the server using the script. 

In response to this flaw, OFBiz developers came up with a more comprehensive fix that does not rely only on non-centralized authorization checks on view maps anymore but also takes into account non-centralized authorization checks for target controllers for the view maps as well.

22,000 PyPI Packages Affected by Revival Hijack Supply-Chain Attack

 


It has been discovered that hackers can distribute malicious payloads easily and efficiently through the package repository on the PyPI website by using a simple and troublesome exploit. A JFrog security researcher has discovered a new supply chain attack technique using which they can attack PyPI repositories (Python Package Index) that can be used to hack them. 

Hundreds of thousands of software packages can potentially be affected by this attack technique and countless users could be affected as a result. A technique known as "Revival Hijack," exploits a policy loophole by which attackers may re-register the names of packages that have been removed from PyPI by their original developers and hijack the names themselves once the packages have been removed from PyPI. 

As part of an attack against the Python Package Index (PyPI) registry, a new supply chain attack technique has been uncovered in the wild, which is designed to infiltrate downstream organizations by exploiting the PyPI registry. There is an attack vector called "Revival Hijack" which involves the registration of a new project with a name that matches a package that has been removed from the PyPI platform which may then serve as an attack vector. 

If a threat actor manages to do this, then they will be able to distribute malicious code to developers who pull updates periodically. A software supply chain security firm named JFrog, which specializes in software supply chain security, has codenamed this attack method Revival Hijack, claiming to be able to hijack 22,000 existing PyPI packages, which in turn will result in hundreds of thousands of malicious packages being downloaded. 

There are more than 100,000 downloads or six months' worth of activity on the affected packages and are more susceptible to exploits. A very common technique used by Revival Hijack is to take advantage of the fact that victims are often unknowingly updating once-safe packages without being aware that they have been altered or compromised. Further, CI/CD machines are set up with a mechanism for automatically installing package updates so that they can be applied right away. 

A similar attack technique was discovered by Jfrog earlier this year, which is one of several different attacks that adversaries have been developing in recent years to try and sneak malware into enterprise environments using public code repositories like PyPI, npm, Maven Central, NuGet, and RubyGems, and to steal sensitive data. As a part of these attacks, popular repositories have often been cloned and infected, poisoning artifacts have been used, and leveraged leaked secrets such as private keys and database certificates have been revealed. 

According to JFrog researchers Brian Moussalli and Andrey Polkovnichenko, there is a much higher risk here than in previous software supply chain hacks that relied primarily on typosquatting and human error to distribute malicious code throughout software websites. When a developer decides to delete a project from PyPI, they are given a warning about the potential repercussions that may arise, including the Revival Hijack scenario that could occur. 

The dialogue warns that deleting this project will give the name of the project to anyone else who uses PyPI", so please refrain from doing so. In this scenario, the user will be able to issue new releases under the project name as long as the distribution files have not been renamed to match those from a previously released distribution. According to the motive of the attacker, the "Revival Hijack" attack vector can result in hundreds of thousands of increments as a result of the attack, depending on the motive. 

As far as exploiting this technique is concerned, it can be applied to exploiting abandoned package names to spread malware. Researchers observed this in action with the hijack of the "pingdomv3" package, which was detected by research teams. This package has been given the version number 0.0.0.1 to avoid a dependency confusion attack scenario, in which developer packages would be pulled by pip upgrade commands when they were run as a part of the upgrade process. 

In addition, it is worth noting that Revival Hijack has already been exploited in the wild, by an unknown threat actor called Jinnis who introduced a benign version of a package titled "pingdomv3" on March 30, 2024, just two days after the original package's owner (cheneyyan) removed it from PyPI. There has been a report that says the new developer has released an update containing a Base64-encoded payload, which checks for the presence of the "JENKINS_URL" environment variable, and if it exists, executes an unknown next-stage module retrieved from a remote server after checking for the appearance of the "JENKINS_URL." environment variable. 

Although JFrog proposed this precaution as a preventative measure, over the last three months it has received nearly 200,000 downloads both manually and automatically, proving that the Revival Hijack threat is very real, the security company announced. In making an analysis of this data, JFrog reported that there are outdated jobs and scripts out there that are still searching for the deleted packages, as well as users who manually downloaded these packages due to typosquatting. 

Depending on how the hijacked packages are hijacked, the adversaries may attach a high version number to each package, which will cause the CI/CD systems to automatically download the hijacked packages believing they are the latest version. This will ultimately cause a bug to develop, JFrog explained. As a result of the company's recommendation, PyPI has effectively prohibited the reuse of abandoned package names as well.

Some organizations use PyPI that need to be aware of this attack vector when updating to new versions of the package, JFrog warns. There is a non-public blacklist maintained by PyPI, which prevents certain names from being registered on new projects, but most deleted packages don't make it to that list because there is a non-public blacklist maintained by PyPI. It was due to this that the security firm took indirect measures to mitigate the "Revival Hijack" threat and added the most popular of the deleted and vulnerable packages to an account named security_holding under which they could be monitored. 

As a result of the researchers changing the version numbers of the abandoned packages to 0.0.0.1, they make sure that it does not affect active users while updating the packages. As a result, the package names are preserved and are not susceptible to theft by malicious actors who may want to use them for offensive purposes. The third month later, JFrog discovered that the packages in their repository seemed to have been downloaded by nearly 200,000 people due to automatic scripts or user errors. There are a lot more risks involved in "Revival Hijack" than the standard typosquatting attacks on PyPI. 

This is because users pulling updates for their selected projects for which they have permission do not make mistakes when doing so. It's best to mitigate this threat by utilizing package pinning to stay on a known secure version, verify the integrity of the package, audit its contents, and watch for any changes in package ownership or unusual updates.