Lilith >_> of Cisco Talos discovered these vulnerabilities. 
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  
The Wavlink AC3000 wireless router is one of the

Wednesday, January 15, 2025 08:00

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._ 

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. 

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Static login vulnerability **

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.  

Static Login 

*   TALOS-2024-2034 (CVE-2024-39754): Static login 

**Ten .cgi vulnerabilities **

An unauthenticated HTTP request can trigger the following types of vulnerabilities: 

touchlist\_sync.cgi 

*   TALOS-2024-1999 (CVE-2022-2488): Arbitrary code execution 
*   TALOS-2024-2000 (CVE-2024-34166): Command injection 
*   TALOS-2024-2046 (CVE-2024-36258): Buffer overflow  

Login.cgi 

*   TALOS-2024-2017 (CVE-2024-39363): Persistent XXS 
*   TALOS-2024-2018 (CVE-2024-39759-CVE-2024-39761): Command injection 
*   TALOS-2024-2019 (CVE-2024-36290): Buffer overflow  
*   TALOS-2024-2036 (CVE-2024-39608): Unauthenticated firmware upload  

internet.cgi 

*   TALOS-2024-2020 (CVE-2024-39762-CVE-2024-39765): Command injection 
*   TALOS-2024-2021 (CVE-2024-39288): Buffer overflow 
*   TALOS-2024-2022 (CVE-2024-39768-CVE-2024-39770): Buffer overflow  

firewall.cgi 

*   TALOS-2024-2023 (CVE-2024-39367): Command injection  

adm.cgi 

*   TALOS-2024-2024 (CVE-2024-39756): Buffer overflow 
*   TALOS-2024-2025 (CVE-2024-37184): Buffer overflow 
*   TALOS-2024-2026 (CVE-2024-39294): Buffer overflow 
*   TALOS-2024-2027 (CVE-2024-39358): Buffer overflow 
*   TALOS-2024-2028 (CVE-2024-21797): Command injection 
*   TALOS-2024-2029 (CVE-2024-37357): Buffer overflow 
*   TALOS-2024-2030 (CVE-2024-39774): Buffer overflow 
*   TALOS-2024-2031 (CVE-2024-39370): Arbitrary code execution 
*   TALOS-2024-2032 (CVE-2024-37186): OS command injection 
*   TALOS-2024-2033 (CVE-2024-39781-CVE-2024-39783): OS Command injection 

wireless.cgi 

*   TALOS-2024-2039 (CVE-2024-39357): Buffer overflow 
*   TALOS-2024-2040 (CVE-2024-39359): Buffer overflow 
*   TALOS-2024-2041 (CVE-2024-36493): Buffer overflow 
*   TALOS-2024-2042 (CVE-2024-39603): Buffer overflow 
*   TALOS-2024-2043 (CVE-2024-39757): Buffer overflow 
*   TALOS-2024-2044 (CVE-2024-34544): Command injection 

usbip.cgi 

*   TALOS-2024-2045 (CVE-2024-36272): Buffer overflow 

qos.cgi 

*   TALOS-2024-2047 (CVE-2024-36295): Command injection 
*   TALOS-2024-2048 (CVE-2024-39299): Buffer overflow 
*   TALOS-2024-2049 (CVE-2024-39801-CVE-2024-39803): Buffer overflow 

openvpn.cgi 

*   TALOS-2024-2050 (CVE-2024-39798-CVE-2024-39800): Configuration control 
*   TALOS-2024-2051 (CVE-2024-38666): Configuration control 

nas.cgi 

*   TALOS-2024-2052 (CVE-2024-39602): Configuration control 
*   TALOS-2024-2053 (CVE-2024-39793-CVE-2024-39795): Configuration control 
*   TALOS-2024-2054 (CVE-2024-39360): Command injection 
*   TALOS-2024-2055 (CVE-2024-39280): Configuration control 
*   TALOS-2024-2056 (CVE-2024-39788-CVE-2024-39790): Configuration control 
*   TALOS-2024-2057 (CVE-2024-39786-CVE-2024-39787): Directory traversal 
*   TALOS-2024-2058 (CVE-2024-39784-CVE-2024-39785): Command injection 

**Three .sh vulnerabilities **

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw\_check.sh and update\_filter\_url.sh vulnerabilities. 

testsave.sh 

*   TALOS-2024-2035 (CVE-2024-39773): Firmware update 

fw\_check.sh 

*   TALOS-2024-2037 (CVE-2024-39273): Firmware upload  

update\_filter\_url.sh 

*   TALOS-2024-2038 (CVE-2024-39604): Argument injection

Slew of WavLink vulnerabilities

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 10 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Tuesday, January 14, 2025 16:15

Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 12 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”  

One notable critically rated vulnerability that has been patched this month is CVE-2025-21309, which is a remote code execution vulnerability affecting Windows Remote Desktop Services. Exploitation of this vulnerability could lead to arbitrary code execution on systems where the Remote Desktop Gateway role has been enabled. This vulnerability has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

Another notable remote code execution vulnerability in Window Object Linking and Embedding (OLE) was also patched this month. This vulnerability, CVE-2025-21298, is a critical remotely exploitable vulnerability that can be triggered by sending a malicious email to a victim running a vulnerable version of Microsoft Outlook. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and can be triggered when the victim previews the malicious email. This vulnerability has been assigned a CVSS 3.1 score of 9.8. Microsoft recommends disabling RTF as mitigation for this vulnerability. 

CVE-2025-21294 is a critical vulnerability in Microsoft Digest Authentication that affects multiple versions of Windows and Windows Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. To exploit this vulnerability, an attacker would need to win a race condition. 

CVE-2025-21295 is a critical remote code execution vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems and does not require user interaction for successful exploitation.  

CVE-2025-21296 is a critical remote code execution vulnerability in BranchCache. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft assesses that an attacker would need to be on the same network to successfully exploit this vulnerability.  

CVE-2025-21297 is another critical remote code execution vulnerability in Windows Remote Desktop Services. Microsoft has assessed that this vulnerability is “less likely to be exploited” and that it would require an attacker to win a race condition for exploitation to be successful. This vulnerability affects multiple versions of Windows Server.  

CVE-2025-21298 is a critical remote code execution vulnerability in Windows Object Linking and Embedding (OLE). It could allow an attacker to execute arbitrary code on vulnerable systems. Microsoft recommends disabling RTF as a mitigation for this vulnerability.

CVE-2025-21307 is a critical remote code execution vulnerability in Windows Reliable Multicast Transport Driver (RMCAST). This vulnerability, if successfully exploited, could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to vulnerable systems.  

CVE-2025-21311 is a critical privilege escalation vulnerability in NTLMv1. This vulnerability can be exploited remotely and could allow an attacker to increase their level of access to vulnerable systems. Microsoft recommends disabling the use of NTLMv1 as a mitigation for this vulnerability. 

CVE-2025-21362 - is a critical remote code execution vulnerability in Microsoft Excel. This vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This vulnerability can also be triggered via the preview pane.  

CVE-2025-21380 is a critical information disclosure vulnerability affecting Azure Marketplace SaaS Resources. According to Microsoft this vulnerability, which could enable an attacker to disclose information, has been mitigated.  

CVE-2025-21385 is a critical information disclosure vulnerability affecting Microsoft Purview. This vulnerability is due to a Server-Side Request Forgery (SSRF) vulnerability that Microsoft reports has been mitigated. 

Talos would also like to highlight the following important vulnerabilities that Microsoft considers to be “more likely” to be exploited:   

*   CVE-2025-21189 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21210 - Windows BitLocker Information Disclosure Vulnerability 
*   CVE-2025-21219 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21268 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21269 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21292 - Windows Search Service Elevation of Privilege Vulnerability 
*   CVE-2025-21299 - Windows Kerberos Security Feature Bypass Vulnerability 
*   CVE-2025-21314 - Windows SmartScreen Spoofing Vulnerability 
*   CVE-2025-21315 - Microsoft Brokering File System Elevation of Privilege Vulnerability 
*   CVE-2025-21328 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21329 - MapUrlToZone Security Feature Bypass Vulnerability 
*   CVE-2025-21354 - Microsoft Excel Remote Code Execution Vulnerability 
*   CVE-2025-21364 - Microsoft Excel Security Feature Bypass Vulnerability 
*   CVE-2025-21365 - Microsoft Word Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64432 – 64436, 64444 - 64457. There are also these Snort 3 rules: 301113, 301114, 301117 - 301123.

Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilities

An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.

Source: Lutsenko Oleksandr via Shutterstock

A zero-day flaw is likely to blame for a series of recent attacks on Fortinet FortiGate firewall devices that have management interfaces exposed on the public Internet. Attackers are targeting the devices to make unauthorized administrative logins and other configuration changes, create new accounts, and perform SSL VPN authentication, researchers have found.

Researchers at Arctic Wolf have been tracking the campaign since they first noticed suspicious activity on FortiGate devices in early December, they revealed in a recent blog post. They observed threat actors gaining access to management interfaces on affected firewalls — the firmware versions of which ranged between 7.0.14 and 7.0.16 —  and altering their configurations. Moreover, in compromised environments, attackers also were using DCSync to extract credentials.

Artic Wolf released a security bulletin in December upon discovery of the campaign, while the recent blog post revealed more in-depth details, including the attackers likely exploiting a zero-day flaw. However, they have not "definitively confirmed" this initial access vector, though the compressed timeline across affected organizations as well as firmware versions affected by the campaign suggest that attackers are exploiting an as-yet-undisclosed vulnerability, according to the Arctic Wolf researchers.

Victims of the campaign did not represent a specific sector or organization size, suggesting "that the targeting was opportunistic in nature rather than being deliberately and methodically targeted," they added.

The researchers didn't provide details on the scope or volume of the campaign.

**Cyber Abuse of the Fortinet Administrator Console**

What alerted the researchers to the malicious activity "in contrast with legitimate firewall activities, is the fact that \[attackers\] made extensive use of the jsconsole interface from a handful of unusual IP addresses," according to the post.  FortiGate next-generation firewall products have a standard and "convenient" feature that allow administrators to access the command-line interface through the Web-based management interface, the researchers explained.

"According to the FortiGate Knowledge Base, when changes are made via the Web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes," they wrote. "In contrast, changes made via ssh would be listed as ssh for the user interface instead."

The researchers do not have direct confirmation that such commands are used in the present campaign; however, the observed activities follow a similar pattern in the way they invoke jsconsole, they added.

"Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board," the researchers wrote.

**A Four-Phase Cyberattack, Still Ongoing**

The researchers broke the campaign down into four phases that started in mid-November: It started with a vulnerability scanning phase, followed by a reconnaissance phase at the end of November, an SSL VPN configuration phase in the beginning of December, and then wrapping up with lateral movement from mid- to late December. However, they noted that the campaign is ongoing and they may uncover further activity in the future.

"These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access," the researchers explained.

Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning the four phases of the campaign.

"Most of these sessions were short-lived, with corresponding logout events within a second or less," the researchers wrote. "In some instances, multiple login or logout events occurred within the same second, with up to four events occurring per second."

**Don't Expose Management Interfaces to Public Internet**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products widely exploited to breach networks. To protect against attack, organizations should never expose Fortinet device management interfaces on the public Internet, regardless of the product specifics, according to the researchers. Instead, access to these interfaces should be limited to trusted internal users.

"When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators," they wrote in the post.

Administrators also should follow the common best practice of regularly updating firmware on the devices to patch any flaws or other security issues. Further, the researchers added, organizations also should ensure that syslog monitoring is configured for all of an organization’s firewall devices to increase the likelihood of catching malicious activity early.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

Threat actors are targeting people searching for pirated or cracked software with fake downloaders that include infostealing malware such as Lumma and Vidar.

Source: Bits and Splits via Shutterstock

Attackers are targeting people interested in pirated and cracked software downloads by abusing YouTube and Google search results.

Researchers from Trend Micro uncovered the activity on the video-sharing platform, on which threat actors are posing as "guides" offering legitimate software installation tutorials to lure viewers into reading the video descriptions or comments, where they then include links to fake software downloads that lead to malware, they revealed in a recent blog post.

On Google, attackers are seeding search results for pirated and cracked software with links to what appear to be legitimate downloaders, but which in reality also include infostealing malware, the researchers said.

Moreover, the actors "often use reputable file hosting services like Mediafire and Mega.nz to conceal the origin of their malware, and make detection and removal more difficult," Trend Micro researchers Ryan Maglaque, Jay Nebre, and Allixon Kristoffer Francisco wrote in the post.

**Evasive & Anti-Detection Built Into the Campaign**

The campaign appears to be similar to one that surfaced about a year ago spreading Lumma Stealer — a malware-as-a-service (MaaS) commonly used to steal sensitive information like passwords and cryptocurrency-wallet data — via weaponized YouTube channels. At the time, the campaign was thought to be ongoing.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

Though the Trend Micro did not mention if the campaigns are related, if they are, the recent activity appears to up the ante in terms of the variety of malware being spread and advanced evasion tactics, as well as the addition of malicious Google search results.

The malicious downloads spread by attackers often are password-protected and encoded, which complicates analysis in security environments such as sandboxes and allows malware to evade early detection, the researchers noted.

After infection, the malware lurking in the downloaders collects sensitive data from Web browsers to steal credentials, demonstrating "the serious risks of exposing your personal information by unknowingly downloading fraudulent software," the researchers wrote.

In addition to Lumma, other infostealing malware observed being distributed via fake software downloads on links posted on YouTube include PrivateLoader, MarsStealer, Amadey, Penguish, and Vidar, according to the researchers.

Overall, the campaign exploits the trust that people have in platforms such as YouTube and file-sharing services, the researchers wrote; it especially can affect people looking for pirated software who think they are downloading legitimate installers for popular programs, they said.

Related:Russia Carves Out Commercial Surveillance Success Globally

**Shades of a GitHub Campaign**

The thinking behind the campaign also is similar to one recently found abusing GitHub, in which attackers exploited the trust that developers have in the platform to hide the Remcos RAT in GitHub repository comments.

Though the attack vector is different, comments play a big role in spreading malware, the researchers explained. In one attack they observed, a video post purports to be advertising a free "Adobe Lightroom Crack" and includes a comment with a link to the software downloader.

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer, which leads to a download of the malicious file that includes infostealing malware from the Mediafire file hosting site.

Another attack discovered by Trend Micro planted a shortened link to a malicious fake installer file from OpenSea, the NFT marketplace, as the third result in a search for an Autodesk download.

"The entry contains a shortened link that redirects to the actual link," the researchers wrote. "One assumption is that they use shortened links to prevent scraping sites from accessing the download link."

The link prompts the user for the actual download link and the zip file's password, presumably because "password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary," they noted.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

**Protect Your Organization From Malware**

As shown by the threat activity, attackers continue to use social engineering tactics to target victims and apply a variety of methods to avoid security defenses, including: using large installer files, password-protected zip files, connections to legitimate websites, and creating copies of files and renaming them to appear benign, the researchers noted.

To defend against these attacks, organizations should "stay updated on current threats and to remain vigilant regarding detection and alert systems," the researchers wrote. "Visibility is important because solely relying on detection can result in many malicious activities going unnoticed."

Employee training, as security experts often note, also goes a long way in ensuring employees don't fall for socially engineered attacks or try to download pirated software.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

Growing sales of the System for Operative Investigative Activities (SORM), a Russian wiretapping platform, in Central Asia and Latin American suggests increasing risks for Western businesses.

Source: Golden Dayz via Shutterstock

A half-dozen governments in Central Asia and Latin American have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from Russian providers, expanding their — and potentially Russian intelligence's — ability to intercept communications.

The technology includes monitoring equipment placed inside a telecommunications provider's facility, which delivers information to the client government's intelligence agency, including mobile numbers, phones identifiers, geolocation, names, email addresses, and IP addresses. That's according to threat intelligence firm Recorded Future, which found in an analysis that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.

Western companies and citizens should take measures to protect their communications and to understand the risks of surveillance when traveling to countries that have lax civil protections against wiretapping, says a threat analyst with Recorded Future's Insikt threat intelligence group, who asked to remain anonymous due to the sensitivity of the topic.

"Obviously, in countries that don't employ SORM — even Western countries — surveillance frameworks are not immune to abuse, but it's important to look holistically at this when there's evidence of these systems being built with Russian-company inputs in a country with a history of state surveillance operations," the analyst says. "Particularly, human rights defenders, activists, journalists, members of civil society, but also foreign travelers, \[could all be targets\]."

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

The expansion of Russia's SORM kit highlights the gains of digital surveillance technology worldwide. The companies behind the spyware tools used by authoritarian governments — such as NSO Group's Pegasus and Intellexa Consortium's Predator — have made inroads globally, as the companies refine their ability to evade roadblocks on sales to sanctioned nations, according to an in-depth report published by the Atlantic Council in September. Overall, 41% of the 195 countries worldwide have licensed commercial spyware, including 14 of the 27 countries in the European Union, according to the Atlantic Council.

Wiretapping technology and spyware are often used for legitimate reasons, whether that be law enforcement investigations of suspected criminals or intelligence gathering against nation-state rivals. However, in countries with few protections for civil liberties, or poor regulation of digital surveillance technologies, abuses inevitably follow for governments that deploy it without adequate oversight, according to the Atlantic Council analysts.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

"Spyware makes it easier for states to penetrate even the most robust commercial technologies, cell phones, computers, and communications services; makes it far easier to act against citizens beyond state borders; and even provides governments with the ability to target senior officials, both domestically and abroad, where they might otherwise have no means to do so," the Atlantic Council analysts stated in the report. "Where that information is used to facilitate repression and abuse, its harms are untenable."

**The Spyware Nexus: An R Joins the Three I's**

The Atlantic Council identified 435 "entities" — companies and people associated with commercial spyware — and found that two-thirds lead back to three nations: Israel, Italy, and India. Now, Russia has become a major provider of surveillance technology as well.

Existing law in Russia requires that telecommunications providers install and maintain monitoring devices that meet SORM regulations, but the firms are not authorized to access the capabilities of the devices nor audit communications collection, according to Recorded Future's report. Countries in Russia's sphere of influence have passed similar laws mandating SORM-compliant technology, which is typically installed and serviced by Russian providers, likely giving Russia the ability to access intercepted communications.

Related:Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Record Future used a variety of indicators for the adoption of SORM, including marketing materials and the websites of the providers of SORM technologies. The largest providers of SORM technology are companies called Citadel, Norsi-Trans, and Protei, who — along with five other identified technology firms — are likely exporting SORM products and services to at least 15 telecommunications companies, the firm found.

The risks of illicit digital surveillance are growing, argues Vitor Ventura, manager for EMEA and Asia at Cisco's Talos threat intelligence group.

"In certain countries, it might just be legal to do certain kind of interceptions for reasons that are not allowed in other countries, or because you have a law that says that if national security is at risk, you can do whatever you want," he says, adding that there has been a global boom in surveillance technology over the past few years.

"I don't think that the law is changing that much — I just think that there is a bigger appetite, and there's a lot more being offered," he says. "The prices eventually came down, and everyone that has the money for \[surveillance technology\] will actually go for it."

**Know Your Telecom Tech, Wiretapping Laws**

Companies that have employees based in nations with weaker civil liberty protections should note that adopting privacy and encryption tools can help mitigate the risk, but providers of virtual private network (VPN) services often are subject to the same laws as telecommunications providers, according to the Recorded Future report, and might also be turning over intelligence to government agencies.

In many ways, the cyber-risks mirror those argued by the US government in regards to Russian cybersecurity firm Kaspersky, whose antivirus products were banned in mid-2024, the Recorded Future analyst says.

"These \[telecom\] companies might be able to go into systems and have access to such a vast range of data — there's definitely a high intelligence value there," the analyst says. "The same risks that apply to Kaspersky are equally as applicable to Russian SORM providers."

Companies should keep apprised of the spread of the technology in the future. For example, one Russian provider, Protei, markets SORM in trade shows in Africa, the Middle East, and Latin America, raising the likelihood that countries in those regions will adopt the wiretapping platform at some time in the future.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia Carves Out Commercial Surveillance Success Globally

Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions.

Thursday, January 9, 2025 14:15

Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start (and indeed any) time of year. I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” I.e why is security still so hard? 

Wendy showed a list of the InfoSec Research Council’s “Hard Problems” list of 2005. Any of these sound familiar? 

*   Global scale identity management 
*   Insider threat 
*   Availability of time critical systems 
*   Building scalable secure systems 
*   Attack attribution and situational understanding 
*   Information provenance 
*   Security with privacy 
*   Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, ﻿if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at from it a different way? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. "People are your greatest asset, if you treat them that way." 

I'm seeing a lot of "how to thrive in 2025!" posts right now. For anyone who isn't ready for that, or tired of it all, I just want to say, I'm right there with you. But if you're also feeling like it's "new year, same problems"  perhaps there's one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, of which Wendy is on the committee for. 

I'd thoroughly recommend checking out the full keynote, if only to see Wendy yielding a hammer in a moderately threatening manner.

**The one big thing**

Attacks in which malicious actors are deliberately installing known vulnerable drivers, only to exploit them later, is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

** Why do I care?  **

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats - primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

**So now what?  **

There are a few things we can do to mitigate the risks and detect potential campaigns using BYOVD technique. This could include enforcement of Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, preventing risks associated with legacy drivers. If the blocking of all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) drivers blocklist is recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 

**Top security headlines of the week   **

*   CISA says there is ‘no indication’ of a wider government hack beyond the treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
*   FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading. 
*   Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

**Can’t get enough Talos?  **

*   Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

*   The evolution and abuse of proxy networks – check out this piece of research by Nick Biasini and Vitor Ventura. 

**Upcoming events where you can find Talos     **

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

**Most prevalent malware files of the week**

**SHA 256:**  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f

**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  

**VirusTotal :** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5**: 7bdbd180c081fa63ca94f9c22c457376 

**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5**: 71fea034b422e4a17ebb06022532fdde 

**VirusTotal:**  https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d  

**VirusTotal:** https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8

Do we still have to keep doing it like this?

Torrance, United States / California, 9th January 2025, CyberNewsWire

**Torrance, United States / California, January 9th, 2025, CyberNewsWire**

Criminal IP, a globally recognized Cyber Threat Intelligence (CTI) solution by AI SPERA, has launched its **Criminal IP Malicious Link Detector** add-in on the Microsoft Marketplace. This cutting-edge tool provides real-time phishing email detection and URL blocking for Microsoft Outlook, adding an essential layer of email security in the face of increasing cyber threats.

Advances in generative AI have driven a surge in sophisticated phishing attacks that are increasingly difficult to distinguish from legitimate communications. The Criminal IP Malicious Link Detector combats these threats by analyzing email links in real-time, detecting and blocking phishing URLs and malicious domains. Fully integrated with Microsoft Outlook and available for free, it provides robust protection for both individuals and organizations.

**Case Study: Phishing Email Targeting Cryptocurrency Wallet Users**

In one instance, Criminal IP detected a phishing email targeting Trust Wallet users. The email contained links disguised as official pages, aiming to deceive users into downloading malware. The Criminal IP Malicious Link Detector swiftly identified and blocked these malicious URLs in real-time, averting potential harm.

**Getting Started with the Criminal IP Malicious Link Detector**

Using the tool is straightforward:

1.     **Signing Up:** Creating an account on the Criminal IP platform.

2.    **Installing the Add-In:** Downloading and integrating the add-in from Microsoft Marketplace.

3.    **Start Scanning:** Email links are automatically scanned upon login, with results displayed instantly.

As cyber threats evolve rapidly, the **Criminal IP Malicious Link Detector** ensures the users’ emails are protected against phishing links and malicious URLs. Download it today to stay ahead of emerging cyber risks and strengthen email security.

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Criminal IP Launches Real-Time Phishing Detection Tool on Microsoft Marketplace

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Unconventional Cyberattacks Aim to Take Over PayPal Accounts

The deal will enhance 1Password Extended Access Management offering with capabilities to address challenges around software-as-a-service sprawl and shadow IT.

Source: blickwinkel via Alamy Stock Photo

NEWS BRIEF

1Password on Monday announced that it has acquired software-as-a-service (SaaS) access management provider Trelica. Although terms of the transaction were not disclosed, 1Password said it is the largest acquisition by company revenue in its 18-year history.

1Password provides password management and other online identity-based services. This acquisition will build on 1Password's effort to expand its Extended Access Management offering, a platform that secures, identities, and manages access and permissions applications and devices, the company said. Launched last year, the platform is designed to ensure that employee devices, identities, and apps are trusted before granting access to enterprise resources.

Founded in 2018, UK-based Trelica offers a suite of tools for managing and securing SaaS applications, such as tools for employee onboarding and offboarding, discovering shadow IT deployments, SaaS operations, spend optimization, and access management. With shadow IT and SaaS sprawl increasing the risk of security breaches, security teams rely on automated application discovery tools to identify unmanaged apps, streamline user provisioning and access governance, and enforce security policies.

"Trelica addresses critical challenges that haven't been solved by traditional solutions like single sign-on (SSO), mobile device management (MDM) and SaaS security posture management (SSPM)," wrote 1Password CEO Jeff Shiner in a blog post announcing the deal. "These include provisioning and de-provisioning users, reclaiming unused licenses, monitoring permission drift, and adjusting access during role changes. Trelica prioritizes IT administrators' most time-consuming tasks while maintaining a secure environment."

With Shadow IT discovery capabilities from Trelica, the 1Password Extended Access Management platform will provide organizations with a repeatable framework for bringing unmanaged apps into full compliance under IT and security management, while empowering employees to use the tools that enhance their productivity, 1Password said in a statement.

Besides 1Password, Trelica lists over 300 SaaS integrations with SaaS providers, including Adobe, Atlassian, Cisco, Google, HubSpot, JFrog, LastPass, ManageEngine, Marketo, Microsoft, Okta, Pax8, Salesforce, SAP, ServiceNow, Snyk, Sophos, TeamViewer, Workday, Workspace One, and Zoom.

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

1Password Acquires SaaS Access Management Provider Trelica

The malware, found on a Russian cybercriminal site, impersonates e-commerce payment-processing services such as Stripe to steal user payment data from legitimate websites.

Source: Primakov via Shutterstock

A malicious plug-in found on a Russian cybercrime forum turns WordPress sites into phishing pages by creating fake online payment processes that convincingly impersonate trusted checkout services. Masquerading as legitimate e-commerce apps such as Stripe, the malware proceeds to steal customer payment data.

Called PhishWP, the WordPress plug-in was designed by Russian cybercriminals to be particularly deceptive, researchers from SlashNext revealed in findings published this week. In addition to mimicking the legitimate payment process that people would be familiar with to complete online transactions, it also has a key feature that make payment processes on transactions appear secure by allowing users to create one-time passwords (OTPs) during the process, they said.

Instead of processing payments, however, the payment gateway steals credit card numbers, expiration dates, CVVs, billing addresses, and more when people enter their personal data, thinking they are using a legitimate payment gateway. As soon as victims of the plug-in press "enter," the data is sent to a Telegram account controlled by the cybercriminals. Threat actors can use the plug-in like any WordPress plug-in, by either installing it on a legitimate but compromised WordPress site or creating a fraudulent site and using it there.

Related:Thousands of BeyondTrust Systems Remain Exposed

"PhishWP’s features make fake checkout pages look real, steal security codes, send your details to attackers right away, and trick you into thinking everything went fine," SlashNext security researcher Daniel Kelley wrote in the post.

This immediate turnaround of data "equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data — sometimes within minutes of capturing it," notes Jason Soroko, senior fellow at Sectigo, a certificate life-cycle management (CLM) firm, making it a fast return on their investment to use the plug-in for nefarious purposes.

**Other Key PhishWP Malware Features**

OTP hijacking is one of the plug-in's key features, which when combined provide attackers with a turnkey solution for hijacking payment pages. Included in these are the aforementioned customizable checkout pages that simulate common payment processes through "highly convincing" fake interfaces, Kelley wrote.

Another feature of PhishWP, browser profiling, captures data beyond payment info for the replication of user environments for use in potential future fraud. This includes IP addresses, screen resolutions, and user agents.

The plug-in also gives the hijacked checkout process added legitimacy by using auto-response emails to send fake order confirmations to victims, which delays suspicion and thus detection of the attack. And as mentioned before, PhishWP also integrates with Telegram to instantly transmit stolen data to attackers for potential exploitation in real time.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

The plug-in also comes in an obfuscated version for stealth purposes, or users can use its source code for advanced attacker customizations. Finally, PhishWP also offers multilanguage support so attackers can target victims globally.

**Browser-Based Protection From E-Commerce Phishing**

Creating malicious plug-ins for WordPress sites has become a cottage industry for cyberattackers, giving them a broad attack surface due to the popularity of the platform, which as of today is the basis for some 472 million websites, according to Colorlib, which provides WordPress themes.

One of the reasons that PhishWP — or any malicious WordPress plug-in — is so dangerous is that the malicious process is built directly into the browser, which makes it difficult to detect when it appears as a legitimate part of online engagement.

To defend against such threats, SlashNext recommends using phishing protection that also works from directly inside the browser to spot phishing sites before they reach the end user. These solutions, which are available within various browsers, work within browser memory to block malicious URLs before users engage with them. The company said this provides real-time threat detection and blocking capabilities that traditional security measures might miss.

Related:Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco