The advancement of technology has also impacted sectors like gaming. Blockchain technology has surfaced as an asset that…

The advancement of technology has also impacted sectors like gaming. Blockchain technology has surfaced as an asset that provides an angle on honesty and equality in the industry. Developers are incorporating blockchain into gaming to establish a fairer setting for players. This article digs deep into how blockchain games guarantee transparency and impartiality while discussing their advantages and obstacles.

****Exploring the World of Blockchain Technology****

Blockchain is a system of distributed ledgers that records transactions on computers to prevent tampering with data and ensure transparency. Every transaction is visible to all participants involved in the process without relying on a central authority for trust among users in the system’s decentralized environment. Blockchain games are an excellent example of how this technology innovates the gaming industry.

****Exploring the Integration of Blockchain Technology****

Integrating technology into gaming means utilizing ledgers to handle game items and transactions smoothly and securely for players to have genuine ownership of digital assets like characters and weapons or skins in a game environment with verification and safeguarding through blockchain for added security measures with sustainable assurance for peer to peer trades feasible, without intermediaries involvement leading to cost savings. 

****Improving Clarity****

Blockchain technology emphasizes transparency as an element in gaming by allowing players to validate the fairness of in-game events, such as loot drops and purchases, through unchangeable records maintained by the blockchain system. This openness builds trust as players can personally verify the authenticity of game rules. 

****Making Sure Things Are Fair****

Players have always been worried about fairness in gaming! Blockchain technology tackles this problem by allowing game algorithms and results to be easily verified by all parties. To guarantee fairness in games powered by technology and to prevent any play or cheating from happening during gameplay or outcome determination processes, smart contracts are utilized to automate and enforce the rules fairly according to mutually agreed conditions with no chance for any manipulation. 

****Ensuring Honesty and Integrity****

In traditional gaming settings, cheating and fraud are issues that disrupt play for all participants involved. However, with the integration of blockchain technology, every transaction and action taken by players is meticulously documented, making it harder for individuals to engage in deceitful practices. The unchangeable nature of these records is a deterrent against cheating since tampering with past data becomes nearly impossible. This transparency ultimately promotes equality among players, ensuring a level playing field where everyone can compete fairly. 

****Securing Ownership and Assets** **

In games online, belongings usually don’t belong to the players themselves. Blockchain alters this by enabling gamers to own virtual items separately from the game creators or developers who made them in the first place. Gamers can freely sell these possessions with confidence in their ownership security. This newfound freedom enriches the gaming journey as players engage deeply with their realms. 

****The Obstacles Encountered in Blockchain Gaming****

While blockchain gaming offers advantages and opportunities for growth in the industry, it also encounters obstacles along the way. One key issue is scalability, with blockchain networks finding it challenging to handle several transactions efficiently. Moreover, the intricate nature of technology may deter gamers from embracing it fully. To overcome these challenges and gain acceptance, education and user-friendly interfaces play roles.

Blockchain also faces challenges due to its energy consumption levels. However, new technologies are being developed to address this issue and make the gaming industry more eco-friendly by adopting sustainable practices. 

****The Upcoming Trajectory of Blockchain-Based Gaming****

The outlook for games seems bright as technology progresses. Developers are expected to address existing constraints shortly to encourage wider acceptance of these games among players and enthusiasts alike. The overall gaming experience will improve and appeal to a more extensive audience base through advancements in scalability and energy conservation measures. There is potential for blockchain-based games to find their way into the mainstream market and transform the industry by introducing transparency and equity principles. 

****Final Thoughts** **

Blockchain technology promotes transparency and fairness in gaming by providing players with ownership and verifiable results in blockchain games that cultivate a fairer environment for all participants despite obstacles ahead; the promise of advancement and creativity persists substantially. Adopting this technology has the potential to revolutionize our interaction with realms and redefine our understanding of gaming by paving the way for a future where fairness and transparency reign supreme. 

1.  In Gaming Item Scams and How to Avoid Them?
2.  Exploring Data Privacy and Security in B2B Gaming Data
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  Blockchain in cybersecurity: opportunities and challenges
5.  GAM3S.GG and Immutable Partner for Web3 Gaming Expansion

How Blockchain Games Ensure Transparency and Fairness

The education sector is changing quickly as it adopts digital tools for better learning experiences. These days, learning…

The education sector is changing quickly as it adopts digital tools for better learning experiences. These days, learning management systems (LMS), offered as Software as a Service (SaaS), have become crucial for schools and businesses looking to offer flexible online education options. This guide takes a look at ten LMS SaaS platforms that are perfect for expanding online learning opportunities. We won’t be focusing on brands. 

****1\. Exploring LMS SaaS Platforms****

Cloud-based LMS SaaS platforms provide solutions for delivering content and organizing learning activities without requiring extensive infrastructure. They offer access for both instructors and learners while reducing maintenance expenses and ensuring regular updates for a seamless learning process. Moreover, the scalability of SaaS platforms enables institutions to grow without sacrificing quality. 

****2\. User-Friendly Functionality****

Ease of use is an important consideration when choosing an LMS system that fits your needs. Platforms with intuitive user interfaces ensure navigation for both teachers and students. User engagement is improved with features like drag-and-drop tools for creating courses and customizable dashboards. It’s advisable to focus on platforms that provide a well-organized onboarding process to reduce training time when comparing options. 

****3\. Versatility** **

Different organizations have unique requirements that highlight the importance of customization for a learning management system. LMS must offer administrators the flexibility to personalize content delivery methods and assessments based on their objectives. Furthermore, the ability to smoothly integrate third-party software like video conferencing tools and document editors enhances the functionality of the platform. 

****4\. The Ability to Adjust and Grow As Needed****

As organizations expand,​​​ their system must scale accordingly to accommodate a growing number of users while maintaining efficiency. A well-organized LMS should dynamically adjust resources based on demand, ensuring smooth performance regardless of the number of learners.​ ​When selecting a solution for this purpose,​ ​it is important to choose options that can flexibly adjust resources based on the needs.

****5\. Compatibility with Devices****

Education in this era heavily relies on technology to provide accessible learning experiences even while on the move. Many learning management systems now offer mobile-friendly interfaces, allowing learners to interact with content anytime and anywhere. Responsive design and specialized mobile apps enhance user experiences by ensuring transitions between devices. It is essential to prioritize features that support offline access, enabling users to download materials for reference. 

****6\. Data Presenting Findings** **

Successful learning necessitates data-driven insights, making analytics and reporting tools essential in an LMS. These platforms empower teachers to monitor student advancement and pinpoint areas that need enhancement effectively. Interactive dashboards, detailed reports, and visual data representations support educators in making informed decisions. 

****7\. Adherence to Regulations** **

Ensuring the security of information is crucial in the realm of online learning systems. These platforms need to follow established security measures to protect data effectively. Look for options that provide encryption, reliable authentication procedures, and consistent security patches. Additionally, these platforms need to comply with regulations like GDPR and FERPA to guarantee that they meet the necessary data protection standards. 

****8\. Interaction****

Encouraging communication between students and teachers enriches the online learning journey. LMS platforms with communication features like discussion forums, chat functions, and video calls help foster teamwork. These features encourage students to engage and establish a sense of belonging in online learning environments. Look into learning management system choices that promote engagement-driven components. 

****9\. Cost-Efficiency****

Choosing an LMS is heavily influenced by budget factors. SaaS platforms are known for offering cost-effective options by eliminating the need for expensive hardware and minimizing maintenance fees. Consider pricing structures that match your company’s budget constraints, like subscription-based packages or pay-per-user models. Assess the cost of ownership, which includes any charges to guarantee a good return on investment. 

****10\. Support Services****

The quality of support services and available resources offered by LMS vendors influence user satisfaction levels. The platforms that provide responsive assistance, tutorials, and active user forums tend to improve the overall experience. It is recommended that you choose options that provide 24/7 customer service to resolve any problems efficiently. Having access to a knowledge base and an active user community also promotes self-assistance and collaboration among peers. 

****Conclusion****

Picking the LMS SaaS platform is vital for providing online learning opportunities that cater well to learners globally. By taking into account factors like user-friendliness, customization, scalability, and mobile support, organizations can improve educational experiences. Robust data analysis, security measures, and efficient communication tools also play a key role in successful integration. Ultimately, selecting an affordable solution with reliable assistance guarantees a smooth transition toward achieving digital education success.

10 Best LMS SaaS Platforms for Scalable Online Learning

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update…

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update firmware now!

Rapid7 researchers uncovered security weaknesses in Xerox Versalink C7025 multifunction printers, specifically models running firmware version 57.69.91 and earlier. These vulnerabilities designated CVE-2024-12510 and CVE-2024-12511, expose the devices to “pass-back” attacks.

According to Rapid7’s research shared with Hackread.com, these are a type of attacks that allow a malicious actor who has compromised the printer’s administrative functions to redirect authentication requests to a system under their control. This can be achieved by altering settings related to services like Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB), and File Transfer Protocol (FTP).

The LDAP vulnerability allows an attacker to modify the LDAP server’s IP address within the printer’s configuration. By then triggering an LDAP lookup, the printer unwittingly sends authentication credentials to the attacker’s rogue server. The attacker can then capture these credentials in clear text. Similarly, the SMB/FTP vulnerability allows modification of the SMB or FTP server’s IP address in the user’s address book configuration.  

The image illustrates how an attacker might manipulate the server IP address to redirect authentication attempts to a rogue server, thereby stealing the credentials. Predefined login credentials, with the username “MFPservice,” are used for authentication.

While the password itself is obscured, its presence indicates that the printer is configured to authenticate to the LDAP server, a detail central to the pass-back vulnerability where these credentials could be captured by an attacker.

Source: Rapid7

This can be exploited by triggering a scan-to-file operation, which sends authentication credentials to the attacker-controlled server. In the case of SMB, this could expose NetNTLMV2 handshakes, potentially allowing further compromise of Active Directory file servers. For FTP, credentials would be transmitted in clear text.

Successful exploitation of these vulnerabilities requires either administrative access to the printer’s settings or, in some cases, physical access to the console or remote access via the web interface if user-level remote control is enabled. 

The impact of these vulnerabilities is significant, as attackers could potentially gain access to sensitive credentials, including those for Windows Active Directory. This could enable lateral movement within a network, compromising critical servers and systems.

Rapid7 responsibly disclosed these vulnerabilities to Xerox, coordinating the disclosure timeline and working with the vendor to confirm the effectiveness of the patches. Organizations using affected Xerox Versalink printers should immediately upgrade to the latest patched firmware version.

In case immediate patching is not feasible, it is recommended to set a strong and unique password for the printer’s administrative account, avoid the use of domain administrator accounts for LDAP or scan-to-file services, and disable remote console access for unauthenticated users.

Xerox Versalink Printers Vulnerabilities Could Let Hackers Steal Credentials

Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.

For more than a decade now, Russian cyberwarfare has used Ukraine as a test lab for its latest hacking techniques, methods that often target Ukrainians first before they're deployed more broadly. Now Google is warning of a Russian espionage trick that's been used to obtain Ukrainians' messages on the encrypted platform Signal—and one that both Ukrainians and other Signal users worldwide should protect themselves against with a new update to the app.

Google's threat intelligence team on Wednesday released a report revealing how multiple hacker groups that serve Russian state interests are targeting Signal, the end-to-end encrypted messaging tool that has become widely accepted as a standard for private communications and is now often used by Ukrainians, including in the Ukrainian military's battlefield communications. Those Russia-linked groups, which Google has given the working names UNC5792 and UNC4221, are taking advantage of a Signal feature that allows users to join a Signal group by scanning a QR code from their phone. By sending phishing messages to victims, often over Signal itself, both hacker groups have spoofed those group invites in the form of QR codes that instead hide javascript commands that link the victim's phone to a new device—in this case, one in the hands of an eavesdropper who can then read every message the target sends or receives.

“It looks exactly like a group invite, and everything would function exactly like that, except when you scan it, it links the device out,” says Dan Black, a Google cyberespionage researcher and former NATO analyst. “It instantly pairs your device with theirs. And all your messages are now, in real time, being delivered over to the threat actor while you're receiving them.”

Two months ago, Google began warning the Signal Foundation that maintains the private communications platform about Russia's use of the QR code phishing technique, and Signal last week finished rolling out an update for iOS and Android designed to counter the trick. The new safeguard warns users when they link a new device and checks with them again at a randomized interval a few hours after that device is added to confirm that they still want to share all messages with it. Signal now also requires a form of authentication such as entering a passcode or using FaceID or TouchID on iOS to add a new linked device.

In fact, Signal had already been working to update those forms of phishing protections aimed specifically at exploitation of its linked device feature prior to Google's warning, says Signal's senior technologist, Josh Lund. But Google's report about Russia's spying in Ukraine provided an “acute” example of the problem that pushed them to move quickly to protect users, he says.

“We're really grateful to the Google team for their help in making Signal more resilient to this type of social engineering,” says Lund, using the cybersecurity term for tricks that deceive victims into giving hackers sensitive information or access to their systems.

Both Google and Signal emphasized that the phishing technique Google has seen in use in Ukraine doesn't suggest that Signal's encryption is broken or that the app's messages can otherwise be eavesdropped in transit. Instead, the trick essentially combines two legitimate features—QR-code group invites and QR-code device linking that pairs a smartphone with a laptop—invisibly swapping one with the other to deceive users. “Phishing is a big problem on the internet, and it's never nice to hear that someone has fallen victim to one of these attacks,” Lund says. “But we're trying to do our best to keep users safe, and we think these recent improvements will really help.”

Google notes that it's seen Russia use similar techniques to target other communications platforms like WhatsApp and Telegram, too. But the hackers tied to Russia's military have focused on Signal because of its widespread tactical use in the Ukrainian military. One of the two hacker groups that has exploited the QR code phishing technique, for instance, has disguised the codes as invites to groups associated with an artillery guidance app used by the Ukrainian military called Kropyva. In other instances, the spoofed QR codes have impersonated invites to other groups from a trusted contact, or security alerts from Signal itself.

Russia's hackers have targeted Signal as part of the country's war efforts in Ukraine since as early as 2023, a year into its full-scale invasion, says Google's Black. That's when the Russian hacker group known as Sandworm, a notorious unit of Russia's GRU military intelligence agency, began pivoting from disruptive cyberattacks to tactical espionage that included penetrating tablet computers used by the Ukrainian military. In some cases, Sandworm's hackers have also aided front-line Russian troops in off-loading Signal messages from captured devices, including by using the linked-device feature to pair compromised phones with their own PCs. Google says that Turla, a hacker group linked to Russia's FSB security agency, has also targeted Signal messages on PCs that it's infected with malware.

Google's Black says that the company's analysts nonetheless waited to highlight Russia's use of the QR-code phishing technique to target Signal until the Signal Foundation could push out new protections, in part to prevent other hackers from copying the technique. Black warns, in fact, that Russia's targeting of Signal in Ukraine shouldn't be seen as a problem limited to Ukraine nor to military conflicts in general. The trick is just as likely to be used for targeting dissidents and activists who use Signal worldwide, or even a broader set of targets. In December, for instance, US officials recommended Americans use end-to-end encrypted apps in response to the Chinese hacker group Salt Typhoon's widespread penetrations of US telecom networks.

“The use case for these techniques is just so wide," says Black. “We've seen history tell us a very particular story in terms of tradecraft, that the things that happen in Ukraine don't seem to stay confined there.”

A Signal Update Fends Off a Phishing Technique Used in Russian Espionage

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The flaws are listed below -

CVE-2025-0108 (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS

CISA Adds Palo Alto Networks and SonicWall Flaws to Exploited Vulnerabilities List

The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.

North Korea-linked threat groups are increasingly using living-off-the-land (LotL) techniques and trusted services to evade detection, with a recent Kimsuky campaign showcasing the use of PowerShell scripts and storing data in Dropbox folders, along with improved operational security.

In the campaign, dubbed "DEEP#DRIVE" by security firm Securonix, the threat group used fake work logs, insurance documents, and crypto-related files to convince users to download and run a zipped shortcut file that gathers system configuration information and then executes PowerShell and .NET scripts. The attack tools upload the system data to Dropbox folders and then download additional commands and capabilities for further compromise.

While the attackers showed some interest in quick financial wins — such as targeting cryptocurrency users — for the most part, the threat group focused on stealing sensitive data from South Korean government agencies and businesses, says Tim Peck, a senior threat researcher at Securonix.

"We observed evidence of both espionage and financial motivation, though leaning more toward espionage," he says. "This aligns with Kimsuky's historical targeting of South Korean government agencies, enterprises, and strategic industries."

North Korean cyber-operations groups have consistently targeted South Korea and the US, with South Korean government agencies and companies among the most popular targets. In September 2024, the FBI warned that North Korean groups planned to launch a surge of attacks against organizations with significant cryptocurrency reserves, and Kimsuky launched a similar multistage attack against South Korean targets last year.

**A Prolific Group**

Kimsuky isn't monolithic, but has five threat groups that have overlap with what other companies consider to be the same group, says threat intelligence firm Recorded Future. One group tends to focus on the healthcare and hospitality sectors, for example, while another focuses on cryptocurrency markets.

By mid-2023, Kimsuky became the most prolific North Korean group. (More recent data not available.) Source: Recorded Future's "North Korea's Cyber Strategy" report

The Kimsuky groups accounted for the most attacks identified as North Korean in origin between 2021 and 2023, according to Recorded Future's "North Korea Cyber Strategy" report. In 2024, the groups continued to account for a high volume of attacks, says Mitch Haszard, senior threat intelligence analyst with Recorded Future.

"These groups conduct high volume phishing campaigns, primarily targeting individuals and organizations in South Korea, while occasionally targeting entities in other countries," he says. "In the activity we see, these groups appear to be going for volume, rather than more time-consuming, tailored spear-phishing operations."

Other well known North Korean groups, such as Lazarus and Andariel, are not as prolific as the Kimsuky threat actors. While some of those groups are more focused on gathering sensitive information, nearly all also have a financial motivation.

**Thousands of Victims?**

In the DEEP#DRIVE campaign, following the compromise of a system, the Kimsuky group's attack scripts upload data on the system configuration to one of several Dropbox folders. While the Securonix researchers were not able to gather intelligence from all the suspected Dropbox locations, they uncovered signs of more than 8,000 configuration files, although some appear to be duplicates, Peck says.

While that means they likely came from the same victim organizations, the campaign appears to be quite successful, he says.

"There were two factors which contributed to the 'uniqueness' of the configuration file, the username, and IP address," Peck says. "Some usernames were associated with dozens of similar IP addresses, which could indicate lateral movement by the attacker — \[that is\], infecting dozens of machines from the same entity."

The data from a compromised system includes the host IP address, the system uptime, details about the OS type and version, any installed security software, and a list of running processes.

**Kimsuky Improves Its OpSec**

The campaign also highlighted North Korean cyber-operations groups' improvements to operational security. The group used OAuth-based authentication on its Dropbox folders, preventing traditional URL-blocking or network-based defenses from following the links. The threat actors also quickly took down components of their infrastructure soon after the Securonix researchers began investigating, Securonix's Peck says.

"This level of operational awareness is not always present in phishing-driven malware campaigns," he says.

For companies, the threat group's tactics underscore that the hidden file extensions should be disabled, shortcut files should be blocked from executing in user folders, and only signed PowerShell scripts be allowed to execute. Those three countermeasures make the attackers' activity much easier to detect, Peck says.

In addition, companies in targeted industries — such as cryptocurrency exchanges and government agencies — should bolster their email security and regularly train employees on how to spot phishing threats, says Recorded Future's Haszard.

"Most North Korean cyberattacks still start with social engineering and a phish," he says. "Companies should ensure that they have an email security solution in place and regularly train employees on phishing threats, as well as conduct simulated phishing tests."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

North Korea's Kimsuky Taps Trusted Platforms to Attack South Korea

Acquisition strengthens Deepwatch Platform capabilities with actionable insights and risk-based prioritization.

Source: Gajus via Adobe Stock Photo

NEWS BRIEF

Deepwatch, an artificial intelligence (AI) and human cyber-resilience platform provider, has announced its acquisition of security intelligence solutions startup Dassana. Deepwatch plans to integrate Dassana's AI-powered risk and threat exposure management technology, CISO Copilot, into its Deepwatch Platform.

The integration will also allow CISOs and security leaders to get real-time insights into their security posture, said Deepwatch CEO John DiLullo in a statement. The acquisition will give Deepwatch's internal SOC operations and customers better tools around automation, compliance reporting, and proactive security management.

Dassana's products integrate with existing security infrastructure and aggregate and normalize data from various security tools to provide a unified view of an organization's security environments. Organizations gain real-time visibility into their security posture and can apply the actionable insights to expedite remediation efforts and enhance the effectiveness of security controls. CISO Copilot automates evidence collection for compliance, allocates resources based on business impact, and accesses real-time board-level metrics, allowing CISOs to make data-driven decisions.

"By joining forces with Dassana, our mission to democratize and make our AI capabilities available to companies of all sizes has taken a giant leap forward," DiLullo said. "We believe cyber-resilience should be available to all and that everyone deserves to conduct their businesses free from the scourge of cyber attacks."

Financial details of the deal were not disclosed.

**About the Author**

Deepwatch Acquires Dassana to Boost Cyber-Resilience With AI

A new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access.

A new report reveals how inexpensive cybercrime can compromise even the most secure organizations. According to Hudson Rock, employees at key US defence entities, including the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies like the FBI, have fallen victim to Infostealer malware.

These infections expose highly sensitive data, sometimes for as little as $10, without the need for advanced hacking techniques due to the most persistent security weakness: human error.

****How Did It Get Here?****

Infostealer doesn’t rely on flashy exploits or brute force. It plays the long game, waiting for unsuspecting users to click on a malicious link or download something they shouldn’t; perhaps a game mod, pirated software, or a booby-trapped PDF. Once triggered, the malware settles in, harvesting credentials, session cookies, and sensitive files without raising any suspicion.

The result? Cybercriminals can now buy this stolen data for as little as $10 per infected computer on dark web marketplaces. Need access to a military VPN? There’s a log for that. Curious about someone’s email inbox? Easy. Want to hijack a session and bypass two-factor authentication? Consider it done.

And the scope? According to Hudson Rock’s report, over 30 million computers worldwide have been hit, with one in five holding corporate credentials. For defence employees, the consequences couldn’t be more alarming. Many of these individuals work on mission-critical projects involving advanced technologies like fighter jets, nuclear submarines, and AI systems. Their compromised devices open the door to large-scale data breaches and cyber espionage, not just for their employers but for the national security of the country they are based.

******Honeywell and the US Navy: Case Studies in Compromise******

The report offers specific examples of the damage already done. At Honeywell, a major defence contractor, nearly 400 employees were infected. This breach exposed access to internal systems, development tools, and, critically, credentials for third-party partners like Microsoft and Cisco.

The U.S. Navy is also affected, with 30 personnel having their credentials stolen. Leaked data includes access to email systems, file-sharing platforms, and military training resources. These credentials could allow attackers to move laterally through military networks, accessing sensitive training platforms or even classified systems.

This creates an opportunity for attackers to launch supply chain attacks. The interconnected nature of global supply chains means a single weak link can lead to widespread damage as described by the ethical hacker duo last week when they discovered a vulnerability in a software supply chain firm that could have had far-reaching consequences if it fell into the wrong hands.

A screenshot reveals a computer with army.mil credentials being sold for just $10 on a cybercrime marketplace. Another shows live FBI.gov cookies from an infected device belonging to an FBI employee, exposing serious security risks. (Credit: Hudson Rock)

****A Wake-Up Call for National Security****

These findings are not just limited to the United States. The National Security of any country can be jeopardised if infostealers continue to breach critical infrastructure. With infostealers like Redline, Vidar and Formbook, Fortune 500 companies to small subcontractors, everyone is a potential target.

Thomas Richards, Director of Network and Red Team Practices at Black Duck, puts it bluntly: “The latest report from Hudson Rock is incredibly concerning. The stolen data could allow an adversary to infiltrate critical networks and compromise additional systems. Immediate action, including password resets and forensic investigations, is essential to mitigate these risks.”

So what’s next? Hudson Rock’s report proves that cybersecurity is not just about firewalls and advanced technology, it is also about the human element demanding a change in focus towards employee cybersecurity training.

The extremely low cost of these Infostealers makes it clear why law enforcement agencies worldwide are determined to shut down the dark web and clearnet cybercrime markets. Nevertheless, cybersecurity isn’t a checkbox; it is a mindset. And if there’s one thing this report makes clear, it is that the time to act is now.

$10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit

Attackers are using patched bugs to potentially gain unfettered access to an organization's Windows environment under certain conditions.

Soure: T. Schneider via Shutterstock

A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment.

The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFPs' configuration.

**Complete Access to Windows Environments**

In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6) an SMB/FTP pass-back vulnerability.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear text LDAP service credentials, Heiland wrote.

CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMM or FTP authentication credentials.

All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."

**An Ideal Scenario for Threat Actors**

Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."

Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."

Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Xerox Printer Vulnerabilities Enable Credential Capture

Winnti once used a variety of malware but is now focused on SQL vulnerabilities and obfuscation, updated encryption, and new evasion methods to gain access.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

Winnti, a China-affiliated threat actor, has been linked to a new cyber campaign called RevivalStone, which has been observed targeting Japanese companies within the manufacturing, materials, and energy sectors.

Winnti has been active since at least 2012, but only started targeting Asian manufacturing and materials organizations within the past few years. 

The group's activity, according to researchers at LAC, notably overlaps with a group known as Earth Freybug, a subset of APT41, a well-known cyber espionage group.

In targeting organizations in the Asia-Pacific region, Winnti is exploiting vulnerabilities found in applications like IBM Lotus Domino to deploy malicious malware, including DEATHLOTUS, UNAPIMON, PRIVATELOG, CUNNINGPIGEON, WINDJAMMER, and SHADOWGAZE.

LAC researchers have also observed Winnti exploiting an SQL injection vulnerability in an enterprise resource planning system to drop Web shells on an infected server. Once gaining access, the threat actor collects credentials, performs reconnaissance, and delivers the Winnti malware.

This malware is an improved version, capable of expanding further to breach a managed service provider.

According to a statement by the LAC researchers, "The new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion by security products, and it is likely that this attacker group will continue to update the functions of the Winnti malware and use it in attacks."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tag

#auth