Globally, security researchers and whistleblowers face increasingly hostile laws and judiciaries that are ready to levy fines and prison sentences.

Source: bestfoto77 via Shutterstock

While disclosure of software vulnerabilities and data breaches has become more accepted over the past three decades, researchers and whistleblowers continue to risk lawsuits and criminal charges depending on the country in which they live.

In April 2022, for example, police in Istanbul arrested independent Turkish journalist İbrahim Haskoloğlu after he revealed details of a breach of government data in Turkey. The country's ruling party has since proposed a law to make the false reporting of a data breach a crime punishable by two to five years in prison — a law that critics say will prevent disclosure of real data breaches.

And in the island nation of Malta, three computer-science students and their lecturer at the University of Malta will be charged in March, two years after they found vulnerabilities in scheduling service FreeHour and notified the company. FreeHour claimed the disclosure appeared to be a ransom demand and reported the students to the police — although, since then the firm has criticized the nation's lack of clear exemptions for researchers.

The students continue to face charges, however.

"I hope that at the end of this case, it results in a better climate for cybersecurity, but I'm genuinely exhausted from this whole situation," Michael Debono, one of the students, stated in a post on Facebook. "It's crazy that I've had to spend almost two years now dealing with the fallout of an incident that should have been resolved over a table in a day with FreeHour and the police."

Turkey and Malta are not the only countries to crack down people who report data breaches and software vulnerabilities. In Poland, a train manufacturer threatened to sue three ethical hackers who circumvented a kill code that the cybersecurity professionals claim disabled trains that had been parked in a third-party repair facility. In China, vulnerability researchers who do not first report software issues to the government risk prison time.

Even in the US, where vulnerability-disclosure issues have been debated for decades, companies and government agencies still occasionally resort to legal attacks rather than civil engagement. In September 2024, the city government of Columbus, Ohio, filed a lawsuit against whistleblower David L. Ross after he disputed the significance of a data breach, claiming that Ross colluded with the ransomware gang behind the breach. Two months later, the city settled the lawsuit.

**Defensive Driving and Disclosure**

Worldwide, vulnerability researchers need to take care when disclosing software security issues. Erring on the side of safety, like defensive driving, should be the default for cybersecurity researchers and whistleblowers, says Trey Ford, chief information security officer at San Francisco-based Bugcrowd, who connects its stable of independent penetration testers with clients.

The October 2022 email that resulted in three students and their lecturer facing charges. Source: Lecturer Luke Collins' site

In the best case, researchers should obtain permission from the targeted organization to conduct research and disclose findings, he says.

"The reality now is: If you see something, and you're not absolutely sure — and don't have receipts and proof — maybe don't say anything, or you risk going to jail," Ford says, pointing out that defensive or vindictive organizations can cause trouble. Any risk can be "further amplified by the misaligned incentives of companies that would prefer not to address an issue. These companies have the power to almost completely silence the reporter."

In addition, working with the organization rather than immediately adopting an adversarial approach can help minimize potential misinformation about what constitutes a breach or vulnerability, says Ilona Cohen, chief legal and policy officer at HackerOne, a hacking-services platform.

Researchers should also always be cognizant of local law, she says.

"Whether a data breach has occurred or a vulnerability is present are not always clear-cut," Cohen says. "It’s not uncommon for countries to have laws against fraudulent misrepresentation, but lawmakers must take care not to target individuals that do not intend to deceive or to cause harm."

**Benign Intent or Hostile Actions**

So far, the researchers and whistleblowers are paying the price of the lack of clarity. Turkish journalist Haskoloğlu, for example, claimed he notified the Turkish government two months before his disclosure, after being contacted by the hackers that the data had been stolen. Last month, he announced he would leave Turkey following escalating death threats.

In December, Newag — the train manufacturer in Poland that allegedly bricked trains not repaired in its workshops — filed a lawsuit against the three hackers who discovered and publicized their workaround for the kill code. While the European Union adopted a right-to-repair law for consumer goods in 2024, it's unclear whether industrial equipment, such as trains and machinery, are covered.

The incidents highlight that organizations are aiming to silence researchers, rather than engage publicly with them, says Dustin Childs, the head of threat awareness and the Zero Day Initiative at Trend Micro, which maintains a third-party bug bounty program.

"It’s a disturbing trend I hope reverses soon," he says. "We need to offer safe harbor to researchers who are willing to report vulnerabilities in a coordinated manner. Unfortunately, this trend is unlikely to change without either litigation or legislation."

Globally, however, legislation appears to be moving in a different direction. In August 2024, the UN General Assembly adopted the Convention Against Cybercrime, which makes it a crime to "access ... an information or communications technology (ICT) system without right" or to intercept data or communications. Digital-rights groups worry that the treaty will lead to more laws that penalize legitimate security research.

While Turkey appears to be the first country since August to pass a more strict cybercrime statue, tougher regulations seem increasingly likely, Childs says.

"Overall, we are currently in a climate where governments favor businesses over individual researchers," he says. "It would not surprise me to see similar measures in other countries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Reporting a Breach or Vuln? Be Sure Your Lawyer's on Call

The firewall specialist has patched the security flaw, which was responsible for a series of attacks reported earlier this month that compromised FortiOS and FortiProxy products exposed to the public Internet.

Source: Lutsenko via Oleksandr via Shutterstock

Fortinet has patched an actively exploited zero-day authentication bypass flaw affecting its FortiOS and FortiProxy products, which attackers have been exploiting to gain super-administrative access to devices to conduct nefarious activities, including breaching corporate networks.

Fortinet characterized the flaw, rated as critical and tracked as CVE-2024-55591 (CVSS 9.6), as an "authentication bypass using an alternate path or channel vulnerability" that "may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module," according to a FortiGuard Labs security advisory last week.

Fortinet observed threat actors performing various malicious operations by exploiting the flaw. These activities included: creating an admin account on the device with a random user name; creating a local user account on the device with a random user name; creating a user group or adding a local user to an existing SSL VPN user group; adding and/or changing other settings, including firewall policy and/or firewall address; and logging in to the SSL VPN to get a tunnel to the internal network.

Fortinet recommended that customers using affected products follow the recommended upgrade path on its website to mitigate the flaw. It also offered workaround options in its advisory.

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**First Signs of Fortinet Zero-Day Exploitation**

The first signs that something was amiss came earlier this month, when researchers at Arctic Wolf revealed that a zero-day flaw was likely to blame for a series of recent attacks on FortiGate firewall devices with management interfaces exposed on the public Internet. Attackers were targeting the devices to create unauthorized administrative logins and make other configuration changes, create new accounts, and perform SSL VPN authentication.

Fortinet quietly informed its customer base of the issue before revealing the patch and extent of the situation late last week; this low-key revelation is how Arctic Wolf got wind of it, according to a blog post analyzing the flaw by watchTowr Labs published on Jan. 27. However, security researchers did not yet know exactly what the flaw was or what the exploitation entailed.

That's become clearer now. The flaw resided within the jsconsole functionality, which is a graphical user interface (GUI) feature to execute command line interface (CLI) commands inside FortiOS's management interface, according to watchTowr Labs. "Specifically, the weakness in this functionality allowed attackers to add a new administrative account," according to the post.

Related:Change Healthcare Breach Impact Doubles to 190M People

Jsconsole is a WebSocket-based Web console to the CLI of the affected Fortinet appliances. "This CLI is all-powerful, since it is effectively the same as the actual provided CLI that is used by legitimate administrators to configure the device," according to watchTowr Labs. Therefore, if an attacker gains access to the Web console, the appliance itself should be considered compromised.

The researchers took a deep dive into the vulnerability and found that it was actually a chain of issues combined into one critical vulnerability that allowed attackers to follow four key steps to achieve super administrative access.

Those steps are: creating a WebSocket connection from a pre-authenticated HTTP request; using a special parameter local\_access\_token to skip session checks; exploiting a race condition in the WebSocket Telnet CLI to send authentication before the server does; and picking the access profile that an attacker wishes to assume, which in the case of the researchers' proof-of-concept was to become a super administrator.

**Mitigation & Protection Against CVE-2024-55591**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products often widely exploited to breach not only devices but also act as a point of entry to attack corporate networks.

Related:The Case for Proactive, Scalable Data Protection

Organizations using the devices affected by the flaw are advised to follow the appropriate update path or apply the workaround provided by Fortinet.

Fortinet also noted in its advisory that an attacker generally would need to know an admin account's username to perform the attack and log in to the CLE to exploit the flaw. "Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice," according to the advisory.

However, the company added, since the targeted WebSocket is not itself an authentication point, attackers still have the possibility of brute-forcing the username to exploit the flaw.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Attackers aim to steal people's personal and payment-card data in the campaign, which dangles the threat of an undelivered package and has the potential to reach organizations in more than 50 countries.

Source: Francis Vachon via Alamy Stock Photo

Attackers impersonating the US Postal Service (USPS) are striking again, this time in a widescale mobile phishing campaign that taps people's trust in PDF files. This time it uses a novel evasion tactic to steal credentials and compromise sensitive data in SMS phishing (smishing) attacks.

Discovered by researchers at Zimperium zLabs, the smishing campaign uses malicious SMS messages informing people that their package can't be delivered because of "incomplete address information," they revealed in a blog post published Jan. 27. The messages direct people to click on a PDF file that contains a malicious phishing link, leading them to a landing page that asks them to provide personal details, including name, address, email, and phone number. A further redirection collects people's payment-card data, claiming to require service fees for successful delivery of the package.

"This tactic leverages the perception of PDFs as safe and trusted file formats, making recipients more likely to open them," Zimperium researcher Fernando Ortega wrote in the post.

ZLabs researchers uncovered more than 630 phishing pages, 20 malicious PDF files, and a malicious infrastructure of landing pages related to the campaign, demonstrating a significant scale that potentially could impact organizations across more than 50 countries, he said.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Moreover, attackers use "a complex and previously unseen technique to hide clickable elements" of the campaign, making it difficult for most endpoint security solutions to properly analyze the hidden links and thus detect the threat, Ortega wrote.

"This strategy highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion methods to deceive users and compromise their data," he wrote.

**Manipulating PDFs to Escape Detection**

Attackers use their knowledge of the back-end composition of PDF files to create a novel evasion tactic that makes the malicious campaign harder for automated security systems to detect as suspicious, the researchers found.

In PDF files, links are typically represented using the /URI tag, which is part of an Action Dictionary object, specifically within a Go-To-URI action, Ortega explained in the post. This instructs a PDF viewer to navigate to a uniform resource identifier (URI), which is usually a Web address (URL).

The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, "making it more challenging to extract URLs during analysis," Ortega wrote.

"Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions," he added. In contrast, these solutions detect the same URLs when the standard /URI tag was used.

Related:Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

"This highlights the effectiveness of this technique in obscuring malicious URLs," Ortega explained.

**Package-Themed Phishing Not New, But Evolving**

Campaigns that impersonate the USPS and other trusted brands are hardly new, as attackers often leverage the urgency that comes with a person waiting for a package or piece of mail as a convincing lure for phishing attacks. One USPS-anchored campaign in October 2023 was linked to Iranian attackers and used close to 200 different domains as infrastructure for the attacks, as an example.

However, the scale and sophisticated evasion tactic used in the latest USPS impersonation effort makes it a notable threat, and part of a disturbing trend to take advantage of "limited mobile device security worldwide," threatening corporate users, one security experts says.

"While organizations have robust email security, the critical tension between finance, HR, and technology teams around mobile devices has created a significant and dangerous gap in protection, leading to underinvestment in web and mobile messaging security despite these becoming primary attack vectors," says Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

Indeed, organizations need to get a handle on the issue of unsecured mobile devices in the workplace, another expert says. To do this, notes Darren Guccione, CEO and co-founder at Keeper Security, they should adopt a layered security approach that combines employee education with the use of multifactor authentication (MFA) to prevent credential compromise even if a corporate user falls for an attack.

As far as enterprise security goes, he explains, employing zero-trust security frameworks that use privileged access management (PAM) solutions can serve to further mitigate risks "by restricting access to sensitive systems, ensuring only authorized users can interact with critical data."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

USPS Impersonators Tap Trust in PDFs in Smishing Attack Wave

The bug has been given a 9.9 CVSS score, and could allow authenticated threat actors to escalate their privileges to admin-level if exploited.

Source: Kristoffer Tripplaar via Alamy Stock Photo

NEWS BRIEF

Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.

Cisco Meeting Management is a management tool for Cisco's on-premises meeting platform, Cisco Meeting Server. The management system allows users to monitor and manage meetings that are running on the platform through two user roles: the first is for administrators with full rein over the platform; and the second is for "video operators," who only have access to the meetings and overview pages.

The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because "proper authorization" is not enforced on REST API users. Should an attacker send specially crafted API requests to a specific endpoint, they could exploit the vulnerability and allow an attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.

This poses a risk to businesses, as a threat actor with video operator access on the platform could exploit this vulnerability to give themselves administrator privileges, allowing them the ability to change configurations, add users, and more, according to the advisory.

The management system is vulnerable to the bug regardless of device configuration, according to the advisory. So, anyone using Cisco Meeting Management 3.9 or earlier would need to migrate to a supported version in order to fix the bug. Those with version 3.9 should upgrade to version 3.9.1; and those with version 3.10 remain unaffected. There are no workarounds to address the vulnerability.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Cisco: Critical Meeting Management Bug Requires Urgent Patch

Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.

Friday, January 24, 2025 08:37

*   Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as "poisoning") in the second half of 2024.
*   Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
*   Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

**Introduction to hidden text salting**

Hidden text salting (or "poisoning") is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

**Technical explanation**

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

A phishing email impersonating the Wells Fargo brand.

The HTML source of the above email is shown below. The **<style>** tag is used to define style information for an email via CSS. Inside the **<style>** element, one can specify how HTML elements should render in a browser or email client. The **<style>** element must be included inside the **<head>** section of the document. In this example, threat actors have set the **display** property to **inline-block**. When **inline-block** is used instead of **inline**, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the **overflow** property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

The HTML source snippet of the above phishing email shows how the 'width' property in CSS is used to hide the irrelevant characters inserted between the letters of the Wells Fargo brand.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

A phishing email impersonating the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

The HTML source snippet of the above phishing email, with Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters inserted between the letters of the Norton LifeLock brand.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

A phishing email impersonating the Harbor Freight brand.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the **LANG** field of Microsoft's **X-Forefront-Antispam-Report anti-spam** header. The LANG field specifies the language in which the message was written, and the **X-Forefront-Antispam-Report** header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft's cloud-based filtering service.

A snippet of the above email’s header shows French as the identified language of this email by Microsoft's cloud-based filtering service, called EOP.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the **display** property of the **div** element to hide the French words, thus confusing the language detection module of Microsoft.

The HTML source snippet of the above phishing email, with French characters that are hidden using the display property.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

A spear phishing email with an HTML attachment.

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

The HTML source snippet of the above phishing email, with irrelevant comments inserted between the base64-encoded characters.

**Mitigation**

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

**Advanced filtering techniques**: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., "visibility: hidden") and display (e.g., "display: none") that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

**Relying on visual features**: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

**Protection**

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the _content_ of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.

Seasoning email threats with hidden text salting

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Source: Brian Jackson via Alamy Stock Photo

A flaw in the widely used Cloudflare content delivery network (CDN) can expose someone's location by sending them an image on platforms like Signal and Discord, deanonymizing them in seconds without their knowledge.

That's according to a 15-year-old security researcher who goes by only "Daniel," who published research on GitHub Gist about the flaw — which he discovered three months ago — as a warning for journalists, activists, and hackers, who could be at physical risk.

The flaw allows an attacker to grab the location of any target within a 250-mile radius when a vulnerable app is installed on a target's phone, or even as a background application on their laptop. Using either a one-click or zero-click approach, an attacker can use the app to "send a malicious payload and deanonymize you within seconds — and you wouldn't even know," Daniel wrote.

**Cloudflare Content Caching Is the Cyber Culprit**

The core of the flaw lies in one of Cloudflare's most used features: caching, Daniel explained. Cloudflare's cache stores copies of frequently accessed content, such as images, videos, or webpages, in its datacenters, ostensibly to reduce server load and improve website performance.

When a device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local data center storage, if possible, or from the origin server. It then caches it locally, and returns it. "By default, some file extensions are automatically cached but site operators can also configure new cache rules," Daniel explained.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Because of this process flow, if an attacker can get a user's device to load a resource on a Cloudflare-backed site, causing it to be cached in their local datacenter, they can then enumerate all Cloudflare data centers to identify which one cached the resource. "This would provide an incredibly precise estimate of the user's location," Daniel explained.

Daniel did have to overcome a hurdle to this attack flow in that someone "can't simply send HTTP requests to individual Cloudflare datacenters," he wrote. However, he discovered a bug via a forum post that demonstrates how someone can send requests to specific Cloudflare datacenters with Cloudflare Workers, and created a tool called Cloudflare Teleport, a proxy powered by Cloudflare Workers that redirects HTTP requests to specific datacenters.

**How to Exploit the Cloudflare Location Flaw**

Daniel went on to demonstrate how he could send images via both Signal and Discord that would expose the recipient's location. For Signal, which is an app favored by journalists and activists due to its privacy features, a one-click attack allows someone to send either an attachment or an avatar to a user that exploits the cache geolocation method to pinpoint the recipient's location.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

An attacker also could use a zero-click attack in Signal by taking advantage of push notifications, which occur when a message is sent to a user while they are not actively using the app. In this case, the recipient doesn't even have to open the Signal conversation for their device to download the attachment, he said.

Attackers can exploit the flaw similarly in Discord, with potentially wider impact, using a custom emoji that's loaded from Discord's CDN and configured to be cached on Cloudflare, he explained.

"So, instead of sending an attachment in a Discord channel, an attacker can display a custom emoji in their user status and simply wait for the target to open their profile to run a deanonymization attack," Daniel wrote. A one-click attack vector also is possible in Discord by changing a user's avatar and sending a friend request to someone, which triggers a push notification, he added.

**Signal, Discord, Cloudflare Response & Mitigation**

Daniel contacted Signal, Discord, and Cloudflare about the bug. The first two companies did nothing to mitigate it, with Signal claiming users are responsible for protecting their own identities, and Discord claiming it was Cloudflare's responsibility.

Related:Trump Overturns Biden Rules on AI Development, Security

For its part, Cloudflare did fix the Cloudflare Workers bug that allowed Daniel to create the Teleport tool. The bug was reported to its HackerOne program a year ago by another researcher, but the company had not responded to the report. It reopened the case after Daniel's report and mitigated the issue, awarding him a $200 bug bounty in the process.

However, even after the mitigation, Daniel was able to exploit the flaw by reprogramming his Cloudflare Teleport tool to use a VPN instead, choosing a VPN provider with more than 3,000 servers located in various locations across 31 different countries worldwide. "Using this new method, I'm able to reach about 54% of all Cloudflare datacenters again," he explained.

At this time, "any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken," Daniel wrote.

And this can be especially dangerous for people who need to protect their location for various reasons, such as a woman who may be hiding from a violent boyfriend or husband, or a political dissident who is being targeted by a hostile government, says Roger Grimes, data-driven defense evangelist at KnowBe4.

“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios … where it could be a problem," he tells Dark Reading. Moreover, Grimes suspects that Cloudflare CDN is not the only CDN affected by such a flaw, as "the attack is just generic enough that I think it can be applied to more CDNs," he says.

Daniel advised that people concerned about their privacy should limit their exposure on the affected apps, which "can make a significant difference" when it comes to protecting their location data.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cloudflare CDN Bug Outs User Locations on Signal, Discord

Joe shares his recent experience presenting at the 32nd Crop Insurance Conference and how it's important to stay curious, be a forever student, and keep learning.

Thursday, January 23, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

**The one big thing**

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

**Why do I care?**

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

**So now what?**

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

**Top security headlines of the week**

*   Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
*   Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR \[sic\] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal) 
*   Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law) 

**Can’t get enough Talos?**

*   My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
*   In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**Typical Filename:** endpoint.query  
**Claimed Product:** Endpoint-Collector  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Everything is connected to security

Such routers typically lack endpoint detection and response protection, are in front of a firewall, and don't run monitoring software like Sysmon, making the attacks harder to detect.

Source: LJSphotography via Alamy Stock Photo

Dozens of organizations have been infected with router malware that uses a packet-sniffing technique to minimize its footprint.

Rather than their far more popular Cisco counterparts, the campaign, which Black Lotus Labs named "J-magic," hones in on Juniper-brand routers at the edge of high-value networks. Exposed enterprise routers are tapped with a variant of a quarter-century-old backdoor, "cd00r," which stays dormant until it receives an activation phrase — a "magic packet." Only then does it grant access to a reverse shell, from which its attackers can steal data, manipulate configurations, and spread to more devices.

"There's been a lot of emphasis on small office/home office (SOHO) devices, but attackers are just as active in the enterprise space," warns Danny Adamitis, principal information security engineer with Black Lotus Labs. "It's just that they're living on these devices that don't really have endpoint detection and response (EDR), that are in front of a firewall, and don't really run things like Sysmon, so it's a little bit harder for people to detect these attacks."

**Backdoor Malware Infests Juniper Routers**

Exactly how the hackers obtained initial access to affected routers is unknown, but the openings they exploited are clear. Around half the Juniper routers victimized by J-magic were configured as virtual private network (VPN) gateways, and the other half possessed exposed Network Configuration Protocol (NETCONF) ports, which allow administrators to remotely manage and configure network settings, but also allow attackers to sneak through and do the same. These routers served as points of entry and control for much larger networks, affording attackers a wide canvas for their malicious deeds.

Related:Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

To exploit these prized devices, the attackers install their malware, cd00r, in a position where it can observe all TCP traffic coming into the edge device. Then it waits for one of five predefined packets meeting highly specific conditions, which act like an activation phrase. When a packet meeting one of these presets is received, the program will spawn a reverse shell connected to the attacker's IP address, through the port specified in the magic packet.

The technique works because it circumvents the already limited methods defenders have for picking up on edge malware. In a typical infection, Adamitis says, "If you're able to monitor traffic from a firewall or router, you can see that there is a beacon that occurs at a set interval. And if you perform a time series analysis, you can see activity continuously occurring with that interval, and it kind of stands out. With something like this, you don't have that consistent call out. This will evade that form of detection."

Related:Automox Releases Endpoint Management With FastAgent

A J-magic attack isn't entirely complete upon reception of the magic packet, though. To confirm that the handler is the intended attacker — not just some passerby trying to piggyback on their work — cd00r sends out a "challenge" string encrypted with a hardcoded public key. Only if the attacker passes this test — by returning the string back using their associated private key — do they obtain control over the reverse shell, and with it the power to control the infected device, steal enterprise data, and deploy further malware.

Evidence of these J-magic infections dates back to September 2023, but the majority of cases appear to have popped up in the spring and summer of 2024. In that year or so, cd00r spread to the US, the UK, Russia, Norway, India, and more countries in between, affecting organizations in construction, bioengineering, insurance, and IT services, among others.

**Blind Spot in Edge Network Cybersecurity**

Easily overlooked is the fact that cd00r, though updated with new features, is a 25-year-old program. It was originally developed and released in 2000, as a proof-of-concept (PoC) for an "invisible" backdoor, on the information security website Packet Storm.

Related:15K Fortinet Device Configs Leaked to the Dark Web

That such an old, and in some ways atavistic, malware would still suffice in 2025 speaks to just how much attackers can get away with in edge networks.

"On your corporate laptop, you probably have Windows Defender and something from your favorite EDR vendor. There tend to be a lot of vendors for end-user workstations, but edge devices don't really seem to have anything on them. So by living in those blind spots, attackers are able to get away with using this 20-year-old malware, because there's no one and nothing on that particular device to actually capture that sort of user interaction," Adamitis says.

"The reporting around these kinds of enterprise-grade routers tends to be a lot more sparse," he adds. "What we're trying to say is: We think there might be this low visibility spot in the perimeter."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Black 'Magic' Targets Enterprise Juniper Routers With Backdoor

Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances.
The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management.
"This

Tag

#cisco