
This Week in Cybersecurity: User Data Theft, AI-Driven Fraud, and System Vulnerabilities

 



This week brought several developments that underscore how cyber threats continue to affect individuals, corporations, and governments across the globe.

In the United States, federal records indicate that Customs and Border Protection is expanding its use of small surveillance drones, shifting from limited testing to routine deployment. These unmanned systems are expected to significantly widen the agency’s monitoring capabilities, with some operations extending beyond physical U.S. borders. At the same time, Immigration and Customs Enforcement is preparing to roll out a new cybersecurity contract that would increase digital monitoring of its workforce. This move aligns with broader government efforts to tighten internal controls amid growing concerns about leaks and internal opposition.

On the criminal front, a major data extortion case has emerged involving user records linked to PornHub, one of the world’s most visited adult platforms. A hacking group associated with a broader online collective claims to have obtained hundreds of millions of data entries tied to paid users. The stolen material reportedly includes account-linked browsing activity and email addresses. The company has stated that the data appears to originate from a third-party analytics service it previously relied on, meaning the exposed records may be several years old. While sensitive financial credentials were not reported as part of the breach, the attackers have allegedly attempted to pressure the company through extortion demands, raising concerns about how behavioral data can be weaponized even years after collection.

Geopolitical tensions also spilled into cyberspace this week. Venezuela’s state oil firm reported a cyber incident affecting its administrative systems, occurring shortly after U.S. authorities seized an oil tanker carrying Venezuelan crude. Officials in Caracas accused Washington of being behind the intrusion, framing it as part of a broader campaign targeting the country’s energy sector. Although the company said oil production continued, external reporting suggests that internal systems were temporarily disabled and shipping operations were disrupted. The U.S. government has not publicly accepted responsibility, and no independently verified technical evidence has been released.

In enterprise security, Cisco disclosed an actively exploited zero-day vulnerability affecting certain email security products used by organizations worldwide. Researchers confirmed that attackers had been abusing the flaw for weeks before public disclosure. The weakness exists within a specific email filtering feature and can allow unauthorized access under certain configurations. Cisco has not yet issued a patch but has advised customers to disable affected components as a temporary safeguard while remediation efforts continue.

Separately, two employees from cybersecurity firms admitted guilt in a ransomware operation, highlighting insider risk within the security industry itself. Court records show that the individuals used their professional expertise to carry out extortion attacks, including one case that resulted in a seven-figure ransom payment.

Together, these incidents reflect the expanding scope of cyber risk, spanning personal data privacy, national infrastructure, corporate security, and insider threats. Staying informed, verifying claims, and maintaining updated defenses remain essential in an increasingly complex digital environment.


Should You Still Trust Your Router? What Users Need to Know and How to Secure Home Wi-Fi Today

 



Public discussion in the United States has intensified around one of the country’s most widely purchased home router brands after reports suggested that federal agencies are considering restrictions on future sales. The conversation stems from concerns about potential national security risks and the possibility of foreign influence in hardware design or data handling. While the company firmly denies these allegations, the ongoing scrutiny has encouraged many users to reassess the safety of their home Wi-Fi setup and understand how to better protect their networks.


Why the issue surfaced

The debate began when officials started examining whether equipment manufactured by the company could expose American networks to security risks. Investigators reportedly focused on the firm’s origins and questioned whether foreign jurisdictions could exert influence over product development or data processes.

The company has rejected these claims, saying its design, security functions, and oversight structures operate independently and that its leadership teams within the United States manage core product decisions. It maintains that no government has the ability to access or manipulate its systems.


Common router vulnerabilities users should understand

Even without the broader policy debate, home routers are frequently targeted by attackers, often through well-known weaknesses:

Hardware-level risks. In rare cases, security issues can originate in the physical components themselves. Malicious implants or flawed chips can give attackers a hidden entry point that is difficult for users to detect without specialized tools.

Unpatched security gaps. Zero-day vulnerabilities are flaws discovered by attackers before the manufacturer has prepared a fix. Some older or discontinued models may never receive patches, leaving users exposed for the long term.

Outdated firmware. Firmware updates serve the same purpose as software updates on phones and computers. Without them, routers miss critical security improvements and remain vulnerable to known exploits.

Botnets. Compromised routers are often absorbed into large collections of infected devices. These groups of hijacked systems are then directed to launch attacks, spread malware, or steal information.

Weak login credentials. Many intrusions occur simply because users keep the default administrator username and password. Attackers run automated tools that test the most common combinations in an attempt to break in.

Exposed remote settings. Some routers allow remote control panels to be accessed from outside the home network. If these remain active or are protected with simple passwords, attackers can quietly enter the system.

Outdated Wi-Fi encryption. Older wireless standards are easy for attackers to crack. Weak encryption allows outsiders to intercept traffic or join the network without permission.


How to strengthen your home network today

Any user can substantially improve their router’s security by following a few essential steps:

1. Change default passwords immediately. Use strong, unique credentials for both the router’s control panel and the Wi-Fi network.

2. Check for firmware updates regularly. Install every available update. If your device no longer receives support, replacement is advisable.

3. Enable the built-in firewall. It acts as the first barrier between your home network and outside threats.

4. Turn off remote management features. Only leave such functions active if you clearly understand them and require them.

5. Use modern Wi-Fi encryption. Choose WPA3 whenever your device supports it. If not, use the most up-to-date option available.

6. Consider a trusted VPN. It adds an extra layer of protection by encrypting your online activity.

7. Upgrade aging hardware. Older models often lack modern protections and may struggle to handle security patches or stable performance.


What users should do now

A potential restriction on any router brand is still under government review. For now, users should focus on ensuring their own devices are secured and updated. Strengthening home Wi-Fi settings, following current security practices, and replacing unsupported hardware will offer the most immediate protection while that review continues.


Spike in Login Portal Scans Puts Palo Alto Networks on Alert


 

Palo Alto Networks login portals have seen a dramatic surge in suspicious scanning activity over the past month, a development that has caught the attention of the cybersecurity community. The evidence suggests coordinated reconnaissance by threat actors against these portals.

A new report from cybersecurity intelligence firm GreyNoise revealed that scanning of Palo Alto Networks' GlobalProtect and PAN-OS interfaces rose by more than 500%, a sharp departure from the usual pattern. In the last week of October, the firm recorded more than 1,285 unique IP addresses probing these systems, up from a typical daily average of fewer than 200.

Approximately 80% of this activity was attributed to IP addresses in the United States, with additional clusters originating from IP addresses in the United Kingdom, the Netherlands, Canada, and Russia. Moreover, separate TLS fingerprints indicated that there were organised scanning clusters that were heavily oriented towards United States targets as well as Pakistani targets. 

GreyNoise classifies 91% of the observed IP addresses as suspicious and a further 7% as malicious, indicating that this may be an early phase of targeted reconnaissance or exploitation attempts against widely deployed Palo Alto Networks infrastructure.

The GreyNoise analysis found that the bulk of the scanning traffic originated from U.S. IP addresses, with smaller but noteworthy clusters from the United Kingdom, the Netherlands, Canada, and Russia. Using TLS fingerprints, researchers identified distinct activity clusters, one targeting U.S. systems and another focusing on Pakistani systems, with overlapping fingerprints suggesting shared infrastructure or coordination.

Ninety per cent of the IP addresses involved in the campaign were deemed suspicious, and another seven per cent were flagged as malicious by the firm. Most of the scanning was directed at emulated Palo Alto Networks profiles, including GlobalProtect and PAN-OS, indicating that the probes were intentional and were the product of either open-source scanning tools or attackers conducting reconnaissance to identify vulnerable Palo Alto devices.

According to GreyNoise, heightened scanning activity can often be detected before zero-day or n-day vulnerabilities are exploited, providing advance warning of potential offensive operations. A similar pattern was observed earlier this year, when a spike in Cisco ASA scans was followed shortly afterwards by the disclosure and exploitation of a critical zero-day vulnerability in that product line.
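As an added example (not code from GreyNoise or Palo Alto Networks), here is the kind of baseline check a defender can run over their own portal access logs to catch the pattern described above: a sudden jump in distinct source IPs hitting the VPN login path, followed by grouping that day's sources by TLS client fingerprint to expose shared scanning tooling. The key=value log format, the `ja4` field values and the IP addresses are constructed for the example and do not reflect a real PAN-OS log schema.

```python
"""Spot a reconnaissance spike against a VPN login portal from access logs.

Counts distinct source IPs per day on the portal login paths, flags any day
whose count exceeds a multiple of the median of the preceding days, and groups
that day's sources by TLS client fingerprint to expose shared scanning tooling.
The key=value log format below is a constructed simplification, not a real
PAN-OS or GlobalProtect log schema.
"""
import re
import statistics
from collections import defaultdict

# Constructed line format: "<ISO timestamp> src=<ip> path=<url> status=<code> [ja4=<fp>]"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+\s+src=(?P<src>\S+)\s+"
    r"path=(?P<path>\S+)\s+status=(?P<status>\d{3})(?:\s+ja4=(?P<ja4>\S+))?$"
)

# Login endpoints worth watching; requests to other paths are ignored as noise.
PORTAL_PATHS = {"/global-protect/login.esp", "/ssl-vpn/login.esp"}


def parse_line(line):
    """Return a dict for a portal login request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("path") not in PORTAL_PATHS:
        return None
    return m.groupdict()


def unique_sources_per_day(lines):
    """Map each date to the set of distinct source IPs that hit a portal path."""
    per_day = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_day[rec["date"]].add(rec["src"])
    return per_day


def detect_spikes(lines, multiplier=5.0, min_baseline_days=3):
    """Return [(date, unique_ips, baseline)] for days whose distinct-source count
    exceeds multiplier x the median of all earlier days. The first
    min_baseline_days days only seed the baseline and are never flagged."""
    per_day = unique_sources_per_day(lines)
    dates = sorted(per_day)  # ISO dates sort chronologically as strings
    counts = [len(per_day[d]) for d in dates]
    spikes = []
    for i, date in enumerate(dates):
        if i < min_baseline_days:
            continue
        baseline = statistics.median(counts[:i])
        if counts[i] > multiplier * baseline:
            spikes.append((date, counts[i], baseline))
    return spikes


def fingerprint_clusters(lines, date):
    """Group the given day's portal sources by TLS fingerprint (ja4 field).
    Many IPs sharing one fingerprint points at a single scanning toolset."""
    clusters = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["date"] == date and rec["ja4"]:
            clusters[rec["ja4"]].add(rec["src"])
    return {fp: sorted(ips) for fp, ips in clusters.items()}


def build_sample_log():
    """Constructed sample: four quiet days with four known sources each, then a
    day on which thirty new sources probe the portal using two shared
    fingerprints, plus one non-portal request that must be ignored."""
    lines = []
    for day in range(21, 25):
        for k in range(1, 5):
            lines.append(f"2025-10-{day}T08:{k:02d}:00Z src=198.51.100.{k} "
                         f"path=/global-protect/login.esp status=401 ja4=t13d_known")
    for k in range(1, 31):
        fp = "t13d_scanA" if k % 2 else "t13d_scanB"
        lines.append(f"2025-10-25T03:{k:02d}:00Z src=203.0.113.{k} "
                     f"path=/global-protect/login.esp status=401 ja4={fp}")
    lines.append("2025-10-25T04:00:00Z src=203.0.113.99 path=/index.html status=200")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for date, n, base in detect_spikes(log):
        print(f"{date}: {n} distinct sources vs baseline median {base:.0f}")
        for fp, ips in fingerprint_clusters(log, date).items():
            print(f"  fingerprint {fp}: {len(ips)} sources")
```

On the constructed log the 25 October day trips the 5x threshold (30 sources against a median of 4) and splits into two fingerprint clusters of 15 sources each; the 5x multiplier mirrors the 500% rise reported above and should be tuned to the portal's own history.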

Although the timing and scale of the current Palo Alto scans are cause for concern, researchers have clarified that the available evidence suggests a weak correlation with any known or emerging exploit activity at this point in the Palo Alto network ecosystem. Palo Alto Networks' GlobalProtect platform is the core of its next-generation firewall ecosystem, allowing organisations to implement consistent policies for threat prevention and security across remote endpoints, regardless of whether or not the endpoints are connected to a virtual network. 

GlobalProtect portals are critical management tools that let administrators configure VPN settings, distribute security agents, and manage endpoint connectivity within enterprise networks. Because of this function and its visibility on the Internet, the portal is considered a high-value target for attackers seeking access to sensitive data.

According to experts, firewalls, VPNs, and other edge-facing technologies are among the most attractive targets for attackers because they act as gateways between internal corporate environments and the open internet. These systems must be reachable online to support remote operations, but that exposure also invites extensive reconnaissance and scanning.

A few weeks earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had warned that a zero-day authentication bypass vulnerability in the company's PAN-OS software was being actively exploited, which has further increased Palo Alto Networks' appeal to cyber adversaries. Similar trends have been observed across the entire industry.

For example, Cisco Talos disclosed last year that two zero-day flaws in Cisco firewall appliances were exploited by a state-backed threat actor in a coordinated espionage campaign. These cases highlight the persistent threats facing vendors of edge security infrastructure.

Cybersecurity experts stress that the recent spikes in scanning activity targeting Palo Alto Networks' PAN-OS GlobalProtect gateways illustrate a long-standing principle: no software is free of vulnerabilities. According to Boris Cipot, Senior Security Engineer at Black Duck, no matter how sophisticated a piece of software is, security vulnerabilities will inevitably arise at some point, whether through programming oversight or through flaws introduced by third-party open-source components.

In his view, the real test is not whether a vulnerability exists but how swiftly the affected vendor releases a fix and how quickly users apply it. A Palo Alto Networks spokesperson said that while most customers have probably patched their systems in response to recent advisories, attackers continue to hunt for devices that are unpatched or poorly maintained, hoping to exploit those that are not well secured.

Among Cipot's recommendations are to perform timely patching, follow vendor-recommended mitigations when patches are not available, and restrict management interfaces to trusted internal networks, which, he says, is also one of the most fundamental practices. 

The report also recommends that organisations use continuous log monitoring, conduct regular security audits, and analyse open-source components to identify vulnerabilities as early as possible in the lifecycle. Eric Schwake, director of cybersecurity strategy at Salt Security, echoed these concerns, pointing out that the pattern of scans, which spans nearly 24,000 unique IP addresses, demonstrates the persistence of threat actors in attempting to gain unauthorised access to data.

While perimeter security such as firewalls and VPNs is still crucial, it should not be viewed as impenetrable, according to Schwake. He therefore recommended that organisations adopt a multi-layered approach integrating API security governance, robust authentication mechanisms, and behavioural threat detection, so that abnormal login attempts and other malicious activity are detected in real time rather than relying on a single control.

It was also recommended that user awareness training be provided and that multifactor authentication (MFA) be enforced, to reduce the risk of credential compromise and strengthen the overall cyber resilience of organisations. GreyNoise's security research team has noted unusual scanning activity directed at Palo Alto Networks' PAN-OS GlobalProtect gateways for a number of years.

In April 2025, the firm spotted another wave of suspicious login probes, after which Palo Alto Networks advised customers to ensure their systems were running the latest software versions and to apply all available patches. GreyNoise's Early Warning Signals report from July 2025 documents several patterns that support the company's renewed warning: large-scale spikes in malicious scanning, brute-force attempts, or exploit probing are often followed within six weeks by the disclosure of a new CVE.

A similar pattern appeared in early September 2025, when GreyNoise detected an increase in suspicious network scans targeting Cisco Adaptive Security Appliance (ASA) devices, traced back to late August. A total of 25,100 IP addresses were involved in the initial wave, located primarily in Brazil, Argentina, and the United States, with the majority originating from Brazil.

Researchers at Palo Alto Networks have also discovered an alarming rise in Internet-wide scanning sessions targeting a critical flaw in Palo Alto Networks GlobalProtect, identified as CVE-2024-3400. This high-severity vulnerability affects one of the most widely deployed enterprise firewall solutions and allows the creation of arbitrary files, which can be weaponised to execute commands with root privileges on the operating system.

By exploiting such vulnerabilities, attackers can gain complete control over affected devices, potentially resulting in the theft of sensitive data and the compromise or disruption of critical network functions. In the last few weeks, analysts have noticed a significant increase in probing attempts for this exploit, suggesting that threat actors have been actively incorporating it into their attack arsenals.

The fact that GlobalProtect serves as the internet-facing gateway in many corporate environments increases the risk posed by the flaw, which is remotely exploitable without authentication. A surge of malicious reconnaissance, according to analysts, could be the precursor to coordinated intrusion campaigns, which makes it imperative that organizations apply security patches as soon as possible, enforce access restrictions, and strengthen monitoring across all perimeter defenses.

Only weeks after the discovery of one of the exploitable zero-day vulnerabilities in its ASA products (CVE-2025-20333), Cisco confirmed that the other zero-day vulnerability in the same product (CVE-2025-2020362) was actively exploited, enabling advanced malware strains such as RayInitiator and LINE VIPER to be deployed in real-world attacks. 

According to data supplied by the Shadowserver Foundation, over 45,000 Cisco ASA and Firepower Threat Defence instances worldwide, including more than 20,000 in the United States, remain susceptible to these vulnerabilities. Organisations reliant on perimeter security technologies clearly face escalating threats alongside the ongoing challenge of timely patch adoption.

This latest surge in scanning activity serves as yet another reminder that cyber threats are constantly evolving, and that is why maintaining vigilance, visibility, and velocity is so crucial in terms of defence against them. As reconnaissance efforts become more sophisticated and automated, organisations have to take more proactive steps - both in terms of integrating threat intelligence, continuously monitoring, and managing attack surfaces in order to remain effective. 

This cannot be achieved through vendor patches alone. Strengthening network resilience today requires combining endpoint hardening, strict access controls, timely updates, and intelligent anomaly detection based on behavioural analytics. Security teams should also minimise the exposure of management interfaces and, wherever possible, shield them behind zero-trust architectures that validate every connection attempt.

Regular penetration testing, together with active participation in information-sharing communities, can make it much easier to detect early warning signs before adversaries gain traction. The recurring campaigns against Palo Alto Networks and Cisco infrastructure show that attackers are playing the long game: scanning for vulnerabilities, waiting for them to emerge, and striking when defenders become complacent. Defenders' edge therefore lies in staying informed, staying updated, and staying ahead of the curve.

Firewalls and VPNs Under Siege as Businesses Report Growing Cyber Intrusions

 


A security researcher has discovered an ongoing cyberattack exploiting a newly discovered vulnerability in Fortinet's FortiGate firewalls to infiltrate corporate and enterprise networks, activity that has been under way for some time. A security advisory published on Tuesday by Fortinet confirmed the existence of the critical security flaw, tracked as CVE-2024-55591, and indicated that the vulnerability is currently being exploited in the wild.

Nevertheless, cybersecurity experts are voicing their concerns over the possibility that malicious actors are exploiting this flaw as a zero-day vulnerability - a term that refers to a software vulnerability exploited before the vendor is made aware of or has issued a patch for it. According to a report by Fortinet, attackers may have actively targeted this vulnerability since at least December, many months before it was publicly disclosed and patched. 

Organisations that rely heavily on FortiGate firewalls for perimeter defence face a significant threat from exploitation of CVE-2024-55591. Given the vulnerability's criticality, enterprises should apply security updates as soon as possible and examine their systems for any indications of unauthorized access. Beyond the zero-day threat itself, this development highlights that cybercriminals are increasingly focusing on foundational network infrastructure to gain a foothold in high-value environments.

The use of virtual private networks (VPNs) as a critical defence mechanism against a variety of cyber threats has long been regarded as a crucial aspect of protecting digital communications from a wide range of threats. VPNs are effective in neutralising the risks associated with man-in-the-middle attacks, which involve unauthorised parties trying to intercept or manipulate data while it is in transit by encrypting the data transmissions. Through this layer of encryption, sensitive data remains secure, even across unsecured networks. 

One of the most prominent use cases for VPNs is that they serve the purpose of protecting people using public Wi-Fi networks, which are often vulnerable to unauthorised access. It has been shown that VPNs are significantly less likely to expose or compromise data in such situations because they route traffic through secure tunnels. Additionally, VPNs hide the IP addresses of users, thereby providing greater anonymity to users and reducing the possibility of malicious actors tracking or monitoring them. 

As a result of this concealment, network resources are also protected against distributed denial-of-service (DDoS) attacks, which often use IP addresses as a method of overloading network resources. Even though VPNs have been around for decades, their use today does not suffice as a standalone solution due to the increasingly complex threat landscape that exists in today's society. To ensure comprehensive protection against increasingly sophisticated attack vectors, it is important to integrate their capabilities with more advanced, adaptive cybersecurity measures. 

Conventional security frameworks such as firewalls and VPNs are being outpaced as the cybersecurity landscape evolves, with the sophistication and frequency of modern threats having increased significantly over the past few years. Businesses across many industries are experiencing a growing number of breaches and vulnerabilities that traditional methods are no longer able to address.

Due to the widespread transition from on-premises infrastructure to remote and digitally distributed work environments, legacy security architectures have become increasingly vulnerable, forcing enterprises to reassess and update their defence strategies. Firewalls and VPNs were once considered to be the cornerstones of enterprise network security; however, in today's increasingly complex threat environment, they are having trouble meeting the demands. 

In the past, these technologies played an important role in securing organisational boundaries, but their limitations are becoming increasingly apparent as organisations move to cloud-based environments and undergo rapid digital transformation. In 2025, technological advances such as the adoption of generative artificial intelligence, automation, and the proliferation of IoT and OT systems are expected to change how industry operations are conducted.

These innovations also bring unprecedented risks. For example, malicious actors use artificial intelligence to automate spear-phishing efforts, craft highly evasive malware, and exploit vulnerabilities more quickly and accurately than before. In addition, the rise of Ransomware-as-a-Service (RaaS) is lowering the barrier to entry, enabling a broader set of threat actors to conduct sophisticated, scalable attacks on businesses. To respond effectively to the complexities of a digitally driven world, organisations must move beyond legacy security tools and adopt proactive, adaptive cybersecurity models capable of meeting this dynamic threat environment.

There has been a significant shift in cybersecurity dynamics that has led to a worrying trend: malicious actors are increasingly exploiting Virtual Private Networks (VPNs) as a strategy to gain an advantage over their adversaries. Since VPNs were originally developed as a way to enhance privacy and protect data, they are increasingly being repurposed by cybercriminals to facilitate complex attacks while masking their identity digitally. Because VPNs are dual-purpose devices, they have become instruments of exploitation, which poses a significant challenge for cybersecurity professionals as well as digital forensics teams to deal with. 

One particularly alarming technique involves deliberately exploiting vulnerabilities in VPN software itself. When attackers identify and target such flaws, they can bypass perimeter defences, infiltrate secure systems, and deploy malware without being detected.

Frequently, such breaches act as entry points into larger campaigns, such as coordinated phishing campaigns that attempt to trick individuals into revealing confidential information. Further, VPNs are known for the ability to mask the actual IP addresses of threat actors, a technique known as IP address masquerading, which enables them to evade geographical restrictions, mislead investigators, and remain anonymous when they launch cyberattacks.

Besides enabling adversaries to circumvent firewalls, VPNs offer encryption and tunnelling, which makes it easier to penetrate networks that would otherwise resist unauthorised access. VPNs are also frequently used to spread malicious software across untrusted networks: carried inside encrypted VPN traffic, malware can bypass traditional detection methods. The anonymity a VPN provides can likewise be used by threat actors to impersonate legitimate organisations and launch phishing campaigns, compromising the privacy and integrity of users.

VPNs can also facilitate the spreading of Distributed Denial-of-Service (DDoS) attacks, which is equally troubling. As these networks are anonymised, it makes it difficult to trace the origin of such attacks, which hinders the development of appropriate response strategies and mitigation strategies. This paradox underscores the complexity of modern cybersecurity, since one security tool can serve both as a tool for cybercrime and a tool for security. 

Even though VPNs remain an important tool for keeping users safe and anonymous, their misuse requires a proactive and multifaceted response: robust technological defences combined with ongoing awareness and education initiatives. Only through such comprehensive measures can organisations preserve the integrity of VPN technology and maintain trust in the digital privacy infrastructure.

Check Point has issued a formal warning regarding the active targeting of its VPN devices as part of an ongoing increase in cyber threats against enterprise infrastructure. The disclosure is another reminder of a sustained campaign aimed at compromising remote access technologies and critical network defences, and it is the second such alert from a major cybersecurity vendor in recent months.

In April 2024, Cisco warned organisations about a widespread wave of brute-force attacks against VPN and Secure Shell (SSH) services, likely affecting devices from Cisco, Check Point, SonicWall, Fortinet, and Ubiquiti, among others. In the first attacks observed around March 18, the attackers used anonymising tools, such as Tor exit nodes and proxy networks, along with other techniques to obfuscate their activity and evade detection and block lists.

In March of this year, Cisco had also noticed that passwords were being sprayed at their Secure Firewall appliances that were running Remote Access VPN (RAVPN) services. According to analysts, this is a reconnaissance phase, likely intended to lay the groundwork for more advanced intrusions to follow. Following a subsequent analysis by cybersecurity researcher Aaron Martin, these incidents were linked to a malware botnet dubbed "Brutus", which was previously undocumented. 

Over 20,000 IP addresses were found to be associated with this botnet, deployed from both residential and cloud-hosted environments, which greatly complicated attribution and mitigation. The threat landscape has been further compounded by Cisco's announcement that a state-sponsored hacker group, tracked as UAT4356, has been exploiting zero-day vulnerabilities in its Firepower Threat Defence (FTD) and Adaptive Security Appliance (ASA) products.

Known by the codename ArcaneDoor, the cyber-espionage campaign has been ongoing since November 2023, targeting critical infrastructure networks and governments around the world. As the frequency and complexity of cyber attacks continue to increase, it is apparent that legacy perimeter defences alone are no longer adequate.

A layered, intelligence-driven approach to security includes detecting threats in real time, hardening systems continuously, and responding to incidents in a proactive manner. As well as strengthening cybersecurity resilience, fostering collaboration between public and private sectors, sharing threat intelligence, and providing ongoing training to employees can make sure that they remain ahead of their adversaries. There is no doubt that the future of secure enterprise operations is going to be determined by the ability to anticipate, adapt, and remain vigilant in this rapidly evolving digital age.

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

North Korean hackers are believed to have used an unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft revealed that a North Korean threat actor exploited this Chromium zero-day, tracked as CVE-2024-7971, to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, a notorious group that targets the cryptocurrency sector in particular, is responsible for the attack. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine affecting Chrome versions before 128.0.6613.84. By exploiting it, threat actors could gain remote code execution (RCE) inside the sandboxed Chromium renderer process. 

Google fixed the vulnerability on August 21, 2024, and users should ensure they are running the most recent version of Chrome. This development makes clear that the nation-state adversary has stepped up its use of Windows zero-day exploits in recent months, indicating persistent efforts to acquire and deploy zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It is assessed to be a sub-cluster of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra). 

Several analysts have previously attributed the AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating that the subgroups share toolsets and infrastructure with one another. Some cybersecurity vendors track this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is the term the U.S. government uses collectively for malicious actors sponsored by the North Korean state. The group mostly targets financial institutions, with a special focus on cryptocurrency organizations and individuals closely associated with the cryptocurrency industry. 

It has previously been linked to Bureau 121 of North Korea's Reconnaissance General Bureau, an intelligence-gathering unit. North Korean hackers are also known for using malicious websites that pose as legitimate cryptocurrency trading platforms, along with fake job applications, weaponized cryptocurrency wallets, and trojanized cryptocurrency trading apps, to infect prospective victims and steal sensitive information. 

UNC4736 is also notable for its involvement in supply chain attacks: in March 2023, for example, it compromised the Electron-based desktop client of video conferencing software provider 3CX. The group also breached the website of Trading Technologies, a stock-trading automation company, to quietly push trojanized versions of the X_TRADER software. In a March 2022 report, Google's Threat Analysis Group (TAG) likewise linked AppleJeus to the compromise of Trading Technologies' website. 

For years, the U.S. government has repeatedly warned about North Korean state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware. Google patched CVE-2024-7971, discovered last week in Chrome's V8 JavaScript engine, and reported it as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon redirection to the malicious domain, attackers leveraged the zero-day remote code execution (RCE) vulnerability CVE-2024-7971, a type confusion flaw in Chrome’s V8 JavaScript engine. Google addressed the issue in a recent patch, noting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers escalated their access further by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox. This kernel vulnerability, which Microsoft had patched in its latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and launched a highly sophisticated rootkit known as FudModule. Once loaded into memory, this malware performs direct kernel object manipulation (DKOM), giving attackers the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).

Lazarus Group Exploits Microsoft Zero-Day in a Covert Rootkit Assault

North Korean government-backed hackers scored a major victory when Microsoft left a zero-day vulnerability unpatched for six months after learning it was being actively exploited. As a result, attackers were able to take advantage of the flaw to gain access to sensitive information. Although Microsoft has since patched the vulnerability, the damage had already been done. 

Researchers from the Czech cybersecurity firm Avast discovered a zero-day vulnerability in AppLocker earlier this month, and Microsoft patched the flaw at the beginning of this month. AppLocker is a service that allows administrators to control which applications are allowed to run on their systems. 

APT38, the Lazarus group, is a state-run hacking team operated by the North Korean government, tasked with cyberespionage, sabotage, and sometimes cybercrime to raise money for the regime. Although Lazarus has operated for many years, some researchers believe it is essentially a collection of subgroups, each running its own campaigns and developing specific types of malware for specific targets. 

FudModule is not new to Lazarus's toolset; other cybersecurity firms analysed it as far back as 2022. Essentially, it is a data-only rootkit that runs in user space and uses kernel read/write privileges obtained through a driver to alter Windows security mechanisms and hinder the detection of other malicious components by security products. 

In August 2023, after observing the Lazarus attack, Avast developed a proof-of-concept exploit for the vulnerability and sent it to Microsoft. The flaw, tracked as CVE-2024-21338, was identified in the Lazarus attack last year. According to Avast, Lazarus exploited CVE-2024-21338 to create a kernel read/write primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022. 

Previously, the rootkit relied on BYOVD (Bring Your Own Vulnerable Driver) attacks using a Dell driver. Avast reported that the threat actors had earlier established the admin-to-kernel primitive through BYOVD techniques, which are noisy. The new zero-day exploit, however, has made establishing a kernel-level read/write primitive considerably easier. 

The issue was examined in further detail because it stems from a thin line in Windows security that has been left in place for a very long time. Since "administrator-to-kernel vulnerabilities are not a security boundary", Microsoft retains discretion over whether to patch them. It is also important to remember that threat actors with administrative privileges have access to the Windows kernel. 

Since this is an open space that attackers can play around in, they take advantage of any vulnerabilities they find to gain access to the kernel. Once they have gained kernel-level access to the OS, threat actors can disrupt security software, conceal infection indicators, and disable kernel-mode telemetry, among other malicious activities. 

In an announcement by Avast, the cybersecurity vendor that discovered the admin-to-kernel exploit for the bug, the company noted that by weaponizing the kernel flaw, the Lazarus Group could manipulate kernel objects directly in an updated version of its data-only rootkit FudModule through direct kernel object manipulation. 

The FudModule rootkit has been detected by ESET and AhnLab since October 2022 and is capable of disabling the monitoring of all security solutions on infected hosts. It achieves this through a Bring Your Own Vulnerable Driver (BYOVD) attack, in which an attacker implants a driver with known or unknown flaws to escalate privileges, leaving the security solution unable to monitor the network. 

What makes the latest attack important is that it goes "beyond BYOVD by exploiting a zero-day vulnerability in a driver that is already installed on the target machine." That driver is appid.sys, which plays a crucial role in the functioning of the Windows application control feature AppLocker. 

In a study published earlier this week, researchers discovered that Lazarus was spreading malicious open-source packages to a repository hosting Python software, aimed directly at software developers. The researchers report that the malicious packages have been downloaded hundreds of times. 

The South Korean judicial system was also targeted by Lazarus. A large hack at the Supreme Court of South Korea last year was allegedly carried out by the Lazarus group. Police confiscated servers from the court in February, and it is still being investigated whether or not the servers were compromised. 

North Korean hackers, including Lazarus, are said to have hacked a record number of crypto platforms last year, according to a report by crypto analytics firm Chainalysis. The value of stolen assets reached $1 billion, more than in any other year.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

Apple announced a series of patches this week for several iOS zero-day flaws that have already been used by malicious parties to sneakily install malware and steal user data. It is therefore important that you update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that compromise their targets' iPhones and give the attackers access to them. The latest iOS patch from Apple also addresses a vulnerability in WebKit, the engine that Apple devices use to display webpages. Again, it allowed hackers to obtain personal data from users by executing arbitrary code on their targets' phones. 

The tech giant stated on the update's support page that the attacks have only been observed on devices running iOS 15.7 or earlier. While this indicates that the company is not aware of exploitation on iOS devices running newer versions, those systems may still be exposed. For this reason, Apple urges all users to install iOS 16.5.1 even if their iPhone is already shielded from the aforementioned vulnerabilities. 

This security concern is being taken seriously by American authorities as well. After the Cybersecurity and Infrastructure Security Agency added the two exploits to its list of known exploited vulnerabilities, federal agencies were asked to install the latest version by July 13.

Even if you don't think you're a target for malware, now is a good time to update your device. To install iOS 16.5.1 right now, go to Settings, then General, then Software Update.