Its mid-December, if you’re on-call or working to defend networks, this newsletter is for you. Martin discusses the widening gap between threat and defences as well as the growing problem of home devices being recruited to act as proxy servers for criminals.

Thursday, December 12, 2024 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “_clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us._”

To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.

Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.

If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour to one observer, may be the most obvious course of action to another with a different point of view.

Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar are all part of the solution in defeating cyber attacks.

If we are to move to a world free from cyber insecurity we must close the gap between threat and defense. This will take communication and understanding, both to communicate the threat, but also to understand the constraints that decision makers work under. Yet, we also need to express and recognise the effort and sometimes heroic acts of effort that cyber security teams undertake to keep businesses running and free from breaches.

This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.

**The one big thing **

Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.

Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.

**Why do I care?**

Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.

**So now what?**

Firstly, ensure that patches are applied, and default or easy to guess credentials are changed to avoid becoming part of the problem. Apply zero-trust principles to authenticate users via MFA in the context of the time and date of the access; importantly verify that the connecting device confirms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat see the blog post.

**Top security headlines of the week ****Presidential Elections in Romania hit by Cyber Campaign**

The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.

(BBC News 1 & 2)

**Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement**

The Matrix secure communication systems which offered encrypted messaging for criminals has been taken down by law enforcement authorities with millions of messages secured for investigation. This take down follows similar success against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.

(The Register)

**Wanted Russian Suspected Ransomware Actor Arrested**

Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions cyber criminals located within Russia does have limits.

(SecurityWeek)

**Can’t get enough Talos? **

**Upcoming events where you can find Talos**

Cisco Live EMEA (February 9-14, 2025)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week  ****SHA256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Win.Worm.Bitmin-9847045-0

**SHA256:3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341**

MD5: b6bc3353a164b35f5b815fc1c429eaab

VirusTotal:

https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi

Claimed Product: n/a 

Detection Name: Simple\_Custom\_Detection

**SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**

MD5: 71fea034b422e4a17ebb06022532fdde

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

Typical Filename: VID001.exe

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos

**SHA256:a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: img001.exe

Claimed Product: n/a 

Detection Name: Win.Trojan.Miner-9835871-0

**SHA256:3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   **

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Something to Read When You Are On Call and Everyone Else is at the Office Party

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

In the wake of a widespread telecommunications breach at the hands of China, a US senator is proposing legislation aimed at enforcing cybersecurity standards across the communications industry — but it's unclear how efficacious they could be.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC2286) recently overtook Volt Typhoon as China's threat actor du jour, thanks to a year-plus campaign of cyber espionage against at least eight telcos, including AT&T, Verizon, and T-Mobile. Its winnings were remarkable: Not only did the group manage to steal extensive metadata on calls and text messages between ordinary Americans, but they also reportedly accessed and even recorded calls involving high-ranking government officials. Reports from the same time highlighted breaches of both the Trump and Harris campaigns and the Biden administration. They're also active globally.

In the wake of that national security failure, Sen. Ron Wyden (D-Ore.) on Dec. 10 released draft legislation aimed at securing US phone networks. The "Secure American Communications Act" would require the Federal Communications Commission (FCC) to issue new cybersecurity rules for telcos and enforce those that have already been applied based on older legislation.

Related:Lessons From the Largest Software Supply Chain Incidents

"Sen. Wyden deserves credit for putting critical infrastructure security in the spotlight," says Madison Horn, former congressional candidate for Oklahoma's 5th district. She suggests, however, that the proposal is less revolutionary than rhetorical. "His push for stronger cybersecurity standards is important, but let's be clear — most of what he's calling for already exists."

**Has the FCC Been Negligent in Enforcing Telco Security?**

In a press release, Wyden's staff framed his bill not as a major change to the telecommunications industry, but a wake-up call — "to fix \[the FCC's\] own failure to fully implement telecom security requirements already required by federal law."

At issue is Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which:

Requires a carrier to ensure that any interception of communications or \[call-identifying information\] access effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of a carrier officer or employee acting in accordance with Federal Communications Commission (FCC) regulations.

Wyden's camp argues that this proposition, formulated without specific regard for cyber systems, "required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement," adding that "in the years since, the FCC has never fully implemented this provision."

Related:Google Launches Open Source Patch Validation Tool

FCC Chairwoman Jessica Rosenworcel agreed, in a draft Declaratory Ruling shared with her fellow commissioners last week. And besides affirming that interpretation of Section 105, Rosenworcel floated a proposal requiring communications services providers (CSPs) to submit annual reports, "attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks." Unlike the newly drafted bill in the Senate, this ruling would take effect immediately if it were adopted.

**What Wyden's Telco Security Bill Misses**

The Secure American Communications Act, similarly, proposes that CSPs conduct, document, and report annual vulnerability testing, and engage with independent auditors for annual assessments of FCC cybersecurity compliance. Above all, the bill proposes that the FCC enforce the spirit of Section 105 by implementing cybersecurity requirements aimed at blocking unauthorized access to these networks.

Related:Large-Scale Incidents & the Art of Vulnerability Prioritization

Are these the steps necessary to prevent the next Salt Typhoon-style attack against American communications?

In Horn's view, "The problem isn’t a lack of rules. Telcos are required to follow FCC rules, NIST standards, and ISO 27001 protocols. They conduct annual cybersecurity certifications, report breaches to multiple agencies — with CISA being a prime example — and manage supply chain risks. The efforts to secure supply chains, especially after Huawei’s impact, have already led to significant regulatory action."

Instead of a lack of rules and regulations, she argues, "It's largely a resources and scaling problem. We’re talking about a US telecommunications network that spans 800,000 miles of fiber-optic cables and 113,000 miles of long-haul fiber routes, not to mention undersea cables and satellite links. Every mile of that network introduces new endpoints and attack surfaces. The real challenge is ensuring the frameworks we already have can be implemented faster, more effectively, and at this monumental scale."

Bulky legacy systems ill-equipped to adapt to new cybersecurity guidelines, insufficient funding for cybersecurity projects, and an insufficient pool of cybersecurity talent nationwide aren't problems that can be fixed with any wave of a pen, either.

"Our adversaries are operating at the speed of war, while we’re moving at the speed of paperwork," she laments. "Attacks like Salt Typhoon don’t succeed because our policies failed — they succeed because our capacity to act didn’t keep pace with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat

****SUMMARY****

*   **Global Dismantling of DDoS Platforms**: Law enforcement from 15 countries shut down 27 websites offering DDoS attack services as part of Operation PowerOFF.

*   **Arrests and Identifications**: Europol coordinated the arrest of three site administrators in France and Germany and identified over 300 users for further action.

*   **Offline Platforms**: Popular DDoS services like zdstresser.net, orbitalstress.net, and starkstresser.net are now offline, displaying seizure notices.

*   **Holiday Season Spike**: The takedown coincides with a rise in DDoS attacks, often targeting gaming platforms and driven by financial, ideological, or extortion motives.

*   **Prevention and Outreach**: Operation PowerOFF combines takedowns with education and deterrence, including online ads and direct warnings to discourage illegal activities.

Law enforcement agencies from 15 countries have dismantled and seized 27 websites used to sell Distributed Denial-of-Service (DDoS) attack services. The takedown was part of the ongoing **Operation PowerOFF**, an initiative to shut down cybercrime and platforms facilitating it.

These websites, commonly referred to as ‘booter’ and ‘stresser’ sites, were popular among cybercriminals and hacktivists. By flooding targets with illegal traffic, these platforms enabled attackers to disrupt services, causing financial losses, reputational damage, and outages for their victims.

****Arrests!****

Coordinated by Europol; the operation targeted everyone involved in this criminal activity, from the administrators running these sites to the users hiring their services. Three administrators were arrested in France and Germany, and over 300 users were identified for further action.

As of now, 27 malicious service providers, including zdstresser.net, orbitalstress.net, and starkstresser.net, have been taken offline and display seizure notices to visitors.

The homepage of the seized sites (Credit: Hackread.com)

This takedown comes at a time when DDoS attacks, especially against gaming platforms, spike during the holiday season. Motivations for these attacks depend on several factors, including financial gain and extortion to ideological reasons, as seen with groups like Russian Killnet and Anonymous Sudan.

****Not Just Takedowns: A Broader Plan of Action****

According to Europol’s press release, Operation PowerOFF isn’t just about shutting down websites. It also aims to prevent future attacks through a combination of education and deterrence.

Europol, working with its international partners, has launched an online ad campaign targeting potential offenders. These ads, appearing on Google search results and YouTube, highlight the consequences of DDoS attacks and aim to dissuade individuals from engaging in this illegal activity.

In addition to online outreach, law enforcement agencies are using more traditional methods like warning letters and “knock-and-talks” to reach out to users of these illegal services.

In a comment to Hackread.com, Derek Manky, Chief Security Strategist at Fortinet, emphasizes the need for continued collaboration: “Turning the tide against cybercrime requires a global effort. Public-private partnerships are essential to disrupt large-scale cybercrime operations and create a safer online environment for everyone.”

1.  **Russian Ransomware Laundering Networks** **Disrupted**
2.  **Criminal Encrypted Messaging Platform MATRIX Taken Down**
3.  **Interpol Arrests 5,500 Cybercriminals, Recovers $400 Million**
4.  **INTERPOL Arrests 41, Takes Down 22,000 IPs and 59 Servers**
5.  **Phishers Impersonating Police Arrested in Multi-Million Euro Scam**

Authorities Shut Down 27 DDoS-for-Hire Platforms, Arrest 3 Admins

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. 

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-787v-v9vq-4rgv: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

iPadOS update available

Updates are available for:

Safari 18.2

 

macOS Ventura and macOS Sonoma

iOS 18.2 and iPadOS 18.2

 

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

iPadOS 17.7.3

 

iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

macOS Sequoia 15.2

 

macOS Sequoia

macOS Sonoma 14.7.2

 

macOS Sonoma

macOS Ventura 13.7.2

 

macOS Ventura

watchOS 11.2

 

Apple Watch Series 6 and later

tvOS 18.2

 

Apple TV HD and Apple TV 4K (all models)

visionOS 2.2

 

Apple Vision Pro

**Technical details**

Noteworthy is a vulnerability in the open-source XML parser **libexpat** tracked as CVE-2024-45490. This vulnerability has been patched in several popular applications since it was discovered in August.

An important one is the vulnerability tracked as CVE-2024-54529 which is found in the Audio component of macOS and could allow an app to execute arbitrary code with kernel privileges. This means that if you install a malicious app that can exploit this vulnerability, it could take over your system.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update now! Apple releases new security patches for vulnerabilities in iPhones, Macs, and more 

Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

Senators introduced a bill on Tuesday that would prohibit data brokers from selling or transferring location and health data.

Data brokers have drawn attention this year by leaking several large databases, with the worst being the National Public Data leak. The data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.

All this when data brokers had already been faced with reforms in the shape of the American Privacy Rights Act (APRA). Hwoever, APRA is not expected to pass before Congress wraps up for the year, and some lawmakers feel the need for extra data regulations.

The newly introduced “Health and Location Data Protection Act of 2024” would provide the Federal Trade Commission (FTC) with $1 billion for enforcement and give the FTC, state attorneys general and victims of data broker abuses the right to sue brokers for violating the law.

Location data are considered extra sensitive because they can be abused by stalkers. Health information often includes highly personal and intimate details about an individual’s life, such as medical history, mental health status, substance abuse, family planning, and genetic testing results.

The bill also mentions a third category which includes other categories of data that address or reveal location or health data.

Data brokers come in different shapes and sizes. What they have in common is that they gather personally identifiable data from various sources. These sources can range from publicly available data to data sets stolen in cybercrimes. They then sell the gathered data for several purposes.

Background checks are required for specific jobs, as well as some insurance policies, loans, and other financial transactions, but some data brokers just deal in marketing and advertising related information.

One of the main dangers of all these data brokers is that they trade amongst themselves. Because of this they not only gather information about more and more people, but also get their hands on information that isn’t even relevant to their field of expertise.

To the victims of a data breach at one of these companies the origin of the stolen data is often a mystery. They have no direct contact with the companies and are usually unaware that they have information about them in the first place.

So, we can only hope that the senators get at least this bill passed prior to the end of the current Congress, or else it will all have to start over again in the next year.

**We don’t just talk about your data, we help remove it from broker sites**

Cybersecurity risks should never spread beyond a headline. Clean up your data using Malwarebytes Personal Data Remover (US only).

 Data brokers should stop trading health and location data, new bill proposes 

Security isn't just about tools — it's about understanding how the enemy thinks and why they make certain choices.

Source: Andriy Popov via Alamy Stock Photo

COMMENTARY

In the past, security professionals were true hackers at heart — passionate individuals who made money doing what they loved: breaking systems, pushing boundaries, and constantly learning. They grew their skills out of sheer curiosity and dedication.

Today, however, many in security are simply "professionals" who found a well-paying job but lack that hacker spirit. They're not driven by a love of the challenge or a hunger to learn. They may take the occasional course or learn a few technical tricks — but often, they're doing the bare minimum. This leads to weak security. Meanwhile, attackers? They still have that old-school hacker passion, constantly learning and evolving for the love of the challenge.

We've completely misunderstood how to do security. Instead of genuinely simulating bad guys and preparing for the real thing, we play around with automated tools and call it "offensive" security. Many red-team exercises simply follow a checklist of known exploits without adapting to the specific environment. In contrast, a genuine adversary simulation requires creativity and a deep understanding of the target's weaknesses — crafting custom attack paths and adjusting tactics on the fly. It's about going beyond technical skills and truly getting into the adversary mindset.

Let's be real — technical skills alone aren't going to save anyone. To outsmart attackers, we need to cultivate a hacker mindset: understand the motivations, tactics, and psychology behind attacks, focusing on creativity and adaptability rather than just checking boxes.

**Why Adversaries Do What They Do**

Too many defenders get stuck on the "how" of an attack — the technical exploits, tools, and vulnerabilities — but to stay ahead, we need to ask "why." Attackers aren't just pushing buttons; they're making strategic decisions, choosing the path of least resistance and maximum gain specific to their objectives.

Attackers know defenders are predictable. They know defenders — often too focused on what looks scary instead of what's actually vulnerable — will patch the big vulnerabilities while ignoring the misconfigurations or overly trusted third-party integrations. Red teams might overlook these, but real adversaries know they're prime opportunities. Attackers exploit trusted integrations to move laterally or exfiltrate data without triggering alarms. This is why understanding the "why" behind attacks is crucial. Attackers aren't just targeting technology — they're going after the path of least resistance, and too often, that's where we're late.

**Stop Being a Button-Pusher**

Here's the harsh truth: Relying solely on automated tools and predefined processes is a recipe for failure. While those tools are useful, attackers thrive on predictability, so the more security teams rely on the same tools and scripts, the easier it is for them to slip through.

Think about the SolarWinds breach, where attackers leveraged a trusted, automated process to compromise thousands of systems — because defenders didn't critically assess their own tools. SolarWinds is a lesson in the danger of blind trust in automation. If you're just pushing buttons, you're making their job easy.

Attackers are constantly testing the boundaries — doing the unexpected, finding unnoticed cracks. To defend against that, you need to do the same. Be curious, be creative, and don't be afraid to challenge the rules. That's what attackers are doing every day.

**Detecting Intent in the Cloud**

The cloud is a whole new ballgame. Old perimeter defenses don't cut it anymore — it's about understanding intent. Attackers aren't just exploiting vulnerabilities; they're using legitimate cloud services against you, moving laterally, escalating privileges, and blending in with regular user activity.

Take the Sisense breach: The attacker exploited cloud misconfigurations and legitimate credentials to access sensitive data. They didn't break in — they logged in. The attacker understood how to blend in with typical user activity. Recognizing intent in the cloud is critical; it's about seeing the attacker's goals and cutting them off before they succeed.

If you notice unusual activity, don't wait for an alert. Assume intent and start digging. The faster you understand why something is happening, the faster you can stop it.

**Building a Hacker Culture**

Growing and honing a hacker mindset is a journey, and it won't come from reading a book or taking a course. It takes time, practice, mentorship, and hands-on experience. Pair up newer team members with people who've been through the trenches, involve the defense team in red team exercises, and let them make mistakes. Real learning happens by doing.

Want to know if you have a hacker mindset? Try the Jack Attack Test (JAT), where creativity — not content — reveals true hacker thinking. For example, finding 10 different ways to "turn off the light" is similar to finding 10 ways to perform a denial-of-service (DoS) attack. Hackers think conceptually, while security professionals might get lost in the details, saying they "don't know anything about electricity."

Another thing: Give your team members the chance to think like attackers. Run attack simulations where they must step into the hacker's shoes. Get a threat intel report, and make them explain the why, not the how. Challenge them to take unconventional approaches. Attackers are masters of the unexpected, and if defenders want to keep up, they need to be too.

**Embracing the Adversary Mindset**

At the end of the day, security isn't just about tools — it's about understanding how the enemy thinks and why they make certain choices. Every move they make — each target, exploit, and escalation — is deliberate. To stay ahead, defenders must adopt this mindset. By understanding the strategy behind their actions, defenders can identify weak points in their defenses. It's not just about technology; it's about understanding intent, anticipating the unexpected, and challenging the norm. No tool can replace a curious mind ready to step into an adversary's shoes and do whatever it takes to stay ahead.

**About the Author**

Field CTO, Mitiga

Roei Sherman, field chief technology officer (CTO) at Mitiga, is a leading expert in cloud incident response and adversarial cybersecurity. With more than a decade of experience, he specializes in red team operations, adopting an adversarial mindset and guerrilla tactics for proactive defense.

Roei’s background includes serving in the field intelligence unit of the Israel Defense Forces, where he remains active in the reserve. He has held notable roles, including global director of offensive services at AB InBev and red team leader at EY Israel. His expertise spans red team engagements, social engineering, physical security, and incident response across various platforms. 

Holding a BA in business administration with a cybersecurity focus and an MA in criminology, Roei merges technical skill with academic insight. He co-organizes BSidesTLV and serves on the CFP team for Diana’s Initiative, underscoring his dedication to advancing the cybersecurity field.

Cultivating a Hacker Mindset in Cybersecurity Defense

Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.
"Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API

Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online

The ABB BMS/BAS controller suffers from an unauthenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'portValue' HTTP GET parameter called by obtainPorts.php script.

Title: ABB Cylon Aspect 3.07.00 (obtainPorts.php) Remote Code Execution  
Advisory ID: ZSL-2024-5882  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 12.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an unauthenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'portValue' HTTP GET parameter called by obtainPorts.php script.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.07.00

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[01.06.2023\] Vendor released version 3.07.01 to address this issue.  
\[12.12.2024\] Public security advisory released.

**PoC**

abb\_aspect\_rce15.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstorm.news/files/id/183118/

**Changelog**

\[12.12.2024\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.07.00 (obtainPorts.php) Remote Code Execution

The obtainPorts.php script is accessible without authentication, allowing unauthorized users to retrieve and manipulate configuration parameters. This includes the ability to modify critical settings such as port values, potentially disrupting system functionality or enabling further exploitation.

Title: ABB Cylon Aspect 3.07.00 (obtainPorts.php) Configuration Manipulation  
Advisory ID: ZSL-2024-5881  
Type: Local/Remote  
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (5/5)  
Release Date: 12.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The obtainPorts.php script is accessible without authentication, allowing unauthorized users to retrieve and manipulate configuration parameters. This includes the ability to modify critical settings such as port values, potentially disrupting system functionality or enabling further exploitation.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.07.00

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[01.06.2023\] Vendor released version 3.07.01 to address this issue.  
\[12.12.2024\] Public security advisory released.

**PoC**

abb\_aspect\_info8.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstorm.news/files/id/183117/

**Changelog**

\[12.12.2024\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Latest News