The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'variant' HTTP POST parameter called by the clearProjectConfigurationAjax.php script.

ABB Cylon Aspect 3.08.02 (clearProjectConfigurationAjax.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by calendarUpdate.php script.

ABB Cylon Aspect 3.08.02 (calendarUpdate.php) Remote Code Execution

Smartphones and face recognition are being combined to create new digital travel documents. The paper passport’s days are numbered—despite new privacy risks.

In a matter of years, no matter where you live or travel, your face will likely be your new passport.

For centuries, people have used some form of passport while moving from place to place. But the widespread standardization of passports as we know them today didn’t really begin until after World War 1, when passports were commonly used as a security measure and to deter spies entering a country. Even then, some considered passports to be an “anachronism in the modern world.”

But the use of paper passports—which were first digitized as “e-Passports” with NFC chips in 2006—is slowly undergoing one of its biggest transformations to date. The travel industry, airports, and governments are working to remove the need to show your passport while flying internationally. Eventually, you may not need to carry your passport at all.

Instead, face recognition technology and smartphones are increasingly being used to check and confirm your identity against travel details before you can fly. These systems, advocates claim, can reduce the amount of waiting time and “friction” you experience at airports. But privacy experts caution that there is little transparency about the technologies being deployed, and their proliferation could lead to data breaches and greater levels of surveillance.

The push to remove paper passports is happening worldwide. So far, airports in Finland, Canada, the Netherlands, the United Arab Emirates, the United Kingdom, Italy, the United States, India, and elsewhere have been trialing various levels of passport-free travel or the technology needed to make it happen. In October, officials in Singapore announced that its residents can fly to and from the country without using their documentation, and foreign visitors can “enjoy the convenience of passport-less clearance when they depart Singapore.” More than 1.5 million people have used the systems, officials claim.

“It’s probably going to become the mainstream way of traveling, as I understand, in the near future,” says Athina Ioannou, a lecturer in business analytics at the University of Surrey in the UK, who has researched the privacy implications that come with different types of travel. Ioannou says the Covid-19 pandemic accelerated contact-free travel, and many efforts are driven by trying to get passengers moving quickly through airports.

While trials around the world are at different stages and use different technical infrastructure, they broadly work in similar ways: Information historically stored in your passport’s NFC chip, including facial data, is instead stored digitally and linked to your phone. The EU is planning to build an official travel app for this. When you are at an airport, the phone can be shown, and a face recognition camera will try to match you to the passport photo.

One of the most commonly tested approaches is using a “digital travel credential.” A DTC, according to the United Nations’ International Civil Aviation Organization (ICAO), which is behind the approach, is made up of two parts: a virtual element, which represents the information stored on passports, and a physical part, the bit on your phone. The two are cryptographically linked to ensure they’re not forgeries. “The key feature of the ICAO DTC is that authorities can verify a digital representation of the passport data before the traveller’s arrival and confirm the data’s integrity and authenticity,” a description of the system says.

Three different approaches to the DTC exist, with two requiring you to carry (but not necessarily use) paper passports, while the third approach, which may be some years down the line, doesn’t require a passport to even be issued. Earlier this year, border officials in Finland held a small-scale trial of a DTC on 22 airline routes, using a mobile app that had been developed. While passengers still had to carry passports, the country’s Border Guard concluded that checks lasted for just eight seconds, with the technical processing happening in two seconds. “Speed is really essential here if we are talking about facilitating a huge number of people,” Mikko Väisänen, the head of the DTC pilot, says.

While ending frustrating airport lines would be welcome for many, the shift to digital travel document also raises concerns about how data is protected, a normalization of problematic surveillance technology such as face recognition, plus whether digital ID systems will be further rolled out to other parts of society and who ultimately controls or builds these pieces of infrastructure.

The ICAO’s documentation around the DTC identifies risks such as “look-alike fraud,” criminals collecting DTC data and duplicating parts of it, delays to journeys if systems face outages, and people being unable to travel if there is a “false rejection” in face-recognition systems and no fallback systems in place. Face-recognition systems have been highly controversial for years.

Multiple companies around the world are building verification systems to help people prove they are who they say, which can involve linking with official government databases or systems. Udbhav Tiwari, the director of global product policy at Mozilla, says there are “privacy by design” and data minimization efforts that are taking place with the development of these products and systems, but there are still a range of other risks.

“We don’t really know how secure these systems are,” Tiwari says, adding that there are generally concerns about the “fairness, accountability, and transparency” with AI systems that can be used. “The fact is that all of these companies develop these systems often do so in deeply proprietary manners,” Tiwari says.

On top of this, Tiwari says, countries can treat people differently. Different nations have data protection regimes of varying quality and may use different standards around how people’s information can be passed to government or law enforcement agencies or sold. “I, for example, would be much more comfortable using biometric-based travel in Germany than I would in many other countries in the world, because I trust the data-protection ecosystem and regulators in Germany and might not in other countries,” Tiwari says.

Adam Tsao, vice president of digital identity at security firm Entrust, says that people using any systems will want to know that their data is being used the way they expect it to be. For instance, he says, among other things people will want to know who has access to information, what purposes they can access it for, and what say they have in what happens to it. “You really want to get to the point where as we move in this digitized world, that you’re giving the exact right amount of information, for the exact right amount of time, for the right purpose to the right people,” Tsao says. And that may not be straightforward.

In India, the Digi Yatra face-recognition boarding system has faced multiple criticisms about how it has been introduced and how people have been signed up for the voluntary scheme, as Biometric Update has reported. “The way that it’s happening in India is no longer voluntary, and it’s no longer something we can hold the government or anybody else accountable for,” says Disha Verma, from the Internet Freedom Foundation.

The Digi Yatra system, which has been operating in 24 airports around the country, may be opening up to foreign citizens in 2025. Meanwhile, there are plans to roll out the identity technology to hotels and historical monuments. Your face could soon be your room key as well.

The Paper Passport Is Dying

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-9mgx-552f-59p6: TCPDF missing certificate validation

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

GHSA-4p8j-vhjm-6pvw: TCPDF lacks SVG sanitization

IN THIS ARTICLE: Hackers have released what they claim to be the second batch of data stolen in…

****IN THIS ARTICLE:****

*   **Hackers’ Claims:** IntelBroker released a second batch of extracted Cisco data, amounting to 4.84 GB, from the October 2024 breach, claiming it is part of a 4.5 TB trove.

*   **Leaked Data Contents:** The data includes sensitive files such as software artifacts, network configurations, testing logs, cloud server images, and cryptographic signatures, exposing intellectual property and operational insights.

*   **Misconfigured Resource Exploitation:** The data originated from a misconfigured, public-facing DevHub resource left exposed without password protection, allowing hackers to download it.

*   **Cisco’s Response:** Cisco acknowledged the incident, stated public access was disabled, and confirmed no servers were breached or sensitive data compromised, though hackers contest this claim.

*   **IntelBroker’s Track Record:** The hacker, known for breaching Apple, AMD, Europol, and others, highlights ongoing exploitation of misconfigured systems, a persistent issue in cybersecurity.

Hackers have released what they claim to be the second batch of data stolen in the alleged Cisco data incident from October 2024. According to **IntelBroker**, the hacker behind the breach, the latest leak, published on Christmas Eve on Breach Forums, contains 4.84 GB of data, part of an allegedly stolen 4.5 TB.

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

As seen by Hackread.com, the leaked data includes a trove of sensitive files, such as proprietary software development artifacts like Java binaries, source code, and application archives; network-related files including Cisco XRv9K virtual router images and configurations; testing logs and scripts; operational data such as Zero Touch Provisioning (ZTP) logs and packages; cloud server disk images; and cryptographic signatures for payment SDKs like Weixin Pay.

Additionally, the leak contains configuration files, internal project archives, and other miscellaneous documents, potentially exposing intellectual property, network configurations, and operational insights.

File tree shared by IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Background****

Notably, the leaked data originates from a misconfigured, public-facing DevHub resource that Cisco reportedly left exposed without password protection or security authentication, enabling the hackers to download the entire dataset **in October 2024.**

IntelBroker who accessed the misconfigured server claims they managed to extract 4.5TB of information. The first part of the data leak, which included 2.9 GB of files, was **published on December 17, 2024**.

****Cisco’s Response****

Cisco **acknowledged** (PDF) the October 2024 incident and stated that public access was disabled. The company also confirmed that none of its servers were breached and no sensitive data was compromised. However, the hackers claim otherwise, particularly regarding the extracted data.

Regarding the latest leak, Cisco noted on its incident response page that it is aware of the claims made by IntelBroker, asserting that the data published this time also stems from the October 14, 2024, incident.

> _“On Wednesday, December 25, 2024, at 17:07 EST, the threat actor IntelBroker posted on X about releasing more data. At 17:40 EST, IntelBroker released 4.45 GB of data for free on BreachForums. We have analyzed the post data, and it aligns with the known data set from October 14, 2024.”_  
> 
> Cisco

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

1.  **IntelBroker Claim Access to Nokia Internal Data, Selling for $20K**
2.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**
3.  **IntelBroker Space-Eyes Breach, Targeting US National Security Data**
4.  **IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access**
5.  **AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info**

Hackers Release Second Batch of Stolen Cisco Data

A vulnerability was found in python-sql where unary operators do not escape non-Expression (like `And` and `Or`) which makes any system exposing those vulnerable to an SQL injection attack.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-pq9p-pc3p-9hm4: python-sql SQL injection vulnerability

Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS)  due to improper neutralization of HTML sanitization.

### Impact

Marp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS).

### Patches

Marp Core [v3.9.1](https://github.com/marp-team/marp-core/releases/tag/v3.9.1) and [v4.0.1](https://github.com/marp-team/marp-core/releases/tag/v4.0.1) have been patched to fix that.

### Workarounds

If you are unable to update the package immediately, disable all HTML tags by setting `html: false` option in the `Marp` class constructor.

```javascript
const marp = new Marp({ html: false })
```

### References

- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)
- https://github.com/marp-team/marp-core/pull/282
- https://github.com/marp-team/marp-core/commit/61a1def244d1b6faa8e2c0be97ec0b68cab3ab49

### Credits

Thanks to @Ry0taK for finding out this vulnerability.

GHSA-x52f-h5g4-8qv5: Marp Core allows XSS by improper neutralization of HTML sanitization

While companies have responded to the new SEC rules by disclosing incidents promptly, many of the reports don't meet the SEC's "material" standard.

Source: Paul Hastings, LLP

The new cybersecurity disclosure rules introduced by the US Securities and Exchange Commission (SEC) last year have resulted in a significant increase of incident reports from public companies, but most of the reports do not include the material impact of those incidents, according to a law firm specializing in finance and M&A activity.

Analysis by Paul Hastings LLP found cybersecurity incident reports have increased by 60% since the disclosure rule went into effect in 2023. The SEC regulation requires public companies to disclose material cybersecurity incidents within four business days of determining materiality. Material, in this instance, means that the incident can impact someone's decision on whether to invest in the company. Determining materiality involves considering the immediate fallout and any longer-term effects on a company's operations, customer relationships, financial impact, reputational or brand perception, and the potential for litigation or regulatory action.

As the chart above shows, the impact of the regulation spans numerous industries. While the financial services sector accounted for the largest number of disclosure reports, industrials and healthcare were also heavily impacted. Automotive retail and retail entities were also hit by cyberattacks and had to report those incidents.

Less than 10% of the disclosures detailed the material impacts of the incidents, suggesting that companies are having difficulty balancing detailed reporting with protecting the details of internal operations. The report included examples of what was considered material, such as Basset Furniture Industries noting that business operations are materially impacted until recovery efforts are completed, or First American Financial disclosing adjusted earning per share for the fourth quarter financial results and quantifying the losses in the company's SEC filings.

Some companies (13%) opted to provide a press release or a reference to a blog post to provide more details about the incident.

**Third-Party Breach Impact**

One in four incidents in the report were third-party breaches. Companies are struggling to figure out whether to disclose third-party breaches, especially if other victims have disclosed the incidents. The automotive retail sector was affected primarily by the ransomware attack on automotive software provider CDK Global in June. The company paid a $25 million ransom. CDK's parent company, Brookfield Business Partners, said in its July disclosure that the company did not "expect this incident to have a material impact." Many of the smaller automotive companies claimed material impact as a result of CDK's incident.

The SEC recently announced enforcement settlements with four SolarWinds customers for allegedly making misleading disclosures related to how they were impacted by the cyberattack. Two of the four publicly disclosed the incidents but did not disclose all material facts known at the time, such as the name of the threat actor, nature of information stolen, and number of accounts accessed. The other two did not disclose the incidents, and the SEC said they should have disclosed the impact.

**Speed or More Details?**

More than three-quarters (78%) of disclosures were made within eight days of discovery of the incident. The SEC specified that the deadline to disclose is not four business days after discovering the incident but rather when materiality has been determined, but most companies opted to act quickly. A third (32%) filed within four days of discovery. This suggests that companies are reporting quickly to avoid being fined by the SEC for delayed disclosure but too quickly because they have not yet determined the full implications of the incident. This may be why 42% of the companies wound up filing multiple reports for the same incident, each time providing more details, such as quantifiable loss, impact to customer personal data, and notification to individuals and regulators.

"Companies should continue to evaluate disclosure controls and engage in tabletop exercises to practice the decision-making required to makes such materiality decisions in the event of a cyber incident," the report's authors said.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

SEC Disclosures Up, But Not Enough Details Provided

From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.

In 2024, we at Dark Reading covered a variety of attacks, exploits, and, of course, vulnerabilities across the board. Here, we recount 10 emerging threats organizations should be prepared for — as detailed by Dr. Jason Clark in "10 Emerging Vulnerabilities Every Enterprise Should Know," a Dark Reading webinar — as they continuously rise and develop in 2025.

**Zero-Day Exploits**

Zero-days and their increase in volume across the cybersecurity landscape is a particularly concerning trend, as there is no patch for these bugs when they're discovered. Attackers are also able to exploit systems using these vulnerabilities undetected, as safeguards have not been put in place by organizations or enterprises yet.

High-profile zero-day vulnerabilities include Log4Shell, tracked as CVE-2021-44228, a critical RCE bug within Log4j's Java Naming and Directory Interface (JNDI). By exploiting the vulnerability, attackers were able to easily take control of vulnerable systems, a considerable threat as Log4j is used in nearly every Java application.

Other vulnerabilities include PrintNightmare and Proxyshell, both remote execution flaws that were exploited quickly and widely, according to Clark.

"The rise in zero-day exploits is partly driven by just more sophisticated threat actors," Clark said in the Dark Reading webinar. "This can include things like nation-states and also using them in targeted attacks."

Chad Graham, cyber incident response team (CIRT) manager at Critical Start, however, believes that advancements with AI will change the landscape in 2025.

"Both attackers and defenders will rely on AI-driven tools to automate the search for hidden software flaws," Graham says. "This shift will likely result in a more dynamic cybersecurity landscape, where continuous innovation and adaptation become the norm."

**Supply Chain Attacks**

Supply chain attacks remain an active threat and tend toward the severe as their impact cascades on to multiple parties: customers, suppliers, and other third parties. Attackers exploit a trusted resource and ultimately gain access to not just one organization, but multiple. These kinds of threats remain concerning as organizations depend more and more on outsourcing services.

The best known example is the SolarWinds breach, which impacted the SolarWinds Orion system, at the hands of a group known as Nobelium. More than 30,000 organizations — including state and federal agencies — used the Orion network management system, resulting in the backdoor malware compromising thousands of data, network, and systems.

Tracked as CVE-2020-10148 with a CVSS score of 9.8, the authentication bypass bug allowed an unauthenticated attacker to execute API commands. The attackers in question were advanced persistent threat (APT) actors who infiltrated into the SolarWinds’ supply chain to insert a backdoor.

"The complexity of modern supply chains makes it challenging to secure all the dependencies," Clark said in the webinar. "This underscores the need for rigorous third-party risk management."

In the year ahead, Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, believes that there will be a sharpened focus on supply chains and third-party risk management.

"The CrowdStrike incident wasn't just a wake-up call — it was a stark reminder that in our interconnected ecosystem, one weak link can trigger a catastrophic chain reaction," Simberkoff says.

**Remote Work Infrastructure Exploits**

Since 2020 and the COVID-19 pandemic, organizations have leaned into remote and hybrid work offerings, increasing the risk of cybersecurity threats and becoming a significant concern. Attackers focus on vulnerabilities that allow users to engage in remote work such as VPNs, remote desktop protocols (RDPs), and phishing attacks through platforms such as Zoom and Microsoft Teams.

There have been several notable incidents in which VPNs and RDPs were leveraged, allowing threat actors to gain access to enterprise systems and networks. In addition, remote workers are often operating from less secure environments, causing an uptick in phishing attacks as the threat actors try to take advantage of these blind spots.

"The shift to remote work has expanded the overall attack surface, Clark said in the webinar. "Remote workers often need more security controls than those that are working \[onsite\], which can lead to significant vulnerabilities."

Recent examples of vulnerabilities remote and hybrid work vulnerabilities include CVE-2024-38199, a remote code execution vulnerability (RCE) in the Windows or Line Printer Deamon (LPD) Service, and CVE-2024-21433, a Windows Print Spooler elevation of privilege vulnerability.

"Remote work infrastructure will continue to be a prime target for cybercriminals in 2025, with an increase in sophisticated attacks on cloud services, VPNs, and collaboration tools," says Stephen Kowski, field CTO at SlashNext Email Security+. "We'll likely see more AI-powered threats designed to bypass traditional security measures, exploiting vulnerabilities in interconnected devices and home networks."

**Exploitation of AI and Machine Learning Systems**

With the rise of AI and its increasing use amid the public, comes widespread risk of exploitation from attackers. Clark noted of adversarial attacks, data poisoning, and model inversion attacks that are at the forefront of emerging threats for AI and machine learning (ML) systems in particular. 

The nature of some ML systems requires feeding a system information for the best results, the system becoming more familiar with the user over time. When attacks target these systems, it can lead to unauthorized access to sensitive data stored and processed within these tools, as well as incorrect predictions or biased decisions.

"AI models will be key areas of exploitation in 2025," says Rom Carmel, co-founder and CEO at Apono. "As AI and machine learning become integral to identity verification systems, attackers will find ways to poison AI models or bypass them."

AI can also simply be manipulated for malicious ends, as seen when an AI deepfake robocall was created to impersonate US President Joe Biden to encourage individuals not to vote in the New Hampshire's Democratic primary, an event that could have had severe consequences on the US electoral process.

"The threat landscape is evolving with the rapid adoption of AI and ML," Clark said in the webinar. "Attackers increasingly focus on these systems to undermine their reliability and exploit vulnerability."

**Cloud Misconfigurations**

As organizations continue to shift their operations to the cloud, it will continue to emerge as a space for threat actors to thrive, often due to the cloud simply not being set up correctly.

Common examples of threats that circulate within the cloud are publicly accessible S3 buckets, misconfigured security groups in AWS, and exposed databases.

"Cloud misconfigurations can have severe impacts related to data breaches, unauthorized access to critical systems, financial loss, and reputational damage," Clark said. He added that the complexity of these environments is going to increase leading to more frequent configuration errors.

In the past, Amazon and Microsoft cloud environments have exposed customer data, such as viewing habits, names, email addresses, email content, and phone numbers. The leaks aren't due to vulnerabilities but misconfigurations ranging from insecure read-and-write permissions to inaccurate access lists and misconfigured policies.

"To successfully prevent cloud breaches in 2025, companies need to focus on three key areas: visibility, access control, and continuous monitoring," says Jason Soroko, senior fellow at Sectigo. "Cloud environments are dynamic, so your security needs to be dynamic too."

**IoT Device Vulnerabilities**

IoT devices are allowing for emerging threats to thrive, being easy targets for threat actors to exploit, whether it be due to weak default passwords, lack of encryption, or insecure firmware.

Common attacks that IoT devices face are data theft, network breaches, and distributed denial-of-service (DDoS) attacks. A recent example emerged in the Common Unix Printing System (CUPS) for managing printers and print jobs. The series of vulnerabilities, tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 could allow bad actors to stage DDoS attacks within seconds for less than 1 cent while using an available cloud platform.

"Just the sheer volume of connected devices really exacerbates the threat," Clark noted in the webinar. "Securing these devices becomes really challenging due to their diversity and often limited processing power for adding security features."

And as the use of IoT, OT, and 5G networks continues to rise, organizations will need cyber threat intelligence (CTI) to extend beyond traditional IT environments, says Callie Guenther, senior manager, cyber threat research at Critical Start. "This expansion, which will continue throughout 2025, will add complexity to CTI, requiring more granular insights and specific intelligence data."

**Cryptographic Weaknesses**

According to Clark, cryptographic weaknesses continue to pose a significant threat because these kinds of vulnerabilities undermine the foundation of secure communication and data protection. These weaknesses often manifest in one of two ways: flaws in encryption algorithms, or how the algorithms are implemented.

"The rising threat is kind of compounded by the fact that as computational capability advances, that previously secure crypto standard now becomes increasingly more vulnerable," Clark said in the webinar.

He recommended regularly updating cryptographic libraries, and enforcing strong encryption protocols to avoid exploitation attempts like man-in-the middle attacks, data integrity issues, and the exposed sensitive information.

Just recently, Acros Security discovered a vulnerability, similar to CVE-2024-38030, that enables an attack in which a vulnerable device is coerced into sending NTLM hashes, which is the cryptographic version of a user's password, to a threat actor.

"We have never before required from \[cloud service providers\] such granular and detailed information on the type of encryption in use, but customers (government and non-government customers alike) will require this level of detail to ensure their encryption standards are being met," says Philip George, executive technical strategist at InfoSec Global Federal.

**API Security Gaps**

More organizations are relying on APIs to connect systems; however, these APIs are at risk when they have flaws in the design or the implementation of the APIs. Attackers are able to breach systems through unauthorized access, allowing them to manipulate certain restricted actions.

A notable example of this is the exposure of user data through Facebook’s API, though these flaws are also abundant in other sectors such as healthcare or financial services. 

Gaps in API security ultimately serve as a launchpad, often for data breaches which can lead to the loss of sensitive information, unauthorized transactions, reputational damage, and significant financial loss.

"The threat is escalating as API is becoming more prevalent, increasing the number of potential attack surfaces," Clark said. "To mitigate these risks, it's essential to secure your API endpoints, enforce robust authentication mechanisms, and regularly update and audit API access."

A Docusign API was recently used in a wide-scale phishing campaign due to its "API-friendly environment," which is beneficial for businesses but also provides a way for bad actors to conduct malicious operations. The flaw could ultimately could have led to instances of fraud, though there are ways for users to avoid and detect such API abuse.

In the coming year, the cyber landscape will continue to evolve, API being in the forefront of these changes.

"We anticipate a rise in sophisticated API attacks using automation, artificial intelligence, and advanced evasion techniques to exploit vulnerabilities and bypass traditional security measures," says Eric Schwake, director of cybersecurity strategy at Salt Security. "One significant risk will stem from the exploitation of API misconfigurations, which often occur due to the fast pace of development and deployment. This situation will challenge organizations to adopt a more proactive and comprehensive approach to API security."

**Ransomware Evolution**

"We could do a whole webinar on ransomware," Clark said in the webinar, which raises the question: Can ransomware even be considered an emerging threat? 

The answer is yes, though ransomware attacks have become one of the most disruptive and costly cyberattacks out there largely due to their rapid evolution.

One of the most notable ransomware attacks occurred on Colonial Pipeline, which shut down its entire operations for the first time, leading to fuel shortages and four states on the East Coast declaring a state of emergency. The ransomware attack prompted action from national security and the executive branch and forced a reevaluation of the nation's critical infrastructure security.

Threat actors know they can win big when demanding ransoms from organizations, such as those in the healthcare sector, which will pay these high prices in order to help patients in need.

"As these attacks are becoming more targeted and, frankly, aggressive, it's crucial to start to implement backup strategies that are robust, strengthen your overall incident response plans, and continuously educate your employees on recognizing and avoiding things like phishing attempts that can often serve as an entry point for ransomware," Clark said in the webinar.

Backups may not always be an option, according to Brandon Williams, chief technology officer at Conversant Group.

"Some threat actors have moved to deleting data as part of their normal motions," he says. "If this gains traction in 2025, organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool. The only method of recovery will be backups; however, data shows that backups do not typically survive these breaches."

**5G Network Vulnerabilities**

5G networks are being rapidly deployed, and with them come threat actors' awareness and exploitation of its vulnerabilities. Attackers are increasingly able to target 5G infrastructure with ease, and these open the door for even bigger threats such as large-scale DDoS attacks, unauthorized data access, and disruption of our critical services.

"As we consider the rising threat, the global rollout of 5G brings an increasing number of connected devices," Clark said in the webinar. "The rising number amplifies their attack risk, particularly given their reliance on cloud-native infrastructures."

At Black Hat 2024 in Las Vegas, seven Penn State University researchers detailed how mobile devices are at risk of data theft and denial of service due to 5G technology vulnerabilities. Threat actors use these resources simply by providing someone with an Internet connection, allowing easy access to spying, phishing, and more. 

"Vulnerabilities such as lack of initial broadcast message authentication, spectrum slicing, silent downgrade, and unsecured DNS paging currently affect 5G networks," says Mayuresh Dani, manager, security research, at Qualys Threat Research Unit. "In the year to come, these will continue affecting 5G networks and vulnerabilities in unsecured base stations will multiply snooping attacks."

Tag

#auth