An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.

GHSA-vprm-27pv-jp3w: Vaultwarden authenticated reflected cross-site scripting (XSS) vulnerability

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability

The attack used a stolen remote support SaaS API key to exfiltrate data from workstations in the Treasury Department's Office of Foreign Assets Control.

Source: World History Archive via Alamy Stock Photo

NEWS BRIEF

The Chinese threat actor group known as "Silk Typhoon" has been linked to the December 2024 hack on an agency that's part of the US Department of the Treasury.

In the breach, the threat actors were able to use a stolen Remote Support SaaS API key through third-party cybersecurity vendor BeyondTrust to steal data from workstations in the Office of Foreign Assets Control (OFAC).

Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations. 

Using tools such as the China Chopper Web shell, the group's cyber-espionage campaigns focus mainly on data theft.

The group also targeted the Treasury Department's Office of Financial Research; this latest breach is still being investigated and assessed.

The Cybersecurity and Infrastructure Security Agency (CISA) has since confirmed that these exploits are limited to just the agency, and there is no indication that any other federal agencies have been impacted by the incident.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Hacking Group 'Silk Typhoon' Linked to US Treasury Breach

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like _Candy Crush_ and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples’ mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.

The list includes dating sites Tinder and Grindr; massive games such as _Candy Crush_, _Temple Run_, _Subway Surfers_, and _Harry Potter: Puzzles & Spells_; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for apps they have installed.

Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.

Much of the location data attached to these app names does not have a time stamp. But there are indications it dates from 2024. One of the apps listed is _Call of Duty: Mobile_, and specifically its Season 5 iteration, which launched in May 2024.

Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

Venntel has also provided the underlying data for another government-bought surveillance tool called Locate X. 404 Media and a group of other outlets showed last year how that tool, made by a company called Babel Street, could be used to monitor visitors to out-of-state abortion clinics.

But the newly hacked data shows for the first time just how many apps could be part of a location data supply chain, even if their developers are not aware of it. Most app developers and companies included in the list did not respond to a request for comment. Flightradar24 said in an email that it had never heard of Gravy, but that it does display ads, which “help keep Flightradar24 free.”

Tinder said in an email that “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app” but did not answer questions about ads inside the app.

Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data.

It’s important that the data appears to be sourced through real-time bidding, because that dictates who is responsible (rogue members of the advertising industry and the tech giants that facilitate that industry), how users can protect themselves (attempting to block ads), and the fact that massive app publishers may not even be aware their users’ data is being harvested and therefore might not know how to stop it. An app developer will know if it implemented location-data-gathering code itself. It might not know that some company, somewhere, is silently listening in on the advertising process and siphoning data from their app.

Surveillance firms can obtain RTB data by acquiring ad tech companies and posing as prospective advertisers. The spy-run location data company doesn’t need to successfully place an ad; instead, it is able to gather data on devices by simply being plugged into that industry. Location data in this case can also include a users’ IP address, which is then geolocated to give their coarse location.

Last January, 404 Media reported on an Israeli surveillance company called Patternz, which was sourcing masses of location data through the RTB process.

In an exposed training video, Patternz showed some of the popular apps it got location data from: 9GAG, Kik, sports app FUTBIN, caller ID apps such as CallApp and Truecaller; and various word, sudoku, and solitaire puzzle games. Every one of these apps are also in the Gravy data. This suggests that Gravy, or wherever Gravy got that data from, also sourced it from interacting with the advertising system rather than location-tracking code baked into the apps.

404 Media shared some of the location data with another security researcher with knowledge of the advertising and location data industries. “It appears that at least some of this data would likely have been sourced from advertising related, real-time bidding,” Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media after reviewing the data. He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

Google did not respond to multiple requests for comment for this article. Neither did Apple.

Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS \[Global Navigation Satellite System\]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”

“What we’re seeing here in this data appears to me to be a huge diversity of apps,” Edwards says. “That’s not what you see from an SDK ingestion; that’s what you see from bulk RTB ingestions.”

In December the Federal Trade Commission banned another location data company called Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” In other words, the agency banned Mobilewalla from participating in the RTB process for building datasets on peoples’ devices. The FTC also said Venntel and Gravy collected data without obtaining user consent, ordered the company to delete historical location data, and banned it from selling data related to sensitive areas like health clinics and places of worship, except in “limited circumstances” involving national security or law enforcement.

404 Media has verified the hacked Gravy data in various ways. Some files include credentials for Gravy’s Snowflake instances, a data warehousing tool. 404 Media checked that the URLs in the hacked files do correspond to real Snowflake instances. One file called “users” contains a long list of companies. Some of these firms denied having any relationship with Gravy; Cuebiq, another location data firm mentioned in the file, told 404 Media it “routinely evaluates available data in the market to determine if they are an appropriate fit for our business. Most do not make it past the evaluation stage to production, as was the case here. Cuebiq tested a limited data sample, which was never made available to our customers, and the data was deleted at the end of the limited trial.”

404 Media also sent a section of the data to another data broker called Datonics. “We investigated the matter described in your email, and the segment IDs in those files are those of Gravy, not Datonics,” the company said in an email.

Unacast, which merged with Gravy in 2023, did not respond to multiple requests for comment, both on the hack and whether it or any of its suppliers have derived location data from the real-time bidding process.

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

Texas has become a leading enforcer of internet rules. Its latest probe includes some platforms that privacy experts describe as unusual suspects.

Over the past decade, Texas attorney general Ken Paxton has wielded his office’s significant resources to investigate well-known tech giants including Google and Meta over how they moderate content and treat rivals. He helped win settlements against Apple for allegedly misleading users and is suing TikTok for allegedly endangering children's privacy. Now, Paxton’s latest tech investigation includes an expansive number of targets, WIRED has learned.

Rumble, Quora, and WeChat are among the 15 companies from which Texas has demanded answers by next week about their collection and use of data of people under 18 years old. Paxton announced the investigation in a press release last month but named only four of the companies being probed—Character.AI, Red­dit, Insta­gram, and Dis­cord. WIRED obtained the names of additional targeted companies through a public records request. They also include Kick, Kik, Pinterest, Telegram, Twitch, Tumblr, WhatsApp, and Whisper.

Paxton’s office did not respond to requests for comment, including about how it chose which businesses to investigate. But the variety of companies questioned highlights the sprawling reach of a new Texas law aimed at increasing oversight of minors’ use of social media and chat services.

Three experts in youth privacy regulations who have been following Paxton’s enforcement efforts say the new investigation should be treated credibly, and they believe it could result in companies agreeing to improve their practices. The alternative could be up to hundreds of millions of dollars in penalties per company. “When you bring all the statutes together, Texas has a pretty significant hammer,” says Paul Singer, a partner and section chair at the law firm Kelley Drye & Warren.

Spokespeople for Character.AI and Tumblr say they take safety issues seriously. Meta and WeChat declined to comment. Other companies under investigation did not respond to requests for comment.

Paxton launched his probe three days after the families of an 11-year-old girl and 17-year-old boy in Texas sued chatbot startup Character.AI, claiming the company designed its product in an unsafe way that exposed the kids to sexualized and violent responses. In October, a similar case was filed in Florida by the family of a 14-year-old who shot himself to death allegedly following conversations with a Character.AI chatbot. Character.AI later introduced an experience aimed at kids and plans to roll out parental controls.

Other services under investigation including Kik, Instagram, and Discord have faced public scrutiny over their use by children. But less so WeChat, a messaging app popular among Chinese Americans, and Quora, a forum for crowdsourcing information that’s recently expanded into AI chatbots.

Paxton’s interest in Rumble, a YouTube-like website popular among US conservative political commentators, is also perhaps unexpected given his track record of partisan views about social media companies. Rumble has touted itself as a haven for free expression, unlike platforms that engage in allegedly heavier content moderation. Paxton is a Republican and has criticized platforms that unfairly silence Texans.

The privacy experts who spoke with WIRED described Rumble, Quora, and WeChat as unusual suspects but declined to speculate on the rationale behind their inclusion in the investigation. Josh Golin, executive director of the nonprofit Fairplay, which advocates for digital safety for kids, says concerns aren’t always obvious. Few advocacy groups worried about Pinterest, for example, until the case of a British teen who died from self-harm following exposure to sensitive content on the platform, he says.

Paxton’s press release last month called his new investigation “a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.”

The United States Congress has never passed a comprehensive privacy law, and it hasn’t significantly updated child online safety rules in a quarter century. That has left state lawmakers and regulators to play a big role.

Paxton’s investigation centers on compliance with Texas’ Securing Children Online through Parental Empowerment Act, or SCOPE, which went into effect in September. It applies to any website or app with social media or chat functions and that registers users under the age of 18, making it more expansive than the federal law, which covers only services catering to under-13 users.

SCOPE requires services to ask for users’ age and provide parents or guardians power over kids’ account settings and user data. Companies also are barred from selling information gathered about minors without parental permission. In October, Paxton sued TikTok for allegedly violating the law by providing inadequate parental controls and disclosing data without consent. TikTok has denied the allegations.

The investigation announced last month also referenced the Texas Data Privacy and Security Act, or TDPSA, which became effective in July and requires parental consent before processing data about users younger than 13. Paxton’s office has asked the companies being investigated to detail their compliance with both the SCOPE Act and the TDPSA, according to legal demands obtained through the public records request.

In total, companies must answer eight questions by next week, including the number of Texas minors they count as users and have barred for registering an inaccurate birthdate. Lists of whom minors’ data is sold or shared with have to be turned over. Whether any companies have already responded to the demand couldn’t be learned.

Tech company lobbying groups are challenging the constitutionality of SCOPE Act in court. In August, they secured an initial and partial victory when a federal judge in Austin, Texas, ruled that a provision requiring companies to take steps to prevent minors from seeing self-harm and abusive content was too vague.

But even a complete win might not be a salve for tech companies. States including Maryland and New York are expected to enforce similar laws starting later this year, says Ariel Fox Johnson, an attorney and principal of the consultancy Digital Smarts Law & Policy. And state attorneys general could resort to pursuing narrower cases under their tried-and-true laws barring deceptive business practices. “What we see is often information gets shared or sold or disclosed in ways families didn’t expect or understand,” Johnson says. “As more laws are enacted that create firm requirements, it seems to be becoming more clear that not everybody is in compliance.”

Rumble Among 15 Targets of Texas Attorney General’s Child Privacy Probe

The fate of TikTok now rests in the hands of the US Supreme Court. If a law banning the social video app this month is upheld, it won’t disappear from your phone—but it will get messy fast.

The law says it will be “unlawful” for entities to “distribute, maintain or update” the app including its source code, or by “providing services” that allow it to keep running as it is now. This distribution, maintenance, or updates could be, the law says, by means of mobile app stores that can be accessed in the US or by “providing internet hosting services.”

“The law really deliberately avoided saying that it was illegal to have the app on your phone,” says Milton Mueller, a professor and cofounder of the Internet Governance Project at the Georgia Institute of Technology, who filed an amicus brief to the Supreme Court in opposition of the ban. “Their attempt is to say nobody new can download it from the Apple or Google stores, and nobody who has it can update it through those stores,” Mueller says. “There’s nothing in the law that says ‘TikTok you must block US users,’ which is again interesting.”

If TikTok is removed from Apple’s App Store and Google’s Play Store in the US, it will not be possible to directly install new updates that will add new features, fix bugs within the code, or quash security flaws. Over time, that means TikTok will stop functioning properly. Apple didn’t respond to WIRED’s request for comment, while Google declined to comment on what it will do if the law comes into effect.

The law’s other focus is on stopping “hosting” companies from providing services to TikTok—and the definition is pretty wide. Hosting companies “may include file hosting, domain name server hosting, cloud hosting, and virtual private server hosting,” the law says. Since the summer of 2022, as TikTok faced pressure about its Chinese ownership, the company has hosted US user data within Oracle’s cloud services. Oracle also did not respond to WIRED’s request for comment.

Even so, other systems such as content delivery networks, advertising networks, payment providers, and more are used as part of TikTok’s infrastructure. The law does not specifically mention these services, but differing legal readings could make them question whether they help to “maintain” or “distribute” TikTok’s fully functioning service.

Hall says a recent test of TikTok’s website showed 185 embedded domains on the page. “They pull in code, content from that array of third-party providers and their own domains too,” he says. “The apps will start to decay and rot as either services stop working, things like content distribution networks or services who feel like they can't take the risks of the ambiguous nature of the language or the potential enforcement by the incoming administration.”

There’s one internet infrastructure player that the ban does not specifically put pressure on: internet service providers. Countries such as Russia and China have developed censorship measures that allow them to block entire websites from being accessed through web bowsers. Mueller believes this omission by US lawmakers was likely deliberate, as it avoids setting up a Chinese-style internet firewall. “They knew that a system of ISP-based blocking and filtering would obviously be a form of First Amendment restriction,” he says.

**Avoiding a TikTok Ban**

While TikTok’s service in the US would likely degrade over time, there remain some potential ways around any ban—both for individuals and potentially also the company itself. How effective these measures would be likely depends on how motivated people are to keep using TikTok and what the company decides to do.

“TikTok has 170 million users,” says Alan Rozenshtein, an associate professor of law at the University of Minnesota, who is in favor of the law but says it is the “best of a bunch of bad options” relating to TikTok. “This law will not prevent every one of them from accessing TikTok. I don’t think that was ever the goal of the law. The law is to make it meaningfully harder to access TikTok.”

How the US TikTok Ban Would Actually Work

Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions.

Thursday, January 9, 2025 14:15

Welcome to the first edition of the Threat Source newsletter for 2025.  

Upon returning to work this week from my Lindt chocolate reindeer coma, my first task was to write this newsletter. As I stared at a blank template hoping for inspiration to suddenly strike, I did what any security professional should do at the start (and indeed any) time of year. I listened to Wendy Nather. 

Legendary Security Hall of Famer Wendy recently gave the keynote at BSides NYC and the video has just landed. The theme? “When do we get to play in easy mode?” I.e why is security still so hard? 

Wendy showed a list of the InfoSec Research Council’s “Hard Problems” list of 2005. Any of these sound familiar? 

*   Global scale identity management 
*   Insider threat 
*   Availability of time critical systems 
*   Building scalable secure systems 
*   Attack attribution and situational understanding 
*   Information provenance 
*   Security with privacy 
*   Enterprise level security metrics 

If the toughest challenges we face in 2025 are also the same challenges we were dealing with twenty years ago, what hope is there? 

Plus, if anything, security is even harder today than it was then, due to all the added complexity. Wendy also pointed out the larger ripple effect of breaches today due to supply chains, stolen credentials up for sale, and shared infrastructure. 

Jeez Hazel, way to start 2025 on a massive downer. 

However, something we can perhaps do more of this year is to go a bit easier on ourselves. Plus, ﻿if something you’ve been trying for a while isn’t working and is only leading to deeper frustrations, is it possible to come at from it a different way? 

One of Wendy’s recommendations on how to do just that uses the example of user awareness training. As she said in her keynote, it’s easy to get someone to click on a link (sorry to any bad guys reading this, but you’re not exactly carrying out rocket surgery with your phishing campaigns). 

Getting 1000 people NOT to click on a link is infinitely harder. Wendy even said that she once worked in an organization where the people who attended cybersecurity awareness training were even MORE likely to click on malicious links. The theory being that these people really wanted to help the security team, and were more than happy to respond to emails asking them to test the strength of their passwords. 

And that’s where social engineering, defender style, can come in. "People are your greatest asset, if you treat them that way." 

I'm seeing a lot of "how to thrive in 2025!" posts right now. For anyone who isn't ready for that, or tired of it all, I just want to say, I'm right there with you. But if you're also feeling like it's "new year, same problems"  perhaps there's one thing that you can pick this year which has the potential to change that story.

Wendy’s keynote contains a bunch of insights for defenders on how to go about picking something to change or improve, from knowledge sharing, to hiring, and addressing complexity. I’m also looking forward to reading the upcoming National Academy of Science’s report on Cyber Hard Problems, of which Wendy is on the committee for. 

I'd thoroughly recommend checking out the full keynote, if only to see Wendy yielding a hammer in a moderately threatening manner.

**The one big thing**

Attacks in which malicious actors are deliberately installing known vulnerable drivers, only to exploit them later, is a technique referred to as Bring Your Own Vulnerable Driver (BYOVD).   

Cisco Talos recently published our research into the real-world application of the BYOVD technique. We identified three major payloads used, as well as recent activity linked to ransomware groups. 

** Why do I care?  **

With the wide availability of tools exploiting vulnerable drivers, exploitation has moved from the domain of advanced threat actors into the domain of commodity threats - primarily ransomware. Malicious actors use corrupted drivers to perform a myriad of actions that help them achieve their goals, such as escalating privileges, deploying unsigned malicious code, or even terminating EDR tools. 

**So now what?  **

There are a few things we can do to mitigate the risks and detect potential campaigns using BYOVD technique. This could include enforcement of Extended Validation (EV) and Windows Hardware Quality Labs (WHQL) certified drivers, preventing risks associated with legacy drivers. If the blocking of all legacy drivers is not possible, employing the Windows Defender Application Control (Windows Security) drivers blocklist is recommended way to prevent the execution of known vulnerable drivers. Read more in the Talos blog. 

**Top security headlines of the week   **

*   CISA says there is ‘no indication’ of a wider government hack beyond the treasury, following the disclosure that the department had been the target of a “major incident” in December. TechCrunch 
*   FireScam Android spyware campaign fakes the Telegram Premium app and delivers information-stealing malware. Researchers say this is a prime example of the rising threat of adversaries leveraging everyday applications. Dark Reading. 
*   Meduza stealer analysis: A closer look at its techniques and attack vector. Splunk Threat Research 

**Can’t get enough Talos?  **

*   Talos Takes is now in video format! Catch up on the latest discussion, all about the major shifts and changes in ransomware since the very first iteration over 35 years ago. 

*   The evolution and abuse of proxy networks – check out this piece of research by Nick Biasini and Vitor Ventura. 

**Upcoming events where you can find Talos     **

Cisco Live EMEA (February 9-14, 2025)  

Amsterdam, Netherlands  

**Most prevalent malware files of the week**

**SHA 256:**  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f

**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  

**VirusTotal :** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5**: 7bdbd180c081fa63ca94f9c22c457376 

**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5**: 71fea034b422e4a17ebb06022532fdde 

**VirusTotal:**  https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d  

**VirusTotal:** https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8

Do we still have to keep doing it like this?

**Vulnerability Summary**
A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay `node` interface.

**Affected Components**
- Strawberry GraphQL relay integration
- Specifically impacts implementations using:
  - Django integration
  - SQLAlchemy integration
  - Pydantic integration

**Technical Details**

The vulnerability manifests when:
1. Multiple GraphQL types inherit from `relay.Node`
2. These types are mapped to the same database model
3. The global `node` field is used for type resolution

Example of vulnerable code:

```python
from fruits.models import Fruit
import strawberry_django
import strawberry

@strawberry_django.type(Fruit)
class FruitType(relay.Node):
    name: strawberry.auto

@strawberry_django.type(Fruit)
class SpecialFruitType(relay.Node):
    secret_name: strawberry.auto

@strawberry.type
class Query:
    node: relay.Node = strawberry_django.node()
```

**Security Impact**

When querying for a specific type using the global `node` field (e.g., `FruitType:some-id`), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., `SpecialFruitType`). This can lead to:

1. Information disclosure if the alternate type exposes sensitive fields
2. Potential privilege escalation if the alternate type contains data intended for restricted access

**Note**
Even with knowledge of the correct type name (e.g., `SpecialFruitType`), attackers may still be able to access unauthorized data through direct type queries.

We recommend to use permission on fields instead of creating a dedicate type.

**Recommendations**
1. Avoid mapping multiple relay Node types to the same model
2. Implement strict access controls at the field resolution level (using permissions)
3. Consider using separate models for different access levels of the same data
4. Update to `strawberry-graphql>=0.257.0`
5. If using `strawberry-graphql-django`, update to `strawberry-graphql-django>=0.54.0`

**Vulnerability Summary**  
A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface.

**Affected Components**

*   Strawberry GraphQL relay integration
*   Specifically impacts implementations using:
    *   Django integration
    *   SQLAlchemy integration
    *   Pydantic integration

**Technical Details**

The vulnerability manifests when:

1.  Multiple GraphQL types inherit from relay.Node
2.  These types are mapped to the same database model
3.  The global node field is used for type resolution

Example of vulnerable code:

from fruits.models import Fruit
import strawberry\_django
import strawberry

@strawberry\_django.type(Fruit)
class FruitType(relay.Node):
    name: strawberry.auto

@strawberry\_django.type(Fruit)
class SpecialFruitType(relay.Node):
    secret\_name: strawberry.auto

@strawberry.type
class Query:
    node: relay.Node \= strawberry\_django.node()

**Security Impact**

When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to:

1.  Information disclosure if the alternate type exposes sensitive fields
2.  Potential privilege escalation if the alternate type contains data intended for restricted access

**Note**  
Even with knowledge of the correct type name (e.g., SpecialFruitType), attackers may still be able to access unauthorized data through direct type queries.

We recommend to use permission on fields instead of creating a dedicate type.

**Recommendations**

1.  Avoid mapping multiple relay Node types to the same model
2.  Implement strict access controls at the field resolution level (using permissions)
3.  Consider using separate models for different access levels of the same data
4.  Update to strawberry-graphql>=0.257.0
5.  If using strawberry-graphql-django, update to strawberry-graphql-django>=0.54.0

**References**

*   GHSA-5xh2-23cc-5jc6
*   strawberry-graphql/strawberry@526eb82

GHSA-5xh2-23cc-5jc6: Strawberry GraphQL has type resolution vulnerability in node interface that allows potential data leakage through incorrect type resolution

Discover how AI revolutionizes cybersecurity with real-time threat detection, adaptive protection, and advanced data protection to combat evolving…

Discover how AI revolutionizes cybersecurity with real-time threat detection, adaptive protection, and advanced data protection to combat evolving cybersecurity risks.

Cybersecurity threats are no longer luxuries of the big corporations and reach every part of our connected world making big and small businesses both vulnerable. With attacks becoming smarter and more sophisticated, traditional security measures frequently can’t keep up.

Enter Artificial Intelligence (AI) and how they have begun to change how we defend against cybersecurity risks. In this article, we’ll talk about how AI powers threat intelligence and strengthen cyber defence strategies so that organizations never find themselves behind the curve of malicious actors.

****The Foundation of AI in Cybersecurity****

AI revolutionized the cybersecurity field by providing tools beyond static defences. AI learns patterns from millions of data and reports the anomalies that were otherwise left unnoticed. Thus, unlike conventional systems, AI developed as an already mature and powerful response to what could be learned in certain usage scenarios with time, also because it doesn’t require any extensive manual configuration, making it perfect for proactive threat intelligence.

One key application is Two-Factor Authentication Methods. In complement to the authentication process, AI analyzes login patterns and signals on unusual access attempts. This can, for example, block login attempts with the correct credentials from risky locations – just another level of security. Integrating machine learning models means both security and user convenience.

****Identifying Threats Before They Strike****

Hence, AI driven cybersecurity is all about being able to predict and react to threats. Using machine learning, we build predictive models that aggregate and analyze data from previous attacks, and then try to detect warning signs before breaches take place. That’s proactive, saves time, and minimizes damage.

For instance, AI tools detect system behaviours in real-time, alerting them of anything unusual and escalating cases, such as an unexpected increase in outbound traffic or unauthorized access to some data. These early warnings help the security teams to do something before the harm is already done. Anomaly detection algorithms and other advanced AI systems mean that even the slightest hints of an attack don’t slip under the radar.

****AI-Powered Defense Mechanisms****

It’s not just detecting threats; it’s defending against threats in real-time. AI-powered automated response systems immediately block attacks. AI helps to quickly and efficiently counteract threats, by enchasing firewalls and neutralizing malware.

A standout example is its role in implementing multi-factor authentication windows. AI aids in physical identity verification more reliably than people could using a manual system by monitoring access requests on devices and across time zones. It’s combined with intelligent firewalls so that attackers are stopped at the gate, and no unauthorized entry is allowed.

****Adapting to Evolving Cyber Threats****

Things change quickly in the cyber threat space but when it comes to AI it changes even faster. The AI is constantly trained using new data in order to counter emerging risks. From ransomware to zero-day exploits, AI systems will evolve to tackle new problems.

Take phishing, for instance. Because AI knows what patterns to look for in the text, as well as sender and email behaviour, as well as embedded links, it has the ability to recognize fraudulent emails. Phishing tactics undergo regular change, where AI’s ongoing process of information digestion and processing means that it keeps a step ahead. However, flexibility had to exist to combat ever-changing attack strategies.

****Protecting Data with AI****

Attackers seek out data, so protecting it is job one. In turn, AI encrypts data more securely and at a faster rate while also being able to detect unauthorized access attempts. For instance, if one wishes to monitor file transfers anywhere sensitive documents are being accessed outside approved parameters, the AI will do this and will alert administrators or supervisors when required.

Offloading the work and analysis of your users allows an organization to better protect its users and secure sensitive data, and is an integral part of AI’s predictive analytics that also prevent data breaches. It analyzes historical trends of high-risk behaviours that could result in leaks. Such measures protect customer trust as well as adherence to data protection laws.

****AI’s Role in Network Security****

Networks are the foundation of any organization’s digital infrastructure, with AI strengthening protection through proper security and traffic monitoring.

An example would be AI-driven tools that can spot abnormal behaviours such as this spike in bandwidth usage. Analyzing such patterns makes AI able to prevent Distributed Denial-of-Service (DDoS) attacks. Besides, the use of AI in access control guarantees that only nominated gadgets connect to the network, making the organization less vulnerable.

****Enhancing Endpoint Protection****

Attackers often use endpoints like laptops, phones, and IoT devices. AI recognizes and microscopically halts threats, preventing such compromises.

Instead, an AI-powered antivirus will see the behaviour of a file rather than just relying on a signature database. This approach guarantees the detection of even new or modified malware. Additionally, through surveillance of user behaviour, and anomalies such as abnormal data downloads, AI ensures an additional security blanket against insider threats.

****Coordinating Incident Responses With AI****

Quick response is crucial when there is a breach. AI allows for better incident management, automating key incidents and leading to faster recovery time. This results in identifying the root cause and neutralizing threats to mitigate damage.

It also helps security teams provide actionable insights with AI. It can simulate what attack paths could be and allows teams to proactively patch vulnerabilities. Being this ready means companies can bounce back quickly and keep operating without losing much time.

****Ethical Concerns and Limitations of AI****

While AI has many benefits, it’s not trouble-free. A very good solution is the usage of machine learning, however ethical considerations, for example in the form of potential bias of the algorithms, can hinder its usage. An example is an AI system trained on biased data that may miss out on threats making organisations vulnerable.

In addition, human oversight may decrease because of over-dependence on automation. Finding a balance between AI manpower and human intervention is something important. With these concepts addressed, AI continues to be a viable position tool in cyber security.

****The Future of AI in Cyber Defense****

As technology develops, AI will assume more and more of a role in cybersecurity. Innovations that are emerging, such as federated learning will make AI systems even more secure and effective. These technologies will work to strengthen interactions between these organizations, putting up more formidable bulwarks against cyber threats.

Ahead, it is important for organizations to invest in AI-powered tools while keeping human expertise intact. A combination of technology and human insight will make our security strong against future next-generation cyber risks.

****Summary****

Cyber defence is being revolutionized by AI, which allows for both real-time threat detection and adaptive protection, as well as a quick response to attacks. Organizations can protect data better, improve security processes, and get ahead of changing risks by integrating AI tools.

Improved detection accuracy and proactive defences work together, and compatibility with tools you may already employ, such as two-factor authentication. As AI remains continuously advancing, the systems stay effective and ethical.

When you combine AI and human expertise, you get strong protection able to handle the cyber challenges you face now and will face in the future and also secure a resilient digital future.

1.  **Key Features Of Threat Intelligence Platforms**
2.  **A Step-by-Step Guide to How Threat Hunting Works**
3.  **ANY.RUN Upgrades Threat Intelligence to Identify Threats**
4.  **Criminal IP and Maltego Expand Threat Intelligence Search**
5.  **Leveraging AI for Enhanced Threat Detection and Prevention**

Latest News