A timing attack vulnerability exists in ABB Cylon FLXeon's authentication process due to improper comparison of password hashes in login.js and uukl.js. Specifically, the verifyPassword() function in login.js and the verify() function in uukl.js both calculate the password hash and compare it to the stored hash. In these implementations, small differences in response times are introduced based on how much of the password or the username matches the stored hash, making the system vulnerable to timing-based analysis.

Title: ABB Cylon FLXeon 9.3.4 (login.js) Node Timing Attack  
Advisory ID: ZSL-2025-5925  
Type: Local/Remote  
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 14.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

A timing attack vulnerability exists in ABB Cylon FLXeon's authentication process due to improper comparison of password hashes in login.js and uukl.js. Specifically, the verifyPassword() function in login.js and the verify() function in uukl.js both calculate the password hash and compare it to the stored hash. In these implementations, small differences in response times are introduced based on how much of the password or the username matches the stored hash, making the system vulnerable to timing-based analysis.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[14.02.2025\] Public security advisory released.

**PoC**

ntime.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189254/

**Changelog**

\[14.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (login.js) Node Timing Attack

Companies pursing internal AI development using models from Hugging Face and other open source repositories need to focus on supply chain security and checking for vulnerabilities.

Source: Zoonar GmbH via Alamy Stock Photo

Attackers are finding more and more ways to post malicious projects to Hugging Face and other repositories for open source artificial intelligence (AI) models, while dodging the sites' security checks. The escalating problem underscores the need for companies pursuing internal AI projects to have robust mechanisms to detect security flaws and malicious code within their supply chains.

Hugging Face's automated checks, for example, recently failed to detect malicious code in two AI models hosted on the repository, according to a Feb. 3 analysis published by software supply chain security firm ReversingLabs. The threat actor used a common vector — data files using the Pickle format — with a new technique, dubbed "NullifAI," to evade detection.

While the attacks appeared to be proofs-of-concept, their success in being hosted with a "No issue" tag shows that companies should not rely on Hugging Face's and other repositories' safety checks for their own security, says Tomislav Pericin, chief software architect at ReversingLabs.

"You have this public repository where any developer or machine learning expert can host their own stuff, and obviously malicious actors abuse that," he says. "Depending on the ecosystem, the vector is going to be slightly different, but the idea is the same: Someone's going to host a malicious version of a thing and hope for you to inadvertently install it."

Related:This Security Firm's 'Bias' Is Also Its Superpower

Companies are quickly adopting AI, and the majority are also establishing internal projects using open source AI models from repositories — such as Hugging Face, TensorFlow Hub, and PyTorch Hub. Overall, 61% of companies are using models from the open source ecosystem to create their own AI tools, according to a Morning Consult survey of 2,400 IT decision-makers sponsored by IBM.

Yet many of the components can contain executable code, leading to a variety of security risks, such as code execution, backdoors, prompt injections, and alignment issues — the latter being how well an AI model matches the intent of the developers and users.

**In an Insecure Pickle**

One significant issue is that a commonly used data format, known as a Pickle file, is not secure and can be used to execute arbitrary code. Despite vocal warnings from security researchers, the Pickle format continues to be used by many data scientists, says Tom Bonner, vice president of research at HiddenLayer, an AI-focused detection and response firm.

"I really hoped that we'd make enough noise about it that Pickle would've gone by now, but it's not," he says. "I've seen organizations compromised through machine learning models — multiple \[organizations\] at this point. So yeah, whilst it's not an everyday occurrence such as ransomware or phishing campaigns, it does happen."

Related:How Banks Can Adapt to the Rising Threat of Financial Crime

While Hugging Face has explicit checks for Pickle files, the malicious code discovered by ReversingLabs sidestepped those checks by using a different file compression for the data. Other research by application security firm Checkmarx found multiple ways to bypass the scanners, such as PickleScan used by Hugging Face, to detect dangerous Pickle files.

Despite having malicious features, this model passes security checks on Hugging Face. Source: ReversingLabs

"PickleScan uses a blocklist which was successfully bypassed using both built-in Python dependencies," Dor Tumarkin, director of application security research at Checkmarx, stated in the analysis. "It is plainly vulnerable, but by using third-party dependencies such as Pandas to bypass it, even if it were to consider all cases baked into Python, it would still be vulnerable with very popular imports in its scope."

Rather than Pickle files, data science and AI teams should move to Safetensors — a library for a new data format managed by Hugging Face, EleutherAI, and Stability AI — which has been audited for security. The Safetensors format is considered much safer than the Pickle format.

Related:Warning: Tunnel of Love Leads to Scams

**Deep-Seated AI Vulnerabilities**

Executable data files are not the only threats, however. Licensing is another issue: While pretrained AI models are frequently called "open source AI," they generally do not provide all the information needed to reproduce the AI model, such as code and training data. Instead, they provide the weights generated by the training and are covered by licenses that are not always open source compatible.

Creating commercial products or services from such models can potentially result in violating the licenses, says Andrew Stiefel, a senior product manager at Endor Labs.

"There's a lot of complexity in the licenses for models," he says. "You have the actual model binary itself, the weights, the training data, all of those could have different licenses, and you need to understand what that means for your business."

Model alignment — how well its output aligns with the developers' and users' values — is the final wildcard. DeepSeek, for example, allows users to create malware and viruses, researchers found. Other models — such as OpenAI's o3-mini model, which boasts more stringent alignment — has already been jail broken by researchers.

These problems are unique to AI systems and the boundaries of how to test for such weaknesses remains a fertile field for researchers, says ReversingLabs' Pericin.

"There is already research about what kind of prompts would trigger the model to behave in an unpredictable way, divulge confidential information, or teach things that could be harmful," he says. "That's a whole other discipline of machine learning model safety that people are, in all honesty, mostly worried about today."

Companies should make sure to understand any licenses covering the AI models they are using. In addition, they should pay attention to common signals of software safety, including the source of the model, development activity around the model, its popularity, and the operational and security risks, Endor's Stiefel says.

"You kind of need to manage AI models like you would any other open source dependencies," Stiefel says. "They're built by people outside of your organization and you're bringing them in, and so that means you need to take that same holistic approach to looking at risks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source AI Models: Perfect Storm for Malicious Code, Vulnerabilities

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place.

Source: Backyard Productions via Alamy Stock Photo

Elon Musk and his band of programmers have been granted access to data from US government systems to aid their stated efforts to slash the size of government, leaving cybersecurity experts deeply concerned over how all of this sensitive data is being secured.

So far, Musk and his Department of Government Efficiency (DOGE) have accessed the computer systems of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), which holds sensitive data on millions of federal workers — including, notably, security clearances — and has subsequently blocked key government officials from further accessing those personnel systems, according to a bombshell from Reuters.

The DOGE team reportedly also sent only partially redacted names of CIA personnel through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Moving forward, there are more plans to use AI to run the government. Reportedly, DOGE is also creating its own chatbot to run the federal government's General Services Administration, called GSAi.

Related:How Public & Private Sectors Can Better Align Cyber Defense

DOGE has not yet replied to a request for comment from Dark Reading, but this reporter did ask cybersecurity experts for their thoughts on the unraveling of cybersecurity protections around federal government data. The comments below were gathered from cybersecurity law and policy expert Stewart Baker; Evan Dornbush, former NSA cybersecurity expert; and Willy Leichter, chief marketing officer with AppSOC.

**Question 1: Do the activities of DOGE cause you concern regarding the cybersecurity of the data they are accessing?**

Stewart Baker: Of course DOGE's rapid-fire smartest-guy-in-the-room approach to government reform raises security risks, especially if DOGE is coding changes into government systems. The rule for software design is "fast, secure, and cheap — pick any two." Elon Musk has achieved enormous success in business by eliminating procedures and organizations and parts that the experts said were essential.

He's running Twitter/X with one-fifth the employees it had before he took over. He has dramatically simplified rocket design, enabling faster manufacturing and turnaround. So it's no surprise he'd want to challenge and ignore a lot of government rules, including those that protect information security. But the security rules protect against active adversaries. Taking shortcuts that seem sensible to smart guys in a hurry could lead to serious problems down the road, and it may take us a while to realize the damage. 

Related:President Trump to Nominate Former RNC Official as National Cyber Director

Musk's impatience is understandable, though. I'm sure that there are employees using the security rules to slow him down or thwart him entirely. It's important that DOGE take security seriously, but also that its critics be very specific about the security risks they see, rather than using cybersecurity as an all-purpose tool for delay.

Evan Dornbush: It's quite reasonable for people to be concerned, even alarmed, at how DOGE is currently operating. For any organization, the process of securing data is often developed over years, taking in myriad perspectives to ensure confidential data is minimally accessible, and that logging can recreate a picture of accessed data, or data in transit, when required.

Willy Leichter: The actions of DOGE, in just its first couple of weeks, is the largest, deliberate trampling of government security protocols in cyber history. The arrogance, deliberate ignorance, malevolence, and sheer stupidity of this gang of untrained and unaccountable hackers roaming sensitive government networks is staggering. If this type of activity happened in the private sector, with this level of highly sensitive and regulated information, we would be talking about massive fines and personal criminal liability for all the actors involved.

Related:Content Credentials Technology Verifies Image, Video Authenticity

This could not be happening at a more precarious time for government cybersecurity. China and other countries have been ramping up attacks, already targeting many of the same networks, stealing data and planting the tools to cripple our critical infrastructure. Putting this data in inexperienced and reckless hands, while dismantling defense systems, demoralizing our most experienced experts, disbanding public-private advisory groups, and defunding critical cyber initiatives will inevitably have disastrous consequences. The only questions are whether this will cost us billions versus trillions in losses, and whether it will take years versus decades to recover.

**Question 2: What has DOGE done specifically that causes you concern?**

Baker: Sending the names of CIA employees in unclassified channels is very risky, even if the names are only first name, final initial. Given all the other sources of information about individuals, reconstructing full names is something a hostile foreign service would seek to do, so they'll be trying to intercept the list of names. My question is why DOGE thinks that's a risk worth taking? Will the list of names do DOGE any good? I assume the request was tied to possible layoffs at the CIA, but did DOGE really need the names to decide who to lay off? If not, this was an unnecessary risk and irresponsible.

Dornbush: Lack of transparency. Right now, it seems like questions are being asked to DOGE about how it is securing the data it accessed from government sites. It is unclear if anyone from DOGE is even replying. Minimizing risk of unauthorized access requires whole teams of specialists, augmented by purpose-built hardware and software. Even if it is ultimately determined that DOGE does have authorization to access this data, \[if\] it has physically removed the data from these hardened and professionally monitored networks, how is DOGE ensuring the data is responsibly protected from its own compromise or disclosure? How is it able to certify that the data is destroyed once it is no longer required?

Leichter: The DOGE team has disregarded nearly every foundational security principle taught in the first week of a cybersecurity course — assuming they ever took one.

These include forcing entry to restricted and classified systems without proper authorization. Officials doing their sworn duty to prevent this were put on administrative leave. DOGE members were also given excessive access to sensitive systems that went far beyond what was necessary for their advisory roles. Also, DOGE personnel with controversial backgrounds, blatant lack of qualifications, and obvious conflicts of interest went through no legitimate vetting by qualified government agencies.

Displaying a disregard for security protocols, DOGE operatives bypassed standard security measures, accessing systems without authorization and ignoring protocols meant to protect sensitive data, \[and were provided\] unauthorized access to personal data of federal employees and US citizens, which violates multiple privacy laws, even if the data is not leaked.

**Question 3: What do you think needs to happen to secure the data in DOGE custody?**

Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. Judicial rulings that try to protect the data by denying DOGE access should be lifted.

Dornbush: DOGE securing the data is an impossibility. DOGE is newly formed. The data it is looking at sat behind years of accumulated people, products, and policy that specialize only in the security of that data set. Removing the data from these sites evaporates that progress, and ironically, is extremely inefficient and wasteful. If you want to see this data, fine. Work from the office.

Leichter: It's probably impossible to undo this type of damage. The data needs to be destroyed, all inappropriate access revoked, and the highly trained government custodians need to be allowed to return to work and do their jobs. All of this seems highly unlikely, as the administration is deliberately disabling as much of the federal government as possible and replacing highly trained experts with incompetent political hires.

**Question 4: What are you paying attention to most regarding DOGE and its information security strategy?**

Baker:  I'm still waiting to hear what DOGE's infosec strategy and commitments are.

Dornbush: What DOGE is purportedly doing is important and has merit. I'd love to know what the infosec strategy is. Right now, it seems like sharing the security steps they are taking with the public is not a priority.

Leichter: If DOGE has a strategy, it has kept it secret. Any legitimate government agency would have a well-documented strategy, public input, and defined objectives that align with larger goals. The only discernable strategy of DOGE and the administration is to dismantle as much of the government as quickly as possible, purging experience, which they seem to view as a liability.

The only question is how quickly judicial intervention can kick in and whether it will be ignored. The one thing that might influence this administration is widespread public condemnation after the next major security incident, which is probably lurking right around the corner. That’s a terrible security strategy.

Would you like to weigh in on any of the above four questions? If so, please send a note to \[email protected\] to be included in a follow-up story with reader reactions.

Roundtable: Is DOGE Flouting Cybersecurity for US Data?

With investment in cybersecurity capabilities and proactive measures to address emerging challenges, we can work together to navigate the complexities of combating cybercrime.

Chris Henderson, Senior Director of Threat Operations, Huntress

February 13, 2025

5 Min Read

Source: wsf AL via Alamy Stock Photo

COMMENTARY

Cybercrime isn't just an inconvenience — it's a serious threat capable of disrupting essential infrastructure, endangering public safety, and shaking the foundations of our financial systems and economy.

We've all seen the headlines in recent years — from a cyberattack on an energy pipeline that disrupted the fuel supply across parts of the US to a large-scale ransomware attack on a health insurance provider that led to a massive leak of personal data. Uncovering and combating cybercrime remains a complex challenge for many reasons, but chief among them is the disconnect in data collection, sharing, and collaboration between the public and private sectors.

Critical infrastructure, essential utilities like power and water, local municipalities and services (think 911 and EMS), small and midsize businesses, and healthcare — not one of these is off-limits to cybercriminals. And as threat actors become more aggressive, our defenses must keep up.

**Plenty of Red Tape, but No Clear Defenses**

The US government has a duty to take the lead in defending the nation against cybercrime. But while there's been some progress over the past few decades toward stronger national leadership on cybersecurity, the truth is that there's been a lot of added red tape with no clear responsible party.

Over the past 25 years, organizations like the FBI's Internet Crime Complaint Center (IC3), the National Cyber Investigative Joint Task Force (NCIJTF), and the Cybersecurity and Infrastructure Security Agency (CISA) have been created. They're producing valuable alerts and educational resources on growing cyber threats. That's all great, except for one thing. Despite decades of progress on building federal alignment around cybersecurity as a key priority, there's still no clear voice leading the charge. Meanwhile, cybercriminals are staying one step ahead, moving faster and more strategically than the agencies tasked with safeguarding citizens' cybersecurity.

That brings us to March 2024, when the Foundation for Defense of Democracies (FDD) released a report calling for the creation of a stand-alone military Cyber Force. This team would run Pentagon cyber-defense efforts from within the Department of the Army and help set the stage for a more unified defense strategy over the next five to 10 years. The report is rooted in feedback from over 70 active and retired military cyber experts who all seem to agree on one thing: Cybercrime poses a serious and growing threat to national security, and it's time to do something about it.

**Closing the Gap**

At the highest levels of government, the US has made a strong push to identify, address, and communicate emerging and critical cyber threats. And now, it's on both the public and private sectors to bridge the gap and work together. But the big question we've yet to fully address is whether there's sufficient collaboration between the public and private sectors and if our response times are suffering because of it.

Take March 2021, for example. Microsoft flagged that a hacking group exploited multiple zero-day vulnerabilities targeting Microsoft Exchange Server software. A month later, the Justice Department stepped in with a court-authorized effort to disrupt ongoing exploitation. And the patches? Those finally rolled out another month later, after cybercriminals had plenty of time to exploit the vulnerabilities and infiltrate organizations.

Fast forward to the ConnectWise ScreenConnect vulnerability that surfaced last year. This time, the private sector was ahead of the game, with guidance and fixes hitting the headlines quickly. But, when it came to government action, CISA issued its advisory days after the vulnerability was announced.

Progress has definitely been made over the past two decades — there's no denying that. But there's still room to tighten the partnership between public and private sectors regarding cybersecurity. So, how do we achieve that?

**Building Future Defenses That Command Respect**

To build stronger defenses for the future, we need to respond to these kinds of incidents in minutes and hours — not days, weeks, or months. There has to be a faster, simpler way for leaders from both the public and private sectors to connect, share insights, and issue clear instructions for vulnerabilities, patches, and more.

I've pinpointed five key areas that, in my opinion, need serious attention to improve collaboration between public and private sectors:

1.  Insights: If we unify data collection, analysis, and sharing, we can give policymakers and practitioners a clearer picture of cybercrime — its scope, its patterns, and where to hit back with precision.
    
2.  Data: Taking that one step further and sharing more data between agencies and the private sector would make a tangible difference in how prepared organizations and municipalities are for known and emerging vulnerabilities.
    
3.  Policy and legislation: Here's a practical one — streamline classification processes. Using a common language for cybercrimes would cut down on miscommunication and confusion.
    
4.  Collaboration: Create task forces between government and industry that scale to the highest levels of government and the gravest threats, responding in a coordinated, powerful way.
    
5.  Hacking back: There are pros and cons to this option, but I'd like to see the federal government explore how to build skills to hack the hackers, and somewhat importantly, what the rules of engagement would be for companies and local governments. The notion has been introduced to the government, but to date, no laws have been passed yet to push it forward.
    

The fight against cybercrime is constantly evolving, and keeping up will take all of us working together and thinking creatively. Recent initiatives prove that when we harness technology, coordinate effectively, and build stronger public-private partnerships, we can significantly bolster our defenses, reducing the impact of cybercrime on individuals and institutions. It's no easy task — staying ahead requires vigilance, adaptability, and a willingness to tackle uncharted challenges. But together, through collaboration and determination, we can tackle cybercrime challenges head-on, creating a safer and more secure future for everyone.

**About the Author**

Senior Director of Threat Operations, Huntress

Chris Henderson runs Threat Operations and Internal Security at Huntress. He has been securing MSPs and their clients for more than 10 years through various roles in software quality assurance, business intelligence, and information security.

How Public &amp; Private Sectors Can Better Align Cyber Defense

Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.

According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.

The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim's network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.

"The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.

Symantec researchers noted that prior intrusions using the tool set were against the foreign ministry of a Southeastern European country, the government of another, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. Each of these attacks occurred between last July and January, and all were espionage-related, with no ransomware component.

"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," said the researchers in a posting this week.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the United Kingdom, and key sectors since 2021.

A hacking group with links to Russian intelligence has been silently compromising computer networks worldwide, including those in the United States and the United Kingdom, by taking advantage of known security vulnerabilities in widely used software.

This was revealed by Microsoft’s Threat Intelligence team on Wednesday, which has been tracking the activities of a subgroup within “Sandworm,” (aka Seashell Blizzard, UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.), a hacking group tied to Russia’s GRU military intelligence unit. This subgroup, which Microsoft calls the “BadPilot campaign,” has been breaching networks since at least 2021 by exploiting vulnerabilities in internet-facing systems.

The hackers have been targeting a variety of sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, and even government organizations. Initially, their focus was on Ukraine, Europe, and parts of Asia and the Middle East. However, since early 2024, they have expanded their operations to include the U.S. and the U.K.

Their methods involve exploiting publicly known vulnerabilities in software like ConnectWise ScreenConnect, used for remote IT management, and Fortinet FortiClient EMS, a security software. By gaining an initial foothold through these weaknesses, the hackers can then move deeper into the network, steal credentials, and ultimately gain control of valuable systems. Here are the security vulnerabilities that Microsoft found being exploited by the group:

*   OpenFire (CVE-2023-32315)
*   JBOSS (exact CVE is unknown)
*   Microsoft Outlook (CVE-2023-23397)
*   Microsoft Exchange (CVE-2021-34473)
*   Zimbra Collaboration (CVE-2022-41352)
*   JetBrains TeamCity (CVE-2023-42793)
*   Fortinet FortiClient EMS (CVE-2023-48788)
*   Connectwise ScreenConnect (CVE-2024-1709)

Microsoft believes that while some of the targets seem random, these widespread breaches give Russia options to respond to changing strategic goals. Since the start of the war in Ukraine, Russian-aligned hackers have been increasingly targeting international organizations that provide support to Ukraine or are of geopolitical importance. The subgroup is also thought to be connected to destructive cyberattacks in Ukraine since 2023.

Microsoft’s research reveals that this subgroup is not just about gaining access; it’s about maintaining it. Once inside a network, they deploy tools such as remote management software (RMM) and web shells to ensure long-term control.

For instance, by installing legitimate RMM agents like Atera Agent and Splashtop Remote Services, they can mimic authorized activity, making detection more challenging. The group is also known for web shell deployment, credential harvesting and DNS manipulation

Additionally, the use of custom utilities like ShadowLink, a tool that configures compromised systems as hidden services on the Tor network, further complicates efforts to trace their activities.

Seashell Blizzard’s attack chart (Via Microsoft)

****Who Is Sandworm?****

Linked to Russia’s military intelligence agency GRU, specifically Unit 74455, Sandworm is notorious for conducting disruptive cyberattacks. Their history includes incidents like the NotPetya attack in 2017, which caused billions in damages worldwide, and the FoxBlade operation in 2022, targeting Ukraine’s infrastructure.

Industry experts are raising alarms about the implications of these findings. “This discovery is alarming for UK organisations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance and launch attacks,” warns Simon Phillips, CTO of SecureAck.

Even though the subgroup exploits publicly known vulnerabilities, their post-compromise tactics are becoming more advanced. The emergence of BadPilot only makes it harder to detect the activities of these already well-equipped and highly skilled Russian hackers.

That’s why organizations of all sizes must stay alert and aware of this and other cybersecurity threats. Employee training and additional security measures can help prevent breaches, even if they can’t completely stop Seashell Blizzard.

Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK

Scammers are once again using AI to take over Gmail accounts.

In May, 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

> “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly. This is especially because the AI tools that cybercriminals have at their disposal are relatively low cost: In one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users some of these elements all came together. These often start with a call to users, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft.

When we warn about agentic AI attacks this is the type of campaigns that are examples of what we can expect.

The FBI added a warning about unsolicited emails and text messages which contain a link to a seemingly legitimate website that asks visitors to log in, but the linked websites are fakes especially designed to steal the credentials.

As we have seen in the past these sites can even be designed to steal session cookies. Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system. And if cybercriminals manage to steal the session cookie, they can log in as you, change the password and grab control of your account.

**How to avoid AI Gmail phishing**

*   Never click on links or download files from unexpected emails or messages.
*   Don’t enter personal information on a website unless you are certain it is legitimate.
*   Use a password manager to autofill credentials only on trusted sites.
*   Monitor your accounts for signs of unauthorized access or data leaks.
*   Verify security alerts by visiting your Google Account page directly instead of using links in emails.
*   Use multi-factor authentication (MFA) for all accounts
*   Protect your devices with up-to-date security software (such as Malwarebytes Premium Security), and use text protection and text message filtering on your mobile device.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 How AI was used in an advanced phishing campaign targeting Gmail users 

User sessions on ABB Cylon FLXeon controllers remain active for up to seven days, even after a client-side logout. Clicking "Log Out" does not properly revoke the session on the server, allowing attackers with access to stolen session tokens to maintain unauthorized access. This increases the risk of session hijacking and privilege abuse.

Title: ABB Cylon FLXeon 9.3.4 Session Persistence Vulnerability  
Advisory ID: ZSL-2025-5922  
Type: Local/Remote  
Impact: Security Bypass  
Risk: (4/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

User sessions on ABB Cylon FLXeon controllers remain active for up to seven days, even after a client-side logout. Clicking "Log Out" does not properly revoke the session on the server, allowing attackers with access to stolen session tokens to maintain unauthorized access. This increases the risk of session hijacking and privilege abuse.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_sess1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189233/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 Session Persistence Vulnerability

The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

Title: ABB Cylon FLXeon 9.3.4 Default Credentials  
Advisory ID: ZSL-2025-5919  
Type: Local/Remote  
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, DoS  
Risk: (5/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
ABB UC32 Series Main Plant Controllers (Cylon's UnitronUC32.xx)  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_default1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189230/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#intel