The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.

Source: Chiew via Shutterstock

Attackers are actively exploiting an authentication bypass flaw found in the Palo Alto Networks PAN-OS software that lets an unauthenticated attacker bypass authentication of that interface and invoke certain PHP scripts.

Both the Cybersecurity Infrastructure and Security Agency (CISA) and security researchers are warning of increasing attacker activity to exploit the flaw, tracked as CVE-2025-0108 and first revealed in a blog post on Feb. 12 as a zero-day flaw by researchers at Searchlight Cyber AssetNote. PAN-OS is the operating system for Palo Alto's firewall devices; the flaw affects certain versions of PAN-OS v11.2, v11.1 , v10.2, and v10.1 and has been patched for all affected versions.

Patch info is available in Palo Alto's security advisory on CVE-2025-0108, which is rated as 8.8 and therefore of high severity on the CVSS. The company warned that while the PHP scripts that can be invoked do not themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further aims.

Indeed, researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.

**Active Exploitation of Palo Alto Firewalls**

Threat actors apparently got the memo on the potential for exploit, as attacks on affected devices are on the rise. As of Feb. 18, 25 malicious IPs are actively exploiting CVE-2025-0108, up from merely two the day after its discovery was made public, according to researchers at GreyNoise. The top three countries for these attacks are the US, Germany, and the Netherlands, according to a blog post on the exploitation.

"Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them," Noah Stone, head of content at GreyNoise Intelligence, wrote in the post.

The increased activity to exploit the flaw compelled the CISA to add it to the Known Exploited Vulnerabilities Catalog this week and urge those affected to apply Palo Alto's patches for affected device versions.

**Why CVE-2025-0108 in PAN-OS Exists**

The flaw exists because of a common architecture present in PAN-OS, "where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior," security researcher Adam Kues wrote in Searchlight Cyber Assenote's post.

"Fundamentally, these architectures lead to header smuggling and path confusion, which can result in many impactful bugs," he explained.

Specifically, a Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. The researchers found that when the authentication by the requester is set at the Nginx level and based on HTTP headers, the request is then reprocessed again in Apache, which may process the path or headers differently to Nginx before finally handing off the request to PHP.

"If there is a difference between what Nginx thinks our request looks like and what Apache thinks our request looks like, we could achieve an authentication bypass," Kues explained.

The risk of exploitation is greatest if a network configuration enables access to the management interface from the Internet (or any untrusted network) either directly or through a dataplane interface that includes a management interface profile, Palo Alto noted in its advisory.

**Eliminate Risk by Patching Auth Bypass Now**

Palo Alto's network devices are widely used and flaws within them are often quickly set upon by attackers, making it imperative that mitigation for CVE-2025-0108 happens sooner rather than later. The best way to eliminate the risk of exploitation completely is to apply Palo Alto's updates to affected devices, according to the CISA and researchers.

Affected organizations also can reduce this risk if network administrators ensure that only trusted internal IP addresses can access the management interface, according to Palo Alto. Defenders can discover any assets that require remediation action by visiting the Assets section of the Customer Support Portal, the company said.

Palo Alto also recommends that organizations whitelist IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the Internet.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild

Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

For the last four years, Malwarebytes has been protecting ARM-based machines running on Apple’s M-series processors. Now, we’ve expanded our protection range to include ARM-based Windows machines such as Copilot+ PCs, including Microsoft Surface Pro, Lenovo Yoga Slim and ThinkPad, and Dell Inspiron, among others. 

ARM-based chips offer advantages such as improved performance, longer battery life, lower costs, and advanced features like on-device AI processing. 

And with ARM processors gaining popularity in the PC market—projections suggest that they could have 25% market share by 2027—there is no doubt that malware creators will expand their reach into this area. 

Malwarebytes helps you get ahead of these threats. With active protection layers that defend against system vulnerabilities, malicious links, and more, Malwarebytes has you covered across your devices. 

**Where can I get it?** 

Go to the Malwarebytes website and hit the Free Download button to try it yourself, or click the button below. Our installer will automatically detect if you have an ARM device.

We recommend Windows 11 or higher for this installation, because Windows 11 has been optimized to run on ARM processors.

 Malwarebytes introduces native ARM support for Windows devices  

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straight forward for Google. As we reported in July, 2024, the tech giant said that due to feedback from authorities and other stakeholders in advertising, Google was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

> “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt upgrade that would present users with the choice of being tracked or not. By third-party cookies that is.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

*   Operating System (OS): Windows, Android, iOS, etc.
*   Browser type and version
*   IP address
*   Installed browser plugins
*   Time zone
*   Language settings
*   …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

> “Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

**What can I do?**

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

*   However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
*   Or look for anti-fingerprinting tools in the form of browser extensions
*   Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
*   Keep your browser updated, so your old version will not give away your data
*   Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

 Google now allows digital fingerprinting of its users 

The advancement of technology has also impacted sectors like gaming. Blockchain technology has surfaced as an asset that…

The advancement of technology has also impacted sectors like gaming. Blockchain technology has surfaced as an asset that provides an angle on honesty and equality in the industry. Developers are incorporating blockchain into gaming to establish a fairer setting for players. This article digs deep into how blockchain games guarantee transparency and impartiality while discussing their advantages and obstacles.

****Exploring the World of Blockchain Technology****

Blockchain is a system of distributed ledgers that records transactions on computers to prevent tampering with data and ensure transparency. Every transaction is visible to all participants involved in the process without relying on a central authority for trust among users in the system’s decentralized environment. Blockchain games are an excellent example of how this technology innovates the gaming industry.

****Exploring the Integration of Blockchain Technology****

Integrating technology into gaming means utilizing ledgers to handle game items and transactions smoothly and securely for players to have genuine ownership of digital assets like characters and weapons or skins in a game environment with verification and safeguarding through blockchain for added security measures with sustainable assurance for peer to peer trades feasible, without intermediaries involvement leading to cost savings. 

****Improving Clarity****

Blockchain technology emphasizes transparency as an element in gaming by allowing players to validate the fairness of in-game events, such as loot drops and purchases, through unchangeable records maintained by the blockchain system. This openness builds trust as players can personally verify the authenticity of game rules. 

****Making Sure Things Are Fair****

Players have always been worried about fairness in gaming! Blockchain technology tackles this problem by allowing game algorithms and results to be easily verified by all parties. To guarantee fairness in games powered by technology and to prevent any play or cheating from happening during gameplay or outcome determination processes, smart contracts are utilized to automate and enforce the rules fairly according to mutually agreed conditions with no chance for any manipulation. 

****Ensuring Honesty and Integrity****

In traditional gaming settings, cheating and fraud are issues that disrupt play for all participants involved. However, with the integration of blockchain technology, every transaction and action taken by players is meticulously documented, making it harder for individuals to engage in deceitful practices. The unchangeable nature of these records is a deterrent against cheating since tampering with past data becomes nearly impossible. This transparency ultimately promotes equality among players, ensuring a level playing field where everyone can compete fairly. 

****Securing Ownership and Assets** **

In games online, belongings usually don’t belong to the players themselves. Blockchain alters this by enabling gamers to own virtual items separately from the game creators or developers who made them in the first place. Gamers can freely sell these possessions with confidence in their ownership security. This newfound freedom enriches the gaming journey as players engage deeply with their realms. 

****The Obstacles Encountered in Blockchain Gaming****

While blockchain gaming offers advantages and opportunities for growth in the industry, it also encounters obstacles along the way. One key issue is scalability, with blockchain networks finding it challenging to handle several transactions efficiently. Moreover, the intricate nature of technology may deter gamers from embracing it fully. To overcome these challenges and gain acceptance, education and user-friendly interfaces play roles.

Blockchain also faces challenges due to its energy consumption levels. However, new technologies are being developed to address this issue and make the gaming industry more eco-friendly by adopting sustainable practices. 

****The Upcoming Trajectory of Blockchain-Based Gaming****

The outlook for games seems bright as technology progresses. Developers are expected to address existing constraints shortly to encourage wider acceptance of these games among players and enthusiasts alike. The overall gaming experience will improve and appeal to a more extensive audience base through advancements in scalability and energy conservation measures. There is potential for blockchain-based games to find their way into the mainstream market and transform the industry by introducing transparency and equity principles. 

****Final Thoughts** **

Blockchain technology promotes transparency and fairness in gaming by providing players with ownership and verifiable results in blockchain games that cultivate a fairer environment for all participants despite obstacles ahead; the promise of advancement and creativity persists substantially. Adopting this technology has the potential to revolutionize our interaction with realms and redefine our understanding of gaming by paving the way for a future where fairness and transparency reign supreme. 

1.  In Gaming Item Scams and How to Avoid Them?
2.  Exploring Data Privacy and Security in B2B Gaming Data
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  Blockchain in cybersecurity: opportunities and challenges
5.  GAM3S.GG and Immutable Partner for Web3 Gaming Expansion

How Blockchain Games Ensure Transparency and Fairness

Info stealers are thriving on Mac, with one specific variant accounting for 70% of all info stealer detections at the end of 2024.

The latest, major threats to Mac computers can steal passwords and credit card details with delicate precision, targeting victims across the internet based on their device, location, and operating system.

These are the dangers of “infostealers,” which have long plagued Windows devices but, in the past two years, have become a serious threat for Mac owners. And in 2024, one malicious program in particular is responsible for the lion’s share of infostealer activity—racking up 70% of known infostealer detections on Mac.

These findings come from the 2025 State of Malware report. While many of the threats detailed in the report target companies and businesses, this latest wave of infostealers makes no distinction between Mac computers in an office and Mac computers at home. Unlike ransomware, which is deployed against large businesses that cybercriminals hope can pay hefty ransoms, infostealers can deliver illicit gains no matter the target.

With the right cybersecurity practices, everyday Mac users can stay safe from these emerging threats.

****The threat of infostealers****

“Infostealers” are a type of malware that do exactly as they say—they steal information from people’s devices. But the variety of information that these pieces of malware can steal makes them particularly dangerous.

With stolen credit card details, hackers can attempt fraudulent purchases online. With stolen passwords, the impact is even broader; hackers could wire funds from a breached online banking account into their own, or masquerade as someone on social media to ask friends and family for money. Some infostealers don’t even require an additional step—they can take cryptocurrency directly from a victim’s online accounts. 

But there is another threat to infostealers that comes from their recent history. They are wildly adaptable.

In 2016, Malwarebytes first discovered an infostealer called TrickBot that, when implanted on a person’s device, would steal online banking credentials. But over time, the developers behind TrickBot began adding alarming new features, including the capabilities to steal Outlook credentials, disable Windows Defender, and even to download and deliver additional, separate malware onto infected devices.

By 2018, TrickBot was the largest threat to businesses.

Now, in 2025, another infostealer is raising red flags all across cyberspace, and this time, it isn’t interested in Windows devices.

****The next Mac malware****

Malware is “malicious software,” and just like legitimate software, malware has to be developed for specific operating systems. That means that, for instance, ransomware that works on a Windows laptop doesn’t automatically work on a Mac laptop, and likewise, a phishing app developed for Android devices doesn’t work on iPhones.

For years, then, a great deal of malware activity has focused on Windows devices. The common cybercriminal calculus was that, if there were more Windows users in the world, there was more reason to target those users with cyberattacks.

During this time, most Mac threats were bothersome pieces of malware that would hijack a victim’s web browser to deliver annoying ads and wayward links. But as Mac computers have become standard within businesses—and as demand for Windows computers has waned—cybercriminals have readjusted their thinking.

In 2023, a new infostealer on Mac called Atomic Stealer (AMOS) made its debut, and since its launch, it has not only showcased new features—much like TrickBot—it has also been gussied up with some of the markings of a legitimate business.  

For instance, AMOS can be “licensed” out to other cybercriminals, much like how genuine companies offer their own software for a monthly subscription price. For AMOS, that price was initially $1,000 a month, and with that access, cybercriminals didn’t just buy a productivity tool or communications app, they bought access to an information stealer that can crack into Mac computers to steal a variety of sensitive information.

By January 2024, AMOS had increased its price to $3,000 a month. The developers ran a holiday promotion—seriously—and even released an AMOS update that would better obfuscate the infostealer from being detected by cybersecurity software.

But in the world of cybercrime, malware _features_ only mean so much. Another important piece of cybercrime is getting malware _onto_ a device to begin with. And in 2023, malware delivery evolved hand-in-hand with Mac infostealers.

Rather than trying to deliver malware through clumsy email attachments, cybercriminals have recently turned to “malicious advertising” or “malvertising.” This means that cybercriminals will create bogus versions of websites that will rank highly during regular Google searches, tempting victims into clicking the first, ad-supported link they see online, and unknowingly reaching a website controlled entirely by cybercriminals.

On these websites, cybercriminals advertise a piece of high-demand software and trick users into a download. But instead of receiving the desired software, victims receive, in these cases, infostealers.

This one-two punch of malvertising and advanced infostealers paved the way last year for the next, big Mac threat, called Poseidon.

As we warned in the State of Malware report:

> “Poseidon boasts that it can steal cryptocurrency from over 160 different wallets, and passwords from web browsers, the Bitwarden and KeePassXC password managers, the FileZilla file transfer app, and VPN configurations including Fortinet and OpenVPN.”

Poseidon is the most active infostealer on Mac today, and it accounted for 70% of all infostealer detections on Mac in the final months of 2024, an impressive feat considering the malware barely launched last summer.

Interestingly, Poseidon is just another “fork” of AMOS, meaning that another hacker took AMOS, built upon it, and released it in the wild. Already, Malwarebytes has uncovered consumer-targeted campaigns to infect Mac owners with Poseidon, including a malvertising website disguising Poseidon behind a download for a buzzy new web browser called Arc.

Poseidon represents a sea change in Mac malware, and with the type of advanced targeting that cybercriminals can achieve through malvertising—hackers can target malicious ads based on a potential victim’s location, operating system, software, and search terms—Mac users must be on watch.

****How to stay safe****

In 2025, Mac users don’t need to just watch out for infostealers. They also have to watch out for malvertising in general, as cybercriminals use the malware delivery method for all sorts of threats online.

Here’s how you can stay safe:

*   Use cybersecurity software that offers always-on protection against Mac malware including infostealers, adware, and the rare instances of ransomware.
*   Use Malwarebytes Browser Guard to securely browse the web and to be notified when visiting known, malicious websites that are in control of cybercriminals.
*   Beware the first, ad-supported result on Google searches and other search engines. Cybercriminals have successfully placed their own, malicious ads in these top rankings to trick victims into downloading malware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Macs targeted by infostealers in new era of cyberthreats 

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update…

Xerox Versalink printers are vulnerable to pass-back attacks. Rapid7 discovers LDAP & SMB flaws (CVE-2024-12510 & CVE-2024-12511). Update firmware now!

Rapid7 researchers uncovered security weaknesses in Xerox Versalink C7025 multifunction printers, specifically models running firmware version 57.69.91 and earlier. These vulnerabilities designated CVE-2024-12510 and CVE-2024-12511, expose the devices to “pass-back” attacks.

According to Rapid7’s research shared with Hackread.com, these are a type of attacks that allow a malicious actor who has compromised the printer’s administrative functions to redirect authentication requests to a system under their control. This can be achieved by altering settings related to services like Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB), and File Transfer Protocol (FTP).

The LDAP vulnerability allows an attacker to modify the LDAP server’s IP address within the printer’s configuration. By then triggering an LDAP lookup, the printer unwittingly sends authentication credentials to the attacker’s rogue server. The attacker can then capture these credentials in clear text. Similarly, the SMB/FTP vulnerability allows modification of the SMB or FTP server’s IP address in the user’s address book configuration.  

The image illustrates how an attacker might manipulate the server IP address to redirect authentication attempts to a rogue server, thereby stealing the credentials. Predefined login credentials, with the username “MFPservice,” are used for authentication.

While the password itself is obscured, its presence indicates that the printer is configured to authenticate to the LDAP server, a detail central to the pass-back vulnerability where these credentials could be captured by an attacker.

Source: Rapid7

This can be exploited by triggering a scan-to-file operation, which sends authentication credentials to the attacker-controlled server. In the case of SMB, this could expose NetNTLMV2 handshakes, potentially allowing further compromise of Active Directory file servers. For FTP, credentials would be transmitted in clear text.

Successful exploitation of these vulnerabilities requires either administrative access to the printer’s settings or, in some cases, physical access to the console or remote access via the web interface if user-level remote control is enabled. 

The impact of these vulnerabilities is significant, as attackers could potentially gain access to sensitive credentials, including those for Windows Active Directory. This could enable lateral movement within a network, compromising critical servers and systems.

Rapid7 responsibly disclosed these vulnerabilities to Xerox, coordinating the disclosure timeline and working with the vendor to confirm the effectiveness of the patches. Organizations using affected Xerox Versalink printers should immediately upgrade to the latest patched firmware version.

In case immediate patching is not feasible, it is recommended to set a strong and unique password for the printer’s administrative account, avoid the use of domain administrator accounts for LDAP or scan-to-file services, and disable remote console access for unauthenticated users.

Xerox Versalink Printers Vulnerabilities Could Let Hackers Steal Credentials

A new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access.

A new report reveals how inexpensive cybercrime can compromise even the most secure organizations. According to Hudson Rock, employees at key US defence entities, including the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies like the FBI, have fallen victim to Infostealer malware.

These infections expose highly sensitive data, sometimes for as little as $10, without the need for advanced hacking techniques due to the most persistent security weakness: human error.

****How Did It Get Here?****

Infostealer doesn’t rely on flashy exploits or brute force. It plays the long game, waiting for unsuspecting users to click on a malicious link or download something they shouldn’t; perhaps a game mod, pirated software, or a booby-trapped PDF. Once triggered, the malware settles in, harvesting credentials, session cookies, and sensitive files without raising any suspicion.

The result? Cybercriminals can now buy this stolen data for as little as $10 per infected computer on dark web marketplaces. Need access to a military VPN? There’s a log for that. Curious about someone’s email inbox? Easy. Want to hijack a session and bypass two-factor authentication? Consider it done.

And the scope? According to Hudson Rock’s report, over 30 million computers worldwide have been hit, with one in five holding corporate credentials. For defence employees, the consequences couldn’t be more alarming. Many of these individuals work on mission-critical projects involving advanced technologies like fighter jets, nuclear submarines, and AI systems. Their compromised devices open the door to large-scale data breaches and cyber espionage, not just for their employers but for the national security of the country they are based.

******Honeywell and the US Navy: Case Studies in Compromise******

The report offers specific examples of the damage already done. At Honeywell, a major defence contractor, nearly 400 employees were infected. This breach exposed access to internal systems, development tools, and, critically, credentials for third-party partners like Microsoft and Cisco.

The U.S. Navy is also affected, with 30 personnel having their credentials stolen. Leaked data includes access to email systems, file-sharing platforms, and military training resources. These credentials could allow attackers to move laterally through military networks, accessing sensitive training platforms or even classified systems.

This creates an opportunity for attackers to launch supply chain attacks. The interconnected nature of global supply chains means a single weak link can lead to widespread damage as described by the ethical hacker duo last week when they discovered a vulnerability in a software supply chain firm that could have had far-reaching consequences if it fell into the wrong hands.

A screenshot reveals a computer with army.mil credentials being sold for just $10 on a cybercrime marketplace. Another shows live FBI.gov cookies from an infected device belonging to an FBI employee, exposing serious security risks. (Credit: Hudson Rock)

****A Wake-Up Call for National Security****

These findings are not just limited to the United States. The National Security of any country can be jeopardised if infostealers continue to breach critical infrastructure. With infostealers like Redline, Vidar and Formbook, Fortune 500 companies to small subcontractors, everyone is a potential target.

Thomas Richards, Director of Network and Red Team Practices at Black Duck, puts it bluntly: “The latest report from Hudson Rock is incredibly concerning. The stolen data could allow an adversary to infiltrate critical networks and compromise additional systems. Immediate action, including password resets and forensic investigations, is essential to mitigate these risks.”

So what’s next? Hudson Rock’s report proves that cybersecurity is not just about firewalls and advanced technology, it is also about the human element demanding a change in focus towards employee cybersecurity training.

The extremely low cost of these Infostealers makes it clear why law enforcement agencies worldwide are determined to shut down the dark web and clearnet cybercrime markets. Nevertheless, cybersecurity isn’t a checkbox; it is a mindset. And if there’s one thing this report makes clear, it is that the time to act is now.

$10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit

Attackers are using patched bugs to potentially gain unfettered access to an organization's Windows environment under certain conditions.

Soure: T. Schneider via Shutterstock

A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment.

The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFPs' configuration.

**Complete Access to Windows Environments**

In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6) an SMB/FTP pass-back vulnerability.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear text LDAP service credentials, Heiland wrote.

CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMM or FTP authentication credentials.

All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."

**An Ideal Scenario for Threat Actors**

Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."

Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."

Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Xerox Printer Vulnerabilities Enable Credential Capture

Winnti once used a variety of malware but is now focused on SQL vulnerabilities and obfuscation, updated encryption, and new evasion methods to gain access.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

Winnti, a China-affiliated threat actor, has been linked to a new cyber campaign called RevivalStone, which has been observed targeting Japanese companies within the manufacturing, materials, and energy sectors.

Winnti has been active since at least 2012, but only started targeting Asian manufacturing and materials organizations within the past few years. 

The group's activity, according to researchers at LAC, notably overlaps with a group known as Earth Freybug, a subset of APT41, a well-known cyber espionage group.

In targeting organizations in the Asia-Pacific region, Winnti is exploiting vulnerabilities found in applications like IBM Lotus Domino to deploy malicious malware, including DEATHLOTUS, UNAPIMON, PRIVATELOG, CUNNINGPIGEON, WINDJAMMER, and SHADOWGAZE.

LAC researchers have also observed Winnti exploiting an SQL injection vulnerability in an enterprise resource planning system to drop Web shells on an infected server. Once gaining access, the threat actor collects credentials, performs reconnaissance, and delivers the Winnti malware.

This malware is an improved version, capable of expanding further to breach a managed service provider.

According to a statement by the LAC researchers, "The new Winnti malware has been implemented with features such as obfuscation, updated encryption algorithms, and evasion by security products, and it is likely that this attacker group will continue to update the functions of the Winnti malware and use it in attacks."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

China-Linked Threat Group Targets Japanese Orgs' Servers

PRESS RELEASE

BOSTON, Feb. 13, 2025 (GLOBE NEWSWIRE) -- Thrive, a global technology outsourcing provider for cybersecurity, Cloud, and IT managed services, today announced the acquisition of Secured Network Services (SNS), a leading New Hampshire-based IT provider for organizations across industries, including healthcare, non-profit, and municipal government. The acquisition will enable Thrive to enter the New Hampshire market to deepen its presence in New England, bringing its industry-leading global Security Operation Center (SOC) & Hybrid Cloud solutions to SNS’ customers.

Cyber regulations are continuing to get more complex across industries – for example, the Health Insurance Portability and Accountability Act (HIPAA) is facing several proposed changes to its Privacy and Security rules in 2025. With the acquisition of SNS, Thrive will deepen its vertical industry knowledge, ensuring healthcare, non-profit, and government customers are backed with the latest industry insights to navigate these challenging landscapes. Together, Thrive and SNS will enable customers in New Hampshire and beyond to have access to industry-leading resources and Thrive’s global high-touch 24x7x365 service mandate.

“SNS’ similar philosophy of providing the highest caliber of technical expertise and unwavering dedication to customers greatly resonated with us,” said Bill McLaughlin, CEO of Thrive. “Coupled with their deep vertical knowledge, SNS will ensure we continue delivering the best technology solutions to businesses across industries.”

This acquisition builds upon Thrive’s tremendous growth, having completed eleven previous acquisitions over the past two years, most recently acquiring Michigan-based Safety Net and North Carolina-based The Longleaf Network. Along with geographic expansion, Thrive also received a strategic investment from Berkshire Partners and Court Square Capital Partners to continue scaling the capabilities of the company.

“Our team is excited to accelerate our growth and enable our customers to have access to Thrive’s NextGen solutions,” Kevin M. Low, Founder & CEO at SNS. “Our mission of helping businesses get the most from their technology aligns seamlessly with Thrive’s dedication to delivering outsized ROI and the best technology outcomes for each customer. We look forward to advancing our capabilities to better help our customers navigate the complex IT landscape with Thrive’s partnership.”

To learn more about Thrive and its offerings, visit the website.  

About Thrive    
Thrive delivers global technology outsourcing for cybersecurity, Cloud, networking, and other complex IT requirements. Thrive’s NextGen platform enables customers to increase business efficiencies through standardization, scalability, and automation, delivering oversized technology returns on investment (ROI). They accomplish this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform. Thrive delivers exceptional high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com or follow us on LinkedIn.

Tag

#web