Steve Thomas - IT Consultant


  • A cross-site scripting bug plaguing Cisco's Adaptive Security Appliance is being actively exploited, the company warns
  • The flaw was first discovered a decade ago
  • CISA added it to KEV, and warned federal agencies to patch

Cisco has updated a decade-old advisory to warn users that the ancient vulnerability is now being actively exploited in the wild to spread malware.

Spotted by The Hacker News, the advisory is for a cross-site scripting (XSS) vulnerability affecting the WebVPN login page for the Cisco Adaptive Security Appliance (ASA) Software.

The vulnerability was spotted in 2014, and has since been tracked as CVE-2014-2120. It has a severity score of 6.1 (medium), and allows threat actors to remotely inject arbitrary web script or HTML via an unspecified parameter.

A surge in abuse

"An attacker could exploit this vulnerability by convincing a user to access a malicious link," Cisco said at the time.

Earlier this week, however, the company updated the advisory, saying it observed “additional attempted exploitation” of the bug in the wild.

The discovery has also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the bug to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and adjacent organizations have a three-week deadline to patch the software, or stop using it altogether. CISA added the bug on November 12, meaning that the deadline for patching was December 3.

If you are using Cisco’s ASA, it would be wise to patch the software without hesitation. Cybercriminals are known to take advantage of age-old vulnerabilities, since working exploits already exist and the flaws can easily be abused.

For example, late in 2023, news broke of threat actors abusing a six-year-old flaw in Microsoft’s Excel to deliver an information-stealing piece of malware called Agent Tesla. Also, in 2020, it was found that crooks were using a three-year-old Office bug to target businesses in the real estate, entertainment and banking industries in both Hong Kong and North America.

Some researchers would argue that old vulnerabilities are more dangerous than zero-days, since the exploitation techniques are already established. However, these vulnerabilities are also the easiest to address, simply by keeping software up to date.

Via The Hacker News



  • Security pros from Fortra spot new phishing campaign abusing two Cloudflare domains
  • Pages and Workers are being used to bypass email protections and redirect people to phishing pages
  • The activity has risen significantly this year

Cybercriminals are abusing two Cloudflare domains to facilitate phishing attacks and push malware to their victims, researchers have claimed.

New research from cybersecurity experts Fortra claims the trend is on the rise, especially compared to 2023.

The domains, ‘pages.dev’ and ‘workers.dev’, are used to deploy web pages and serverless computing respectively, and given Cloudflare’s good standing in the general public’s eye, they allow the crooks to bypass various endpoint protection tools and successfully compromise their targets.

A surge in abuse

Pages is a free platform where front-end developers can deploy and host static websites, or JAMstack applications, directly from their Git repository, and into Cloudflare’s Content Delivery Network (CDN).

Workers, on the other hand, is a serverless platform for deploying and running JavaScript, TypeScript, or Rust code at the edge, to build scalable and performant applications.

Crooks, however, use them to host intermediary phishing pages that redirect victims to the actual malicious sites. The attack starts with the usual phishing email, urging the victim to address a problem immediately. The email either carries a .PDF file, or a link in the body itself. However, since the link points to Cloudflare’s domains, most email security solutions don’t flag it as suspicious or malicious.

Victims are also more likely to put their guard down after seeing Cloudflare’s name in the link, or the PDF file.
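To show the gap the report describes, here is an added example (not Fortra's or Cloudflare's code) that triages the links in a constructed phishing-style email two ways: an apex-reputation allowlist that waves pages.dev and workers.dev through, and a platform-aware check that treats every per-project subdomain on those platforms as unknown third-party content. The host names, the email text and the allowlist contents are all constructed for the demonstration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Developer-hosting platforms named in the Fortra report. Each project gets its own
# subdomain, so the apex's reputation says nothing about who controls a given page.
USER_CONTENT_PLATFORMS = ("pages.dev", "workers.dev")

# Constructed allowlist standing in for the weak control: "trusted apex, let it through".
TRUSTED_APEXES = {"pages.dev", "workers.dev", "cloudflare.com", "example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed lure, not a real message: urgency plus links on per-project subdomains.
SAMPLE_EMAIL = """Subject: Action required: unpaid invoice #48213

Your account will be suspended today unless you review the invoice:
https://invoice-portal-review.pages.dev/login
Secure document copy: https://docs-share.acme-files.workers.dev/view?id=7
Look-alike that is NOT the platform: https://pages.dev.example.org/x
Manage preferences: https://mail.example.com/unsubscribe
"""


def user_content_platform(host: str) -> Optional[str]:
    """Return the platform a host belongs to, matching on a label boundary so that
    look-alikes such as pages.dev.example.org or fakepages.dev do not match."""
    host = host.lower().rstrip(".")
    for platform in USER_CONTENT_PLATFORMS:
        if host == platform or host.endswith("." + platform):
            return platform
    return None


def reputation_only_verdict(host: str) -> str:
    """Weak control: judge the link by its last two labels (the apex) alone."""
    apex = ".".join(host.lower().rstrip(".").split(".")[-2:])
    return "allow" if apex in TRUSTED_APEXES else "inspect"


def platform_aware_verdict(host: str) -> str:
    """Corrected control: a per-project subdomain on a user-content platform is an
    unknown third party, so the apex allowlist must not short-circuit inspection."""
    if user_content_platform(host):
        return "inspect-hosted-content"
    return reputation_only_verdict(host)


def triage_links(body: str) -> list:
    """Extract every http(s) link and record both verdicts side by side."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        findings.append({
            "url": url,
            "host": host,
            "platform": user_content_platform(host),
            "reputation_only": reputation_only_verdict(host),
            "platform_aware": platform_aware_verdict(host),
        })
    return findings


def missed_by_reputation_only(findings: list) -> list:
    """Hosts the weak control allowed but the corrected control sends to inspection."""
    return [f["host"] for f in findings
            if f["reputation_only"] == "allow" and f["platform_aware"] != "allow"]


if __name__ == "__main__":
    results = triage_links(SAMPLE_EMAIL)
    for f in results:
        print(f"{f['host']:40} reputation-only={f['reputation_only']:8} platform-aware={f['platform_aware']}")
    print("missed by apex allowlist:", missed_by_reputation_only(results))
```

The same boundary-aware matching applies to any other user-content hosting platform you choose to list; the point is that a brand's apex is not a statement about the tenant behind a particular subdomain.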

"Fortra's SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024," the company said in its report. "With an average of approximately 137 incidents per month, the total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%."

Workers aren’t faring much better, either. “We have witnessed a 104% surge in phishing attacks on this platform, climbing from 2,447 incidents in 2023 to 4,999 incidents year-to-date," the researchers added.

"Currently averaging 499 incidents per month, the total volume is expected to reach almost 6,000 by year-end, reflecting a projected 145% increase compared to the previous year."

All phishing starts the same way - with an email message demanding urgent attention. It can be a pending invoice, a returning parcel, a security alert, or a time-sensitive giveaway. This fear of missing out, or worsening things, makes victims spring into action without considering what they’re doing. As a result, they often share their login credentials with the attackers, install malware on their computers, or even share banking and other finance data.

The best way to defend against phishing is to use common sense, and be careful when reading emails and opening attachments, even if they’re coming from seemingly reputable sources such as Cloudflare.

Via BleepingComputer



  • Stoli filed for bankruptcy in the USA in November 2024
  • Among the different factors leading to the decision was an alleged ransomware attack which hindered the company's operations
  • We don't know who the attackers were, or if any ransom was paid

Stoli, a top vodka brand with a presence across the world, filed for bankruptcy last week - with an apparent cybersecurity incident among the reasons.

In the bankruptcy filing, the company listed many reasons for its financial failings, including legal disputes with the Russian government, the country’s confiscation of two distilleries worth around $100 million, and a ransomware attack that allegedly happened in August 2024.

In the official document filed with the Texas bankruptcy court late last month, the company’s CEO Chris Caldwell discussed the cyberattack. “In August 2024, the Stoli Group's IT infrastructure suffered severe disruption in the wake of a data breach and ransomware attack,” he said.

Unknown attackers

“The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group's enterprise resource planning (ERP) system being disabled and most of the Stoli Group's internal processes (including accounting functions) being forced into a manual entry mode," Caldwell continued.

The company is still working on restoring its systems, and believes it won’t be fully operational before the first quarter of 2025.

Hindered daily operations aside, the ransomware attack apparently also made it difficult for the company to repay the debt to its lenders. Since it was unable to share current financial data, the lenders accused the company of defaulting on the debt, The Record reports.

It’s also worth pointing out that the company did not say who the attackers were, what they achieved, whether or not they stole any sensitive data, or how much money they asked for in exchange. Hackers would usually flaunt their success on their data leak page, but in this case no one assumed responsibility for the attack. Sometimes, when victims pay the ransom demand, their names get removed from the leak sites.

However, they are usually listed first, as a way of pressuring the victim into paying up.



  • ENGlobal recently filed a new report with the SEC, detailing a ransomware attack
  • It said the attack forced it to shut down parts of its infrastructure
  • The incident is still being handled

A US government contractor was forced to shut down parts of its infrastructure in order to contain a ransomware attack.

ENGlobal Corporation, a US-based provider of engineering and automation services, recently filed a new 8-K report with the US Securities and Exchange Commission (SEC), in which it said that the attack is still being remediated and that the timeline for full recovery is still unknown.

“On November 25, 2024, ENGlobal Corporation became aware of a cybersecurity incident. The preliminary investigation has revealed that a threat actor illegally accessed the Company’s information technology (“IT”) system and encrypted some of its data files,” the company said in the filing.

Unknown attackers

“Upon detecting the unauthorized access, the Company immediately took steps to contain, assess and remediate the cybersecurity incident, including beginning an internal investigation, engaging external cybersecurity specialists, and restricting access to its IT system.”

To tackle the problem, ENGlobal shut parts of its network down, meaning that its systems are “limited to essential business operations”.

“The timing of restoration of full access to the Company’s IT system remains unclear as of the date of this filing,” the document reads, concluding that it still doesn’t know if the attack will impact the company financially.

The company did not say who the attackers were, or whether they exfiltrated any sensitive files from its systems, as is standard practice in ransomware attacks. No threat actor has claimed responsibility yet, either.

ENGlobal Corporation specializes in projects for the energy, government, and industrial sectors. The company focuses on delivering solutions in areas such as modular process systems, automation integration, and advanced technologies for energy and sustainability. According to The Register, it reported $39 million in revenue last year.

It has roughly 130 employees and primarily operates within the US. It is headquartered in Houston, Texas, with offices in Denver, Tulsa, and Henderson.

Via The Register



  • A few months ago, Chinese state-sponsored actors were observed on IT networks of ISPs, telcos, and more
  • Since then, the companies worked hard on cleaning up their infrastructure
  • Salt Typhoon still lurks, CISA warns, as it shares guidelines to defend

The US Cybersecurity and Infrastructure Security Agency (CISA) believes Salt Typhoon, the Chinese state-sponsored threat actor that was spotted in telecommunications giants’ networks months ago, is still lurking and hasn’t been completely eradicated. To help organizations tackle this important threat, the agency released in-depth guidance earlier this week.

Salt Typhoon is a known hacking collective on the payroll of the Chinese government. It is mostly engaged in cyber-espionage, targeting important entities and figures in the West with infostealers and similar malware.

It is part of a wider campaign that includes a number of other “typhoons” (Flax Typhoon, Volt Typhoon, and Brass Typhoon) and that seeks not just to steal information, but also to disrupt critical infrastructure.

Strengthening the network

For months now, cybersecurity experts, government agents, and the media have been reporting on Salt Typhoon’s attacks on internet service providers, telecommunications firms, and similar companies. The targets have been working hard on cleaning up their IT systems, but according to CISA, there’s still work to be done.

That being said, the agency first suggests telecoms strengthen their network visibility and focus on monitoring, detecting, and understanding network activity. Then, the report discusses hardening systems and devices through protocols and management processes, device hardening, and access controls. Finally, it tackles incident reporting and provides detailed contact information for reporting cybersecurity incidents in the U.S., Australia, Canada, and New Zealand.

Software manufacturers should embed security principles during development, CISA concluded, advocating for secure-by-design configurations, which should reduce reliance on customer hardening.

“Software manufacturers should prioritize secure by design configurations to eliminate the need for customer implementation of hardening guidelines,” it said. “Additionally, customers should demand that the software they purchase is secure by design.”

For any organization fearing being targeted by Salt Typhoon (or any other Typhoon, for that matter), CISA’s guidance is a must-read.



  • MATRIX criminal chat server has been taken down by police
  • Over 2.3 million messages were retrieved
  • The operation was a joint effort by Europol and Eurojust

Europol has revealed that the sophisticated encrypted messaging service MATRIX has been taken down following a joint action by French and Dutch authorities, dubbed ‘Operation Passionflower’. The service has been linked to serious crimes, including arms trafficking and money laundering.

A three-month investigation led to a coordinated operation, supported by Europol and Eurojust. The messaging service was made by criminals, for criminals, and was first discovered on the phone of the man convicted of the murder of a Dutch journalist in 2021.

Over 2.3 million messages in 33 languages were deciphered during the investigation. The MATRIX infrastructure spanned 40 servers, primarily based in France and Germany, with over 8,000 users, each paying between €1,300 and €1,600 for a six-month subscription.

Operation Passionflower

Authorities have arrested the suspected owner and operator of the platform as part of the action, and have seized over half a million dollars worth of cryptocurrencies. As well as confiscating cryptocurrencies, the investigation seized a villa worth over 15 million euros, four vehicles, and 970 phones.

Authorities have warned criminals in a message posted onto the former site. “It’s not the first time and will not be the last time we are able to read the messages in real time. We gained access to data related to this service, and our investigation does not end here,” the statement says.

Earlier this year, Interpol disrupted thousands of cybercrime instances as part of ‘Operation Synergia’. The operation led to over 1,00 servers and 22,000 malicious IP addresses being taken down.

Cybercrime continues to be a cat-and-mouse game, with servers seized and closed by authorities across the globe. Europol has reported that the infrastructure of the MATRIX service was more complex than previously targeted platforms, and that its takedown represents a significant step forward for law enforcement.

“While the new fragmented landscape poses challenges for law enforcement, the takedown of established communication channels shows that authorities are on top of the latest technologies that criminals use,” Europol’s statement confirmed.

Via NL Times



  • 80% of workers use their own devices to access workplace applications
  • Two-thirds break policies by forwarding emails and using personal hotspots
  • CyberArk is calling for the implementation and enforcement of AI policies

According to cybersecurity firm CyberArk, Britain’s workers are exposing their employers to security risks by not following simple principles that could prevent many breaches.

The study found that four in five employees use personal devices to access workplace applications, which it blames on the rise of hybrid work.

This is especially problematic for companies because, although their own systems may have strong protection, personal accounts tend to have weaker security and can often act as an entry point for attackers.

Workers are exposing their companies to cyberattacks

Apart from accessing workplace applications on their own devices, two in five (39%) employees admitted to downloading customer information on their own devices, and nearly a third say they have the ability to approve significant financial transactions.

Nearly two-thirds (65%) of workers also confess to 'only sometimes' or 'never' following their organization's cybersecurity policies, for example by forwarding work emails to personal accounts and using their own devices as Wi-Fi hotspots.

Additionally, two in five (42%) workers say that they either 'only sometimes' or 'never' follow information handling guidelines when it comes to using AI tools at work.

Besides taking a more proactive approach to protecting sensitive and confidential data, workers should also consider using strong passwords. Nearly half (49%) admit to reusing passwords across multiple work applications, with more than a third (36%) using the same passwords for personal and work accounts.

CyberArk CEO Matt Cohen said: “These findings show that high-risk access is scattered throughout every job role and bad behaviors abound, creating serious security issues for organisations and highlighting the pressing need to reimagine workforce identity security by securing every user with the right level of privilege controls.”

Looking ahead, CyberArk's report calls for enhanced employee education and training initiatives, and clearer and enforced guidelines for the use of artificial intelligence.



  • Security researchers saw corrupted files used in phishing campaigns
  • These files bypass email protection solutions
  • Word can easily restore them, presenting malicious content to the victim

Cybercriminals have found a new and creative way to sneak phishing emails past your online defenses and into your inbox, experts have warned.

A new report from cybersecurity researchers Any.Run observed crooks distributing corrupted Microsoft Word files in their campaigns. Most phishing emails come with an attachment. That file can either be malware itself, or can contain a link to a malicious website, or download.

In response, most email security solutions these days analyze incoming attachments before the recipient can read them, warning the victim if they are being targeted.

Stealing login credentials

However, if the file is corrupted, security programs cannot read or analyze it, and thus cannot flag it as malicious. So, hackers have now started deliberately corrupting the phishing files before sending them out. The trick? Word can easily restore them.

Once they are restored and readable, it is already too late for email security tools to scan them, and the victim is presented with the malicious content which, in this case, is a QR code leading to a fake Microsoft 365 login page.

Therefore, the goal of the recently observed campaign is to steal people’s cloud credentials.

"Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types," Any.Run said.

"They were uploaded to VirusTotal, but all antivirus solutions returned 'clean' or 'Item Not Found' as they couldn't analyze the file properly."
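The fail-closed handling that the Any.Run quote argues for, as an added example that is not Any.Run's or Microsoft's code: it builds a constructed minimal DOCX, damages the ZIP central directory the way the report describes, and shows that a strict parser now rejects the file while a walk over the local file headers (roughly what a recovering reader relies on) still surfaces the document text. The verdict for such a file is therefore "quarantine, unanalysed", never "clean". File names and lure text are constructed.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# ZIP local file header: sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
OFFICE_EXTS = (".docx", ".docm", ".dotx", ".xlsx", ".pptx")


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX. An OOXML document is a ZIP container, which is why
    damaging the archive structure breaks a strict parser but not Word's recovery."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Scan the QR code to open the shared file</w:t></w:r></w:p>'
                   '</w:body></w:document>')
    return buf.getvalue()


def corrupt_docx(docx: bytes, cut: int = 64) -> bytes:
    """Simulate the deliberate damage: truncate the tail holding the central directory
    and end-of-central-directory record, which stock ZIP readers need to open the file."""
    return docx[:-cut]


def recover_entries(data: bytes) -> dict:
    """Best-effort read that ignores the central directory and walks local file headers
    instead, so an analyst still sees what a recovering reader would render.
    Values are decompressed bytes, or None when the entry cannot be trusted or decoded."""
    entries = {}
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HEADER.size <= len(data):
        (_, _, flags, method, _, _, _, csize, _,
         name_len, extra_len) = LOCAL_HEADER.unpack_from(data, pos)
        name_start = pos + LOCAL_HEADER.size
        body_start = name_start + name_len + extra_len
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        body = data[body_start:body_start + csize]
        if flags & 0x08:          # sizes deferred to a data descriptor: csize is unusable
            entries[name] = None
        elif method == 8:         # DEFLATE stored raw (no zlib header)
            try:
                entries[name] = zlib.decompress(body, -15)
            except zlib.error:    # body truncated or damaged
                entries[name] = None
        elif method == 0:         # stored uncompressed
            entries[name] = body
        else:
            entries[name] = None
        pos = data.find(LOCAL_SIG, body_start + csize)
    return entries


def triage_attachment(filename: str, data: bytes) -> dict:
    """Fail closed: an Office-looking attachment that a strict parser rejects is not
    'clean', it is unanalysed. Quarantine it and attach whatever content is recoverable."""
    office_like = filename.lower().endswith(OFFICE_EXTS) or data.startswith(LOCAL_SIG)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if z.testzip() is not None:
                raise zipfile.BadZipFile("CRC mismatch in an entry")
            entries = {n: z.read(n) for n in z.namelist()}
        verdict, reason = "scan", "container parsed; hand to the normal content scanner"
    except zipfile.BadZipFile as err:
        entries = recover_entries(data)
        verdict = "quarantine" if office_like or entries else "not-a-container"
        reason = f"strict parse failed ({err}); treating as unanalysed, not clean"
    body = entries.get("word/document.xml") or b""
    return {
        "verdict": verdict,
        "reason": reason,
        "entries": sorted(entries),
        "document_text": body.decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    good = build_sample_docx()
    for label, blob in (("intact", good), ("corrupted", corrupt_docx(good))):
        result = triage_attachment("invoice.docx", blob)
        print(label, result["verdict"], "-", result["reason"])
        print("  recovered parts:", result["entries"])
```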

Phishing remains one of the most popular attack vectors on the internet. While there are many software solutions helping businesses minimize the threat, the best defense remains the same - using common sense and being careful with incoming email messages. This rings particularly true for messages coming from unknown sources, and messages coming with a sense of urgency.

Via BleepingComputer



  • A hacker with the alias "Nam3L3ss" started leaking data from six companies
  • The companies include Nokia, Bank of America, and others
  • The data came from the MOVEit breach that happened more than a year ago

Hackers are still leaking sensitive information stolen via the MOVEit flaw, more than a year after it was first disclosed, experts have warned.

A threat actor with the alias “Nam3L3ss” recently started leaking sensitive data from six major companies to BreachForums: Xerox (42,735), Koch (237,487), Nokia (94,253), Bank of America (288,297), Bridgewater (2,141), Morgan Stanley (32,861), and JLL (62,349), The Register reports.

The publication further added that security researchers analyzed the data dump and confirmed its authenticity, adding that among the leaked information are people’s full names, phone numbers, email addresses, job addresses, employee badges, job titles, and usernames.


MOVEit files keep leaking

This is the type of information cybercriminals like most (apart from passwords and banking data, obviously), since it allows them to run phishing, identity theft, and similar attacks that can lead to ransomware, wire fraud, and more.

"This data is a goldmine for social engineering," Zack Ganot, chief strategy officer for Atlas Privacy, said. "Knowing exactly what employee sits on which team, who they report to, what their badge number is, what building they work in, their organizational email and phone number – this is some wild stuff for an attacker looking to exploit an org."

MOVEit is a managed file transfer (MFT) tool, used by large companies to securely share sensitive files. In late May 2023, it was discovered that it had a flaw, which was successfully exploited by a Russian ransomware actor called Cl0p. This group used the flaw to exfiltrate sensitive data from hundreds of companies using MOVEit.

Among the victims were numerous high-profile organizations across various sectors, including US government entities (Department of Energy, Office of Personnel Management), educational institutions (Johns Hopkins University), private enterprises (Shell, British Airways, Ernst & Young), and many others. In total over 62 million individuals were directly affected, with the true number likely higher.



  • Kaspersky found a new campaign, using malicious JavaScript to deploy RATs
  • The RATs are used to deploy two infostealers
  • Among the victims are people and businesses in Russia

Hackers are targeting people and businesses in Russia with malicious JavaScript, in order to install backdoors on their devices. This is according to a new report from cybersecurity researchers Kaspersky, who named the campaign “Horns&Hooves”.

As per the researchers, Horns&Hooves started in March last year, and has since infected roughly 1,000 endpoints.

The campaign starts with a phishing email, in which the attackers impersonate individuals and businesses, and send emails that mimic requests and bids from potential customers, or partners.

Actively developed campaign

The emails come with various attachments, among which is the JavaScript payload. This payload delivers two Remote Access Trojans (RATs): NetSupport RAT and BurnsRAT. In turn, these RATs are used to deploy the final payload: either Rhadamanthys or Meduza.

These two are known infostealers. Since late 2022, Rhadamanthys has been offered on the dark web as a service, enabling crooks to steal a vast range of information from the target device, from system details and passwords to browsing data. Rhadamanthys has specialized tools for stealing cryptocurrency credentials, with support for over 30 different wallets.

Meduza, on the other hand, is part of the growing threat landscape for personal and business cybersecurity. Like Rhadamanthys, it steals user credentials and other sensitive information, including login credentials for various services and applications. However, Meduza operates with a more focused scope, aiming to evade detection through various obfuscation and anti-analysis techniques.

Horns&Hooves is an actively developed campaign, the researchers say, stressing that its code has been revamped and upgraded numerous times. While attribution proved difficult, there is reason to believe that TA569 is behind the attacks. According to The Hacker News, this group (also known as Mustard Tempest or Gold Prelude) is the one running the SocGholish malware.

The same publication also stated that TA569 was seen acting as an initial access broker for affiliates deploying the WastedLocker ransomware strain.

Via The Hacker News



  • LogoFAIL, a set of image-parsing vulnerabilities affecting Linux and Windows devices, is being actively abused
  • Researchers say crooks are using it to install Bootkitty, the first-ever Linux UEFI bootkit
  • Bootkitty works on both Linux and Windows devices

LogoFAIL, a string of vulnerabilities that allow threat actors to install malware at boot level, is now actively being abused in the wild. This is according to a new report from cybersecurity researchers Binarly.

Discovered roughly a year ago, LogoFAIL is a group of vulnerabilities that allow malicious actors to replace the logo image displayed on Windows and Linux devices during the boot process.

The replaced images can contain malicious code that the device will run, and since that code executes at boot, before the OS or any antivirus program loads, most security products cannot detect or remove it.

Purely theoretical

In fact, even reinstalling the operating system, or replacing the hard drive, will not help. Malware installed this way is generally called a UEFI bootkit, since it targets the Unified Extensible Firmware Interface (UEFI), the firmware responsible for initializing hardware and launching the operating system.

When it was first discovered, LogoFAIL was deemed purely theoretical, as no active exploits, or code, were seen in the wild. However, Binarly now says that things have changed, and that it observed LogoFAIL being used to deploy Bootkitty.

Bootkitty was first observed, and reported, late last week. It is the first malware of its kind, since it targets Linux devices. Spotted by researchers from ESET, the malware was described as an early development stage version.

Bootkitty relies on a self-signed certificate, which means it won’t run on systems with Secure Boot enabled - therefore, it can only target some Ubuntu distributions.

Furthermore, the bootkit uses hardcoded byte patterns rather than patterns that would cover multiple kernel or GRUB versions, which means it cannot be widely distributed. Finally, Bootkitty contains many unused functions and performs no kernel-version checks, which often results in system crashes.

In any case, the finding marks an important moment in the development and destructive potential of UEFI bootkits.

Via Ars Technica



  • The NCSC released its latest Annual Review report
  • It claims the number of attacks is up, and reaching unprecedented levels
  • The head of NCSC commented that the cyber risk is "widely underestimated"

The UK is being hit with more cyberattacks than ever before, with academia, manufacturing, and IT being among the most targeted verticals.

This is according to a new report published by the country’s National Cyber Security Centre (NCSC). In the latest iteration of its Annual Review, published earlier this week, the NCSC said that its Incident Management (IM) team received 1,957 reports this year, from a “range of sectors.”

The team triaged the reports down into 430 incidents worthy of its attention, up from 371 last year. Of those incidents, 89 were said to have been “nationally significant”, and 12 were “at the top end of the scale and more severe in nature”. This number has also tripled compared to last year, the NCSC added.

Biggest targets

Over the course of the year, the IM team sent out 542 bespoke notifications informing businesses of a cyberattack that impacts them, and sharing advice and guidance on how to tackle the problem. This number has also doubled compared to last year (258), the NCSC added, saying that almost half of the notifications sent this year related to pre-ransomware activity.

The biggest targets this year were academia, manufacturing, IT, legal, charities, and construction. The organization said it received 317 reports of ransomware activity, either directly from the victims or from its partners, another statistic that increased year-on-year (297). The IM team triaged these into 20 incidents that it addressed, 13 of which were “nationally significant” and included NHS trusts and the British Library.

During the launch of the Annual Review, the head of the NCSC, Richard Horne, said that the cyber risks the country is facing are “widely underestimated”.

“What has struck me more forcefully than anything else since taking the helm at the NCSC is the clearly widening gap between the exposure and threat we face, and the defenses that are in place to protect us,” he said. “And what is equally clear to me is that we all need to increase the pace we are working at to keep ahead of our adversaries.”
