Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks.

Google has issued updates to fix 43 vulnerabilities in Android, including two zero-days that are being actively exploited in targeted attacks.

The updates are available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-03-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs assigned to the two zero-days are:

CVE-2024-43093: A possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege (EoP) with no additional execution privileges needed. Exploitation of this vulnerability requires user interaction. Google confirms that CVE-2024-43093 has been under limited, targeted exploitation.

A file path filter is supposed to prevent access to sensitive directories on a device. In this case the ‘shouldHideDocument’ function. However, due to incorrect Unicode normalization, an attacker might be able to bypass this filter. Unicode normalization refers to the process of standardizing Unicode characters to ensure that equivalent characters are treated as the same. Flaws in this process can lead to security issues, such as bypassing the filter, allowing an attacker access to normally off-limits files, such as system configuration files or sensitive data.

The specific nature of the required user interaction is not detailed in the available information. Typically, user interaction might involve opening a malicious app or file, clicking on a link, or performing another action that triggers the exploit.

CVE-2024-50302: An issue in the Linux Kernel which allowed unauthorized access to kernel memory reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

This flaw lies in the Linux kernel’s driver used by Android for Human Interface Devices and allows an attacker to unlock devices that they have physical access to. The flaw was used in a chain of vulnerabilities which Amnesty International’s Security Lab found on a device unlocked by Serbian authorities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android zero-day vulnerabilities actively abused. Update as soon as you can 

Malicious Google ads are redirecting PayPal users looking for assistance to fraudulent pay links embedding scammers' phone numbers.

We recently identified a new scam targeting PayPal customers with very convincing ads and pages. Crooks are abusing both Google and PayPal’s infrastructure in order to trick victims calling for assistance to speak with fraudsters instead.

Combining official-looking Google search ads with specially-crafted PayPal pay links, makes this scheme particularly dangerous on mobile devices due to their screen size limitation and likelihood of not having security software.

**Overview**

Scammers are creating ads impersonating PayPal from various advertiser accounts that may have been hacked. The ad displays the official website for PayPal, yet is completely fraudulent.

A weakness within Google’s policies for landing pages (also known as final URLs), allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain.

The page victims are directed to has the following format:

paypal.com/ncp/payment/\[unique ID\]

This is PayPal’s “no-code checkout”, a feature for merchants to have a simple and yet secure option to take payments:

> Small businesses that want to accept payments online or in person can set up pay links, buttons, and QR codes to accept payments on the website. You don’t need a developer, coding knowledge, or a website to accept payments

Essentially, crooks are abusing this feature to create a bogus pay link. They can customize the page by creating various fields with text designed to trick users, such as promoting a fraudulent phone number as “PayPal Assistance”.

**Mobile experience**

Phones are the best medium for this type of scams due to the device’s constraints, but more than anything because that’s how victims will get in touch with bogus tech support agents.

In the screenshot below taken on an iPhone, we can see the top sponsored result from a Google search is impersonating PayPal. During our investigation, we often encountered more than one malicious ad, although they redirected to different kinds of pages, not abusing the same scheme.

Due to the reduced screen size, it would require scrolling past the ads and the AI Overview to see organic search results. This is not a coincidence of course, and is why search advertising is worth billions of dollars.

Screen size plays a factor again when users click on the ad and look at the browser’s address bar correctly identifying that the site is “**paypal.com**“. As we saw above, pay links are on the same domain as _paypal.com_, from which they inherit trust.

We did not follow-up with the provided phone number; however we believe it likely ends with victims handing over their personal information to scammers and getting fleeced.

**Conclusion**

Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service.

We saw how easy it is to get an ad that mimics an official brand as long as the destination URL is on the same domain as the ad URL. The rest is just a matter of creativity on the part of scammers to forcefully inject their lure as spam, search queries, shopping lists, and more…

Whenever looking up an official phone number or website, it is safer to scroll past the ads and choose a more trusted organic link. There are also security solutions that can block ads and malicious links, such as Malwarebytes for mobile devices.

We have reported this campaign to Google and PayPal, but urge caution as new ads using the same trick are still appearing.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Indicators of Compromise**

Archived example:

https://urlscan.io/result/3ea0654e-b446-4947-b926-b549624aa8b0

Malicious pay links:

hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/8X7JHDGLK9Z46  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/7QUEXNXR84X3L  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/BHR4AMJAPWNZW  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/FTJBPVUQFEJM6  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/2X92RZVSG8MUJ  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/D8X74WYAM3NJJ

Scammers’ phone numbers:

1-802\[-\]309-1950  
1-855\[-\]659-2102  
1-844\[-\]439-5160  
1-800\[-\]782-3849

 PayPal&#8217;s &#8220;no-code checkout&#8221; abused by scammers 

Strong eCommerce customer service builds trust, boosts loyalty, and drives sales. Learn key strategies, best practices, and tools to enhance online support.

Great online customer support starts with the fundamentals that make shoppers feel valued and understood when they can’t see your face or walk into your store. The basics include responding quickly across multiple channels, writing in a friendly human tone (not corporate-speak), and making it super easy for customers to find help when they need it.

Mastering these foundational elements builds trust with online shoppers and sets the stage for turning one-time buyers into loyal repeat customers. According to WOW24-7, an e-commerce customer service outsourcing provider, recent studies highlight the impact of customer service quality on online shopping behaviour. In April 2024, reports indicated that 79% of consumers may choose not to buy from a brand again after a poor post-purchase experience.

****What is eCommerce Customer Service?****

Generally speaking, e-commerce customer service is a special department that helps and supports online businesses as you are shopping online. Think of it as the digital version of that helpful store employee, but instead of being face-to-face, they’re helping you through chat, email, or phone when you have questions about products, shipping issues, returns, or just need advice before buying something.

****Advantages of a Good eCommerce Customer Service****

Good online customer service is a total game-changer! It builds trust (super important when you can’t see products in person), turns angry customers into happy ones (like when your headphones arrived broken and they shipped new ones overnight), and makes people spend more money.

Plus, happy customers tell their friends – “one of our customer’s customers switched to a new skincare brand just because her friend raved about how they helped her find the right products for her skin type.”

****How To Provide a Stellar Customer Service: Tips For Online Support********1\. Prioritize Multiple Communication Channels****

To provide excellent customer service, be available wherever your customers want to reach you. That means providing various channels of support, including social media support. 

Some people hate phone calls but love texting, while others want to shoot a quick email or DM you on Instagram. The best online stores let me choose – like that clothing shop that lets me track my order through text, ask sizing questions on chat, or call them about complicated returns. It shows they respect how you prefer to communicate instead of forcing you to use their one preferred channel.

So, good customer service plays a key role in customer satisfaction, and it should be multichannel customer support. And what about you, how many channels does your brand offer to contact your team?

****2\. Empower Your Team with Knowledge****

Make sure your support team knows your products inside and out – they can’t help customers if they’re clueless themselves. Indeed, the product knowledge is essential. Create a searchable knowledge base where your team can quickly find answers instead of saying “Let me check on that” for every question.

Our customer, a tea company, has weekly “sip and learn” sessions where staff try new products and discuss common questions, which has cut their average response time in half. The ability to deliver almost instant answers to the customers’ questions. That’s what we call a start for the exceptional customer service. 

****3\. Implement a Full Self-Service System****

Give customers ways to help themselves with detailed FAQs, video tutorials, and searchable help centers available 24/7. That is super important for customer retention.

One of our customers, an electronics ecommerce business has this amazing interactive troubleshooting tool that walks you through fixing common issues before the customers even need to contact them. Just make sure to keep these resources updated – nothing’s more frustrating than outdated information that wastes customers’ time.  

****4\. Track Key Metrics and Analyze Performance****

You can’t improve what you don’t measure, so keep tabs on response times, customer satisfaction scores, and first-contact resolution rates. Look for patterns in customer complaints to fix underlying issues – like when that clothing store noticed a spike in size questions and added better measurement guides. Set goals for your customer service team based on these metrics, but don’t obsess over speed at the expense of actually solving problems properly.

Moreover, track and analyze your customer reviews and work with both positive customer reviews and negative ones. Here’s a tip for you: the leading ecommerce platforms also work with the so-called ‘middle customers’ (the ones that are neither positive nor negative. They are the easiest ones to become your true brand enthusiasts. 

****5\. Personalize the Customer Experience****

Use customer purchase history and preferences to make interactions feel special and relevant. One ecommerce brand, a book subscription service, remembers what genres you love and what you have already read, making their recommendations useful.

Simple touches made by your customer service representative like addressing customers by name and referencing their previous orders make people feel valued instead of just another ticket number in the queue. That is crucial if you want to be the brand that comes with the best customer service for ecommerce. 

****6\. Proactively Address Customer Issues****

A great customer service company does not wait for complaints, it reaches out when its support agents know there might be a problem. For instance, a clothing store emails you before you even notice that your package was delayed due to weather, offering options and a small discount or a free trial. 

Therefore, your customer service agent must watch social media mentions of your brand to catch issues before they escalate into full-blown problems. This customer service strategy builds trust and loyalty. 

****7\. Embrace Technology and Automation****

If you want to offer good customer service experiences, use chatbots to handle simple questions and AI to route complex issues to the right specialist. Add the frequently asked questions section to let your customers find all the answers to their questions without waiting for your reply and the personalization to help them if they contact you. 

A simple example: there’s a tech shop that uses automation to send perfectly timed setup guides after purchase, preventing tons of support calls. Just make sure there’s always an easy escape hatch to reach your ecommerce customer service team when the bot can’t help. That’s crucial if you want to deliver an excellent customer service. 

****8\. Offer Easy Returns and Exchanges****

Make returns painless with prepaid labels, clear instructions, and quick processing. Yes, in the world of e-commerce, you have to provide the customer with the possibility to return in a fast, easy and free manner.

Here’s an example. There’s a shoe company that includes a return label right in the box and lets you start the return process with a single text message. And here comes an interesting fact: Good return policies increase sales because people feel safer trying new products. 

****9\. Solicit and Respond to Feedback****

Actively ask customers how they’re doing through quick surveys after purchases or support interactions. Every ecommerce business will benefit from customer service tools or special support software that collects data about the quality of service and customer communications. 

Just a simple case from our experience. There’s a coffee subscription that sends a three-question survey after each delivery, and when somebody mentioned their packaging was excessive in the comments, they changed it within a month. Show customers that the feedback matters by implementing changes and letting them know. There’s a necessity to adapt to the changing world of customer satisfaction. 

****10\. Invest in Ongoing Training and Development****

Keep your ecommerce customer support team sharp with regular product training and customer service skill development. My cousin works at an online beauty store where they spend Friday afternoons practising tough customer scenarios and learning about new product ingredients. Well-trained agents solve problems faster and make customers happier.

****11\. Foster a Culture of Customer-Centricity****

Make customer happiness everyone’s job, not just the support team’s. One of our customers, a small electronics brand, believes that excellent service is critical and so it invites its engineers to join support calls monthly to hear customer struggles firsthand. Then their support system analyses the available customer needs and the online shopping experience and thinks of ways to improve service to customers.

Celebrate team members who go above and beyond for customers, and use customer stories in company meetings to keep their needs front and center.

****An Effective eCommerce Customer Service: Key Takeaways****

Great online customer service is crucial as it talks to your customers directly. It’s all about being focused on customer wants, needs, and expectations. Plus, since great service is important for brand success, multi-channel customer support has become the new normal for companies who want to boost the customer’s lifetime value. Response speed matters hugely, but the quality and personal touch of those responses turn one-time buyers into loyal fans who spread the word.

The best online stores use the right software like Intercom and technology to handle routine stuff while freeing up humans to solve complex problems with empathy and creativity to improve their customer experience. Track what’s working (and what isn’t) through customer feedback and solid metrics, then actually use that info to keep improving. Remember that in the digital world where competitors are just a click away, exceptional service isn’t just nice to have – it’s often your biggest competitive advantage. 

Therefore, these are the eCommerce Customer Service Best Practices that help you improve customer service and provide an amazing customer service experience. Just remember that true customer service means the real care of your customers, not just words.

****Customer Service Channels FAQ********Why is customer service important for e-Commerce businesses?****

It’s your digital storefront’s personality! Without face-to-face interaction, it’s hard to make your customers happy. When one of our customers launched her handmade jewellery store, her amazing response time and personalized packaging notes turned first-time buyers into repeat customers who shared her store all over social media. Plus, in a world where switching to a competitor takes one click, great service is often the only thing keeping customers loyal.

****What are the key challenges of providing online customer support?****

The biggest headache is managing customer expectations for instant 24/7 help when you’re a small team (or solo entrepreneur). Then there’s the challenge of explaining products people can’t touch or try on, handling shipping issues you don’t directly control, and building trust without in-person connections. For instance, a hot sauce company can struggle with international customers who fail to understand the cause of shipping delays until they create a visual tracking system that shows exactly where packages are stuck.

****How can I improve response times for customer inquiries?****

*   Create templates for common questions so you’re not typing the same shipping policy explanation fifty times a day.
*   Set up auto-responses that acknowledge messages immediately even if you’ll answer fully later.
*   Use a smartphone app connected to your help desk so you can quickly answer simple questions while on the go.
*   You can dramatically cut response times by creating a shared Google Doc where all staff will document weird questions and answers for everyone to reference.

****What are the best tools for managing eCommerce customer service?****

For small shops, Zendesk or Freshdesk are solid starting points that won’t break the bank. Gorgias is amazing if you’re on Shopify since it shows order history right alongside customer conversations. Help Scout has a super clean interface that’s easy for non-tech folks. The gaming stores often Intercom so they can chat with the customers right on their website while they are browsing, which saves from abandoning the cart multiple times.

****How can I handle difficult customers effectively?****

First, take a deep breath and remember it’s rarely personal. Listen fully before responding – sometimes people just want to be heard. Offer concrete solutions instead of excuses. Know when to give a little (like a small discount) to solve a bigger problem.

One more tip to keep in mind: if you have a super angry customer about shipping damage, remember that customer service is important and it’s imperative to react instantly. So, immediately send a replacement with a small bonus. That can help you turn your angry customer into the biggest Instagram advocate.

****What role does automation play in e-Commerce customer support?****

Automation handles the repetitive stuff so humans can focus on complex problems. Think automatic order confirmations, shipping updates, and chatbots that answer basic questions like “What’s your return policy?” The smart plant shop I order from automatically emails care instructions based on what I purchased and sends reminders when it’s time to report – this prevents tons of support questions while making me feel taken care of.

****How can live chat improve customer satisfaction?****

Live chat catches customers right when they’re considering a purchase but have questions – like when I was about to abandon a pricey camera purchase until their chat agent explained why it was worth the investment. It feels more immediate than email but less intrusive than phone calls. 

****What are the best practices for handling returns and refunds?****

Make your policy crystal clear and easy to find. Don’t make customers jump through hoops – include return labels in the original package if possible. Process refunds quickly once items are received. Be flexible when it makes sense – that clothing store that gave me store credit past their return window earned way more of my money long-term. The best companies view returns as opportunities to learn product issues and improve, not as losses to minimize.

****How can I measure the success of my ecommerce customer service?****

Track obvious stuff like response time and resolution time, but also watch customer satisfaction scores (quick post-interaction surveys) and Net Promoter Score (would they recommend you?). Look at repeat purchase rates after service interactions – my favourite coffee subscription saw that customers who had a resolved issue spent 20% more in the following six months than those who never had problems. Also, track how many support tickets you get per 100 orders – this should decrease as you improve product descriptions and FAQs.

****What are some common mistakes to avoid in online customer support?****

The biggest fails include: making customers repeat their problem to multiple agents, hiding contact information so people can’t easily reach you, using robotic templated responses without personalizing them, promising unrealistic shipping/delivery times, and not following up after resolving issues. My worst experience was with that electronics store that transferred me three times, made me re-explain my issue each time, then promised to call back and disappeared forever – I’ll never shop there again!

Featured Image via Pixabay

1.  The Basics of Ecommerce Cybersecurity
2.  Enhance customer experiences with Generative AI
3.  How Payment Orchestration Enhances Business Efficiency
4.  Software Support: 7 Essential Reasons You Can’t Overlook
5.  Future of eCommerce: Emerging Tech Shaping Online Retail in 2024

eCommerce Customer Service Tips For Online Support: The Basics

FortiGuard Labs discovers Winos 4.0 malware targeting Taiwan via phishing. Learn how this advanced threat steals data and…

FortiGuard Labs discovers Winos 4.0 malware targeting Taiwan via phishing. Learn how this advanced threat steals data and how to protect your Windows system.

Fortinet’s FortiGuard Labs has disclosed details of a new malware campaign targeting Taiwanese businesses. Reaching out to Hackread.com on this discovery, prior to its publishing on Thursday, researchers revealed that this campaign was discovered in January 2025 and deployed a highly advanced malware framework, known as Winos 4.0. This attack exhibited a high severity level, and utilized a multi-stage infection process, ultimately aiming to steal sensitive information for future malicious activities.

Further probing revealed that this malware specifically targeted Microsoft Windows platforms. A phishing email, carefully crafted to impersonate Taiwan’s National Taxation Bureau, served as the initial attack vector. This deceptive email claimed to contain a list of companies scheduled for tax inspections, urging recipients to forward the information to their financial departments. The attached file, disguised as an official document from the Ministry of Finance, contained a malicious DLL for the next attack stage.

The Deceptive PDF (Source: Fortinet)

The attack unfolded through a series of executable and dynamic link library (DLL) files. The ZIP file contained files that executed in a sequence: 20250109.exe, ApowerREC.exe, and lastbld2Base.dll.

“20250109.exe is a launcher originally used to execute the actual APowerREC.exe in ./app/ProgramFiles. The attacker created the same folder structure in the ZIP file and used a loader to replace ApowerREC.exe. The fake ApowerREC.exe does nothing but call a function imported from lastbld2Base.dll,” researchers explained in the blog post.

This DLL decrypts and executes shellcode, which contains configuration data including the command-and-control (C2) server address. The shellcode further implements optional features, such as permission escalation, anti-sandbox techniques (e.g. taking multiple screenshots to detect user activity, delaying execution if no user interaction was detected), and process window hiding. The malware downloads encrypted shellcode and the core Winos 4.0 module from the C2 server. This data was stored within the system’s registry for later decryption and execution.

The Attack Flow (Source: Fortinet)

The module initiates several malicious tasks, such as establishing persistence, bypassing UAC (User Account Control), collecting system information (including computer name, operating system version, and installing antivirus software), and disabling screen savers and power-saving features on the infected system.

In addition, the malware actively monitors and manipulates user activity. This includes capturing screenshots, logging keystrokes and clipboard contents (even connected USB devices with their insertion and removal logs), and modifying clipboard data based on predefined rules. It can also disable network connections for security software. Alternative attack chains were also observed, involving Python scripts and further shellcode injection techniques. These variations demonstrate the flexibility and adaptability of the Winos 4.0 framework.

Protecting yourself from sophisticated malware like Winos 4.0 requires being highly suspicious of unsolicited emails, especially those with attachments or links, avoiding opening compressed files (ZIP, RAR) attached to emails, as they are often used to deliver malware, and enabling real-time scanning to detect and block threats before they can infect your system.

“This attack follows a classic phishing pattern but with a fun twist around the trusted authority to invoke a reaction,” explains J. Stephen Kowski, Field CTO at SlashNext. “The threat actors cleverly exploit human psychology by creating urgency and curiosity, making recipients more likely to download malicious content.”

Beyond email security, Kowski highlights the importance of a multi-layered approach to defence. “Most organizations are now using managed file transfer systems that require registration and internal approval while simultaneously blocking zip attachments altogether. Combining user education with advanced threat detection technologies is key to stopping sophisticated social engineering attempts before they reach inboxes.”

Hackers Impersonate Taiwan’s Tax Authority to Deploy Winos 4.0 Malware

The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency.

Sometimes the updates we install to keep our devices safe do a little bit more than we might suspect at first glance. Take the October 2024 Android Security Bulletin.

It included a new service called Android System SafetyCore. If you can find a mention of that in the security bulletin, you’re a better reader then I am. It wasn’t until a few weeks later, when a Google security blog titled 5 new protections on Google Messages to help keep you safe revealed that one of the new protections was designed to introduce Sensitive Content Warnings for Google Messages.

Sensitive Content Warnings is an optional feature that blurs images that may contain nudity before viewing, and when an image that may contain nudity is about to be sent or forwarded, it will remind users of the risks of sending nude imagery and preventing accidental shares.

**Wait! What?**

Yes, there is now a service on my phone that checks whether your pictures are “decent enough” to send or share? I’m not oblivious to the many users that would be better off with such a service, but I’m not so sure they’d appreciate it.

However, what really concerned me is the fact that Google is looking at my incoming and outgoing pictures. I use end-to-end-encrypted (E2EE) messaging for a reason. The content is for me and the receiver, and no-one else, and that definitely includes Google.

But, again, no mention of SafetyCore in that blog or what will provide the Sensitive Content Warnings feature with the necessary data.

So, you can imagine the surprise and outrage when users found this service which doesn’t show up on the regular list of running applications that has permissions to do almost anything on the device.

And by looking up what this app called SafetyCore was all about, all of the above starts to make sense.

Google PlayStore says:

> “SafetyCore is a Google system service for Android 9+ devices. It provides the underlying technology for features like the upcoming Sensitive Content Warnings feature in Google Messages that helps users protect themselves when receiving potentially unwanted content. While SafetyCore started rolling out last year, the Sensitive Content Warnings feature in Google Messages is a separate, optional feature and will begin its gradual rollout in 2025. The processing for the Sensitive Content Warnings feature is done on-device and all of the images or specific results and warnings are private to the user.”

Google goes on to reassure:

*   The developer says that this app doesn’t collect or share any user data. 
*   The developer says that this app doesn’t share user data with other companies or organizations. 
*   The developer says that this app doesn’t collect user data.
*   The developer has committed to follow the Play Families policy for this app. 

Google promises that it only rates our pictures and does not collect or share them, but this feature has almost Artificial Intelligence (AI) written all over it. As we all know, an AI needs to be trained, and training an AI locally on your phone is hardly an option. I wish it had the necessary power, but it doesn’t.

I for one don’t see how the secretly installed service measures up to what the feature has to offer. But obviously everyone is entitled to their own opinion and the device is yours to do with as you please.

**How to uninstall or disable SafetyCore**

The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so.

So, if you wish to uninstall or disable SafetyCore, take these steps:

1.  **Open Settings**: Go to your device’s Settings app
2.  **Access Apps**: Tap on ‘Apps’ or ‘Apps & Notifications’
3.  **Show System Apps**: Select ‘See all apps’ and then tap on the three-dot menu in the top-right corner to choose ‘Show system apps’
4.  **Locate SafetyCore**: Scroll through the list or search for ‘SafetyCore’ to find the app
5.  **Uninstall or Disable**: Tap on Android System SafetyCore, then select ‘Uninstall’ if available. If the uninstall option is grayed out, you may only be able to disable it
6.  **Manage Permissions**: If you choose not to uninstall the service, you can also check and try to revoke any SafetyCore permissions, especially internet access

Note: depending on the software version and manufacturer of your device, these instructions may be slightly off. I personally couldn’t test them because my Samsung has not received the October patch yet due to the patch gaps.

If you’d like to learn more about AI and encrypted messaging, we recommend listening to our podcast The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01)

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android happy to check your nudes before you forward them 

Cybersecurity threats in crypto are rising, from the Bybit hack to fake wallets stealing funds. Learn how to…

Cybersecurity threats in crypto are rising, from the Bybit hack to fake wallets stealing funds. Learn how to protect your assets with secure wallets and best practices.

Cryptocurrency has revolutionized finance forever, but it has also exposed users to cybercriminals and scams. From large-scale exchange breaches to malicious wallets sneaking into app stores, the risks are growing. If you’re in crypto, securing your assets is no longer optional; it’s a necessity.

****The Bybit Hack: A Wake-Up Call****

Just recently, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a massive security breach. Hackers from the North Korean Lazarus Group managed to steal $1.4 billion in assets, once again proving that even well-established platforms are vulnerable. While Bybit has since taken action to reinforce security, this incident clearly shows why leaving funds on exchanges is a risk.

But, it’s not just ByBit. No exchange is “unhackable”. Even giants like Binance, KuCoin, and Mt. Gox have suffered devastating hacks in the past. These breaches highlight the importance of self-custody; if you don’t control your private keys, you don’t fully own your crypto.

****Malicious Wallets: A Silent but Growing Threat****

While exchange hacks grab headlines, a more stealthy and growing problem is the rise of fake and malicious crypto wallets on iOS and Google Play Store. These malicious apps pose as legitimate wallets but are designed to steal funds the moment users deposit their assets.

Researchers have found a surge in these fraudulent wallets, often disguised as clones of popular apps. They look identical to trusted wallets like MetaMask, Trust Wallet, or Coinbase Wallet, tricking unsuspecting users into transferring their funds straight to hackers.

This issue isn’t just limited to scam wallets, even some browser extensions and fake dApps have been caught injecting malicious scripts to drain wallets. The takeaway? Never download a crypto wallet without verifying its authenticity through the official website or developer page.

****A Booming Crypto Market Means More Targets for Hackers****

According to researchers at Best Wallet, a popular crypto wallet, as of January 2025, approximately 562 million people worldwide own cryptocurrencies, with 28% of adults in the United States, equating to 65 million people, holding crypto.

With such rapid adoption, hackers have more targets than ever. From phishing scams to SIM swap attacks, crypto theft is at an all-time high. If you own crypto, taking cybersecurity seriously is no longer an option, it’s a must.

****How to Protect Your Crypto From Hacks & Scams****

Securing your cryptocurrency is essential in an era of increasing cyber threats. Here are some must-follow security tips to protect your digital assets from hacks and scams.

****1\. Use a Reliable Crypto Wallet****

One of the safest ways to store your crypto is by using a self-custodial wallet. Avoid keeping funds on exchanges, as they are frequent targets for hackers. Instead, opt for hardware wallets like Ledger, Trezor, or Coldcard, which provide offline storage and enhanced security.

If you prefer a mobile or desktop wallet, stick to reputable providers such as MetaMask, Trust Wallet, or Exodus. However, before downloading any wallet, always verify the source; ensure it’s from the official website or developer page to avoid fake apps.

****2\. Enable Multi-Factor Authentication (MFA)****

Adding an extra layer of security with Multi-Factor Authentication (MFA) can protect your exchange and wallet accounts. Use Google Authenticator, YubiKey, or similar tools to prevent unauthorized access.

Avoid using SMS-based 2FA, as it’s vulnerable to SIM swap attacks, where hackers hijack your phone number to gain control of your accounts.

****3\. Beware of Phishing Attacks****

Phishing remains one of the most common tactics used by cybercriminals. Hackers often impersonate wallet providers or exchanges, tricking users into entering their credentials on fake websites or downloading malware-infected software.

To stay safe, always type the official website URL yourself instead of clicking on links sent via email or messages. If an offer or security alert seems suspicious, double-check with the official source before taking any action.

****4\. Keep Private Keys & Seed Phrases Offline****

Your private keys and seed phrases are the most critical elements of your crypto security. Never store them digitally or on cloud storage, as they can be easily compromised. Instead, write them down on paper and keep them in a secure location.

For even greater security, consider using metal backup storage instead of paper. This protects your seed phrase from damage due to fire, water, or physical deterioration.

****5\. Regularly Update Your Security Software****

Keeping your wallet software, antivirus, and operating system updated is crucial for patching security vulnerabilities. Cybercriminals exploit outdated software to gain access to systems, so regular updates help keep your assets safe.

Additionally, consider using privacy tools like VPNs and hardware firewalls to enhance your online security. These tools help protect against tracking, phishing attempts, and potential malware attacks targeting crypto users.

The Bybit hack and the rise of malicious crypto wallets show that crypto security is more critical than ever. If you own crypto, you’re a target, but with the right precautions, you can keep your funds safe.

Remember: Not your keys, not your crypto. Invest in a secure, reliable wallet, stay cautious with online downloads, and always double-check security measures before making transactions.

_**Editor’s Note:** This article is for informational purposes only and does not constitute investment or financial advice. Always do your own research before making financial decisions._

Crypto and Cybersecurity: The Rising Threats and Why Reliable Wallets Matter

The stolen information included listed contacts, call logs, text messages, photos, and the device’s location.

A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending.

Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.

So, it gives them a much larger audience, they can lean on the trust we invest in the official app stores and users don’t have to do anything they might perceive as suspicious.

While Google has enhanced security measures in place—including AI-powered threat detection and real-time scanning— that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.

In this case, the loan app evaded detection on Google Play, by loading a WebView to redirect users to an external website from where they could download the app hosted on an Amazon EC2 server.

Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.

The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But when the apps are installed, they steal information from the victim’s device that can be used to blackmail the victim. Especially when they miss any payments on the loan.

Among the stolen information are listed contacts, call logs, text messages, photos, and the device’s location.

Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.

The researchers found that the app only targets users in India with the recommended loan applications and the redirect to an external website.

The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.

Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:

*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail 

Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the standards agency as part of the ongoing DOGE purge, sources tell WIRED.

Sweeping layoffs architected by the Trump administration and the so-called Department of Government Efficiency may be coming as soon as this week at the National Institute of Standards and Technology (NIST), a non-regulatory agency responsible for establishing benchmarks that ensure everything from beauty products to quantum computers are safe and reliable.

According to several current and former employees at NIST, the agency has been bracing for cuts since President Donald Trump took office last month and ordered billionaire Elon Musk and DOGE to slash spending across the federal government. The fears were heightened last week when some NIST workers witnessed a handful of people they believed to be associated with DOGE inside Building 225, which houses the NIST Information Technology Laboratory at the agency’s Gaithersburg, Maryland campus, according to multiple people briefed on the sightings. The DOGE staff were seeking access to NIST’s IT systems, one of the people said.

Soon after the purported visit, NIST leadership told employees that DOGE staffers were not currently on campus, but that office space and technology were being provisioned for them, according to the same people.

On Wednesday, Axios and Bloomberg reported that NIST had begun informing some employees that they could soon be laid off. About 500 recent hires who are still in probationary status and can be let go more easily were among those expected to be affected, according to the reports. Three sources tell WIRED that the cuts likely impact lauded technical experts in leadership positions, including three lab directors who were promoted within the last year. One person familiar with the agency tells WIRED that the official layoff notices may come Friday.

The White House and a spokesperson for NIST, which is part of the Department of Commerce, did not yet return requests for comment.

One NIST team that has been fearing cuts because of its number of probationary employees is the US AI Safety Institute (AISI), which was created after former President Joe Biden’s sweeping executive order on AI issued in October 2023. Trump rescinded the order shortly after taking office last month, describing it as a “barrier to American leadership in artificial intelligence.”

The AI Safety Institute and its roughly two dozen staffers has been working closely with AI companies, including rivals to Musk’s startup xAI like OpenAI and Anthropic, to understand and test the capabilities of their most powerful models. Musk was an early investor in OpenAI and is currently suing the startup over its decision to transition from a non-profit to a for-profit corporation.

AISI’s inaugural director, Elizabeth Kelly, announced she was leaving her role earlier this month. Several other high-profile NIST leaders working on AI have also departed in recent weeks, including Reva Schwartz, who led NIST’s Assessing Risks and Impacts of AI program, and Elham Tabassi, NIST’s chief AI advisor. Kelly and Schwartz declined to comment. Tabassi did not respond to a request for comment.

US Vice President JD Vance recently signaled the new administration’s intent to deprioritize AI safety at the AI Action Summit, a major international meeting held in Paris last week that AISI and other government staffers were not invited to attend, according to three familiar with the matter. “I'm not here this morning to talk about AI safety,” Vance said in his first major speech as VP. “I'm here to talk about AI opportunity.”

Though they receive bipartisan support, the AI Safety Institute and other parts of NIST had been preparing for the Trump administration to set new priorities for their work. In anticipation, some NIST teams began moving to deprioritize efforts such as fighting misinformation and racial bias in AI systems, according to two people familiar with the projects. Two other people say that putting even more public emphasis on national security was welcomed among some staffers, since the institute has already engaged in related research efforts.

Overall, the AI Safety Institute has been pressing ahead with working groups and other efforts focused on developing guidelines for studying AI systems. Last week, the startup Scale AI announced it had been selected by the institute as its “first approved third-party evaluator authorized to conduct AI model assessments.” Michael Kratsios, Trump’s pick to direct the White House Office of Science and Technology Policy, was until recently Scale’s managing director.

The feared layoffs at NIST have drawn strong rebuke from civil society groups, such as the Center for AI Policy, and congressional Democrats. NIST’s 2024 budget was about $1.5 billion, approximately .02 percent of federal spending overall, making it perhaps an unlikely target for Musk’s DOGE project. DOGE staffers have dropped into several government agencies this month, gaining access to sensitive systems, promoting the use of AI to boost productivity, and seeding a trail of resignations among long-time government workers. DOGE’s specific goals at NIST couldn’t be immediately learned.

US Representative Jake Auchincloss, a Democrat who serves on the House energy and commerce committee, says any efforts by DOGE to trim NIST rather than focusing instead on parts of government that account for far more spending, such as Department of Defense contracts, amounts to “scrounging for pennies in front of a bank vault.” He called NIST an agency with high returns on investment and warned that hobbling it would be self-defeating for the US. “Imparing NIST’s function is going to harm business productivity and increase costs,” Auchincloss says.

Staff for Democrats on the US House of Representatives Committee on Science, Space, and Technology say they are concerned about the potential for significant economic harm from any cuts to NIST. The agency’s timekeeping is used by stock markets and its research on buildings and pipelines help keep infrastructure intact. DOGE “might throw out things that are crucial to the functioning of the economy,” says one of the Democratic staffers, who all spoke on the condition of anonymity.

Budget cuts at other agencies could also have ripple effects at NIST because they help fund some of its projects, including studies on the accuracy of facial recognition systems and a database of cybersecurity vulnerabilities. “We’re worried about staffing, funding at every research agency in the federal government,” says the science committee staffer.

Earlier this month, California representative Zoe Lofgren, the top Democrat on the Republican-controlled House science committee, and her colleagues sent letters to the heads of several agencies including NIST and National Aeronautics and Space Administration demanding transparency about DOGE activities.

“While NIST does not conduct classified research, its cutting edge work in topics such as AI, quantum sensors and clocks, and semiconductors are world-class, and improper exfiltration to non-secure servers would be a boon for our adversaries,” stated the letter last week to NIST Acting Director Craig Burkhardt. It demanded a response from him by February 18; as of February 19, there had been none, according to Lofgren’s office.

The letter also raised concern about Musk’s potential conflicts of interest at NIST, given the intimate dealings between the AI Safety Institute and his competitors. Representative Auchincloss, who has studied NIST’s biology projects, expressed concern about Musk potentially gaining an unfair advantage and compromising safety by influencing standards that affect his Neuralink brain implant venture.

NIST was originally created in 1901 to help the US science and engineering industries establish scientific norms in areas like measurement. In coordination with the US Naval Observatory, the agency is also responsible for building and maintaining the country’s most accurate atomic clocks. Overall, NIST currently employs about 3,400 scientists, engineers, and technicians, according to its website.

Project 2025, an informal plan for the Trump administration crafted by the Heritage Foundation, an influential right-leaning think tank, called for consolidating the research work currently spread across NIST and other agencies and ensuring that it “serves the national interest in a concrete way in line with conservative principles.”

_Additional reporting by Andrew Couts, Kate Knibbs, and Louise Matsakis._

The National Institute of Standards and Technology Braces for Mass Firings

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.

Thursday, February 20, 2025 08:00

**Summary**

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.

Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.

No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims. The vulnerabilities in question are listed below. Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.

Therefore, our recommendation — which is consistent with our standard guidance independent of this particular case—is always to follow best practices to secure network infrastructure.

*   CVE-2018-0171 - Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability (Last Updated: 15-Dec-2022)
*   CVE-2023-20198, CVE-2023-20273 - Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (Last Updated: 1-Nov-2023)
*   CVE-2024-20399 - Cisco NX-OS Software CLI Command Injection Vulnerability (Last Updated: 17-Sep-2024)

**Activities observed****Credential use and expansion**

The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. We have observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types—a security configuration that allows users to store passwords using cryptographically weak methods. In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.

**Configuration exfiltration**

In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline. In addition to the sensitive authentication material, configurations often contain named interfaces, which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.

**Infrastructure pivoting**

A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure. This “machine to machine” pivoting, or “jumping,” is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.

The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.

**Configuration modification**

We observed that the threat actor had modified devices’ running configurations as well as the subsystems associated with both Bash and Guest Shell. (Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities, including Bash.)

**_Running configuration modifications_**

*   AAA/TACACS+ server modification (server IP address change)
*   Loopback interface IP address modifications
*   GRE tunnel creation and use
*   Creation of unexpected local accounts
*   ACL modifications
*   SNMP community string modifications
*   HTTP/HTTPS server modifications on both standard and non-standard ports

**_Shell access modifications_**

*   Guest Shell enable and disable commands
*   Started SSH alternate servers on high ports for persistent access, such as sshd\_operns (on port 57722) on underlying Linux Shell or Guest Shell
    *   /usr/bin/sshd -p X
*   Created Linux-level users (modification of “/etc/shadow” and “/etc/passwd”)
*   Added SSH “authorized\_keys” under root or other users at Linux level

**_Packet capture_**

The threat actor used a variety of tools and techniques to capture packet data throughout the course of the campaign, listed below:

*   Tcpdump – Portable command-line utility used to capture packet data at the underlying operating system level.
    *   Tcpdump –i
*   Tpacap – Cisco IOS XR command line utility used to capture packets being sent to or from a given interface via netio at the underlying operating system level.
    *   Tpacap –i
*   Embedded Packet Capture (EPC) - Cisco IOS feature that allows the capture and export of packet capture data.
    *   Monitor capture CAP export ftp://<ftp\_server>
    *   Monitor capture CAP start
    *   Monitor capture CAP clear

**_Operational utility (JumbledPath)_**

The threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. This tool also attempted to clear logs and impair logging along the jump-path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device. The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.

This utility was written in GO and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely useable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor configured Guestshell instances on Cisco Nexus devices.

**_Defense evasion_**

The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices (see "Infrastructure pivoting" section).

The threat actor routinely cleared relevant logs, including .bash\_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the “guestshell disable” command.

The threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.

**Detection**

We recommend taking the following steps to identify suspicious activity that may be related to this campaign:

*   Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
*   Conduct comprehensive authentication/authorization/command issuance monitoring.
*   Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
*   Monitor your environment for unusual changes in behavior or configuration.
*   Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
*   Where possible, develop NetFlow visibility to identify unusual volumetric changes.
*   Look for non-empty or unusually large .bash\_history files.
*   Additional identification and detection can be performed using the Cisco forensic guides.

**Preventative measures**

The following guidance applies to entities in all sectors.

*   **Cisco-specific measures**
    *   Always disable the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using “no ip http server” and “no ip http secure-server" commands.
    *   Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    *   If not required, disable the guestshell access using “guestshell disable” for those versions which support the guestshell service.
    *   Disable Cisco’s Smart Install service using “no vstack”.
    *   Utilize type 8 passwords for local account credential configuration.
    *   Use type 6 for TACACS+ key configuration.
*   **General measures**
    *   Rigorously adhere to security best practices, including updating, access controls, user education, and network segmentation.
    *   Stay up-to-date on security advisories from the U.S. government and industry, and consider suggested configuration changes to mitigate described issues.
    *   Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
        *   Select complex passwords and community strings and avoid default credentials.
    *   Use multi-factor authentication (MFA).
    *   Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    *   Lockdown and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    *   Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    *   Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(s)).
    *   Disable all non-encrypted web management capabilities.
    *   Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    *   Enhance overall credential and password management practices with stronger keys and/or encryption.
        *   Use type 8 passwords for local account credential configuration.
        *   Use type 6 for TACACS+ key configuration.
    *   Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.

There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge. Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning, and patience—standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.

During this investigation, we also observed additional pervasive targeting of Cisco devices with exposed Smart Install (SMI) and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations, and we have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity.

Legacy devices with known vulnerabilities, such as Smart Install (CVE-2018-0171), should be patched or decommissioned if no longer in use. Even if the device is a non-critical device, or carries no traffic, it may be used as an entry door for the threat actor to pivot to other more critical devices.

The findings in this blog represent Cisco Talos’ understanding of the attacks outlined herein. This campaign and its impact are still being researched, and the situation continues to evolve. As such, this post may be updated at any time to reflect new findings or adjustments to assessments.

**Indicators of Compromise (IOCs)****IP Addresses:**

185\[.\]141\[.\]24\[.\]28

185\[.\]82\[.\]200\[.\]181

Weathering the storm: In the midst of a Typhoon

FBI and CISA warn of Ghost ransomware, a China-based cyber threat targeting businesses, schools, and healthcare worldwide by exploiting software vulnerabilities.

A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reveals the ongoing threat of Ghost ransomware, also known as Cring.

Active since early 2021, this group, operating out of China, has targeted organizations in over 70 countries, impacting critical infrastructure, schools, healthcare, government networks, and businesses of all sizes. Their motive is purely financial gain.

****How Ghost Operates:****

Ghost actors exploit known vulnerabilities in internet-facing services running outdated software and firmware. Their modus operandi involves using publicly available code to exploit known vulnerabilities, such as those in Fortinet FortiOS appliances, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. Once inside, they deploy ransomware payloads, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which encrypt files and demand hefty ransoms in cryptocurrency.

While Ghost’s ransom notes often threaten to sell stolen data, they typically exfiltrate limited amounts of information, focusing on encrypting systems for ransom.

****Identifying Ghost Activity:****

The advisory provides a list of indicators of compromise (IOCs), including file hashes, ransom email addresses, and tools used by Ghost actors. Organizations should investigate any presence of these IOCs on their networks. Unusual network traffic, such as scans for vulnerable devices, manipulation of administrator accounts, and execution of unfamiliar PowerShell scripts, can also indicate Ghost activity.

****Protecting Your Organization:****

The advisory also stresses the importance of basic security measures to defend against Ghost ransomware. One key measure is maintaining regular backups, preferably offline or segmented, to enable system restoration without succumbing to ransom demands. Timely patching software and firmware is also vital in addressing known vulnerabilities before they can be exploited.

Organizations should implement network segmentation by isolating compromised systems to limit the spread of infections. Strengthening authentication methods is another vital step, with phishing-resistant multi-factor authentication (MFA) recommended for all privileged and email accounts.

Cybersecurity training for employees also helps overcome the risks of phishing attacks. Additionally, monitoring PowerShell usage can help detect malicious activity early.

Organizations should also implement allowlisting to restrict the execution of unauthorized applications and scripts, reducing the risk of malware infiltration. Network monitoring is essential for identifying and investigating any abnormal behaviour that could indicate a security breach.

Furthermore, minimizing service exposure by disabling unnecessary ports and restricting access to essential services can significantly reduce vulnerabilities. Lastly, enhancing email security through advanced filtering and anti-spoofing measures helps prevent phishing attempts and other email-based threats.

As Juliette Hudson, CTO of CybaVerse, notes, _“_Ghost is a serious nation-state threat, exploiting known CVEs in widely used tech. Organizations must prioritize patching and remediation to prevent attacks. Unlike many ransomware groups relying on social engineering, Ghost exploits vulnerabilities for initial access. This highlights the urgency of timely security updates, as exploitation windows are shrinking. Strong cybersecurity hygiene, vulnerability testing, and security awareness training, especially against AI-driven phishing and deepfakes, are essential to defence._“_

1.  RansomHub: The New King of Ransomware?
2.  Lessons from the Holy Ghost Ransomware Attacks
3.  Fake GitHub Accounts Drop Malware in Stargazers Ghost Scheme
4.  New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets
5.  US Sanctions Chinese Cybersecurity Firm for Ransomware Attacks

Tag

#ios