The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.

Source: Chiew via Shutterstock

Attackers are actively exploiting an authentication bypass flaw found in the Palo Alto Networks PAN-OS software that lets an unauthenticated attacker bypass authentication of that interface and invoke certain PHP scripts.

Both the Cybersecurity Infrastructure and Security Agency (CISA) and security researchers are warning of increasing attacker activity to exploit the flaw, tracked as CVE-2025-0108 and first revealed in a blog post on Feb. 12 as a zero-day flaw by researchers at Searchlight Cyber AssetNote. PAN-OS is the operating system for Palo Alto's firewall devices; the flaw affects certain versions of PAN-OS v11.2, v11.1 , v10.2, and v10.1 and has been patched for all affected versions.

Patch info is available in Palo Alto's security advisory on CVE-2025-0108, which is rated as 8.8 and therefore of high severity on the CVSS. The company warned that while the PHP scripts that can be invoked do not themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further aims.

Indeed, researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.

**Active Exploitation of Palo Alto Firewalls**

Threat actors apparently got the memo on the potential for exploit, as attacks on affected devices are on the rise. As of Feb. 18, 25 malicious IPs are actively exploiting CVE-2025-0108, up from merely two the day after its discovery was made public, according to researchers at GreyNoise. The top three countries for these attacks are the US, Germany, and the Netherlands, according to a blog post on the exploitation.

"Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them," Noah Stone, head of content at GreyNoise Intelligence, wrote in the post.

The increased activity to exploit the flaw compelled the CISA to add it to the Known Exploited Vulnerabilities Catalog this week and urge those affected to apply Palo Alto's patches for affected device versions.

**Why CVE-2025-0108 in PAN-OS Exists**

The flaw exists because of a common architecture present in PAN-OS, "where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior," security researcher Adam Kues wrote in Searchlight Cyber Assenote's post.

"Fundamentally, these architectures lead to header smuggling and path confusion, which can result in many impactful bugs," he explained.

Specifically, a Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. The researchers found that when the authentication by the requester is set at the Nginx level and based on HTTP headers, the request is then reprocessed again in Apache, which may process the path or headers differently to Nginx before finally handing off the request to PHP.

"If there is a difference between what Nginx thinks our request looks like and what Apache thinks our request looks like, we could achieve an authentication bypass," Kues explained.

The risk of exploitation is greatest if a network configuration enables access to the management interface from the Internet (or any untrusted network) either directly or through a dataplane interface that includes a management interface profile, Palo Alto noted in its advisory.

**Eliminate Risk by Patching Auth Bypass Now**

Palo Alto's network devices are widely used and flaws within them are often quickly set upon by attackers, making it imperative that mitigation for CVE-2025-0108 happens sooner rather than later. The best way to eliminate the risk of exploitation completely is to apply Palo Alto's updates to affected devices, according to the CISA and researchers.

Affected organizations also can reduce this risk if network administrators ensure that only trusted internal IP addresses can access the management interface, according to Palo Alto. Defenders can discover any assets that require remediation action by visiting the Assets section of the Customer Support Portal, the company said.

Palo Alto also recommends that organizations whitelist IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the Internet.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild

A new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access.

A new report reveals how inexpensive cybercrime can compromise even the most secure organizations. According to Hudson Rock, employees at key US defence entities, including the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies like the FBI, have fallen victim to Infostealer malware.

These infections expose highly sensitive data, sometimes for as little as $10, without the need for advanced hacking techniques due to the most persistent security weakness: human error.

****How Did It Get Here?****

Infostealer doesn’t rely on flashy exploits or brute force. It plays the long game, waiting for unsuspecting users to click on a malicious link or download something they shouldn’t; perhaps a game mod, pirated software, or a booby-trapped PDF. Once triggered, the malware settles in, harvesting credentials, session cookies, and sensitive files without raising any suspicion.

The result? Cybercriminals can now buy this stolen data for as little as $10 per infected computer on dark web marketplaces. Need access to a military VPN? There’s a log for that. Curious about someone’s email inbox? Easy. Want to hijack a session and bypass two-factor authentication? Consider it done.

And the scope? According to Hudson Rock’s report, over 30 million computers worldwide have been hit, with one in five holding corporate credentials. For defence employees, the consequences couldn’t be more alarming. Many of these individuals work on mission-critical projects involving advanced technologies like fighter jets, nuclear submarines, and AI systems. Their compromised devices open the door to large-scale data breaches and cyber espionage, not just for their employers but for the national security of the country they are based.

******Honeywell and the US Navy: Case Studies in Compromise******

The report offers specific examples of the damage already done. At Honeywell, a major defence contractor, nearly 400 employees were infected. This breach exposed access to internal systems, development tools, and, critically, credentials for third-party partners like Microsoft and Cisco.

The U.S. Navy is also affected, with 30 personnel having their credentials stolen. Leaked data includes access to email systems, file-sharing platforms, and military training resources. These credentials could allow attackers to move laterally through military networks, accessing sensitive training platforms or even classified systems.

This creates an opportunity for attackers to launch supply chain attacks. The interconnected nature of global supply chains means a single weak link can lead to widespread damage as described by the ethical hacker duo last week when they discovered a vulnerability in a software supply chain firm that could have had far-reaching consequences if it fell into the wrong hands.

A screenshot reveals a computer with army.mil credentials being sold for just $10 on a cybercrime marketplace. Another shows live FBI.gov cookies from an infected device belonging to an FBI employee, exposing serious security risks. (Credit: Hudson Rock)

****A Wake-Up Call for National Security****

These findings are not just limited to the United States. The National Security of any country can be jeopardised if infostealers continue to breach critical infrastructure. With infostealers like Redline, Vidar and Formbook, Fortune 500 companies to small subcontractors, everyone is a potential target.

Thomas Richards, Director of Network and Red Team Practices at Black Duck, puts it bluntly: “The latest report from Hudson Rock is incredibly concerning. The stolen data could allow an adversary to infiltrate critical networks and compromise additional systems. Immediate action, including password resets and forensic investigations, is essential to mitigate these risks.”

So what’s next? Hudson Rock’s report proves that cybersecurity is not just about firewalls and advanced technology, it is also about the human element demanding a change in focus towards employee cybersecurity training.

The extremely low cost of these Infostealers makes it clear why law enforcement agencies worldwide are determined to shut down the dark web and clearnet cybercrime markets. Nevertheless, cybersecurity isn’t a checkbox; it is a mindset. And if there’s one thing this report makes clear, it is that the time to act is now.

$10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Credible Security's founders bring their varied experiences to help growing companies turn trust into a strategic advantage.

Source: Ronstik via Alamy Stock Photo

Teaching students or learning the classics may not be the typical career path for cybersecurity professionals, but the founders of independent security consultancy Credible Security believe a diversity of backgrounds can be a superpower.

"Working together has taught us that the thing that makes the difference between an acceptable and a great approach to security within any organization is not technical knowledge or skill sets or backgrounds," says co-founder Josh Yavor. Qualifications are a given, but more importantly, a security team needs leadership "empowered in the right ways with empathy and effective communication and a bias toward building relationships that are based on trust."

Yavor, along with Kim Burton and Jessica Walters, launched Credible Security at the start of 2025. The company works with business-to-business companies that offer cloud services and software-as-a-service, with a specific focus on underserved teams within organizations. That includes go-to-market teams that have public-facing functions and early-stage companies that are finding their security footing while still forming a growth strategy.

**Diversity Leads to Stronger Security Mindset**

The founding partners — "We haven't really fought over those titles yet," Yavor jokes — had worked together before at Tessian, Cisco, and Duo Security. When Proofpoint acquired Tessian in 2023, Yavor was CISO, Burton was head of trust and compliance, and Waters was senior security manager. They each had extensive security experience but had taken different paths to get there.

Prior to holding security leadership roles at Cisco Secure, Duo Security, and Facebook, Yavor was a school teacher and owned an IT consulting business. Burton studied literature and classical languages in graduate school. Walters was chief of staff of Cisco's Security Business Group team. All three say their experiences at Duo Security demonstrated the value of bringing together practitioners from different backgrounds. They stayed at Duo through its Cisco acquisition in 2018 and landed in the same team at Cisco. When Yavor joined Tessian in 2021, Burton and Walters "came over to continue the journey."

The team members' varied backgrounds "make it so that when you encounter something that you haven't seen before, everyone is able to actually relate to something that they have, in fact, experienced," Burton says. "When you have a team of people who've come from the same programs, the same location, the same ideas all the time, you actually end up with groupthink. We do not have that problem."

**Developing Strategy With a Trusted Partner**

Having different perspectives is particularly important when helping customers develop and execute their cloud strategies, according to the trio. Cloud services touch every aspect of people's lives, so B2B enterprises need to prioritize building trust with end users as part of their strategy. In the past 10 to 15 years, enterprises have made strides in thinking about risk and how to manage it, but they haven't mastered the strategy in all areas, Yavor says.

The missing part that Credible Security targets "is having consistent strategy and outcomes in evaluating and delivering trust on both sides of the equation \[end users and service providers\]," Yavor says. Trust is critical at every juncture of that pipeline; with some proactive security thinking and investment, businesses can boost results.

"We are helping our clients simplify their strategies and align them to their actual business objectives so that they have a much easier and more efficient approach to developing not just minimum viable security for whatever their product is, but actually using it as a competitive advantage as they try to earn their customers' trust and then maintain it through a long-term relationship," Yavor says.

When managing risk, many companies still conflate trust with compliance, "where you're doing checkbox exercises because you have to show up to an auditor and tell them about it. But that's a backward way of thinking about it," Burton says. Compliance is only a way to verify trustworthiness, and trust develops as consultants show that they are working with the same values and goals in mind.

"It's saying: 'Hey, how can you actually design your product and your process so that the customers that you are finding actually understand this deep-felt sense that they know you will do the best by them?'"

**'Layered Experiences'**

Another advantage Credible Security offers is the ability to tap the team's experience as both buyers of security products and on the developer side of the process.

"All three of us have these layered experiences of both things we've done or built, but then also seeing teams and brands that really showed up in a way that we would want family members to experience," Walters says. The variety of positions they have held — CISO, head of compliance, chief of staff — also give them internal perspective, Yavor adds.

"That's actually one of the most exciting differentiators about our company, that all three of us, we haven't just been in the industry, we have been in the roles that we are seeking to help," he says. "We've actually done the work."

**About the Author**

Contributing Writer, Dark Reading

Mercedes Cardona is a New York-based business journalist. She is the former editor of The Economist Group’s “Marketing Unbound” blog and WP Engine’s “Velocitize.” She also has served as the Assistant Business Editor for features at the Associated Press and Financial Editor at Advertising Age. She has contributed to books including The Advertising Age Encyclopedia of Advertising and Single Women and Money.

This Security Firm's 'Bias' Is Also Its Superpower

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   
For Snort

Friday, February 14, 2025 11:55

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.    

**ClearML XSS and information disclosure vulnerabilities **

_Discovered by Edwin Molenaar of Cisco Meraki._  

ClearML contains two vulnerabilities. ClearML is an open-source AI platform that supports the entire AI development lifecycle from research to production. It is designed to integrate with existing tools and infrastructures, allowing developers and DevOps teams to build, train and deploy models at scale. 

TALOS-2024-2110 (CVE-2024-39272) is a cross-site scripting vulnerability. A specially crafted HTTP request can allow an attacker to upload HTML files to a dataset through an existing ClearML account. The files can later be rendered within the browser of an authenticated ClearML user and execute JavaScript.  

TALOS-2024-2112 (CVE-2024-43779) is an information disclosure vulnerability. A specially crafted HTTP request can lead to an attacker reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. 

**Nvidia memory corruption and heap-based buffer overflow vulnerabilities **

_Discovered by Dimitrios Tatsis._ 

The nvJPEG2000 library is provided by NVIDIA as a high-performance JPEG2000 encoding and decoding library. The prerequisite is a CUDA enabled GPU in the system that allows faster processing than traditional CPU implementations. 

TALOS-2024-2080 (CVE-2024-0142) and  TALOS-2024-2095 (CVE-2024-0143) are memory corruption vulnerabilities. A specially crafted JPEG2000 file can lead to an out-of-bounds write with arbitrary data which can lead to further memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 

 TALOS-2024-2108 (CVE-2024-0144) and TALOS-2024-2113 (CVE-2024-0145) are heap-based buffer overflow vulnerabilities in the Ndecomp field handling and parameter. A specially crafted JPEG2000 file can lead to memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

ClearML and Nvidia vulns

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Hazel discusses Interpol’s push to rename pig butchering scams as ‘romance baiting’. Plus, catch up on the latest vulnerability research from Talos, and why a recent discovery is a “rare industry win”.

Thursday, February 13, 2025 14:05

Welcome to this week’s edition of the Threat Source Newsletter.

Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?

You may be seeing a lot of ‘Beware of romance/ pig butchering scams’ articles around Valentines Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”. 

I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.

In a statement, Interpol explained their reasoning:

_"The term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,"_

Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it). 

By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:

_"Words matter. We've seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud," INTERPOL Acting Executive Director of Police Services Cyril Gout said._

_"It's time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes."_

I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better. 

What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?

**The one big thing**

In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: IPP over USB specification, which defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality. 

The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.

**Why do I care?**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY\_SOURCE, saved the day.

**So now what?**

The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.

**Top security headlines of the week**

Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).

Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)

Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).

Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).

**Can't get enough Talos?**

Google Cloud Platform Data Destruction via Cloud Build

Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 

Catch up on the latest Talos Takes podcast:

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025) San Francisco, CA

TIPS 2025 (May 14-15, 2025) Arlington, VA

**Most prevalent malware files from Talos telemetry over the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 MD5: 7bdbd180c081fa63ca94f9c22c457376 VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A 

Detection Name: Trojan.GenericKD.33515991

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA-256: 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1

MD5: 35f8db3dde368c6d25239d27fd79a4a7

VirusTotal: https://www.virustotal.com/gui/file/6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1/details

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: easysmartpdf.msi

Changing the narrative on pig butchering scams

Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.

When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.

Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED.

“They’re super active, and they continue to be super active,” says Levi Gundert, who leads Recorded Future's research team known as Insikt Group. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”

To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim's network.

“Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,” Gundert says.

Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.

When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.

Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That's in part because those network devices lack many of the security controls and monitoring software that's been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.

That Salt Typhoon continues to carry out business as usual is nonetheless notable, Recorded Future's analysts say. The group's activities have been exposed in the media, in government reports and announcements issued by the FCC, CISA, and the White House, even in sanctions issued by the US Treasury. But that hasn't caused the hackers to change course. On January 17, Treasury sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm allegedly linked to Salt Typhoon's operations. And yet, Gundert says, Recorded Future hasn't seen any cessation or slowdown of the hackers' activities even since that date.

“That's the disappointing part about this,” says Gundert. “Even with all the attention, we haven't observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.”

After Salt Typhoon's hacking campaign targeting US telecom networks came to light last fall, then FBI director Christopher Wray described the phone company breaches as China's “most significant cyber-espionage campaign in history.” The intrusions, which in some cases exploited the wiretap mechanisms built into telecoms for law enforcement use, prompted CISA and FBI officials to go so far as to recommend that Americans use end-to-end encrypted communication apps like Signal and WhatsApp to avoid leaving their texts and calls vulnerable to China's real-time spying.

In this latest rash of intrusions, Recorded Future says it's seen the Chinese hackers break into not only the US internet service provider and telecommunications firm and a US affiliate of a UK telecom, but also telecoms in South Africa and Thailand and an internet service provider in Italy, though it declined to name any of those victims. It's also seen the group target a broader range of universities around the world for apparent espionage, including in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US—including the University of California, California State, Utah Tech, and Loyola University.

Recorded Future says it was able to gain visibility into those intrusions by identifying command-and-control infrastructure used by Salt Typhoon, though it didn't further explain its methodology. The company's analysts note that there may well be other parts of the group's hacking campaign—and other victims—that it hasn't discovered.

“They've only gotten more bold,” says Jon Condra, another Recorded Future analyst. “I strongly suspect it's much larger than what we’ve seen.”

China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.

Source: Alexey Krukovski via Alamy Stock Photo

The US government has joined Australia and the UK in sanctioning a Russia-based bulletproof hosting (BPH) services provider and two of its administrators for the company's role in supporting LockBit ransomware attacks. The move is a continuation of a barrage of law-enforcement actions against the Russia-based cybercriminal organization.

The Department of the Treasury's Office of Foreign Assets Control (OFAC), Australia's Department of Foreign Affairs and Trade, and the United Kingdom's Foreign Commonwealth and Development Office jointly sanctioned Zservers, based in Barnaul, Russia, for enabling "ransomware attacks and other criminal activity," the Treasury Department revealed in a press release Feb. 11. That illicit activity specifically centers on providing the infrastructure to facilitate attacks by LockBit, a prolific Russian-based ransomware-as-a-service (RaaS) group, according to the release.

The latest sanctions against Zservers are a continuation of multinational law-enforcement actions aimed at putting LockBit — which has committed severely disruptive ransomware attacks against numerous global organizations — permanently out of commission.

Specifically, they follow four LockBit-related arrests and device seizures made in October by Europol and Eurojust, which at the time also sanctioned and named as a LockBit affiliate Aleksandr Ryzhenkov (aka Beverley). Ryzhenkov was once second-in-command for the infamous Evil Corp cybercrime organization. Officials also arrested one of LockBit's lead developers in Israel last August, while a separate action by Australia sanctioned LockBit's head honcho, LockBitSupp (aka Dmitry Yuryevich Khoroshev), in May 2024.

Related:President Trump to Nominate Former RNC Official as National Cyber Director

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on Us and international critical infrastructure," Bradley T. Smith, the Treasury Department's acting under secretary for terrorism and financial intelligence, said in a press statement. The sanctions demonstrate the US government's "collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security," he added.

**LockBit Investigation Trail Leads to Zservers**

Law enforcement investigating LockBit discovered the criminal activity of Zservers after the company advertised its BPH services on known cybercriminal forums, according to the Treasury Department. BPH service providers sell access to specialized servers and other computer infrastructure designed to evade detection and thus defy law enforcement attempts to disrupt malicious activities.

Related:Content Credentials Technology Verifies Image, Video Authenticity

Allegedly, Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks, according to international law enforcement, which collected evidence over several years to come to this conclusion.

During a 2022 search of a known LockBit affiliate, Canadian law enforcement uncovered a laptop operating a virtual machine connected to a Zservers' subleased IP address and running a programming interface used to operate LockBit malware. Also that year, a Russian cybercriminal purchased IP addresses from Zservers, which the department said was likely for use to power LockBit chat servers to discuss ransomware operations. In 2023, Zservers also leased infrastructure, including a Russian IP address, to a LockBit affiliate, the department said.

**Do Anti-Russian Sanctions Work?**

The idea behind government sanctions is to prohibit companies in certain countries from doing business with people involved in cybercriminal activity with the aim of deterring that activity. However, given the resilience of professional ransomware and other cybercriminal groups, experts have mixed opinions on whether this strategy actually works in the long run.

Related:India's Cybercrime Problems Grow as Nation Digitizes

"It is important to acknowledge that although sanctions might impede ransomware operations by targeting their infrastructure, ransomware groups such as LockBit are highly adaptive and well-connected, and will likely have other providers they're able to call on," says Andrew Costis, engineering manager of the Adversary Research Team at security firm AttackIQ.

However, sanctions should make it more difficult for cybercriminals to operate by increasing their costs and forcing attackers to find less effective methods to commit ransomware attacks, another security expert says. This can serve to at least slow them down if not totally put them out of service, notes Randolph Barr, CISO at security firm Cequence.

"The recently announced sanctions and law enforcement actions against Zservers will aid in disrupting ransomware groups by targeting their infrastructure, seizing servers, and blocking financial transactions," he says.

Still, sanctions alone may not necessarily disrupt LockBit and other ransomware groups entirely, meaning that organizations must remain vigilant, Barr says. "As threat actors adapt, companies must continue improving incident management and include ransomware scenarios in their preparedness exercises," he notes.

Indeed, Costis says, given the adaptability of RaaS and its network of affiliates in particular, "organizations must stay vigilant and focus on the latest tactics, techniques, and procedures (TTPs) attackers deploy, to stay ahead of ever-changing threats."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Sanction Russian Hosting Provider for Supporting LockBit Attacks

Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.”

Tuesday, February 11, 2025 14:24

Microsoft has released its monthly security update for February of 2025 which includes 63 vulnerabilities affecting a range of products, including 4 that Microsoft marked as “critical” and one marked as "moderate."

There are two notable "critical" vulnerabilities. The first is CVE-2025-21376, which is a remote code execution (RCE) vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP). This vulnerability is a remote unauthenticated Out-of-bounds Write (OOBW) caused by a race condition in LDAP and could potentially result in arbitrary code execution in the Local Security Authority Subsystem Service (lsass.exe). This is a process in the Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. Successful exploitation of this vulnerability requires an attacker to win a race condition. CVE-2025-21376 has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-21379 is another notable critical remote code execution vulnerability. It was found in the DHCP Client Service and was also patched this month. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This vulnerability has been assigned a CVSS 3.1 score of 7.1 and is considered "less likely to be exploited” by Microsoft.

CVE-2025-21177 is a critical privilege escalation vulnerability in the Microsoft Dynamics 365 Sales customer relationship management (CRM) software. A Server-Side Request Forgery (SSRF) allows an authorized attacker to elevate privileges over a network.

CVE-2025-21381 is a critical remote code execution vulnerability affecting Microsoft Excel and could enable an attacker to execute arbitrary code on vulnerable systems. This vulnerability could be triggered via the preview pane in affected applications. This vulnerability has been listed "less likely to be exploited" by Microsoft.

CVE-2025-21368 and CVE-2025-21369 are RCE vulnerabilities flagged "important" by Microsoft. They have a CVS 3.1 score of 8.8. To successfully exploit one of these remote code execution vulnerability, an attacker could send a malicious logon request to the target domain controller. Any authenticated attacker could trigger these vulnerabilities. It does not require admin or other elevated privileges.

CVE-2025-21400 is also an RCE vulnerability flagged "important" by Microsoft, affecting the Microsoft SharePoint Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This attack requires a client to connect to a malicious server and could allow an attacker to gain code execution on the client. Microsoft considers this vulnerability as "more likely to be exploited".

CVE-2025-21391 and CVE-2025-21418 are the only vulnerabilities this month which are known to be exploited in the wild. Both are privilege elevation vulnerabilities. An attacker can use CVE-2025-21391 to delete critical system files. CVE-2025-21418, nestled within the Ancillary Function Driver (AFD), exposes a pathway to local privilege escalation through the Winsock API. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.

Talos would also like to highlight the following vulnerabilities that Microsoft considers to be “important”:   

*   CVE-2025-21190 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21198 Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
*   CVE-2025-21200 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21201 Windows Telephony Server Remote Code Execution Vulnerability
*   CVE-2025-21208 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
*   CVE-2025-21371 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21406 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21407 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21410 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 62022, 62023, 64529-64532, 64537, 64539-64542, 64545. There are also these Snort 3 rules: 300612, 301136, 301137, 301139, 301140.

Tag

#cisco