The vulnerability could allow a threat actor to disable the security feature on a locked device and gain access to user data.

Source: Simon Dack via Alamy Stock Photo

NEWS BRIEF

Apple has released a security update for a vulnerability that the tech giant reports may have been exploited in an "extremely sophisticated attack."

Not only that, but these attacks targeted specific individuals, though Apple has not provided any further information.

The vulnerability, tracked as CVE-2025-24200, could allow for a physical attack to disable USB Restricted Mode on a locked device.

USB Restricted Mode is a feature that makes it more difficult for threat actors to unlock a user's phone. When active, a phone's lightning port will only allow charging after the device has been locked for more than an hour, meaning that if an unauthorized actor attempted to connect a locked iPhone to a device to access its data, they could only do so with the necessary credentials.

The security update to fix this vulnerability is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch third generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, iPad seventh generation and later, and iPad mini fifth generation and later.

Users of any of these devices should install updates as soon as possible and can check if they're updated to the latest software version by going to their settings.

These kinds of vulnerabilities are usually deployed by commercial spyware vendors, such as Pegasus, to target particular individuals, so the average user shouldn't be concerned about being targeted while the details of the attack remain unpublished. However, if they are published, copycat cybercriminals will try to imitate this attack vector, hence the urgency in updating to the latest version.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Releases Urgent Patch for USB Vulnerability

Apple has released an out-of-band security update for a vulnerability which it says may have been exploited in an "extremely sophisticated attack against specific targeted individuals.”

Apple has released an emergency security update for a vulnerability which it says may have been exploited in an “extremely sophisticated attack against specific targeted individuals.”

The update is available for:

*   iOS 18.3.1 and iPadOS 18.3.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   iPadOS 17.7.5 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update now

**Technical details**

The new-found zero-day vulnerability is tracked as CVE-2025-24200. When exploited, the vulnerability would allow an attacker to disable USB Restricted Mode on a locked device. The attack would require physical access to your device

The introduction of USB Restricted Mode feature came with iOS 11.4.1 in July 2018. The feature was designed to make it more difficult for attackers to unlock your iPhone. When USB Restricted Mode is active, your device’s Lightning port (where you plug in the charging cable) will only allow charging after the device has been locked for more than an hour. This means that if someone tries to connect your locked iPhone to a computer or other device to access its data, they won’t be able to do so unless they have your passcode.

To enhance data security, especially when traveling or in public places, it is recommended that you enable USB Restricted Mode in your device settings. If your iPhone, iPad or iPod Touch is running iOS 11.4.1 or later, USB Restricted Mode is automatically on by default, but if you want to check and enable USB Restricted Mode, this can be done by going to **Settings** > **Face ID & Passcode** or **Touch ID & Passcode** > **(USB) Accessories** and toggling off (grey) the **(USB) Accessories** option. Enabling this setting adds an extra layer of protection against unauthorized data access.

Accessories are safe now

Please note: toggling the option to green turns this feature off.

Vulnerabilities like these typically target specific individuals as deployed by commercial spyware vendors like Pegasus and Paragon. This means the average user does not need to fear attacks as long as the details are not published. But once they are, other cybercriminals will try to copy them.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes zero-day vulnerability used in &#8220;extremely sophisticated attack&#8221; 

WhatsApp has accused professional spyware company Paragon of spying on a select group of users.

WhatsApp has accused the professional spyware company Paragon of spying on a select group of users.

WhatsApp, the Meta-owned, end-to-end encrypted messaging platform, said it has reliable information that nearly 100 journalists and other “members of civil society” were targets of a spyware campaign conducted by the Israeli spyware company.

“Members of civil society” usually refers to individuals and organizations that operate independently from government and business sectors, often those advocating for public interests, influencing policy, or holding governments accountable.

In a statement, a WhatsApp spokesperson said:

> “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately”

Many such targets use WhatsApp because they rely on the end-to-end encryption (E2EE) that it offers by default to safeguard communications, protect sources, and shield sensitive information from prying eyes.

The targets were spread over two dozen countries, including several in Europe. WhatsApp notified the possibly affected accounts through its own app. The platform has the ability notify users about sensitive matters directly via a WhatsApp chat. In such a case, the chat will include a system message at the top of the chat that verifies that it originates from the official account of WhatsApp Support, and there will be a blue checkmark next to WhatsApp Support at the top of the chat.

A spokesperson stated that WhatsApp was able to identify and block the attack vector which Paragon used in these attacks. Reportedly, the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets. The attack apparently required no action from the target, a so-called zero-click attack.

Researchers have often compared Paragon’s Graphite spyware to the Pegasus spyware, a deeply invasive tool developed by a company called NSO that WhatsApp has been fighting in court since 2019. But up until now, Paragon was able to keep a low profile. This is the first time that Paragon has been publicly linked to a hacking campaign that allegedly targeted journalists and members of civil society.

WhatsApp has sent Paragon Solutions a cease-and-desist letter following the series of attempted attacks. Meta also notified Canadian privacy watchdog Citizen Lab. Citizen Lab’s researcher John Scott-Railton says they observed this campaign and have started an investigation.

The attacks reportedly took place in December 2024. If you are a potential target and you received a suspicious PDF you can reach out to Citizen Lab or the non-profit digital security helpline AccessNow.

If you received a WhatsApp notification about the attack, you can contact WhatsApp Support in-app by clicking here.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp says Paragon is spying on specific users 

WhatsApp recently revealed a targeted spyware campaign linked to the Israeli firm Paragon, which affected 90 individuals, including…

WhatsApp recently revealed a targeted spyware campaign linked to the Israeli firm Paragon, which affected 90 individuals, including journalists and civil society members. The platform confirmed that affected users have been directly notified.

Meta-owned messaging app **WhatsApp** confirmed that it was taking action to stop a spyware attack targeting approximately 90 individuals, including journalists and members of civil society organizations. Those affected have been directly notified about the security breach, however, WhatsApp has not disclosed the location of journalists and civil society members, including if any of them were based in the US.

WhatsApp’s investigation points to Paragon Solutions, an Israeli spyware firm acquired by AE Industrial Partners, as the perpetrator of this attack. Reportedly, the attack vector involved the distribution of malicious PDF files through WhatsApp groups. Experts claim the targeting was a “**zero-click**” attack, requiring no malicious links to be infected. WhatsApp has since released a security update to neutralize this vulnerability.  

This campaign was also independently observed and is under investigation by John Scott-Railton, a senior researcher at The Citizen Lab, as he noted in a post on X (formerly Twitter). 

> NEW: @WhatsApp says Israeli mercenary spyware company #Paragon targeted scores of users around world.
> 
> The infection happened with no interaction. No link to click or attachment to open.
> 
> This is called a "zero-click" attack.
> 
> WA says targets included journalists & members of… pic.twitter.com/TekGNMdkoF
> 
> — John Scott-Railton (@jsrailton) February 1, 2025

WhatsApp believes the campaign occurred in December and has issued a cease and desist letter to Paragon. Since its inception in 2019, Paragon has maintained a low profile and has been embroiled in a hacking controversy for the first time, unlike other spyware makers like Intellexa and NSO Group, which have faced U.S. government sanctions and blocklists.

 However, the company has been under scrutiny following Wired Magazine’s October **report** of the company signing a $2m contract with the US Immigration and Customs Enforcement’s homeland security investigations division.

This action follows WhatsApp’s successful legal challenge against NSO Group, another Israeli spyware firm, as **reported** by Hackread.com.  In that case, the NSO Group was found liable for exploiting a WhatsApp vulnerability to deploy its Pegasus spyware on at least 1,400 devices, targeting journalists, activists, and government officials. Hackread.com had **previously reported** that WhatsApp discovered the vulnerability exploited in this attack in May 2019.

The recent Paragon campaign targeted individuals across over two dozen countries, particularly in Europe, with the Italian news outlet fanpage.it confirming it was among those targeted. WhatsApp collaborated with The Citizen Lab, a research group based at the University of Toronto, on its investigation. 

According to Scott-Railton, the targeting of journalists and civil society is a systemic issue within the commercial spyware industry, not an isolated incident.  He also highlighted the potential risk to government personnel from such attacks.  

Paragon and AE Industrial Partners have yet to respond to this news.

WhatsApp’s previous legal victory against NSO Group and its ongoing efforts against Paragon demonstrate its commitment to challenging the spyware industry and protecting user privacy.

“This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately,” WhatsApp’s spokesperson stated.

Israeli Spyware Firm Paragon Linked to WhatsApp Zero-Click Attack

Plus: WhatsApp discloses nearly 100 targets of spyware, hackers used the AT&T breach to hunt for details on US politicians, and more.

The rapid rise of DeepSeek, a Chinese generative AI platform, heightened concerns this week over the United States’ AI dominance as Americans increasingly adopt Chinese-owned digital services. With ongoing criticism over alleged security issues posed by TikTok’s relationship to China, DeepSeek’s own privacy policy confirms that it stores user data on servers in the country.

Meanwhile, security researchers at Wiz discovered that DeepSeek left a critical database exposed online, leaking over 1 million records, including user prompts, system logs, and API authentication tokens. As the platform promotes its cheaper R1 reasoning model, security researchers tested 50 well-known jailbreaks against DeepSeek’s chatbot and found lagging safety protections as compared to Western competitors.

Brandon Russell, the 29-year-old cofounder of the Atomwaffen Division, a neo-Nazi guerrilla organization, is on trial this week over an alleged plot to knock out Baltimore’s power grid and trigger a race war. The trial provides a look into federal law enforcement’s investigation into a disturbing propaganda network aiming to inspire mass casualty events in the US and beyond.

An informal group of West African fraudsters calling themselves the Yahoo Boys are using AI-generated news anchors to extort victims, producing fabricated news reports falsely accusing them of crimes. A WIRED review of Telegram posts reveals that these scammers create highly convincing fake news broadcasts to pressure victims into paying ransoms by threatening public humiliation.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

According to a report by The Wall Street Journal, hacking groups with known ties to China, Iran, Russia, and North Korea are leveraging AI chatbots like Google Gemini to assist with tasks such as writing malicious code and researching potential attack targets.

While Western officials and security experts have long warned about AI's potential for malicious use, the Journal, citing a Wednesday report from Google, noted that the dozens of hacking groups across more than 20 countries are primarily using the platform as a research and productivity tool—focusing on efficiency rather than developing sophisticated and novel hacking techniques.

Iranian groups, for instance, used the chatbot to generate phishing content in English, Hebrew, and Farsi. China-linked groups used Gemini for tactical research into technical concepts like data exfiltration and privilege escalation. In North Korea, hackers used it to draft cover letters for remote technology jobs, reportedly in support of the regime’s effort to place spies in tech roles to fund its nuclear program.

This is not the first time foreign hacking groups have been found using chatbots. Last year, OpenAI disclosed that five such groups had used ChatGPT in similar ways.

**WhatsApp Reveals Targets of Paragon Spyware**

On Friday, WhatsApp disclosed that nearly 100 journalists and civil society members were targeted by spyware developed by the Israeli firm Paragon Solutions. The Meta-owned company alerted affected individuals, stating with “high confidence” that at least 90 users had been targeted and “possibly compromised,” according to a statement to The Guardian. WhatsApp did not reveal where the victims were located, including whether any were in the United States.

The attack appears to have used a “zero-click” exploit, meaning victims were infected without needing to open a malicious link or attachment. Once a phone is compromised, the spyware—known as Graphite—grants the operator full access, including the ability to read end-to-end encrypted messages sent via apps like WhatsApp and Signal.

While it remains unclear who orchestrated the attack, Paragon’s spyware is marketed to government clients, and is similar to that of NSO Group, the controversial Israeli firm behind the Pegasus spyware.

In October, WIRED reported that US Immigration and Customs Enforcement had signed a $2 million contract with the Israeli firm. After our reporting, ICE later issued a stop-work order to review whether the deal complied with a Biden administration executive order restricting the use of spyware to limited circumstances. That 2023 executive order remains in effect, despite the Trump administration rescinding dozens of Biden-era policies in Trump’s first two weeks in office.

**Hackers Used AT&T Breach Data to Hunt for Info on US Politicians**

Hackers behind last year’s massive AT&T data breach sifted through stolen records in search of information linked to high-profile figures, including members of the Trump family, Vice President Kamala Harris, and Jeanette Rubio, the wife of Senator Marco Rubio, according to 404 Media.

In April 2024, hackers breached AT&T’s instance of Snowflake, a widely used data warehousing tool, gaining access to 50 billion records of calls and text messages. According to 404Media, the hackers then enriched the dataset using publicly available tools, appending names to phone numbers to make the records more identifiable as part of a plant to launch a lookup tool that would allow anyone to search the stolen records—for a fee.

Two individuals have been identified as allegedly responsible for the breach: Connor Riley Moucka, a Canadian national who was arrested in November; and John Binns, an American hacker residing in Turkey who was previously arrested for a 2021 breach of T-Mobile. They are linked to a loosely connected online network of criminals called the Com.

**Mystery Drones Over New Jersey Were ‘Authorized,’ White House Says**

At the first press briefing of Donald Trump’s second administration, White House press secretary Karoline Leavitt addressed the surge of unexplained drones spotted over New Jersey and other parts of the East Coast late last year. Leavitt said President Trump personally briefed her on the issue in the Oval Office, stating, “After research and study, the drones that were flying over New Jersey in large numbers were authorized to be flown by the FAA for research and various other reasons.”

Leavitt downplayed concerns about a foreign threat, adding, “In time, it got worse due to curiosity. This was not the enemy.”

The wave of sightings began just before Thanksgiving, with witnesses reporting unidentified drones flying in formation night after night. Some were spotted hovering over military installations and water reservoirs. Within weeks, the FBI received more than 5,000 reports of drone activity—only about 100 cases warranted further investigation.

Despite mounting public pressure, officials offered few definitive answers. By mid-December, a coalition of federal agencies—including the Department of Homeland Security, the FBI, and the Department of Defense—issued a joint statement concluding that the reported aerial objects were a mix of lawful drones, airplanes, helicopters, and stars.

Foreign Hackers Are Using Google’s Gemini in Attacks on the US

Growing sales of the System for Operative Investigative Activities (SORM), a Russian wiretapping platform, in Central Asia and Latin American suggests increasing risks for Western businesses.

Source: Golden Dayz via Shutterstock

A half-dozen governments in Central Asia and Latin American have purchased the System for Operative Investigative Activities (SORM) wiretapping technology from Russian providers, expanding their — and potentially Russian intelligence's — ability to intercept communications.

The technology includes monitoring equipment placed inside a telecommunications provider's facility, which delivers information to the client government's intelligence agency, including mobile numbers, phones identifiers, geolocation, names, email addresses, and IP addresses. That's according to threat intelligence firm Recorded Future, which found in an analysis that the former Soviet territories of Belarus, Kazakhstan, Kyrgyzstan, and Uzbekistan, and the Latin American nations of Cuba and Nicaragua, have very likely acquired the technology to wiretap citizens.

Western companies and citizens should take measures to protect their communications and to understand the risks of surveillance when traveling to countries that have lax civil protections against wiretapping, says a threat analyst with Recorded Future's Insikt threat intelligence group, who asked to remain anonymous due to the sensitivity of the topic.

"Obviously, in countries that don't employ SORM — even Western countries — surveillance frameworks are not immune to abuse, but it's important to look holistically at this when there's evidence of these systems being built with Russian-company inputs in a country with a history of state surveillance operations," the analyst says. "Particularly, human rights defenders, activists, journalists, members of civil society, but also foreign travelers, \[could all be targets\]."

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

The expansion of Russia's SORM kit highlights the gains of digital surveillance technology worldwide. The companies behind the spyware tools used by authoritarian governments — such as NSO Group's Pegasus and Intellexa Consortium's Predator — have made inroads globally, as the companies refine their ability to evade roadblocks on sales to sanctioned nations, according to an in-depth report published by the Atlantic Council in September. Overall, 41% of the 195 countries worldwide have licensed commercial spyware, including 14 of the 27 countries in the European Union, according to the Atlantic Council.

Wiretapping technology and spyware are often used for legitimate reasons, whether that be law enforcement investigations of suspected criminals or intelligence gathering against nation-state rivals. However, in countries with few protections for civil liberties, or poor regulation of digital surveillance technologies, abuses inevitably follow for governments that deploy it without adequate oversight, according to the Atlantic Council analysts.

Related:Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs

"Spyware makes it easier for states to penetrate even the most robust commercial technologies, cell phones, computers, and communications services; makes it far easier to act against citizens beyond state borders; and even provides governments with the ability to target senior officials, both domestically and abroad, where they might otherwise have no means to do so," the Atlantic Council analysts stated in the report. "Where that information is used to facilitate repression and abuse, its harms are untenable."

**The Spyware Nexus: An R Joins the Three I's**

The Atlantic Council identified 435 "entities" — companies and people associated with commercial spyware — and found that two-thirds lead back to three nations: Israel, Italy, and India. Now, Russia has become a major provider of surveillance technology as well.

Existing law in Russia requires that telecommunications providers install and maintain monitoring devices that meet SORM regulations, but the firms are not authorized to access the capabilities of the devices nor audit communications collection, according to Recorded Future's report. Countries in Russia's sphere of influence have passed similar laws mandating SORM-compliant technology, which is typically installed and serviced by Russian providers, likely giving Russia the ability to access intercepted communications.

Related:Unconventional Cyberattacks Aim to Take Over PayPal Accounts

Record Future used a variety of indicators for the adoption of SORM, including marketing materials and the websites of the providers of SORM technologies. The largest providers of SORM technology are companies called Citadel, Norsi-Trans, and Protei, who — along with five other identified technology firms — are likely exporting SORM products and services to at least 15 telecommunications companies, the firm found.

The risks of illicit digital surveillance are growing, argues Vitor Ventura, manager for EMEA and Asia at Cisco's Talos threat intelligence group.

"In certain countries, it might just be legal to do certain kind of interceptions for reasons that are not allowed in other countries, or because you have a law that says that if national security is at risk, you can do whatever you want," he says, adding that there has been a global boom in surveillance technology over the past few years.

"I don't think that the law is changing that much — I just think that there is a bigger appetite, and there's a lot more being offered," he says. "The prices eventually came down, and everyone that has the money for \[surveillance technology\] will actually go for it."

**Know Your Telecom Tech, Wiretapping Laws**

Companies that have employees based in nations with weaker civil liberty protections should note that adopting privacy and encryption tools can help mitigate the risk, but providers of virtual private network (VPN) services often are subject to the same laws as telecommunications providers, according to the Recorded Future report, and might also be turning over intelligence to government agencies.

In many ways, the cyber-risks mirror those argued by the US government in regards to Russian cybersecurity firm Kaspersky, whose antivirus products were banned in mid-2024, the Recorded Future analyst says.

"These \[telecom\] companies might be able to go into systems and have access to such a vast range of data — there's definitely a high intelligence value there," the analyst says. "The same risks that apply to Kaspersky are equally as applicable to Russian SORM providers."

Companies should keep apprised of the spread of the technology in the future. For example, one Russian provider, Protei, markets SORM in trade shows in Africa, the Middle East, and Latin America, raising the likelihood that countries in those regions will adopt the wiretapping platform at some time in the future.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia Carves Out Commercial Surveillance Success Globally

Critical security vulnerabilities have been found in Moxa cellular routers and network security appliances. Learn about CVE-2024-9138 &…

Critical security vulnerabilities have been found in Moxa cellular routers and network security appliances. Learn about CVE-2024-9138 & CVE-2024-9140, including privilege escalation and OS command injection risks. Find mitigation strategies and affected products.

Moxa, an industrial networking and communications provider, has identified a critical vulnerability in its cellular routers, secure routers, and network security appliances, allowing remote attackers to gain root privileges and execute arbitrary commands, potentially leading to code execution.

In its security advisory, MPSA-241155, Moxa addresses two critical vulnerabilities, CVE-2024-9138 (8.6, high severity) and CVE-2024-9140 (9.3, critical severity), identified by Lars Haulin and found to be affecting its routers and network security appliances.

**CVE-2024-9138** exploits hard-coded credentials, allowing an authenticated user to escalate privileges to the root level. This could lead to severe consequences, including system compromise, unauthorized modifications, data exposure, and service disruption. 

On the other hand, **CVE-2024-9140** is an OS Command Injection vulnerability, which allows attackers to exploit special characters in input to execute arbitrary commands on the system. This flaw is particularly dangerous because remote attackers can exploit it to gain unauthorized control over the device. 

The advisory provides detailed information on affected products and firmware versions, along with recommended solutions such as firmware upgrades, which can be checked **here**.

Moxa has confirmed that the vulnerabilities do not affect the MRC-1002 Series, TN-5900 Series, and OnCell 3120-LTE-1 Series. For products without immediate firmware updates available, the advisory recommends mitigating the risks by minimizing network exposure, limiting SSH access, and implementing intrusion detection or prevention systems. Their advisory emphasizes the importance of promptly addressing these critical vulnerabilities to maintain the security and integrity of the affected device

The rise in vulnerabilities affecting routers and network security appliances in recent years demonstrates the necessity for continuous caution and proactive security measures.

Hackread recently reported VulnCheck’s **discovery** of a new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), stemming from a weakness in the router’s system time adjustment functionality. This flaw allowed attackers to remotely execute commands on vulnerable devices.

Censys research earlier **identified** 14 vulnerabilities in DrayTek Vigor routers, allowing attackers to potentially control network devices and launch further attacks. The most impacted regions included Taiwan, Vietnam, Germany, the Netherlands, and the United Kingdom.

Now the Moxa vulnerabilities, with their potential for privilege escalation and remote code execution, further highlight the rising severity of such vulnerabilities. These flaws can allow attackers to gain unauthorized control over devices, disrupt critical operations, steal sensitive data, or use compromised devices as launching points for further attacks.

Therefore, promptly addressing these vulnerabilities through firmware updates, implementing strong access controls, and **regularly reviewing** and updating security configurations are crucial for maintaining a secure network environment.

**John Bambenek**, President at Bambenek Consulting commented on the issue stating, “It has not been a good year for network devices and one of the vulnerabilities being flagged as a device having hard-coded default credentials really begs the question of how these devices end up shipped to the world with no apparent security auditing._“_

_“_If organizations cannot patch, they should restrict inbound access to the devices themselves to prevent exploitation,_“_ John advised_._ _“_This is a reminder for ICS/OT companies to do some basic security hygiene to prevent against these and other as of yet undisclosed vulnerabilities._“_

1.  **TheMoon Malware: 6,000 Asus Routers Hacked in 72 Hours**
2.  **Critical Flaw Exposes Four-Faith Routers to Remote Exploitation**
3.  **D-Link home routers plagued with multiple critical vulnerabilities**

Critical Vulnerabilities in Moxa Routers Allow Root Privilege Escalation

SUMMARY: VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence…

****SUMMARY:****

*   **Vulnerability**: CVE-2024-12856 impacts Four-Faith routers (models F3x24 and F3x36), allowing remote code execution.

*   **Exploit Path**: Attackers use the /apply.cgi endpoint to exploit the adj_time_year parameter.

*   **Risk**: Over 15,000 devices with default credentials are at high risk.

*   **Impact**: Exploits enable malware installation, data theft, and network disruption.

*   **Fix**: Update firmware, change default credentials, and use Suricata rules for detection.

VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence of active exploitation in the wild. This, as per the company, is a post-authentication flaw vulnerability that allows attackers to remotely execute commands on vulnerable devices by exploiting a weakness in the router’s system time adjustment functionality.

“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. Censys finds approximately 15,000 internet-facing devices,” VulnCheck researcher Jacob Baines wrote in the blog post shared with Hackread.com.

As per the investigation from the VulnCheck Initial Access team, the attack specifically targets the /apply.cgi endpoint, which allows for system configuration changes. By manipulating the adj\_time\_year parameter (responsible for modifying the router’s system time) within a POST request, attackers can inject malicious commands.

This bypasses authentication as the attack leverages the router’s default credentials. However, this vulnerability should not be confused with CVE-2019-12168 even though both flow through the same apply.cgi endpoint, Baines noted.

In addition, VulnCheck observed exploitation attempts originating from the IP address 178.215.23891. The firmware version’s default credentials could potentially escalate the vulnerability into an unauthenticated and remote OS command execution issue if not altered.

Furthermore, another research blog published in November 2024 also documented the exploitation of this vulnerability, with the observed User-Agent matching the User-Agent VulnCheck observed, although with a different payload, corroborating VulnCheck’s findings.

Successful exploitation allows attackers to execute remote code on a router, install malware, steal sensitive data, disrupt network operations, and use the router as a launch point for further attacks.

To mitigate this threat, VulnCheck has provided a Suricata rule to detect exploitation attempts on the network. This rule monitors HTTP traffic, specifically looking for POST requests to /apply.cgi with the adjust\_sys\_time parameter and suspicious patterns in the adj\_time\_year field.

VulnCheck has also responsibly disclosed this vulnerability to Four-Faith and its customers. Users are advised to contact Four-Faith directly for information on patches, affected models, and firmware versions.

Routers, responsible for directing internet traffic, are often overlooked in security measures, making them easy targets for cybercriminals. The prevalence of default passwords and outdated firmware creates a significant security risk, as they often contain unpatched vulnerabilities. 

Recently, Censys uncovered 14 critical vulnerabilities in DrayTek Vigor routers, including a buffer overflow and OS command injection flaw. Now the discovery of vulnerability in Four-Faith routers further shows the need for improved security measures to protect routers and their users.

1.  **New Botnets Exploit Old D-Link Router for DDoS Attacks**
2.  **Condi DDoS Botnet Targets Vulnerable TP-Link AX21 Routers**
3.  **FBI: Hackers Target Ubiquiti Routers for Data, Botnet Creation**
4.  **ASUS, NordVPN Partner to Integrate VPN Service into Routers**
5.  **6,000 Asus Routers Hacked in 72 Hours by** **TheMoon Malware**

Critical Flaw Exposes Four-Faith Routers to Remote Exploitation

iProov uncovers a major Dark Web operation selling stolen identities with matching biometrics, posing a serious threat to KYC verification systems

****SUMMARY****

*   **Dark Web Identity Fraud Operation:** iProov uncovered a sophisticated dark web network collecting genuine identity documents and facial images to bypass KYC verification.

*   **Voluntary Identity Compromise:** Individuals in regions like LATAM and Eastern Europe are willingly selling their personal and biometric data for short-term financial gain.

*   **Evolving Fraud Techniques:** Attackers use methods ranging from basic static images to advanced tools like deepfake software and custom AI models to defeat liveness checks.

*   **Global Biometric Data Risks:** High-profile breaches (e.g., ZKTeco and ChiceDNA) reveal vulnerabilities in biometric access systems and facial recognition technologies.

*   **Multi-Layered Defense Needed:** Experts recommend advanced real-time verification, challenge-response mechanisms, and continuous monitoring to counter these sophisticated threats.

iProov, a provider of science-based biometric identity verification solutions, has uncovered a large-scale Dark Web operation dedicated to bypassing Know Your Customer (KYC) verification checks. This operation involves systematically collecting genuine identity documents and corresponding facial images.

The iProov Security Operations Center (iSOC) and the company’s Biometric Threat Intelligence service discovered this threat through extensive threat-hunting activities and red team testing. The dark web group has amassed a substantial collection of these identities, potentially obtained through compensated participation where individuals willingly provide their personal information in exchange for payment. This alarming trend extends beyond traditional data theft, as individuals knowingly compromise their identities for short-term financial gain.

“What’s particularly alarming about this discovery is not just the sophisticated nature of the operation, but the fact that individuals are willingly compromising their identities for short-term financial gain,” said Andrew Newell, Chief Scientific Officer at iProov in a press release. Selling identity documents and biometric data not only risks financial security but also provides criminals with genuine identity packages for sophisticated impersonation fraud, Newell added.

This operation, primarily observed in the LATAM and Eastern Europe regions, presents a significant challenge to organizations relying on biometric verification. Genuine credentials paired with matching facial images can easily bypass traditional document verification and basic facial matching systems.

Furthermore, the sophistication of these attacks continues to evolve. While basic attacks utilize simple methods like printed photos or static images, mid-tier attackers employ more advanced techniques such as real-time face-swapping and Deepfake software.

The most sophisticated attackers leverage custom AI models and specialized software to create synthetic faces that can respond to liveness challenges, making it increasingly difficult to distinguish between genuine and fabricated interactions.

This indicates that verification systems face a multi-layered challenge in detecting fake documents and genuine credentials misused by unauthorized individuals. Biometric data, like fingerprints and facial recognition, is increasingly used for identification and security purposes. However, recent incidents involving major vendors and service providers highlight a growing threat to this sensitive information. 

> 📢 EXPOSED: Criminal networks aren't stealing identities anymore.
> 
> They're buying them. Legally. With cash.
> 
> And because these are REAL documents freely given, traditional fraud checks are useless.
> 
> Watch how this works 📷 or Read more: https://t.co/0mX1VSf9my pic.twitter.com/X2KR4tJ61t
> 
> — iProov (@iProov) December 23, 2024

In June 2024, Hackread reported Kaspersky Lab discovered 24 vulnerabilities in ZKTeco’s biometric access systems, which are used for facial recognition and entry control.  The vulnerabilities ranged from SQL injection vulnerabilities to buffer overflow flaws, allowing attackers to inject malicious code.

In September 2024, a separate incident exposed the sensitive data of thousands of customers who used ChiceDNA, an Indiana-based genetic testing and facial matching service. An unsecured WordPress folder left publicly accessible contained biometric images, personal details, and even facial DNA data.

Therefore, organizations should adopt a multi-layered verification approach to combat such threats. This includes verifying the presented identity against official documents and detecting real persons using embedded imagery and metadata analysis.

Real-time verification using unique challenge-response mechanisms, along with managed detection and response through advanced technologies and continuous monitoring, is also essential. Improving protection against sophisticated attacks would make it harder for attackers to spoof verification systems.

1.  **Thousands of UEFA Customer Credentials Sold on Dark Web**
2.  **Stolen Singaporean Identities Sold on Dark Web Starting at $8**
3.  **Dark Web Sales Fuel 32% Increase in Healthcare Cyberattacks**
4.  **Hackers Sell Fake Pegasus Spyware on Clearnet and Dark Web**
5.  **Dark Web Anti-Bot Services Help Phishers Bypass Google Alerts**

Researchers Uncover Dark Web Operation Entirely Focused on KYC Bypass

A US court ruled against NSO Group, an Israeli spyware maker, finding them liable for hacking WhatsApp users. The ruling has major implications for the surveillance technology industry."

****SUMMARY****

*   **NSO Group Held Accountable:** A U.S. court ruled against NSO Group for hacking WhatsApp accounts, violating U.S. law and its terms of service.

*   **Pegasus Spyware Abuse:** NSO exploited a WhatsApp flaw to install Pegasus spyware on 1,400 devices, targeting activists, journalists, and officials.

*   **WhatsApp Lawsuit Victory:** WhatsApp sued NSO in 2019 after discovering the spyware attack, marking a major win for privacy rights.

*   **Court Rejects NSO’s Defense:** The court dismissed NSO’s claims of immunity, holding it liable despite its stated anti-terrorism purpose.

*   **Spyware Industry Implications:** The ruling sets a precedent for accountability, boosting privacy advocacy efforts against invasive technologies.

The Israeli spyware company NSO Group has been held liable for compromising the accounts of hundreds of WhatsApp users, marking a significant legal victory for Meta Platforms.

****The Ruling****

In a landmark ruling, U.S. District Judge Phyllis Hamilton found the NSO Group responsible for hacking and breaching the world’s leading messaging app WhatsApp’s terms of service, compromising the accounts of hundreds of its users. 

According to court documents (PDF), the NSO Group exploited a vulnerability in the messaging app to install its powerful Pegasus spyware on at least 1,400 devices. This spyware, known for its ability to infiltrate phones and extract sensitive data, was allegedly used to target journalists, human rights activists, political dissidents, and government officials, raising serious concerns about privacy and human rights.

****Background Details****

For your information, WhatsApp filed the lawsuit in 2019, accusing NSO Group of accessing its servers without authorization to deploy Pegasus. It was reported by Hackread.com that the NSO Group was suspected of exploiting a new “MMS Fingerprint” attack on WhatsApp, exposing device information without user interaction. 

Hackread.com also reported earlier this year that WhatsApp discovered the vulnerability in May 2019, which let attackers install Pegasus spyware on users’ devices. The flaw was then used to target government officials and activists globally. WhatsApp sued NSO Group for the exploitation 

The Israeli firm, which claims its technology is used to combat terrorism and crime, argued that its actions were justified and that it should be shielded from liability. However, the court rejected these arguments, finding that it was responsible for the breach and that its actions violated US law.

This ruling has major implications for the spyware industry, which operates in a legal gray area. It establishes a precedent that companies like NSO Group can be held accountable for the misuse of their technology, even if they claim to be providing services to legitimate government agencies. The decision is also a major victory for privacy advocates, who have long warned about the dangers of invasive surveillance technologies.

WhatsApp hailed the ruling as a “huge win for privacy,” emphasizing that it would continue to work to protect user communications from such attacks. 

“We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions,” Will Cathcart, the head of WhatsApp stated.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Apple loses lawsuit against cyber security startup Corellium**
3.  **Amazon Files Lawsuits Against Fraudsters Over Fake Reviews**
4.  **YouTube MP3 Converter Site Shut Down After Labels Win Lawsuit**
5.  **Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data**

Tag

#asus