Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Credible Security's founders bring their varied experiences to help growing companies turn trust into a strategic advantage.

Source: Ronstik via Alamy Stock Photo

Teaching students or learning the classics may not be the typical career path for cybersecurity professionals, but the founders of independent security consultancy Credible Security believe a diversity of backgrounds can be a superpower.

"Working together has taught us that the thing that makes the difference between an acceptable and a great approach to security within any organization is not technical knowledge or skill sets or backgrounds," says co-founder Josh Yavor. Qualifications are a given, but more importantly, a security team needs leadership "empowered in the right ways with empathy and effective communication and a bias toward building relationships that are based on trust."

Yavor, along with Kim Burton and Jessica Walters, launched Credible Security at the start of 2025. The company works with business-to-business companies that offer cloud services and software-as-a-service, with a specific focus on underserved teams within organizations. That includes go-to-market teams that have public-facing functions and early-stage companies that are finding their security footing while still forming a growth strategy.

**Diversity Leads to Stronger Security Mindset**

The founding partners — "We haven't really fought over those titles yet," Yavor jokes — had worked together before at Tessian, Cisco, and Duo Security. When Proofpoint acquired Tessian in 2023, Yavor was CISO, Burton was head of trust and compliance, and Waters was senior security manager. They each had extensive security experience but had taken different paths to get there.

Prior to holding security leadership roles at Cisco Secure, Duo Security, and Facebook, Yavor was a school teacher and owned an IT consulting business. Burton studied literature and classical languages in graduate school. Walters was chief of staff of Cisco's Security Business Group team. All three say their experiences at Duo Security demonstrated the value of bringing together practitioners from different backgrounds. They stayed at Duo through its Cisco acquisition in 2018 and landed in the same team at Cisco. When Yavor joined Tessian in 2021, Burton and Walters "came over to continue the journey."

The team members' varied backgrounds "make it so that when you encounter something that you haven't seen before, everyone is able to actually relate to something that they have, in fact, experienced," Burton says. "When you have a team of people who've come from the same programs, the same location, the same ideas all the time, you actually end up with groupthink. We do not have that problem."

**Developing Strategy With a Trusted Partner**

Having different perspectives is particularly important when helping customers develop and execute their cloud strategies, according to the trio. Cloud services touch every aspect of people's lives, so B2B enterprises need to prioritize building trust with end users as part of their strategy. In the past 10 to 15 years, enterprises have made strides in thinking about risk and how to manage it, but they haven't mastered the strategy in all areas, Yavor says.

The missing part that Credible Security targets "is having consistent strategy and outcomes in evaluating and delivering trust on both sides of the equation \[end users and service providers\]," Yavor says. Trust is critical at every juncture of that pipeline; with some proactive security thinking and investment, businesses can boost results.

"We are helping our clients simplify their strategies and align them to their actual business objectives so that they have a much easier and more efficient approach to developing not just minimum viable security for whatever their product is, but actually using it as a competitive advantage as they try to earn their customers' trust and then maintain it through a long-term relationship," Yavor says.

When managing risk, many companies still conflate trust with compliance, "where you're doing checkbox exercises because you have to show up to an auditor and tell them about it. But that's a backward way of thinking about it," Burton says. Compliance is only a way to verify trustworthiness, and trust develops as consultants show that they are working with the same values and goals in mind.

"It's saying: 'Hey, how can you actually design your product and your process so that the customers that you are finding actually understand this deep-felt sense that they know you will do the best by them?'"

**'Layered Experiences'**

Another advantage Credible Security offers is the ability to tap the team's experience as both buyers of security products and on the developer side of the process.

"All three of us have these layered experiences of both things we've done or built, but then also seeing teams and brands that really showed up in a way that we would want family members to experience," Walters says. The variety of positions they have held — CISO, head of compliance, chief of staff — also give them internal perspective, Yavor adds.

"That's actually one of the most exciting differentiators about our company, that all three of us, we haven't just been in the industry, we have been in the roles that we are seeking to help," he says. "We've actually done the work."

**About the Author**

Contributing Writer, Dark Reading

Mercedes Cardona is a New York-based business journalist. She is the former editor of The Economist Group’s “Marketing Unbound” blog and WP Engine’s “Velocitize.” She also has served as the Assistant Business Editor for features at the Associated Press and Financial Editor at Advertising Age. She has contributed to books including The Advertising Age Encyclopedia of Advertising and Single Women and Money.

This Security Firm's 'Bias' Is Also Its Superpower

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   
For Snort

Friday, February 14, 2025 11:55

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.    

**ClearML XSS and information disclosure vulnerabilities **

_Discovered by Edwin Molenaar of Cisco Meraki._  

ClearML contains two vulnerabilities. ClearML is an open-source AI platform that supports the entire AI development lifecycle from research to production. It is designed to integrate with existing tools and infrastructures, allowing developers and DevOps teams to build, train and deploy models at scale. 

TALOS-2024-2110 (CVE-2024-39272) is a cross-site scripting vulnerability. A specially crafted HTTP request can allow an attacker to upload HTML files to a dataset through an existing ClearML account. The files can later be rendered within the browser of an authenticated ClearML user and execute JavaScript.  

TALOS-2024-2112 (CVE-2024-43779) is an information disclosure vulnerability. A specially crafted HTTP request can lead to an attacker reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. 

**Nvidia memory corruption and heap-based buffer overflow vulnerabilities **

_Discovered by Dimitrios Tatsis._ 

The nvJPEG2000 library is provided by NVIDIA as a high-performance JPEG2000 encoding and decoding library. The prerequisite is a CUDA enabled GPU in the system that allows faster processing than traditional CPU implementations. 

TALOS-2024-2080 (CVE-2024-0142) and  TALOS-2024-2095 (CVE-2024-0143) are memory corruption vulnerabilities. A specially crafted JPEG2000 file can lead to an out-of-bounds write with arbitrary data which can lead to further memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 

 TALOS-2024-2108 (CVE-2024-0144) and TALOS-2024-2113 (CVE-2024-0145) are heap-based buffer overflow vulnerabilities in the Ndecomp field handling and parameter. A specially crafted JPEG2000 file can lead to memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

ClearML and Nvidia vulns

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Hazel discusses Interpol’s push to rename pig butchering scams as ‘romance baiting’. Plus, catch up on the latest vulnerability research from Talos, and why a recent discovery is a “rare industry win”.

Thursday, February 13, 2025 14:05

Welcome to this week’s edition of the Threat Source Newsletter.

Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?

You may be seeing a lot of ‘Beware of romance/ pig butchering scams’ articles around Valentines Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”. 

I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.

In a statement, Interpol explained their reasoning:

_"The term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,"_

Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it). 

By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:

_"Words matter. We've seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud," INTERPOL Acting Executive Director of Police Services Cyril Gout said._

_"It's time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes."_

I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better. 

What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?

**The one big thing**

In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: IPP over USB specification, which defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality. 

The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.

**Why do I care?**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY\_SOURCE, saved the day.

**So now what?**

The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.

**Top security headlines of the week**

Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).

Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)

Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).

Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).

**Can't get enough Talos?**

Google Cloud Platform Data Destruction via Cloud Build

Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 

Catch up on the latest Talos Takes podcast:

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025) San Francisco, CA

TIPS 2025 (May 14-15, 2025) Arlington, VA

**Most prevalent malware files from Talos telemetry over the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 MD5: 7bdbd180c081fa63ca94f9c22c457376 VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A 

Detection Name: Trojan.GenericKD.33515991

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA-256: 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1

MD5: 35f8db3dde368c6d25239d27fd79a4a7

VirusTotal: https://www.virustotal.com/gui/file/6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1/details

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: easysmartpdf.msi

Changing the narrative on pig butchering scams

Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.

When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.

Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED.

“They’re super active, and they continue to be super active,” says Levi Gundert, who leads Recorded Future's research team known as Insikt Group. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”

To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim's network.

“Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,” Gundert says.

Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.

When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.

Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That's in part because those network devices lack many of the security controls and monitoring software that's been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.

That Salt Typhoon continues to carry out business as usual is nonetheless notable, Recorded Future's analysts say. The group's activities have been exposed in the media, in government reports and announcements issued by the FCC, CISA, and the White House, even in sanctions issued by the US Treasury. But that hasn't caused the hackers to change course. On January 17, Treasury sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm allegedly linked to Salt Typhoon's operations. And yet, Gundert says, Recorded Future hasn't seen any cessation or slowdown of the hackers' activities even since that date.

“That's the disappointing part about this,” says Gundert. “Even with all the attention, we haven't observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.”

After Salt Typhoon's hacking campaign targeting US telecom networks came to light last fall, then FBI director Christopher Wray described the phone company breaches as China's “most significant cyber-espionage campaign in history.” The intrusions, which in some cases exploited the wiretap mechanisms built into telecoms for law enforcement use, prompted CISA and FBI officials to go so far as to recommend that Americans use end-to-end encrypted communication apps like Signal and WhatsApp to avoid leaving their texts and calls vulnerable to China's real-time spying.

In this latest rash of intrusions, Recorded Future says it's seen the Chinese hackers break into not only the US internet service provider and telecommunications firm and a US affiliate of a UK telecom, but also telecoms in South Africa and Thailand and an internet service provider in Italy, though it declined to name any of those victims. It's also seen the group target a broader range of universities around the world for apparent espionage, including in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US—including the University of California, California State, Utah Tech, and Loyola University.

Recorded Future says it was able to gain visibility into those intrusions by identifying command-and-control infrastructure used by Salt Typhoon, though it didn't further explain its methodology. The company's analysts note that there may well be other parts of the group's hacking campaign—and other victims—that it hasn't discovered.

“They've only gotten more bold,” says Jon Condra, another Recorded Future analyst. “I strongly suspect it's much larger than what we’ve seen.”

China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.

Source: Alexey Krukovski via Alamy Stock Photo

The US government has joined Australia and the UK in sanctioning a Russia-based bulletproof hosting (BPH) services provider and two of its administrators for the company's role in supporting LockBit ransomware attacks. The move is a continuation of a barrage of law-enforcement actions against the Russia-based cybercriminal organization.

The Department of the Treasury's Office of Foreign Assets Control (OFAC), Australia's Department of Foreign Affairs and Trade, and the United Kingdom's Foreign Commonwealth and Development Office jointly sanctioned Zservers, based in Barnaul, Russia, for enabling "ransomware attacks and other criminal activity," the Treasury Department revealed in a press release Feb. 11. That illicit activity specifically centers on providing the infrastructure to facilitate attacks by LockBit, a prolific Russian-based ransomware-as-a-service (RaaS) group, according to the release.

The latest sanctions against Zservers are a continuation of multinational law-enforcement actions aimed at putting LockBit — which has committed severely disruptive ransomware attacks against numerous global organizations — permanently out of commission.

Specifically, they follow four LockBit-related arrests and device seizures made in October by Europol and Eurojust, which at the time also sanctioned and named as a LockBit affiliate Aleksandr Ryzhenkov (aka Beverley). Ryzhenkov was once second-in-command for the infamous Evil Corp cybercrime organization. Officials also arrested one of LockBit's lead developers in Israel last August, while a separate action by Australia sanctioned LockBit's head honcho, LockBitSupp (aka Dmitry Yuryevich Khoroshev), in May 2024.

Related:President Trump to Nominate Former RNC Official as National Cyber Director

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on Us and international critical infrastructure," Bradley T. Smith, the Treasury Department's acting under secretary for terrorism and financial intelligence, said in a press statement. The sanctions demonstrate the US government's "collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security," he added.

**LockBit Investigation Trail Leads to Zservers**

Law enforcement investigating LockBit discovered the criminal activity of Zservers after the company advertised its BPH services on known cybercriminal forums, according to the Treasury Department. BPH service providers sell access to specialized servers and other computer infrastructure designed to evade detection and thus defy law enforcement attempts to disrupt malicious activities.

Related:Content Credentials Technology Verifies Image, Video Authenticity

Allegedly, Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks, according to international law enforcement, which collected evidence over several years to come to this conclusion.

During a 2022 search of a known LockBit affiliate, Canadian law enforcement uncovered a laptop operating a virtual machine connected to a Zservers' subleased IP address and running a programming interface used to operate LockBit malware. Also that year, a Russian cybercriminal purchased IP addresses from Zservers, which the department said was likely for use to power LockBit chat servers to discuss ransomware operations. In 2023, Zservers also leased infrastructure, including a Russian IP address, to a LockBit affiliate, the department said.

**Do Anti-Russian Sanctions Work?**

The idea behind government sanctions is to prohibit companies in certain countries from doing business with people involved in cybercriminal activity with the aim of deterring that activity. However, given the resilience of professional ransomware and other cybercriminal groups, experts have mixed opinions on whether this strategy actually works in the long run.

Related:India's Cybercrime Problems Grow as Nation Digitizes

"It is important to acknowledge that although sanctions might impede ransomware operations by targeting their infrastructure, ransomware groups such as LockBit are highly adaptive and well-connected, and will likely have other providers they're able to call on," says Andrew Costis, engineering manager of the Adversary Research Team at security firm AttackIQ.

However, sanctions should make it more difficult for cybercriminals to operate by increasing their costs and forcing attackers to find less effective methods to commit ransomware attacks, another security expert says. This can serve to at least slow them down if not totally put them out of service, notes Randolph Barr, CISO at security firm Cequence.

"The recently announced sanctions and law enforcement actions against Zservers will aid in disrupting ransomware groups by targeting their infrastructure, seizing servers, and blocking financial transactions," he says.

Still, sanctions alone may not necessarily disrupt LockBit and other ransomware groups entirely, meaning that organizations must remain vigilant, Barr says. "As threat actors adapt, companies must continue improving incident management and include ransomware scenarios in their preparedness exercises," he notes.

Indeed, Costis says, given the adaptability of RaaS and its network of affiliates in particular, "organizations must stay vigilant and focus on the latest tactics, techniques, and procedures (TTPs) attackers deploy, to stay ahead of ever-changing threats."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Sanction Russian Hosting Provider for Supporting LockBit Attacks

Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.”

Tuesday, February 11, 2025 14:24

Microsoft has released its monthly security update for February of 2025 which includes 63 vulnerabilities affecting a range of products, including 4 that Microsoft marked as “critical” and one marked as "moderate."

There are two notable "critical" vulnerabilities. The first is CVE-2025-21376, which is a remote code execution (RCE) vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP). This vulnerability is a remote unauthenticated Out-of-bounds Write (OOBW) caused by a race condition in LDAP and could potentially result in arbitrary code execution in the Local Security Authority Subsystem Service (lsass.exe). This is a process in the Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. Successful exploitation of this vulnerability requires an attacker to win a race condition. CVE-2025-21376 has been assigned a CVSS 3.1 score of 8.1 and is considered “more likely to be exploited” by Microsoft. 

CVE-2025-21379 is another notable critical remote code execution vulnerability. It was found in the DHCP Client Service and was also patched this month. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This vulnerability has been assigned a CVSS 3.1 score of 7.1 and is considered "less likely to be exploited” by Microsoft.

CVE-2025-21177 is a critical privilege escalation vulnerability in the Microsoft Dynamics 365 Sales customer relationship management (CRM) software. A Server-Side Request Forgery (SSRF) allows an authorized attacker to elevate privileges over a network.

CVE-2025-21381 is a critical remote code execution vulnerability affecting Microsoft Excel and could enable an attacker to execute arbitrary code on vulnerable systems. This vulnerability could be triggered via the preview pane in affected applications. This vulnerability has been listed "less likely to be exploited" by Microsoft.

CVE-2025-21368 and CVE-2025-21369 are RCE vulnerabilities flagged "important" by Microsoft. They have a CVS 3.1 score of 8.8. To successfully exploit one of these remote code execution vulnerability, an attacker could send a malicious logon request to the target domain controller. Any authenticated attacker could trigger these vulnerabilities. It does not require admin or other elevated privileges.

CVE-2025-21400 is also an RCE vulnerability flagged "important" by Microsoft, affecting the Microsoft SharePoint Server. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems. This attack requires a client to connect to a malicious server and could allow an attacker to gain code execution on the client. Microsoft considers this vulnerability as "more likely to be exploited".

CVE-2025-21391 and CVE-2025-21418 are the only vulnerabilities this month which are known to be exploited in the wild. Both are privilege elevation vulnerabilities. An attacker can use CVE-2025-21391 to delete critical system files. CVE-2025-21418, nestled within the Ancillary Function Driver (AFD), exposes a pathway to local privilege escalation through the Winsock API. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.

Talos would also like to highlight the following vulnerabilities that Microsoft considers to be “important”:   

*   CVE-2025-21190 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21198 Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
*   CVE-2025-21200 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21201 Windows Telephony Server Remote Code Execution Vulnerability
*   CVE-2025-21208 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
*   CVE-2025-21371 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21406 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21407 Windows Telephony Service Remote Code Execution Vulnerability
*   CVE-2025-21410 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 62022, 62023, 64529-64532, 64537, 64539-64542, 64545. There are also these Snort 3 rules: 300612, 301136, 301137, 301139, 301140.

Microsoft Patch Tuesday for February 2025 — Snort rules and prominent vulnerabilities

Cisco denies recent data breach claims by the Kraken ransomware group, stating leaked credentials are from a resolved 2022 incident. Learn more about Cisco's response and the details of the original attack.

Cisco has refuted claims of a recent data breach after the Kraken ransomware group published sensitive information, allegedly stolen from the company’s internal network, on its dark web leak site. Cyber Press reported on the ransomware group’s claims, which included the exposure of credentials linked to Cisco’s Windows Active Directory environment. 

According to the report, the leaked dataset contained usernames and their associated domains, unique relative identifiers (RIDs) for each user account, and hashed representations of passwords (NTLM hashes). The compromised accounts include privileged administrator accounts, regular user accounts, service and machine accounts linked to domain controllers, and the crucial Kerberos Ticket Granting Ticket (krbtgt) account.

The report further revealed that credential-dumping tools like Mimikatz, pwdump, or hashdump were likely used to extract this information. These tools are commonly employed by cybercriminals and advanced persistent threat (APT) groups to harvest credentials stored within system memory. Alongside the leaked data, the attackers left a threatening message, hinting at their intent to inflict further damage.  

“You lied to us and play for time to kick us out. We will meet you soon, again. Next time you’ll have no chance,” attackers stated.

Files published by the Kraken ransomware group (Image via: CyberPress)

However, Cisco has issued an official statement contradicting the ransomware group’s claims, revealing that the exposed credentials stem from a previously disclosed security incident that occurred back in May 2022.  

“Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers,” the company stated.

Hackread.com reported a breach where attackers gained control of a Cisco employee’s personal Google account containing company credentials. Through sophisticated voice phishing (vishing) attacks, the attackers bypassed multi-factor authentication (MFA) and gained access to the target user’s VPN. Cisco confirmed it successfully removed the intruder, who made several unsuccessful attempts to regain access in the following weeks.

Cisco’s CSRIT and Talos teams found no evidence suggesting the attacker accessed critical internal systems, such as the production environment or code signing architecture.  

At the time of the 2022 incident, Cisco believed the perpetrator was an initial access broker (IAB) linked to the group tracked by Mandiant as UNC2447, known for its use of the FiveHands malware, as well as the Lapsus$ threat collective and the Yanluowang ransomware operation.  

While the current claims by the Kraken ransomware group involve data from an older incident, the re-emergence of this information highlights the increasing prevalence of credential-based cyberattacks and the need to implement advanced yet reliable security measures.

Organizations should adopt proactive defences, such as forced password resets, disabling NTLM authentication, implementing multi-factor authentication, monitoring access logs for unauthorized activity, and enhancing network monitoring to detect intrusion attempts.

Cisco Rejects Kraken Ransomware’s Data Breach Claims

The popular generative AI (GenAI) model allows hallucinations, easily avoidable guardrails, susceptibility to jailbreaking and malware creation requests, and more at critically high rates, researchers find.

Source: Mundissima via Alamy Stock Photo

Organizations might want to think twice before using the Chinese generative AI (GenAI) DeepSeek in business applications, after it failed a barrage of 6,400 security tests that demonstrate a widespread lack of guardrails in the model.

That's according to researchers at AppSOC, who conducted rigorous testing on a version of the DeepSeek-R1 large language model (LLM). Their results showed the model failed in multiple critical areas, including succumbing to jailbreaking, prompt injection, malware generation, supply chain, and toxicity. Failure rates ranged between 19.2% and 98%, they revealed in a recent report.

Two of the highest areas of failure were the ability for users to generate malware and viruses using the model, posing both a significant opportunity for threat actors and a significant threat to enterprise users. The testing convinced DeepSeek to create malware 98.8% of the time (the "failure rate," as the researchers dubbed it) and to generate virus code 86.7% of the time.

Such a lackluster performance against security metrics means that despite all the hype around the open source, much more affordable DeepSeek as the next big thing in GenAI, organizations should not consider the current version of the model for use in the enterprise, says Mali Gorantla, co-founder and chief scientist at AppSOC.

Related:CISA Places Election Security Staffers on Leave

"For most enterprise applications, failure rates about 2% are considered unacceptable," he explains to Dark Reading. "Our recommendation would be to block usage of this model for any business-related AI use."

**DeepSeek's High-Risk Security Testing Results**

Overall, DeepSeek earned an 8.3 out of 10 on the AppSOC testing scale for security risk, 10 being the riskiest, resulting in a rating of "high risk." AppSOC recommended that organizations specifically refrain from using the model for any applications involving personal information, sensitive data, or intellectual property (IP), according to the report.

AppSOC used model scanning and red teaming to assess risk in several critical categories, including: jailbreaking, or "do anything now," prompting that disregards system prompts/guardrails; prompt injection to ask a model to ignore guardrails, leak data, or subvert behavior; malware creation; supply chain issues, in which the model hallucinates and makes unsafe software package recommendations; and toxicity, in which AI-trained prompts result in the model generating toxic output.

The researchers also tested DeepSeek against categories of high risk, including: training data leaks; virus code generation; hallucinations that offer false information or results; and glitches, in which random "glitch" tokens resulted in the model showing unusual behavior.

Related:Data Leaks Happen Most Often in These States — Here's Why

According to Gorantla's assessment, DeepSeek demonstrated a passable score only in the training data leak category, showing a failure rate of 1.4%. In all other categories, the model showed failure rates of 19.2% or more, with median results in the range of a 46% failure rate.

"These are all serious security threats, even with much lower failure rates," Gorantla says. However, the high failure results in the malware and virus categories demonstrate significant risk for an enterprise. "Having an LLM actually generate malware or viruses provides a new avenue for malicious code, directly into enterprise systems," he says.

**DeepSeek Use: Enterprises Proceed With Caution**

AppSOC's results reflect some issues that have already emerged around DeepSeek since its release to much fanfare in January with claims of exceptional performance and efficiency even though it was developed for less than $6 million by a scrappy Chinese startup.

Soon after its release, researchers jailbroke DeepSeek, revealing the instructions that define how it operates. The model also has been controversial in other ways, with claims of IP theft from OpenAI, while attackers looking to benefit from its notoriety already have targeted DeepSeek in malicious campaigns.

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

If organizations choose to ignore AppSOC's overall advice not to use DeepSeek for business applications, they should take several steps to protect themselves, Gorantla says. These include using a discovery tool to find and audit any models used within an organization.

"Models are often casually downloaded and intended for testing only, but they can easily slip into production systems if there isn't visibility and governance over models," he says.

The next step is to scan all models to test for security weaknesses and vulnerabilities before they go into production, something that should be done on a recurring basis. Organizations also should implement tools that can check the security posture of AI systems on an ongoing basis, including looking for scenarios such as misconfigurations, improper access permissions, and unsanctioned models, Gorantla says.

Finally, these security checks and scans need to be performed during development (and continuously during runtime) to look for changes. Organizations should also monitor user prompts and responses, to avoid data leaks or other security issues, he adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco