The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-8355-xj3p-hv6q: Apache Ignite: Possible RCE when deserializing incoming messages by the server node

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the United Kingdom, and key sectors since 2021.

A hacking group with links to Russian intelligence has been silently compromising computer networks worldwide, including those in the United States and the United Kingdom, by taking advantage of known security vulnerabilities in widely used software.

This was revealed by Microsoft’s Threat Intelligence team on Wednesday, which has been tracking the activities of a subgroup within “Sandworm,” (aka Seashell Blizzard, UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.), a hacking group tied to Russia’s GRU military intelligence unit. This subgroup, which Microsoft calls the “BadPilot campaign,” has been breaching networks since at least 2021 by exploiting vulnerabilities in internet-facing systems.

The hackers have been targeting a variety of sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, and even government organizations. Initially, their focus was on Ukraine, Europe, and parts of Asia and the Middle East. However, since early 2024, they have expanded their operations to include the U.S. and the U.K.

Their methods involve exploiting publicly known vulnerabilities in software like ConnectWise ScreenConnect, used for remote IT management, and Fortinet FortiClient EMS, a security software. By gaining an initial foothold through these weaknesses, the hackers can then move deeper into the network, steal credentials, and ultimately gain control of valuable systems. Here are the security vulnerabilities that Microsoft found being exploited by the group:

*   OpenFire (CVE-2023-32315)
*   JBOSS (exact CVE is unknown)
*   Microsoft Outlook (CVE-2023-23397)
*   Microsoft Exchange (CVE-2021-34473)
*   Zimbra Collaboration (CVE-2022-41352)
*   JetBrains TeamCity (CVE-2023-42793)
*   Fortinet FortiClient EMS (CVE-2023-48788)
*   Connectwise ScreenConnect (CVE-2024-1709)

Microsoft believes that while some of the targets seem random, these widespread breaches give Russia options to respond to changing strategic goals. Since the start of the war in Ukraine, Russian-aligned hackers have been increasingly targeting international organizations that provide support to Ukraine or are of geopolitical importance. The subgroup is also thought to be connected to destructive cyberattacks in Ukraine since 2023.

Microsoft’s research reveals that this subgroup is not just about gaining access; it’s about maintaining it. Once inside a network, they deploy tools such as remote management software (RMM) and web shells to ensure long-term control.

For instance, by installing legitimate RMM agents like Atera Agent and Splashtop Remote Services, they can mimic authorized activity, making detection more challenging. The group is also known for web shell deployment, credential harvesting and DNS manipulation

Additionally, the use of custom utilities like ShadowLink, a tool that configures compromised systems as hidden services on the Tor network, further complicates efforts to trace their activities.

Seashell Blizzard’s attack chart (Via Microsoft)

****Who Is Sandworm?****

Linked to Russia’s military intelligence agency GRU, specifically Unit 74455, Sandworm is notorious for conducting disruptive cyberattacks. Their history includes incidents like the NotPetya attack in 2017, which caused billions in damages worldwide, and the FoxBlade operation in 2022, targeting Ukraine’s infrastructure.

Industry experts are raising alarms about the implications of these findings. “This discovery is alarming for UK organisations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance and launch attacks,” warns Simon Phillips, CTO of SecureAck.

Even though the subgroup exploits publicly known vulnerabilities, their post-compromise tactics are becoming more advanced. The emergence of BadPilot only makes it harder to detect the activities of these already well-equipped and highly skilled Russian hackers.

That’s why organizations of all sizes must stay alert and aware of this and other cybersecurity threats. Employee training and additional security measures can help prevent breaches, even if they can’t completely stop Seashell Blizzard.

Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK

Scammers are once again using AI to take over Gmail accounts.

In May, 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

> “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly. This is especially because the AI tools that cybercriminals have at their disposal are relatively low cost: In one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users some of these elements all came together. These often start with a call to users, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft.

When we warn about agentic AI attacks this is the type of campaigns that are examples of what we can expect.

The FBI added a warning about unsolicited emails and text messages which contain a link to a seemingly legitimate website that asks visitors to log in, but the linked websites are fakes especially designed to steal the credentials.

As we have seen in the past these sites can even be designed to steal session cookies. Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system. And if cybercriminals manage to steal the session cookie, they can log in as you, change the password and grab control of your account.

**How to avoid AI Gmail phishing**

*   Never click on links or download files from unexpected emails or messages.
*   Don’t enter personal information on a website unless you are certain it is legitimate.
*   Use a password manager to autofill credentials only on trusted sites.
*   Monitor your accounts for signs of unauthorized access or data leaks.
*   Verify security alerts by visiting your Google Account page directly instead of using links in emails.
*   Use multi-factor authentication (MFA) for all accounts
*   Protect your devices with up-to-date security software (such as Malwarebytes Premium Security), and use text protection and text message filtering on your mobile device.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 How AI was used in an advanced phishing campaign targeting Gmail users 

In mid-March 2024, KrebsOnSecurity revealed that the founder of the personal data removal service Onerep also founded dozens of people-search companies. Shortly after that investigation was published, Mozilla said it would stop bundling Onerep with the Firefox browser and wind down its partnership. But nearly a year later, Mozilla is still promoting it to Firefox users.

In mid-March 2024, KrebsOnSecurity revealed that the founder of the personal data removal service **Onerep** also founded dozens of people-search companies. Shortly after that investigation was published, **Mozilla** said it would stop bundling Onerep with the **Firefox** browser and wind down its partnership with the company. But nearly a year later, Mozilla is still promoting it to Firefox users.

Mozilla offers Onerep to Firefox users on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or password are leaked in data breaches.

The ink on that partnership agreement had barely dried before KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder **Dimitiri Shelest** launched dozens of people-search services since 2010, including a still-active data broker called **Nuwber** that sells background reports on people. This seemed to contradict Onerep’s stated motto, “We believe that no one should compromise personal online security and get a profit from it.”

Shelest released a lengthy statement (PDF) wherein he acknowledged maintaining an ownership stake in **Nuwber**, a consumer data broker he founded in 2015 — around the same time he started Onerep.

Onerep.com CEO and founder Dimitri Shelest, as pictured on the “about” page of onerep.com.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.”

When asked to comment on the findings, Mozilla said then that although customer data was never at risk, the outside financial interests and activities of Onerep’s CEO did not align with their values.

“We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first,” Mozilla said.

In October 2024, Mozilla published a statement saying the search for a different provider was taking longer than anticipated.

“While we continue to evaluate vendors, finding a technically excellent and values-aligned partner takes time,” Mozilla wrote. “While we continue this search, Onerep will remain the backend provider, ensuring that we can maintain uninterrupted services while we continue evaluating new potential partners that align more closely with Mozilla’s values and user expectations. We are conducting thorough diligence to find the right vendor.”

Asked for an update, Mozilla said the search for a replacement partner continues.

“The work’s ongoing but we haven’t found the right alternative yet,” Mozilla said in an emailed statement. “Our customers’ data remains safe, and since the product provides a lot of value to our subscribers, we’ll continue to offer it during this process.”

It’s a win-win for Mozilla that they’ve received accolades for their principled response while continuing to partner with Onerep almost a year later. But if it takes so long to find a suitable replacement, what does that say about the personal data removal industry itself?

Onerep appears to be working in partnership with another problematic people-search service: **Radaris**, which has a history of ignoring opt-out requests or failing to honor them. A week before breaking the story about Onerep, KrebsOnSecurity published research showing the co-founders of Radaris were two native Russian brothers who’d built a vast network of affiliate marketing programs and consumer data broker services.

Lawyers for the Radaris co-founders threatened to sue KrebsOnSecurity unless that story was retracted in full, claiming the founders were in fact Ukrainian and that our reporting had defamed the brothers by associating them with the actions of Radaris. Instead, we published a follow-up investigation which showed that not only did the brothers from Russia create Radaris, for many years they issued press releases quoting a fictitious CEO seeking money from investors.

Several readers have shared emails they received from Radaris after attempting to remove their personal data, and those messages show Radaris has been promoting Onerep.

An email from Radaris promoting Onerep.

Nearly a Year Later, Mozilla is Still Promoting OneRep

Doxbin Data Breach: Hackers leak 136,000+ user records, emails, and a ‘blacklist’ file, exposing those who paid to…

Doxbin Data Breach: Hackers leak 136,000+ user records, emails, and a ‘blacklist’ file, exposing those who paid to keep their info off the doxxing platform.

Doxbin, a notorious platform associated with doxxing and the exposure of personal information, has been compromised by a hacker group known as Tooda. The attack, which appears a long-time rivalry between different groups, has resulted in the deletion of user accounts, a loss of administrative control, and a leak of a massive user database.

****What Happened?****

As seen by Hackread.com, according to claims made by the group on its official website and now deleted Telegram channel, they breached Doxbin’s infrastructure, wiped out user accounts, locked out administrators, and exposed the personal details of individuals involved in running the platform. The attackers state that the move was in response to accusations against one of their members.

As part of their attack, Tooda has also released a database containing 136,814 IDs, usernames and email addresses belonging to Doxbin users. While Tooda claims full control over Doxbin’s backend they also leaked a file called “Doxbin Blacklist” which is a collection of people who have allegedly paid to not have their information posted on Doxbin.

Another list on the Tooda group’s website is titled “DoxBin Admin River aka Paula’s Dox,” which contains personal information allegedly belonging to a Doxbin administrator known as River, whose real name is apparently Paula. The file includes detailed personal data about this individual, along with a warning message instructing Paula to stay away from Doxbin.

The website where Doxbin data breach info has been published (left) – Doxbin admin email address in the leak (right) Credit: Hackread.com

    "Paula and Operator you were both warned by us to stay away from the DoxBin community, even after you were extended an olive branch you decided to power trip and crash out for no reason.
    
    Paula you could have just continued living your sad, worthless life collecting
    your money from selling blacklists and gambling it away, all while you hang around 
    other worthless losers on Discord. If you have purchased a blacklist in the past 
    consider that money wasted, you will need to blame Paula for it being leaked, she 
    alone created this situation.
    
    Your entire ego is built up by edating your ransomware affiliated boyfriend 
    Operator/Clark/ArkaT (Scattered Spider Member), and you're on a power trip because 
    he spent a third of his net re-purchasing doxbin under a new alias just to get 
    exposed and get your dox leaked in front of everyone. Sadly mass my reporting Telegram.
    
    channels and slaving EDRs with hardline won't help you out of this situation.
    You were given many opportunities to either leave or at the least not attempt (and 
    fail) to dox every person you had a slight disagreement with.
    
    Take this as a warning, stop trying to dox innocent people, leave the DoxBin community or this will get worse."
    
    -Todda

****What Does This Mean for Doxbin Users?****

For individuals who have used Doxbin, this breach can turn out to be a risky one. Even if usernames and email addresses are the only exposed information, they can still be cross-referenced with other leaks, allowing security researchers, rival hackers, or even law enforcement agencies to trace identities and uncover real-world connections.

At the time of writing, Doxbin was offline. The Doxbin breach goes on to show how even malicious platforms are exposed to rival attacks. For now, Doxbin users might find themselves in the same position they once put others, at risk of being exposed.

Doxbin Data Breach: Hackers Leak 136K User Records and Blacklist File

Hazel discusses Interpol’s push to rename pig butchering scams as ‘romance baiting’. Plus, catch up on the latest vulnerability research from Talos, and why a recent discovery is a “rare industry win”.

Thursday, February 13, 2025 14:05

Welcome to this week’s edition of the Threat Source Newsletter.

Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?

You may be seeing a lot of ‘Beware of romance/ pig butchering scams’ articles around Valentines Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”. 

I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.

In a statement, Interpol explained their reasoning:

_"The term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,"_

Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it). 

By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:

_"Words matter. We've seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud," INTERPOL Acting Executive Director of Police Services Cyril Gout said._

_"It's time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes."_

I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better. 

What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?

**The one big thing**

In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: IPP over USB specification, which defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality. 

The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.

**Why do I care?**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY\_SOURCE, saved the day.

**So now what?**

The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.

**Top security headlines of the week**

Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).

Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)

Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).

Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).

**Can't get enough Talos?**

Google Cloud Platform Data Destruction via Cloud Build

Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 

Catch up on the latest Talos Takes podcast:

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025) San Francisco, CA

TIPS 2025 (May 14-15, 2025) Arlington, VA

**Most prevalent malware files from Talos telemetry over the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 MD5: 7bdbd180c081fa63ca94f9c22c457376 VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A 

Detection Name: Trojan.GenericKD.33515991

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA-256: 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1

MD5: 35f8db3dde368c6d25239d27fd79a4a7

VirusTotal: https://www.virustotal.com/gui/file/6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1/details

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: easysmartpdf.msi

Changing the narrative on pig butchering scams

A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-0426

**Node Denial of Service via kubelet Checkpoint API**

Moderate severity GitHub Reviewed Published Feb 13, 2025 to the GitHub Advisory Database • Updated Feb 13, 2025

**Package**

gomod k8s.io/kubernetes (Go)

**Affected versions**

\>= 1.32.0, < 1.32.2

\>= 1.31.0, < 1.31.6

\>= 1.30.0, < 1.30.10

< 1.29.14

**Patched versions**

1.32.2

1.31.6

1.30.10

1.29.14

**Description**

Published to the GitHub Advisory Database

Feb 13, 2025

Last updated

Feb 13, 2025

**EPSS score**

GHSA-jgfp-53c3-624w: Node Denial of Service via kubelet Checkpoint API

A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network (CDN) with an aim to steal credit card information and commit financial fraud.
"The attacker targets victims searching for documents on search engines, resulting in access to malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to

Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners

The ABB Cylon FLXeon BACnet controller suffers from insecure CORS configuration. Allowing all origins (app.options('*', cors()); can expose the API to data leaks, resource abuse, and potential XSS attacks.

Title: ABB Cylon FLXeon 9.3.4 (app.js) Insecure CORS Configuration  
Advisory ID: ZSL-2025-5921  
Type: Local/Remote  
Impact: Cross-Site Scripting, Security Bypass  
Risk: (3/5)  
Release Date: 13.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller suffers from insecure CORS configuration. Allowing all origins (app.options('\*', cors()); can expose the API to data leaks, resource abuse, and potential XSS attacks.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[13.02.2025\] Public security advisory released.

**PoC**

abb\_flxeon\_cors1.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://packetstorm.news/files/id/189232/

**Changelog**

\[13.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#web