What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2025-02-13 11:40:21 | CISA Updates Known Exploited Vulnerabilities Catalog with Four Critical Issues (lien direct) | >
In a recent update to its Known Exploited Vulnerabilities Catalog, the Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities that are currently under active exploitation. These vulnerabilities span across multiple platforms and pose substantial security risks for both organizations and individual users.
The vulnerabilities identified in CVE-2024-40891, CVE-2024-40890, CVE-2025-21418, and CVE-2025-21391 can be exploited with relative ease if security updates are not applied promptly. Users and organizations should follow the guidance provided by vendors like Zyxel and Microsoft, ensuring that their systems are updated regularly to address the latest security flaws.
For organizations relying on Zyxel DSL routers or Windows-based systems, it is crucial to assess the exposure to these vulnerabilities and take immediate steps to update firmware or software versions.
Details of the Vulnerabilities and Active Exploitation
CVE-2024-40891 and CVE-2024-40890: Critical Command Injection Vulnerabilities in Zyxel DSL Routers
The two vulnerabilities-CVE-2024-40891 and CVE-2024-40890-are related to a series of Command Injection Vulnerabilities affecting Zyxel DSL CPE devices. Specifically, these vulnerabilities affect the Zyxel VMG4325-B10A router model running firmware version 1.00(AAFR.4)C0_20170615.
Both vulnerabilities share a common thread: they allow authenticated attackers to execute arbitrary operating system (OS) commands on the affected devices via Telnet (CVE-2024-40891) or a crafted HTTP POST request (CVE-2024-40890). This puts devices at high risk of being compromised by threat actors who can exploit these weaknesses to gain control of the affected systems.
According to the official Zyxel advisory, both vulnerabilities have been assigned a CVSS severity score of 8.8 (High). These flaws stem from improper neutralization of special elements used in OS commands (CWE-78: Improper Neutralization of Special Elements used in an OS Command). Once successfully exploited, the vulnerabilities could allow attackers to bypass authentication and execute malicious OS commands, effectively compromising the security of the devices.
Zyxel has issued advisories urging users to update their firmware to mitigate these vulnerabilities. Devices using older firmware versions are especially at risk. The active exploitation of these vulnerabilities could lead to severe consequences, such as unauthorized access, |
Vulnerability Threat | ★★★ | |
|
2025-02-13 11:15:54 | (Déjà vu) Cyble Warns of Exposed Medical Imaging, Asset Management Systems (lien direct) | >
Overview
Cyble\'s weekly industrial control system (ICS) vulnerability report to clients warned about internet-facing medical imaging and critical infrastructure asset management systems that could be vulnerable to cyberattacks.
The report examined six ICS, operational technology (OT), and Supervisory Control and Data Acquisition (SCADA) vulnerabilities in total, but it focused on two in particular after Cyble detected web-exposed instances of the systems.
Orthanc, Trimble Cityworks Vulnerabilities Highlighted by CISA
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisories alerting users to vulnerabilities in medical imaging and asset management products.
Orthanc is an open-source DICOM server used in healthcare environments for medical imaging storage and retrieval, while Trimble Cityworks is a GIS-centric asset management system used to manage all infrastructure assets for airports, utilities, municipalities, and counties.
In a February 6 ICS medical advisory, CISA said the Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled, which could result in unauthorized access by a malicious actor. The Missing Authentication for Critical Function vulnerability, CVE-2025-0896, has been assigned a CVSS v3.1 base score of 9.8, just below the maximum score of 10.0.
Orthanc recommends that users update to the latest version or enable HTTP authentication by setting the configuration "AuthenticationEnabled": true in the configuration file.
Cyble provided a publicly accessible search query for its ODIN vulnerability search tool, which users can use to find potentially vulnerable instances.
“This flaw requires urgent attention, as Cyble researchers have identified multiple internet-facing Orthanc instances, increasing the risk of exploitation,” the Cyble report said. “The exposure of vulnerable instances could allow unauthorized access to sensitive medical data, manipulation of imaging records, or even unauthorized control over the server. Given the high stakes in healthcare cybersecurity, immediate patching to version 1.5.8 or later, along with restricting external access, is strongly recommended to mitigate potential threats. |
Tool Vulnerability Threat Patching Industrial Medical | ★★★ | |
|
2025-02-12 10:33:38 | New Zealand\\'s National Cyber Security Centre (NCSC) Reports Surge in Cyber Threats and Vulnerabilities (lien direct) | 
Overview
The 2023/24 Cyber Threat Report from New Zealand\'s National Cyber Security Centre (NCSC), led by Lisa Fong, Deputy Director-General for Cyber Security at the Government Communications Security Bureau (GCSB), sheds light on the country\'s rapidly changing cyber threat landscape. The report highlights an increase in cyber incidents targeting individuals, businesses, and critical national sectors, underlining the growing complexity of cyber threats.
For the year ending June 2024, the NCSC recorded a whopping total of 7,122 cybersecurity incidents, marking a new milestone since CERT NZ\'s integration into the NCSC. Of these incidents, 95% (6,799) were handled through the NCSC\'s general triage process. These incidents primarily affected small to medium businesses and individual users and resulted in a reported financial loss of $21.6 million. While these incidents did not require specialized technical interventions, they still had a substantial impact on those affected, particularly in terms of financial losses and reputational damage.
A smaller subset of incidents, 343 in total, was categorized as having national significance. These incidents were more complex and targeted critical infrastructure or large organizations. Among them, 110 were linked to state-sponsored actors, signaling a slight increase in cyber activities from such groups. Financially motivated cybercriminal activities were responsible for 65 of these high-impact incidents, emphasizing the persistent threat from financially driven attacks such as ransomware and data exfiltration.
2023/24 Cyber Threat Report: State-Sponsored Cyber Threats and Ransomware
|
Ransomware Tool Vulnerability Threat Technical | ★★★ | |
|
2025-02-11 12:46:32 | Cyber Security Agency of Singapore Alerts Users on Active Exploitation of Zero-Day Vulnerability in Apple Products (lien direct) | 
Overview
The Cyber Security Agency of Singapore (CSA) has recently issued a warning regarding the active exploitation of a zero-day vulnerability (CVE-2025-24200) in a range of Apple products. This critical vulnerability is being actively targeted, and Apple has released timely security updates to address the issue. If exploited, the vulnerability could allow attackers to bypass certain security features and gain unauthorized access to sensitive data through USB connections.
The vulnerability, identified as CVE-2025-24200, affects various Apple devices, including iPhones and iPads. Specifically, the issue lies in the USB Restricted Mode, a security feature designed to prevent unauthorized access to a device\'s data when it is locked. A successful attack could disable this mode, allowing an unauthenticated attacker to access the device\'s data via a USB connection, even if the device is locked.
This flaw has been dubbed a "zero-day vulnerability," as it was discovered and actively exploited before a patch or security fix was made available. Apple has moved quickly to resolve the issue with new security updates released on February 10, 2025.
Affected Apple Products
|
Vulnerability Threat Mobile | ★★★★ | |
|
2025-02-10 13:34:05 | Cyble Warns of Patient Monitor Risk in ICS Vulnerability Report (lien direct) | 
Cyble\'s weekly industrial control system (ICS) vulnerability report to clients included a warning about a severe vulnerability in a patient monitor that could potentially compromise patient safety.
In all, the report covered 36 ICS, operational technology (OT) and Supervisory Control and Data Acquisition (SCADA) vulnerabilities, 31 of which affect critical manufacturing and energy systems. Ten of the 36 vulnerabilities were rated “critical” and 17 carried high-risk ratings.
Patient Monitor Vulnerability Carries a 9.8 Risk Rating
The patient monitor vulnerability, CVE-2024-12248, was one of three flaws in Contec Health CMS8000 Patient Monitors that were addressed in a January 30 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA said the vulnerabilities were reported to the agency anonymously.
The Food and Drug Administration (FDA) also issued an alert about the vulnerabilities the same day. The FDA said the flaws “may put patients at risk after being connected to the internet,” but added that the agency “is not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time.”
The FDA advisory contained recommendations for patients and caregivers for mitigating the risk that included the following advice:
“If your health c |
Tool Vulnerability Patching Industrial Medical | ★★ | |
|
2025-02-10 10:12:05 | Man-in-the-Middle Attack Risk: Veeam Urges Urgent Patching for CVE-2025-23114 (lien direct) | 
Overview
Veeam has issued a security update to address a critical vulnerability (CVE-2025-23114) affecting its Veeam Updater component. This flaw allows attackers to execute arbitrary code remotely by leveraging a Man-in-the-Middle (MitM) attack. The vulnerability has a CVSS v3.1 score of 9.0, indicating a severe security risk. Users and administrators of affected products should update their software immediately to mitigate potential threats.
Technical Details
The vulnerability exists due to improper Transport Layer Security (TLS) certificate validation in the Veeam Updater component. Attackers can intercept and modify communication between the Veeam Backup server and update sources, enabling them to execute arbitrary code with root privileges. Given the high severity of this flaw, exploitation could lead to complete system compromise, data loss, or ransomware attacks.
Affected Products
The following Veeam Backup products contain the vulnerable Veeam Updater component:
Current Releases:
Veeam Backup for Salesforce - Version 3.1 and older
Previous Releases:
Veeam Ba |
Ransomware Tool Vulnerability Patching | ★★★ | |
|
2025-02-07 12:57:51 | Open Graph Spoofing Toolkit: Old Exploitation Techniques Still in Use to Lure Social Media Users into Phishing Attacks (lien direct) | 
The current digital landscape necessitates an approach to sharing content on social media for significant user engagement and click-through rates. This is where the Open Graph Protocol (OGP) comes into play. Developed by Facebook, Open Graph allows web developers to control how their web pages appear when shared across various platforms. Developers use specific meta tags in a webpage\'s HTML to define essential elements such as the title, description, and image that accompany shared links.
Attackers have long exploited the Open Graph Protocol for malicious activities. Recently, Cyble Research and Intelligence Labs (CRIL) also observed a threat actor on a Russian underground offering a toolkit dubbed \'OG Spoof\' for similar operations. The toolkit was designed for phishing campaigns, aiming to mislead users and artificially inflate click-through rates by exploiting flaws in the Open Graph protocol.
Overview
The importance of Open Graph (OG) tags cannot be overstated. The OG tags enhance the visibility of content, making it appealing to a broader base of potential viewers and more likely to garner views and clicks.
 Figure 1: OG tags used in the header
Several content management systems (CMS), such as WordPress and Magento, come equipped with built-in functionalities or plugins that automatically generate these tags based on the post\'s content. This automation ensures that when links are shared, they are presented in an engaging manner while accurately previewing their content.
The TA released the \'OG Spoof\' kit for sale in October 2024 at a staggering USD 2,500 price and claimed that it was initially designed for their own fraudulent operations. However, as they developed advanced methods, the toolk |
Malware Vulnerability Threat | ★★★ | |
|
2025-02-07 11:44:32 | Critical Vulnerabilities Reported in Cyble\\'s Weekly Vulnerability Insights (lien direct) | 
Overview
Cyble Research & Intelligence Labs (CRIL) published their Weekly Vulnerability Insights Report to clients, covering key vulnerabilities reported from January 29 to February 4, 2025. The analysis highlights critical security flaws that have posed cyber threats to various IT infrastructures globally. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to the Known Exploited Vulnerability (KEV) catalog.
This report highlights vulnerabilities in several widely used software products and services, including Paessler PRTG Network Monitor, Microsoft .NET Framework, and Zyxel DSL devices. These vulnerabilities could impact a range of industries that rely on these systems to monitor, manage, and protect critical infrastructure.
Incorporation of Vulnerabilities into the KEV Catalog
CISA\'s inclusion of vulnerabilities in the KEV catalog is an important step in highlighting serious risks associated with widely deployed software. During this period, CISA added five vulnerabilities, including two dating back to 2018, that have been actively exploited and affect major IT infrastructure tools like Paessler PRTG Network Monitor. These vulnerabilities were assessed for their active exploitation and listed accordingly to ensure better protection for organizations globally.
Among the newly added vulnerabilities, CVE-2018-19410 and |
Tool Vulnerability Threat Patching Mobile | ★★★ | |
|
2025-02-07 10:55:33 | U.S. Ransomware Attacks Surge to Start 2025 (lien direct) | 
Overview
According to an analysis of Cyble threat intelligence data, U.S. ransomware attacks have surged to the start of 2025, up nearly 150% from the first five weeks of 2024.
Ransomware attacks on U.S. targets have been climbing since a few organizations paid ransoms to attackers in highly publicized cases last year, making the country a more attractive target for ransomware groups.
That\'s likely the main reason for the increase. Regardless of the timeframe or changes in the most active ransomware groups, U.S. ransomware attacks have increased substantially in the last year and have been climbing steadily since the fall.
We\'ll examine the changing ransomware landscape in the U.S. and other frequently attacked countries and consider what changes may be in store as we approach 2025.
The Effect of Ransomware Payments
In the first five weeks of 2024, Cyble documented 152 ransomware attacks on U.S. targets, in line with late 2023 trends.
In the first five weeks of 2025, that number soared to 378 attacks on U.S. targets, a 149% year-over-year increase. Compared to the end of 2024, attacks are up a still significant 29% so far in 2025, up from 282 in the last five weeks of the year.
Perhaps owing to geographical proximity, Canada has also seen a significant increase in ransomware attacks, up from 14 in the year-ago period to 28 at the end of 2024, and nearly doubling again to 46 to start 2025.
Even as North American ransomware attacks have soared, the next-most attacked regions have stayed relatively stable. France, for example, had 18 attacks to start in 2024 and has seen 19 thus far in 2025 (chart below).
|
Ransomware Tool Vulnerability Threat Legislation Prediction Medical | ★★★ | |
|
2025-02-06 11:44:16 | CISA Issues Nine Critical Industrial Control Systems Advisories, Addressing Vulnerabilities in Key Equipment (lien direct) | 
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) released a series of nine Industrial Control Systems (ICS) advisories on February 4, 2025. These CISA ICS advisories provide essential information about vulnerabilities, security risks, and recommended mitigations affecting various industrial control systems and their components.
The advisories, which highlight numerous threats across a variety of devices, emphasize the need for vigilance and prompt action to protect critical infrastructure from potential exploits. The nine advisories address flaws found in systems from notable vendors such as Schneider Electric, Rockwell Automation, and AutomationDirect.
These vulnerabilities can allow attackers to disrupt operations, gain unauthorized access, or even execute remote code on compromised devices.
Details of the Industrial Control Systems Advisories
1. Western Telematic Inc. Vulnerability
Advisory Code: ICSA-25-035-01
Vulnerable Products:
NPS Seri |
Vulnerability Threat Legislation Industrial | ★★★ | |
|
2025-02-06 10:44:52 | Five Eyes Cyber Agencies Share New Security Guidelines for Edge Device Manufacturers (lien direct) | 
Overview
The rise in cyber threats targeting edge devices has prompted the cybersecurity agencies of the UK, Australia, Canada, New Zealand, and the United States to release new guidelines aimed at strengthening the security of these critical network components.
These recommendations urge manufacturers to integrate robust forensic and logging features by default, making it easier to detect and investigate cyber intrusions. As cybercriminals and state-sponsored actors continue to exploit vulnerabilities in edge devices, organizations must adopt these security measures to mitigate risks.
“In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat,” said NCSC Technical Director Ollie Whitehouse. “In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyberattacks but also provide investigative capabilities require post intrusion.”
Understanding Edge Device Security Risks
Edge devices, including routers, IoT sensors, security cameras, and smart appliances, act as critical gateways between local networks and the internet. These devices are often deployed with minimal security features, making them attractive targets for attackers who exploit vulnerabilities to gain unauthorized access, disrupt services, or maintai |
Tool Vulnerability Threat Technical | ★★★ | |
|
2025-02-05 12:25:39 | CISA Adds New Vulnerabilities to Known Exploited Vulnerabilities Catalog – Critical Updates Required (lien direct) | 
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added four vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities, identified in widely-used software products, have been actively exploited by cyber attackers.
With these updates, CISA highlights the importance of addressing these flaws promptly to mitigate the risks they pose, particularly to federal enterprises and other critical infrastructure sectors. The newly added vulnerabilities include CVE-2024-45195, CVE-2024-29059, CVE-2018-9276, and CVE-2018-19410, all of which could have severe consequences for the security of affected systems.
Detailed List of Vulnerabilities Highlighed in the Known Exploited Vulnerabilities Catalog
CVE-2024-45195: Apache OFBiz Forced Browsing Vulnerability
The first of the vulnerabilities, CVE-2024-45195, relates to a flaw in Apache OFBiz, an open-source enterprise resource planning (ERP) and e-commerce solution. This vulnerability is a forced browsing issue, where attackers can gain unauthorized access to certain parts of a website by bypassing security restrictions through direct URL requests. The flaw was discovered in Apache OFBiz versions before 18.12.16, and users are advised to upgrade to this version or later to mitigate the threat.
The vulnerability can allow attackers to gain unauthorized access to sensitive data by leveraging weak authorization mechanisms. It is listed in the CISA Known Exploited Vulnerabilities Catalog due to active exploitation, with evidence showing malicious actors targeting vulnerable systems to escalate privileges.
CVE-2024-29059: Microsoft .NET Framework Info |
Tool Vulnerability Threat Patching | ★★★ | |
|
2025-02-05 10:32:24 | Australian Cyber Security Centre Urges Immediate Action to Combat Email Scammers (lien direct) | 
Overview
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), has shared new information on cyber threats targeting individuals and organizations across the country. The ACSC has warned that Australians must remain vigilant and take immediate action to protect their personal and professional data.
Over the past few years, Australia has seen an alarming rise in cyberattacks, including phishing, ransomware, and denial-of-service attacks, which are impacting both businesses and private citizens. These cyberattacks often target vulnerabilities in online platforms and devices, aiming to steal sensitive information, disrupt services, or even demand ransom payments.
The ACSC has highlighted the rise of email scammers impersonating trusted organizations, such as the ACSC itself. These scammers often attempt to deceive users into disclosing personal details, such as passwords, bank information, or credit card numbers.
The Danger of Email Scammers
One of the most concerning tactics employed by cybercriminals is impersonating government agencies like the ACSC and the ASD. Email scammers frequently send fraudulent emails, often mimicking the ACSC\'s official logo and email signature, to create a sense of urgency and pressure individuals into responding.
These scam messages often contain threats, such a |
Ransomware Vulnerability | ★★★ | |
|
2025-02-05 09:40:09 | Stealthy Attack: Dual Injection Undermines Chrome\\'s App-Bound Encryption (lien direct) | 
Key Takeaways
Cyble Research and Intelligence Labs (CRIL) identified malware being spread via a ZIP file containing an .LNK file disguised as a PDF and an XML project file masquerading as a PNG to trick users into opening it.
The filename suggests that the malware is likely targeting organizations in Vietnam, particularly in the Telemarketing or Sales sectors.
The LNK file creates a scheduled task that runs every 15 minutes, executing MSBuild.exe to deploy malicious C# code.
The malware is capable of bypassing Chrome\'s App-Bound Encryption and deploying a stealer payload to target sensitive Chrome-related files.
Additionally, it uses the Double Injection technique to carry out fileless execution to evade detection.
The malware establishes a connection to the Threat Actor (TA) through the Telegram Web API for command execution.
The malware enables the TA to change the Telegram bot ID and chat ID as required, offering flexibility in controlling their communication channels.
Overview
Cyble Research & Intelligence Labs (CRIL) discovered malware potentially targeting organizations in Vietnam, especially those in the Telemarketing or Sales sectors. The initial infection vector is unknown at present.
This malware was discovered being delivered via a malicious ZIP archive containing an .LNK file disguised as a .PDF and an XML project file masquerading as a .PNG file, designed to deceive users into opening the fake PDF file. When executed, the shortcut file copies an XML project file to the Temp directory and initiates a command that creates a scheduled task running every 15 minutes. This task launches |
Malware Tool Vulnerability Threat | ★★★ | |
|
2025-02-04 10:58:37 | NETGEAR Urges Immediate Firmware Updates for Critical Security Flaws (lien direct) | 
Overview
NETGEAR has recently addressed two critical security vulnerabilities affecting its products, which, if exploited, could allow unauthenticated attackers to execute arbitrary code or remotely exploit devices. These vulnerabilities impact multiple models, including the XR series routers and WAX series access points. Given the high severity of these vulnerabilities, with Common Vulnerability Scoring System (CVSS) scores of 9.8 and 9.6, users are strongly advised to update their devices immediately to the latest firmware versions to prevent potential cyber threats.
Details of the Security Vulnerabilities
The vulnerabilities impact several NETGEAR devices and could allow remote attackers to take control of the affected routers and access points without requiring authentication. Such security flaws are particularly concerning as they can be leveraged for malicious activities, including data theft, network disruption, and unauthorized surveillance.
Affected Devices and Firmware Updates
NETGEAR has released fixes for the unauthenticated remote code execution (RCE) security vulnerability affecting the following models:
XR1000: Fixed in firmware version 1.0.0.74
XR1000v2: Fixed in firmware version 1.1.0.22
XR500: Fixed in firmware version 2.3.2.134
|
Malware Vulnerability Threat Mobile | ★★★ | |
|
2025-02-03 13:49:16 | Cyble Sensors Detect Attacks on Apache OFBiz, Palo Alto Networks (lien direct) | 
Overview
Cyble honeypot sensors have detected new attack attempts on vulnerabilities in Palo Alto Networks\' web management interface and the Apache OFBiz ERP system, among dozens of other exploits picked up by Cyble sensors.
Cyble\'s recent sensor intelligence report to clients examined more than 30 vulnerabilities under active exploitation by hackers and also looked at persistent attacks against Linux systems and network and IoT devices. Threat actors continue to scan for vulnerable devices for ransomware attacks and add to botnets for DDoS attacks and crypto mining.
The full reports also looked at banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.
Palo Alto Networks Vulnerabilities Targeted
Cyble sensors detected attacks attempting to exploit an OS Command Injection vulnerability in the Palo Alto Networks PAN-OS management web interface.
The vulnerability, CVE-2024-9474, could be used by hackers to escalate privileges in PAN-OS. It could allow attackers who can access the PAN-OS management web interface to perform actions on the firewall with root privileges.
P |
Ransomware Vulnerability Threat Patching | ★★ | |
|
2025-02-03 12:21:32 | Apple Issues Security Updates for iOS, macOS, watchOS, and More-Patch Now! (lien direct) | 
Overview
Apple has released security updates to address a newly discovered vulnerability, CVE-2025-24085, in its Core Media framework. This vulnerability is classified as a privilege escalation flaw and is reportedly being actively exploited. If successfully leveraged by a malicious application, this vulnerability could enable an attacker to elevate privileges on an affected device.
To mitigate the risk, Apple has released patches across multiple product lines, urging users and administrators to update their devices immediately. The affected operating systems include iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, visionOS 2.3, and watchOS 11.3.
Details of CVE-2025-24085
The vulnerability stems from a use-after-free (UAF) issue, a memory management flaw where a program continues to access memory after it has been freed. This can lead to arbitrary code execution, privilege escalation, or application crashes. Apple has addressed this issue by improving memory management.
Apple has acknowledged that CVE-2025-24085 may have been actively exploited against iOS versions before iOS 17.2. This underlines the urgency of updating affected devices to the latest security patches.
Impacted Devices and Operating Systems
Apple has rolled out security patches for the following devices and operating system versions:
iOS 18.3 and iPadOS 18.3:
iPhone XS and later
iPad Pro 1 |
Vulnerability Threat Prediction | ★★★ | |
|
2025-01-31 10:18:43 | Cyble\\'s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered (lien direct) | 
Overview
Cyble\'s weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.
Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to their Known Exploited Vulnerability (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall\'s SMA1000 appliances.
In this week\'s analysis, Cyble delves into multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti\'s Cloud Services Appliance, and issues within RealHome\'s WordPress theme. As always, Cyble has also tracked underground activity, providing insights into Proof of Concepts (POCs) circulating among cyber criminals.
Weekly Vulnerability Insights
CVE-2025-23006 - SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)
A severe deserialization vulnerability in SonicWall\'s SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.
This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.
2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)
Three vulnerabilities were discovered in SimpleHelp\'s remote support software, used by IT professionals for remote customer assistance. These flaws include:
CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
|
Tool Vulnerability Threat Patching Cloud | ★★★ | |
|
2025-01-30 08:42:50 | ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes (lien direct) | >
Overview
A pair of 9.8-severity flaws in mySCADA myPRO Manager SCADA systems were among the vulnerabilities highlighted in Cyble\'s weekly Industrial Control System (ICS) Vulnerability Intelligence Report.
Cyble Research & Intelligence Labs (CRIL) examined eight ICS vulnerabilities in the January 28 report for clients, including high-severity flaws in critical manufacturing, energy infrastructure, and transportation networks.
OS Command Injection (CWE-78) and Improper Security Checks (CWE-358, CWE-319) accounted for half of the vulnerabilities in the report, “indicating a persistent challenge in securing authentication and execution processes in ICS environments,” Cyble said.
Critical mySCADA Vulnerabilities
The critical mySCADA myPRO supervisory control and data acquisition (SCADA) vulnerabilities haven\'t yet appeared in the NIST National Vulnerability Database (NVD) or the MITRE CVE database, but they were the subject of a CISA ICS advisory on January 23.
The mySCADA myPRO Manager system provides user interfaces and functionality for real-time monitoring and control of industrial processes across a range of critical industries and applications. CISA said the vulnerabilities can be exploited remotely with low attack complexity, potentially allowing a remote attacker to execute arbitrary commands or disclose sensitive information.
CVE-2025-20061 was assigned a CVSS v3.1 base score of 9.8 and is an Improper Neutralization of Special Elements used in an OS Command (\'OS Command Injection\') vulnerability. CISA said mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information, so the vulnerability could be used to execute arbitrary commands on an affected system.
CVE-2025-20014 is also a 9.8-severity OS Command Injection vulnerability, as myPRO also does not properly neutralize POST requests sent to a specific port with version information, which could potentially lead to an attacker executing arbitrary commands.
The following mySCADA products are affected:
myPRO Manager: Versions prior to 1.3
myPRO Runtime: Versions prior to 9.2.1
mySCADA recommends that users update to the latest versions:
mySCADA PRO Manager 1.3
mySCADA PRO Runtime 9.2.1
|
Tool Vulnerability Patching Industrial | ★★★ | |
|
2025-01-29 13:01:36 | New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems (lien direct) | 
Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued two urgent advisories regarding serious ICS vulnerabilities in industrial control systems (ICS) products. These ICS vulnerabilities, identified in Schneider Electric\'s RemoteConnect and SCADAPack x70 Utilities, as well as B&R Automation\'s Runtime software, pose online risks to critical infrastructure systems worldwide. The ICS vulnerabilities, if exploited, could lead to potentially devastating impacts on the integrity, confidentiality, and availability of systems within energy, critical manufacturing, and other essential sectors.
Schneider Electric\'s Vulnerability in RemoteConnect and SCADAPack x70 Utilities
The ICS vulnerability in Schneider Electric\'s RemoteConnect and SCADAPack x70 Utilities arises from the deserialization of untrusted data, identified as CWE-502. This flaw could allow attackers to execute remote code on affected workstations, leading to several security risks, including the loss of confidentiality and integrity. The issue is triggered when a non-admin authenticated user opens a malicious project file, which could potentially be introduced through email, file sharing, or other methods.
Schneider Electric has assigned the CVE identifier CVE-2024-12703 to this vulnerability, with a base CVSS v3 score of 7.8 and a CVSS v4 score of 8.5. Both versions highlight the severity of the issue, with potential consequences including unauthorized remote code execution.
This vulnerability affects all versions of both RemoteConnect and SCADAPack x70 Utilities, products widely deployed in sectors such as energy and critical manufacturing across the globe. Although Schneider Electric is working on a remediation plan for future product versions, there are interim steps that organizations can take to mitigate the risk. These include:
Only opening project files from trusted sources
Verifying file integrity by computing and checking hashes regularly
Encrypting project files and restricting access to trusted users
Using secure communication protocols when exchanging files over the network
Following established SCADAPack Security Guidelines for added protection
CISA recommends minimizing the network exposure of control system devices, ensuring they are not directly accessible from the internet, and placing control system networks behind firewalls to isolate them from business networks. When remote access is necessary, using secure methods like Virtual Private Networks (VPNs) is strongly advised. However, organizations should ens |
Vulnerability Threat Patching Industrial | ★★★★ | |
|
2025-01-29 10:38:59 | Australia\\'s Health Sector Receives $6.4 Million Cybersecurity Boost with New Threat Information-Sharing Network (lien direct) | >
The Australian Government has awarded a $6.4 million grant to CI-ISAC Australia, enabling the establishment of a new Health Cyber Sharing Network (HCSN). This initiative is designed to facilitate the rapid exchange of critical cyber threat information within Australia\'s healthcare industry, which has become a target for cyberattacks.
The recent surge in cyberattacks on Australian healthcare organizations, including hospitals and health insurance providers, has highlighted the pressing need for enhanced cybersecurity measures. In response, the Australian Government has made healthcare the priority sector for its formal funding efforts.
This grant is part of a broader strategy to address the vulnerabilities in the nation\'s health sector and ensure it is better equipped to handle the cyber threats faced by the industry.
A Growing Threat: The Cost of Cybersecurity Breaches
The healthcare industry globally has been facing increasing cybersecurity challenges, and Australia is no exception. According to reports from 2023, the global healthcare sector continues to experience the most expensive data breaches across industries for the 13th consecutive year. The average cost of a healthcare data breach was a staggering AUD$10.93 million, nearly double that of the financial industry, which recorded an average cost of $5.9 million.
Australia\'s health sector, which encompasses a diverse range of organizations, from public and private hospitals to medical clinics and insurance providers, is increasingly vulnerable to cyber threats. This sector includes approximately 750 government hospitals, 650 private hospitals, and over 6,500 general practitioner clinics, along with numerous third-party suppliers and vendors.
The creation of the HCSN aims to address these risks by providing a secure, collaborative platform for information sharing. The network will enable health sector organizations to work together more effectively, breaking down silos and improving the speed and quality of cybersecurity threat information exchange.
The Role of CI-ISAC and the Health Cyber-Sharing Network
CI-ISAC Australia, the recipient of the $6.4 million Australian Government grant, will spearhead the creation and management of the Health Cyber Sharing Network. The HCSN will focus on fostering collaboration between Australian healthcare organizations, ensuring they can share relevant |
Data Breach Vulnerability Threat Medical Cloud | ★★★ | |
|
2025-01-28 12:00:59 | Critical Vulnerabilities in Node.js Expose Systems to Remote Attacks (lien direct) | >
Overview
A series of critical security vulnerabilities have been discovered in multiple versions of Node.js, a popular open-source JavaScript runtime used to build scalable network applications. These vulnerabilities, outlined in CERT-In Vulnerability Note CIVN-2025-0011, have been classified as high severity, with the potential to compromise sensitive information, disrupt services, and even execute arbitrary code. Users of Node.js, including developers and organizations relying on this platform, are urged to take immediate action to secure their systems.
The vulnerabilities affect several versions of Node.js, including both long-term support (LTS) and current releases. Affected versions include Node.js v18.x, v20.x, v22.x, and the latest v23.x. The flaws stem from various issues, including memory leaks, path traversal vulnerabilities, and worker permission bypasses, which could result in denial of service (DoS) conditions, data theft, and potential system compromises.
The vulnerabilities present a high risk of unauthorized access to sensitive data, denial of service, or even complete system compromise. These flaws can be exploited remotely, allowing attackers to gain control over affected systems. The potential impacts are significant, especially in production environments where Node.js applications are running in high-traffic scenarios.
Key Vulnerabilities in Node.js
CVE-2025-23087 (Node.js v17.x and prior): This critical vulnerability affects older versions of Node.js (v17.x or earlier), with an attacker potentially gaining unauthorized access due to insufficient security controls. The severity of the flaw demands immediate attention from users of these older versions.
CVE-2025-23088 (Node.js v19.x): A critical flaw affecting Node.js v19.x, which could allow an attacker to bypass security measures and execute arbitrary code. It\'s essential for users of v19.x to update to the latest release to mitigate the risk.
CVE-2025-23089 (Node.js v21.x): Similar to CVE-2025-23088, this vulnerability impacts Node.js v21.x, allowing for potential exploitation due to a lack of proper access control and security features. Users should upgrade to patched versions of Node.js immediately.
CVE-2025-23083 (Worker Permission Bypass): A high-severity vulnerability discovered in Node.js v20.x, v22.x, and v23.x, where an attacker could exploit the internal worker leak mechanism via the diagnostics_channel utility. This flaw could enable unauthorized access to worker threads, which are typically restricted, potentially leading to privilege escalation.
|
Tool Vulnerability Threat | ★★★ | |
|
2025-01-28 09:37:55 | phpMyAdmin 5.2.2 Addresses Critical XSS and Library Vulnerabilities (lien direct) | >
Overview
phpMyAdmin, a popular web-based tool for managing MySQL and MariaDB databases, has recently released version 5.2.2, addressing multiple vulnerabilities that posed a medium severity risk. This widely-used tool is a basis for database administrators, offering strong features and ease of use. However, the vulnerabilities discovered could potentially expose users to risks such as unauthorized actions, session hijacking, and data theft.
The update resolves two cross-site scripting (XSS) vulnerabilities (CVE-2025-24530 and CVE-2025-24529) and a potential issue in the glibc/iconv library (CVE-2024-2961). These vulnerabilities underline the importance of staying up to date with security patches to safeguard sensitive data and ensure secure database management.
According to the advisory:
Reported By: The vulnerability was reported by a security researcher identified as "bluebird."
Severity: Moderate.
Solution: Users are encouraged to upgrade to version 5.2.2 or apply the patch.
Vulnerability Details
Three significant vulnerabilities were identified in phpMyAdmin versions prior to 5.2.2:
1. CVE-2025-24530: XSS in “Check Tables”
Description: This XSS vulnerability allows an attacker to exploit the "Check Tables" feature by crafting a malicious table name. This could result in injecting malicious scripts into the application.
Impact: Successful exploitation could lead to session hijacking, data theft, and unauthorized actions.
CWE ID: CWE-661 (Improper Neutralization of Input During Web Page Generation).
Fix: This issue was resolved through commit a45efd0eb9415240480adeefc587158c766bc4a0.
2. CVE-2025-24529: XSS in “Insert”
Description: This vulnerability involves the "Insert" functionality, which could be manipulated to execute malicious scripts.
Impact: Exploitation could compromise user accounts and sensitive data by injecting malicious code into user |
Tool Vulnerability Threat Medical | ★★★ | |
|
2025-01-27 15:02:33 | IT Vulnerability Report: 7-Zip, Windows and Fortinet Fixes Urged by Cyble (lien direct) | >
Overview
Cyble\'s vulnerability intelligence report to clients last week examined high-risk flaws in 7-Zip, Microsoft Windows, and Fortinet, among other products. It also examined dark web claims of a zero-day vulnerability in Apple iOS.
In all, the report from Cyble Research and Intelligence Labs (CRIL) looked at 14 vulnerabilities and dark web exploits, including one vulnerability with a maximum CVSS severity score of 10.0 and another with more than 276,000 web exposures.
Here are some of the vulnerabilities highlighted by Cyble\'s vulnerability intelligence unit as meriting high-priority attention by security teams.
The Top IT Vulnerabilities
CVE-2024-50603 is a 10.0-severity OS Command Injection vulnerability in the Aviatrix Controller that could allow an unauthenticated user to execute arbitrary commands against the cloud networking platform controller, due to improper neutralization of special elements used in an OS command. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
CVE-2025-0411 is a critical vulnerability in the 7-Zip file archiving software that allows attackers to bypass the Mark-of-the-Web (MOTW) protection mechanism, which is intended to warn users about potentially dangerous files downloaded from the internet. An attacker could use the vulnerability to craft an archive file so that the files do not inherit the MOTW mark when they are extracted by 7-Zip. The vulnerability was just announced, but a patch has been available since November 30. As 7-Zip lacks an auto-update function, users must download the update directly.
CVE-2024-12084 is a 9.8-severity Heap-Based Buffer Overflow vulnerability in the Rsync file synchronization tool. The vulnerability arises from improper handling of checksum lengths that exceed the fixed limit of 16 bytes (SUM_LENGTH) during the processing of user-controlled data. An attacker could manipulate checksum lengths, leading to out-of-bounds memory writes in the sum2 buffer. This could enable remote code execution (RCE) on systems running the Rsync server. Cyble detected more than 276,000 vulnerable web-facing Rsync exposures (image below).
Dark Web Exploits and Zero Days
The |
Tool Vulnerability Threat Patching Cloud | ★★★ | |
|
2025-01-27 12:16:17 | United Against Cybercrime: ASEAN Ministers Forge New Security Pathways (lien direct) | >
Overview
The digital world in Southeast Asia is evolving rapidly, with nations striving to balance innovation, inclusivity, and security. The recently held 5th ASEAN Digital Ministers\' Meeting (ADGMIN) in Bangkok, Thailand, marked a significant milestone in this journey. The meeting highlighted the importance of cybersecurity in shaping a resilient digital future for the region. The ASEAN Digital Masterplan 2025 (ADM 2025) continues to serve as a guiding framework for fostering collaboration, enabling trust in digital services, and promoting the safe and inclusive use of technology.
From addressing online scams to operationalizing the ASEAN Regional Computer Emergency Response Team (CERT) and advancing AI governance, the event showcased ASEAN\'s commitment to fortifying its digital ecosystem against cyber threats. With an emphasis on collaboration and proactive measures, the meeting highlighted the pressing need to enhance cybersecurity frameworks, strengthen cross-border data governance, and address emerging challenges posed by technologies like generative AI.
Key Cybersecurity Highlights
ASEAN Regional CERT Operationalization: One of the significant milestones discussed was the operationalization of the ASEAN Regional Computer Emergency Response Team (CERT). This initiative aims to enhance collaboration among member states, facilitate real-time information sharing, and strengthen the region\'s preparedness against cyberattacks. CERT\'s operationalization highlights ASEAN\'s focus on collective resilience in cyberspace.
Tackling Online Scams: Online scams remain a pressing issue across ASEAN. The ASEAN Working Group on Anti-Online Scams (WG-AS) released its Report on Online Scams Activities in ASEAN (2023–2024), offering insights into the threat landscape. The report outlines key recommendations for regional collaboration to combat scams effectively. The ASEAN Recommendations on Anti-Online Scams provide a framework for governments to develop policies aimed at mitigating online fraud, with a focus on cross-border scams and fraudulent activities exploiting digital platforms.
Promoting Responsible State Behavior in Cyberspace: ASEAN adopted the Checklist for Responsible State Behavior in Cyberspace, aligning with global norms to promote peace and security online. This initiative focuses on fostering cooperation and ensuring responsible use of digital tools while mitigating risks.
Strengthening Cross-Border Data Governance: Data governance was another key topi |
Ransomware Tool Vulnerability Threat Technical | ★★★ | |
|
2025-01-24 14:40:40 | Unlocking Vulnrichment: Enhancing CVE Data for Smarter Vulnerability Management (lien direct) | >
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) has introduced Vulnrichment, an innovative initiative designed to enhance CVE data by adding crucial context, scoring, and detailed analysis. Launched on May 10, 2024, Vulnrichment aims to empower security professionals by providing more than just basic CVE information-it offers the insights needed to make informed, timely decisions regarding vulnerability management.
As part of a mid-year update, CISA\'s Tod Beardsley, Vulnerability Response Section Chief, provides an overview of how this resource can be leveraged to improve vulnerability management.
For IT defenders and vulnerability management teams, Vulnrichment represents a significant advancement in how CVE data is presented and utilized. By enriching basic CVE records with essential metadata like Stakeholder-Specific Vulnerability Categorization (SSVC) decision points, Common Weakness Enumeration (CWE) IDs, and Common Vulnerability Scoring System (CVSS) scores, Vulnrichment transforms raw CVE data into a more actionable and comprehensive resource.
The best part? No additional setup is required. This enhanced data is integrated directly into the CVE feeds already being consumed by security teams. Whether you\'re pulling CVE data from the official CISA platform at https://cve.org or GitHub at https://github.com/CVEProject/cvelistV5, you\'re already collecting the enriched CVE records that Vulnrichment provides.
How Vulnrichment Enhances CVE Data
CISA\'s Vulnrichment is designed to provide a deeper layer of insight into each CVE, helping security professionals prioritize vulnerabilities with greater clarity. Here\'s an example of how Vulnrichment works with a specific CVE, CVE-2023-45727, which has been marked as a Known Exploited Vulnerability (KEV) by CISA. If you want to understand the exploitation status of this CVE, you can query the SSVC decision points included in the Vulnrichment ADP (Authorized Data Publisher) container. For instance, using the command line tool jq, you can execute a query to extract the "Exploitation" field to understand whether the vulnerability is actively being exploited, requires proof of concept, or is not yet exploited in the wild.
By parsing the ADP container, you can extract this enriched data, which helps you make informed decisions about whether to prioritize this vulnerability over others. This ability to access context-rich CVE data provides valuable intelligence for vulnerability management efforts, enabling teams to prioriti |
Tool Vulnerability Threat Patching Technical | ★★★ | |
|
2025-01-24 13:53:11 | Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks (lien direct) | >
Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs).
The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People\'s Republic of China (PRC).
The Ivanti CSA Exploit Chains
CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains, first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability.
The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers.
The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0.
The First Exploit Chain
In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone |
Tool Vulnerability Threat Patching Cloud | ★★★ | |
|
2025-01-23 12:43:04 | Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability (lien direct) | >
Overview
A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II for avoiding midair collisions were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report.
The midair collision system flaws have been judged at low risk of being exploited, but one of the vulnerabilities does not presently have a fix. They could potentially be exploited from adjacent networks.
Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available for subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest.
TCAS II Vulnerabilities
The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory.
The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.”
TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions.
The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1.
CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).”
The second flaw, CVE-2024-11166, is an 8.2-severity External Control of System or Configuration Setting vulnerability. TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm- |
Tool Vulnerability Threat Patching Industrial Commercial | ★★★ | |
|
2025-01-22 10:44:07 | Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks (lien direct) | >
Overview
The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government\'s growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.
BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.
The term "bulletproof" is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.
How Bulletproof Hosting Providers Operate
BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.
A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.
Anot |
Ransomware Malware Tool Vulnerability Threat Legislation | ★★ | |
|
2025-01-22 08:12:57 | Cyble Finds Thousands of Security Vendor Credentials on Dark Web (lien direct) | >
Overview
Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data.
The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks.
The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.
Leaked Security Company Credentials
Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year.
Cyble looked at 13 of the largest enterprise security vendors-along with some of the bigger consumer security companies-and found credentials from all of them on the dark web. The credentials were likely pulled from info stealer logs and then sold in bulk on cybercrime marketplaces.
Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.
Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.
Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points.
The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls.
All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access.
One of the largest security vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for |
Ransomware Tool Vulnerability Threat Cloud | ★★★ |
To see everything:
Our RSS (filtrered)
