Malware

Security Advisory

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEMD-link
SeverityMedium
CVSS Score6.5
CVEsCVE-2025-46176
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Hardcoded Telnet Credentials vulnerability  CVE-2025-46176D-Link Router  MediumNo official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-46176D-Link DIR-605L v2.13B01, DIR-816L v2.06B01Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.      RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

  • Disable Telnet access via the router’s web interface.
  • Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

  • Restrict WAN access to management interfaces.
  • Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. 

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Security Advisory

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately. 

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet. 
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access. 
  • Malware Capabilities
  • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes. 
  • Opens ports to act as proxy relays. 
  • Enables the sale of infected routers as “proxy-as-a-service” infrastructure. 

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200 
  • E2500 
  • E1000 
  • E4200 
  • E1500 
  • E300 
  • E3200 
  • WRT320N 
  • E1550 
  • WRT610N 
  • E100 
  • M10 
  • WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 

Name Hash 
0_forumdisplay-php_sh_gn-37-sh 661880986a026eb74397c334596a2762 
1_banana.gif_to_elf_t 62204e3d5de02e40e9f2c51eb991f4e8 
2_multiquote_off.gif_to_elf_gn-p_forward- 
hw-data-to-exploit-server 		9f0f0632b8c37746e739fe61f373f795 
3_collapse_tcat_gif_sh_s3-sh 22f1f4c46ac53366582e8c023dab4771 
4_message_gif_to_elf_k cffe06b0adcc58e730e74ddf7d0b4bb8 
5_viewpost_gif_to_elf_s 084802b4b893c482c94d20b55bfea47d 
6_vk_gif_to_elf_b e9eba0b62506645ebfd64becdd4f16fc 
7_slack_gif_DATA 41e8ece38086156959804becaaee8985 
8_share_gif_DATA 1f7b16992651632750e7e04edd00a45e 
banana.gif-upx 2667a50869c816fa61d432781c731ed2 
message.gif-upx 0bc534365fa55ac055365d3c31843de7 

Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References


Blogs

Intruder Alert! Security Breach Leading to Data Breach

Recently 2.9 billion records of data stolen in cyber breach from National Public Data that includes Social Security numbers. Cyber experts assume that sensitive information including Social Security numbers for millions of people could be in the hands of a hacking group.

Reports suggest that after the breach occurred the data may have been released on an online marketplace or dark web.

What does this mean and how does organizations fight to save their clients and brand value?

It is a big question and something that can give restlessness to CISO’s and security teams. The results of breach remains for months and the impact too. This can result in financial losses and if hackers can have unauthorized access to online accounts or financial documents, the result is far reaching.

What it can do is first damage the brand value and result in expenses incurred from investigations.

This include legal fees for lawyers and if suit is bought by any customer or client and goes up to customer notification including compensation, fines.

Loosing brand value due to breach affects regaining the confidence of customers or partners and clients. This is long term as chance of possible loss of business opportunities and lasting reputational damage exist.

Gaining unauthorized access to a device or system leads to security breach and that leads to data breach or other malicious activity and as we know the devastating consequences for organizations at large. Now this can be defined as being over powering and surpassing all security measures that protect data or network systems of the organization including physical hardware assets.

Mostly we are accustomed with few names as

Malware: The attacker infects a system with malware that’s designed to steal sensitive data, hijack system resources.

Phishing: This technique involves a seemingly legitimate email or text or fake websites that come in surface as a scam

Physical asset: Sometimes  attackers gets involved in stealing or meddling with a piece of organizations assets if he can hold on the equipment, tool to get access in enterprise system and steal data.

Breach details of national Public Data:

The hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, reported by Bloomberg Law. The breach was believed to have happened in or around April, according to the lawsuit.

One major aspect of the breach is the data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

(Source: www.usatoday.com)

In recent years, plenty of high-profile examples of security breaches have captured public attention . One security breach that actually captured attention was the Nvidia breach in 2022.

Nvidia, a major chip manufacturer, experienced a cyberattack where up to 1TB of data was stolen, including employee credentials and proprietary information.

The impact was that Hackers demanded Nvidia remove limitations on its GPUs, and internal source code was leaked. The company had to take several security measures to mitigate further damage.

This incident proved that hackers and cybercriminals are in equal terms powerful in their methods and tactics as cyber security teams . Each hacker pushed the boundaries of what was thought possible in the cyber world and their actions have had far-reaching consequences.

They targeted financial institutions and government agencies to exposing vulnerabilities in national defense systems. These incidents have served as wake-up calls, highlighting the critical need for robust cybersecurity measures and a better understanding of digital ethics and law

Preventing security breach:

Enterprise and security teams at times may take more time to rectify or better to prevent a security breach than to resolve one after it occurs. Though not all security breaches are avoidable, applying a few tried-and-tested best practices is always on the cards.

Tips for Best practices for preventing data breaches

Data breach prevention requires a comprehensive, proactive approach and a enterprise level if ots followed its better for security measure to remain strong that are being implemented.

  • A secure coding principles in best practice strategy: Writing secure code involves following best practices such as avoiding hardcoded credentials, implementing input validation, and ensuring proper data encryption. This way organization can reduce vulnerabilities that attackers might exploit.
  • Conducting Regular security audits: Conducting penetration testing and threat modeling helps identify weaknesses in your security framework and routine security assessments to mitigate potential threats.
  • Implementing practices with DevSecOps: Embedding security into the SDLC ensures security considerations are addressed at every stage of development. By integrating application security testing and practices like shift left testing into software development workflows, organizations can identify and fix vulnerabilities early in the process.
  • Creating incident response plans: Having a clear incident response plan allows organizations to detect, contain, and mitigate security breaches more efficiently. Security teams get enough time and  can respond quickly to security incidents, minimizing damage and reducing downtime.
  • Security training for Teams : Educating development teams on cybersecurity best practices helps them recognize threats and implement secure coding practices. Security teams should stay updated on emerging threats and modern security measures.

Protect yourself with GaarudNode from Intruceptlabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

  • Our Platform:
    • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
    • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
    • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
    • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Do connect or DM for queries

(Sources:https://www.ibm.com/think/news/national-public-data-breach-publishes-private-data-billions-us-citizens)

Blogs

Android Malware Crocodilus; Threat for cryptocurrency wallet Users

Crocodilus is a new banking malware that evades detection from Google’s play protect.

The Android malware has been specifically targeting to steal sensitive cryptocurrency wallet credentials through social engineering. Its convincing overlay screen warns users to back up their wallet key within 12 hours or risk losing access says security researchers.

Why threat researchers call this trojan ?

Crocodilus includes all the necessary features of modern banking malware: overlay attacks, keylogging, remote access, and “hidden” remote control capabilities. Also the malware is distributed via a proprietary dropper that bypasses Android 13 (and later) security protections as per researchers of Threat fabric.

Unlike any banking trojan which takes over devices, Crocodilus is similar in pattern and uses tactics to load a fake overlay on top of the real app to intercept the victim’s account credentials. These are targeted mostly for banking or cryptocurrency app users.

Another data theft feature of Crocodilus is a keylogger and the malware monitors all Accessibility events and captures all the elements displayed on the screen, i.e. it is an accessibility Logger.

Intricacies of Crocodilus Malware

The modus operandi of the malware makes it easier to preform task to gains access to accessibility service, to unlock access to screen content, perform navigation gestures, monitor for app launches.

The malware also offers remote access Trojan (RAT) functionality, which enables its operators to tap on the screen, navigate the user interface, perform swipe actions.

The malware is fitted with dedicated RAT command to take a screenshot of the Google Authenticator application and capture one-time password codes used for two-factor authentication account protection.

Android users are advised to avoid downloading APKs from outside Google Play and to ensure that Play Protect is always active on their devices.

Researchers discovered source code of malware revealing debug messages left by the developer(s), reveal Turkish speaking.

The Expanding Threat landscape with evolving Modern Malware’s

The Crocodilus malware designed to go after high valued assets that targets cryptocurrency wallets and Banks. These malware can make the defense line up of banking system weak and researchers advise to adopt a layered security approach that includes thorough device and behavior-based risk analysis on their customers’ devices.

Modern malware has the capability to break the security defenses of organization even if they are protected by cutting edge solutions to defend. As the threat landscape expand so are sophisticated attacks rising.

Modern malware can bypass most security solutions, including email filtering, anti-virus applications, sandboxing, and even IPS/IDS and sometime few file-less malware leaves no footprint on your computer and is executed exclusively in run-time memory.

In this sophisticated war against threat criminals enterprise security requires is taking services for active threat hunting and be diligent in scanning files meant for downloads.

To improve enterprise security the important aspects needs to be covered increase usage of multi-layer defenses. Protecting against modern malware is an ongoing effort, and rarely it is “set and forget.” Utilize multiple layers of security, including anti-virus software, network layer protection, secure web gateways, and other tools for best results.

Keep improving your security posture against modern malware is an ongoing effort and includes multiple layers of security. With anti-virus software, advanced network layer protection, secure web gateways, and other tools the security posture at enterprise level increases.

Remember your best defenses can be in trouble, so continue monitoring, adapt and train employees, while using comprehensive multi-layer approach to security.

Source: https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices

Blogs

Security software to represent 60% of worldwide security market; IDC

Worldwide Security Spending to Increase by 12.2% in 2025 as Global Cyberthreats Rise, Says IDC

As we witness complex and more frequent more frequent and complex cyber attacks, a rising concern for global security the spending from worldwide data projects a steady growth. The amount is staggering $377 billion by 2028 says the IDC report. This is an yr on increase of 12.2% year-on-year increase in security spending in 2025.

“Growing digital transformation and hiking emerging technology adoption across the Middle East & Africa (MEA) region — especially countries in the Gulf Cooperation Council (GCC) — have pushed the demand significantly for security solutions to face the evolving threat landscapes,” said Eman Elshewy, senior research manager with IDC Data and Analytics.

The security software market growth will be driven especially by cloud native application protection platform (CNAPP).

This also includes Identity and access management software

security analytics software growth, reflecting the special focus that companies will put on integrated cyberthreats detection and response around their whole organizational perimeter.

Key points on security software market growth

  • Security services will be the second fastest growing technology group in 2025,
  • This is driven by the continuous expansion of managed security services and growths of organizations of all size are included in it. Security hardware will rank third, achieving single-digit but steady growth in 2025.
  • This also include the Banking, federal/central government, telecommunications, capital markets, and healthcare provider will be the industries spending the most at the global level on security in 2025.

 While the fastest-growing will be capital markets, media and entertainment, and life sciences with an expected year-on-year growth rate of 19.4%, 17.1%, and 16.9%, respectively in 2025.

Organisations developing software’s will develop their strategies based on  national and international regulations that still play an important role in guiding organizations’ security strategies — especially in regulated industries .

Cause of rise in the market demand .

The rising malware including virus and Trojan horses are increasing the capacity of cyber criminal and their sophistication in attacks. Cybercriminals deploy attack and employ malware that can take control of devices. With BOYD things are more complicated.

We cannot deny how AI is giving companies a competitive edge and help to fuel more sustainable growth. Forrester predicted that IT services and software will account for nearly two-thirds of global tech spending and, in Europe and North America, this share will be even higher. 

A greater drive for, and increased investment in, cybersecurity will underpin the rise in software spend, says Forrester.

In particular, this includes the updating and modernization of legacy and outdated enterprise systems to better protect organisations in the rapidly evolving threat landscape. 

While large and very large businesses account for the majority of security spending across all regions, small and medium-sized businesses will continue to increase their investments in security throughout the forecast period to address security gaps and protect their assets and processes as their digital transformation accelerates.

Fig 1 Represent the state of security spending 2025

Organizations still lack the internal expertise, to properly assess or address the security implications of this shift. Cyber criminals are making these threats more sophisticated, which is adding to the urgency. IDC says this steady climb in spending will continue through 2028, hitting $377 billion by then.

Now with IDC research finding  reveal investments in security throughout the forecast period to address security gaps and protect organizational assets and processes as their digital transformation accelerates.

Organisations are moving from being secure to being cyber resilient

Right now, business of every models are almost uniformly reliant on digital technology and any disruption here seriously impacts operations and revenue. Cyber criminals are on look out for every scope to launch stealthies attack.

Almost all security strategies often focus on proactively identifying and mitigating threats. Now at this hour as we stand in 2025 we need greater focus on cyber resilience.

Adopting a holistic approach in cyber security is walking the path of cyber resilience and we at Intruceptlabs working in tandem to weave the fabric of security in every workflow that supports this agility.

Recently IntruceptLabs won the Elevate 2024 Program, founded with the mission of “Making applications & digital space safer for businesses,” is encouraging for us as an organization for a cyber resilient future.

Sources: https://www.idc.com/getdoc.jsp?containerId=prEUR253264525

Blogs

Cyberespionage Group Blind Eagle Infects 1,600 Orgs in Colombia

URL manipulation attack; An agile attack methodology

Continue Reading
Security Advisory

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems 

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2018-8639 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat. 

Vulnerability Name CVE ID Product Affected Severity 
 Privilege Escalation Vulnerability  CVE-2018-8639  Windows  High 

Technical Summary 

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2018-8639 Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019  Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. System compromise, unauthorized access, potential malware persistence 

Remediation

  • Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk. 
  • Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.  

General Recommendations: 

  • Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches. 
  • Adopting the principle of least privilege (PoLP) to limit user access. 
  • Continuous monitoring of anomalous kernel-mode activities. 

Conclusion: 

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2018-8639  
  • https://github.com/ze0r/CVE-2018-8639-exp 

Blogs

Orange Group Suffered Data Breach; Threat Actors Exposes Compromised Data

Threat actors aimed infiltrating on Orange’s systems; A case of Ransomware cannot be denied on the data breach that took place.

Orange has confirmed it has recently experienced a cyber-attack, that exposed compromised data. Orange insists it is still investigating the case. The data breach on Orange group when analyzed found it included thousands of internal documents, including sensitive user records and employee data, after infiltrating the company’s infrastructure.

As per reports one of Orange’s non-critical apps breached in an attack aimed at its Romanian operations after HellCat ransomware gang member “Rey” alleged exfiltrating thousands of internal files with user records and employee details, which have been leaked on Tuesday, according to BleepingComputer.

Key Breach details on Orange Group

  • The data breach aimed at Infiltration of Orange’s systems for more than a month via the exploitation of Jira software and internal portal vulnerabilities.
  • This facilitated the eventual breach and can be a ransomware case as of almost 6.5 GB of corporate data including about 12,000 files over a nearly three-hour period on Sunday.
  • The hacker, known by the alias Rey, is a member of the HellCat ransomware group, noted the intrusion to be independent from the HellCat ransomware operation.
  • The threat actor claims that they have stolen thousands of internal documents of current and former Orange Romania employee, contractor, and partner email addresses, some of which dated from over five years ago, as well as mostly expired partial payment card details.
  • The hacker claims that they gained access to Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira software (used for issue tracking) and other internal portals.
  • The point was getting access to the company’s systems for over a month before executing the data exfiltration as per the hacker. They also stated that they had dropped a ransom note on the compromised system, but Orange did not engage in negotiations.
  • Orange emphasized that the attack has not impacted operations amid an ongoing investigation into the incident. The company is yet to disclose whether affected individuals will be notified or if additional security measures will be introduced to prevent similar breaches in the future.

Cyber Security Implications 

From cybersecurity point the incident reflected how major organization face cyber threats and what is their strategy for incident response?

How far is the preparedness of enterprises against a ransomware attack?

These are some of the eminent questions organizations must face in order to defend their brand name..Is it proactive, are organizations prepared as Ransomware groups are focusing with advanced techniques.

Cyber security preparedness the next step

It is important that security teams be on their toes to stop any ransomware attack at the source.

AI on the endpoints is the requirement of the day, detecting atypical behavior to predict and block attack advances, at the same time before encryption, having visibility full visibility from the kernel to the cloud enables one to spot signs of compromise .This can also be any ransomware chain or any early indicators of compromise.

Experts keep on warning how to protect assets from getting compromised warning customers and employees to remain vigilant for potential phishing attempts based on the data that has been leaked.

AI Leveraging Ransomware campaigns

Earlier we witnessed cybercriminals would encrypt data and provide the decryption key once payment was received.

Now threats has doubled up with double or triple extortion attacks to expose stolen information on data leak sites in exchange for larger ransoms.

The greater availability of artificial intelligence and machine learning tools has led to these gangs be more sophisticated in their attack methods. Now the attack vectors leverage AI and ML capabilities to evade detection, spread more effectively to reach their final goals.

AI Reshaping Cyber security Roadmap

AI in cybersecurity firstly integrates artificial intelligence technologies that are required to gain critical insights and automate time-consuming processes and this includes machine learning and neural networks, into security frameworks.

These technologies are a must to enable cybersecurity teams and systems to analyze vast amounts of data, recognize attack patterns, and being able to adapt new evolving threats that can be performed with minimal human intervention. Read our blog: AI Reshaping Roadmap for Cyber security

With AI capabilities what is the next scenario we may witness in Ransomware campaigns

    • Making ransom calls using Voice Cloning

    • Malware that can target key personnel within the organization

    • The ability to decipher financial data and demand ransom amounts accordingly

AI-driven systems learn from experiences and AI will empowers organizations, enterprises in future and still doing to enhance their cybersecurity posture and reduce the likelihood of breaches, identify potential risks by acting independently.

Sources:

https://www.scworld.com/brief/orange-group-hack-confirmed-following-leak-by-hellcat-ransomware-member

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Security Advisory

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Security Advisory

Banshee Stealer: A Growing Threat to macOS Users 

Overview 

Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS. 

Key Threat Details: 

Malware Capabilities: 

  • Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security. 
  • User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access. 
  • Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging. 

C&C decryption     Source: Cybersecurity News 

Evasion Tactics: 

  • Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems. 
  • Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods. 

Distribution Mechanisms: 

  • Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files. 
  • Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware. 

Repository releases     source: Cybersecurity News 

Recent Developments: 

  • Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally. 
  • Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape. 

Impact: 

  • Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses. 
  • Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications. 
  • Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide. 

Indicators of Compromise (IOCs): 

The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link

IP Address and Domain  File Hash 
41.216.183[.]49 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93 
Alden[.]io 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416 
api7[.]cfd 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab 
Authorisev[.]site b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114 

Recommendations: 

To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures: 

  1. Avoid Untrusted Downloads: 
  • Refrain from downloading software from unverified sources, particularly free or “cracked” versions. 
  • Verify the authenticity of GitHub repositories before downloading any files. 
  1. Strengthening System Defenses: 
  • Regularly update macOS and all installed applications to patch known vulnerabilities. 
  • Deploy advanced security solutions with real-time threat detection and proactive intelligence. 
  1. Enhance Awareness and Training: 
  • Educate users on identifying phishing websites and suspicious downloads. 
  • Encourage caution when responding to system prompts or entering credentials. 
  1. Enable Two-Factor Authentication (2FA): 
  • Secure accounts with 2FA to minimize the impact of stolen credentials. 
  1. Monitor System Activity: 
  • Regularly review system logs for unauthorized changes or suspicious activity. 
  • Use tools to monitor unexpected outgoing data transmissions. 
  • Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.  
  • Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early. 

Conclusion: 

The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats. 

References

Scroll to top