Relative Path Traversal vulnerability in Apache Solr.

Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API.  Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.  
This issue affects Apache Solr: from 6.6 through 9.7.0.

Users are recommended to upgrade to version 9.8.0, which fixes the issue.  Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-4p5m-gvpf-f3x5: Apache Solr Relative Path Traversal vulnerability

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

January 27, 2025 - UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago.

January 24, 2025 - The Texas Attorney General has requested information of four more car manufacturers about their data handling.

January 23, 2025 - iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

January 22, 2025 - A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

January 21, 2025 - Forget OSINT, AI-supported tool GeoSpy can determine a person's location based on their surroundings in a picture.

 A week in security (January 20 &#8211; January 26) 

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

PRESS RELEASE

AUSTIN, TX, Jan. 21, 2025 (GLOBE NEWSWIRE) -- Automox launches FastAgent, a breakthrough in modern agent technology designed to deliver unprecedented speed, reliability, and control for IT professionals. 

With reimagined communication protocols, infrastructure, and user-facing functionality, FastAgent modernizes endpoint management to meet the evolving demands of secure enterprise environments.

"FastAgent represents a significant leap forward for IT teams seeking uncompromising reliability and empowered endpoint control," said Jason Kikta, CISO/VP of Product at Automox. "This innovation demonstrates our commitment to simplifying IT operations without sacrificing security or speed."

Key Innovations of FastAgent:

*   Industry-Leading Reliability: Agent-aware command tracking and hyper-efficient backend communication protocols ensure consistent, secure, device-centric management across Windows, macOS, and Linux systems. Persistent outgoing response queuing enables the agent to operate intelligently, even in high-traffic or intermittent connectivity situations. 
    
*   Unparalleled Scalability and Control: FastAgent enhances reliability without compromising security policies. With dynamic reconnection delay, configuration IT teams can tailor agent reconnection attempts for environments with strict network policies, such as those using network access control (NAC) solutions, to maximize reliability and connectivity between Automox and devices. 
    
*   Intuitive User Experience with Automox Tray: Automox Tray provides end users with an intuitive, familiar, and friendly interface for managing system updates and device reboots. This innovative experience maintains security SLAs while delivering transparency and control to end users. 
    

FastAgent's advanced capabilities are built to scale, offering IT decision-makers certainty in maintaining secure, efficient, and consistent configurations across all their Windows, macOS, and Linux endpoints.

Up Next: End-User Empowerment with Automox Tray

Automox Tray redefines the end-user experience between IT and the workforce with an approachable, modern notification system for Windows, macOS, and third-party updates. IT teams can implement deadline-based notifications to streamline updates and reboot processes while ensuring business-critical systems stay compliant and secure.

Enhanced IT Efficiency with Automox FastAgent

FastAgent brings a comprehensive set of industry-leading capabilities:

1.  Redesigned Backend Protocols ensure scalability and low latency. 
    
2.  Persistent Response Queuing enables command delivery under any network condition. 
    
3.  Enhanced Security Controls allow configurable reconnection delays to improve stability in highly controlled environments. 
    

By combining enhanced functionality with industry-leading automation, FastAgent empowers organizations to address key IT challenges, maintain compliance, and improve operational efficiency.

About Automox

Automox is the IT automation platform for modern organizations. Policy-driven human-controlled automation empowers IT professionals to prove vulnerabilities are fixed, slash cost and complexity, win back hours in their days, and delight end users. 360+ Automox Worklet automation scripts make it easy for IT to save time, reduce risk, and thoughtfully automate OS, third-party software, and configuration updates on Windows, macOS, and Linux desktops, laptops, and servers.

Join thousands of IT heroes automating confidence across millions of endpoints with Automox. Learn more at www.automox.com, connect with the Automox Community, or connect with us on Twitter/X, Threads, LinkedIn, Facebook, Reddit, or Instagram.

Automox Releases Endpoint Management With FastAgent

Such routers typically lack endpoint detection and response protection, are in front of a firewall, and don't run monitoring software like Sysmon, making the attacks harder to detect.

Source: LJSphotography via Alamy Stock Photo

Dozens of organizations have been infected with router malware that uses a packet-sniffing technique to minimize its footprint.

Rather than their far more popular Cisco counterparts, the campaign, which Black Lotus Labs named "J-magic," hones in on Juniper-brand routers at the edge of high-value networks. Exposed enterprise routers are tapped with a variant of a quarter-century-old backdoor, "cd00r," which stays dormant until it receives an activation phrase — a "magic packet." Only then does it grant access to a reverse shell, from which its attackers can steal data, manipulate configurations, and spread to more devices.

"There's been a lot of emphasis on small office/home office (SOHO) devices, but attackers are just as active in the enterprise space," warns Danny Adamitis, principal information security engineer with Black Lotus Labs. "It's just that they're living on these devices that don't really have endpoint detection and response (EDR), that are in front of a firewall, and don't really run things like Sysmon, so it's a little bit harder for people to detect these attacks."

**Backdoor Malware Infests Juniper Routers**

Exactly how the hackers obtained initial access to affected routers is unknown, but the openings they exploited are clear. Around half the Juniper routers victimized by J-magic were configured as virtual private network (VPN) gateways, and the other half possessed exposed Network Configuration Protocol (NETCONF) ports, which allow administrators to remotely manage and configure network settings, but also allow attackers to sneak through and do the same. These routers served as points of entry and control for much larger networks, affording attackers a wide canvas for their malicious deeds.

Related:Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

To exploit these prized devices, the attackers install their malware, cd00r, in a position where it can observe all TCP traffic coming into the edge device. Then it waits for one of five predefined packets meeting highly specific conditions, which act like an activation phrase. When a packet meeting one of these presets is received, the program will spawn a reverse shell connected to the attacker's IP address, through the port specified in the magic packet.

The technique works because it circumvents the already limited methods defenders have for picking up on edge malware. In a typical infection, Adamitis says, "If you're able to monitor traffic from a firewall or router, you can see that there is a beacon that occurs at a set interval. And if you perform a time series analysis, you can see activity continuously occurring with that interval, and it kind of stands out. With something like this, you don't have that consistent call out. This will evade that form of detection."

Related:Automox Releases Endpoint Management With FastAgent

A J-magic attack isn't entirely complete upon reception of the magic packet, though. To confirm that the handler is the intended attacker — not just some passerby trying to piggyback on their work — cd00r sends out a "challenge" string encrypted with a hardcoded public key. Only if the attacker passes this test — by returning the string back using their associated private key — do they obtain control over the reverse shell, and with it the power to control the infected device, steal enterprise data, and deploy further malware.

Evidence of these J-magic infections dates back to September 2023, but the majority of cases appear to have popped up in the spring and summer of 2024. In that year or so, cd00r spread to the US, the UK, Russia, Norway, India, and more countries in between, affecting organizations in construction, bioengineering, insurance, and IT services, among others.

**Blind Spot in Edge Network Cybersecurity**

Easily overlooked is the fact that cd00r, though updated with new features, is a 25-year-old program. It was originally developed and released in 2000, as a proof-of-concept (PoC) for an "invisible" backdoor, on the information security website Packet Storm.

Related:15K Fortinet Device Configs Leaked to the Dark Web

That such an old, and in some ways atavistic, malware would still suffice in 2025 speaks to just how much attackers can get away with in edge networks.

"On your corporate laptop, you probably have Windows Defender and something from your favorite EDR vendor. There tend to be a lot of vendors for end-user workstations, but edge devices don't really seem to have anything on them. So by living in those blind spots, attackers are able to get away with using this 20-year-old malware, because there's no one and nothing on that particular device to actually capture that sort of user interaction," Adamitis says.

"The reporting around these kinds of enterprise-grade routers tends to be a lot more sparse," he adds. "What we're trying to say is: We think there might be this low visibility spot in the perimeter."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Black 'Magic' Targets Enterprise Juniper Routers With Backdoor

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability. The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document. What […]

**About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability.** The vulnerability is from the January Microsoft Patch Tuesday. OLE (Object Linking and Embedding) is a technology for linking and embedding objects into other documents and objects, developed by Microsoft. A common use of this technology is embedding an Excel table in a Word document.

What is this vulnerability about? The attacker’s code executes when a specially crafted RTF document is opened or when **a malicious email is opened or previewed in Microsoft Outlook**. In the second case, no action is required from the victim other than clicking on the message. 🤷‍♂️ Microsoft recommends viewing messages in Outlook only in plain text.

On January 20, an exploit PoC appeared on GitHub that demonstrates Memory Corruption when opening an RTF document. Now we are waiting for an RCE exploit for Outlook. 😉

There have been no reports of attacks yet.

Fix this vulnerability ASAP!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – Windows OLE (CVE-2025-21298) vulnerability

Advanced persistent threat group PlushDaemon, active since 2019, is using a sophisticated modular backdoor to collect data from infected systems in South Korea.

Source: BeeBright via Shutterstock

A newly discovered Chinese threat group has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.

The group, dubbed PlushDaemon by the researchers at ESET Research who discovered it, typically aims to hijack legitimate updates of Chinese applications in its malicious operations "by redirecting traffic to attacker-controlled servers," according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. "Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers," he wrote.

However, the researchers also discovered the group in May 2024 planting malicious code in an NSIS installer for the Windows version of the VPN software of South Korean company IPany, representing a departure from its typical operations, they said. ESET notified IPany and the malicious installer was removed from the company's website.

PlushDaemon has been active since at least 2019, engaging in cyberespionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is the exclusive user of several types of malware in its malicious activities, mostly notably a custom, modular backdoor for collecting various data from infected machines, called SlowStepper for Windows, according to ESET.

**Atypical Supply-Chain Attack**

The first sign of the supply-chain attack came in May 2024, when ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the IPany website.

"The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany\[.\]kr/download/IPanyVPNsetup.zip," Muñoz wrote. However, the researchers didn't find suspicious code on the download page "to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges." This led them to believe that "anyone using the IPany VPN might have been a valid target."

Several users attempted to install the Trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. Further research found even older cases of infection via the campaign, with the two oldest coming from a victim in Japan in November 2023 and a victim in China in December 2023, the researchers said.

**SlowStepper Backdoor**

The payload in the supply chain attack is PlushDaemon's own SlowStepper backdoor, which has more than 30 modules. However, the group used a "lite" version of the backdoor in the IPany attack, which contains fewer features than other previous and newer versions, the researchers said.

The backdoor features a multistage command-and-control (C2) protocol using DNS, and is known for its ability to download and execute dozens of additional Python modules with espionage capabilities.

"Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos," Muñoz wrote.

The researchers found PlushDaemon's tools stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account. At the time of writing, the profile was private.

**Another Chinese APT Emerges**

China already has a raft of known and active APTs that regularly and persistently engage in cyberespionage activities against the US and its allies. One of the most notable operations of late was the infiltration of US broadband provider networks by Chinese APT Salt Typhoon; however, the investigation into that incident was dealt a significant blow on Jan. 21, when President Trump, on his second day back in office, fired the cyber safety board looking into it.

However, with a new, sophisticated actor like PlushDaemon now emerging from the shadows, organizations need to be more vigilant than ever against malicious cyber activity from China, Muñoz said.

"The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for," he wrote.

To that end, ESET included a link to its GitHub repository that contains a comprehensive list of indicators of compromise (IoCs) and samples of PlushDaemon activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chinese Cyberspies Target South Korean VPN in Supply Chain Attack

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

The payment card giant **MasterCard** just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider **Akamai** \[DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage\].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “**akam.ne**.”

This tiny but potentially critical typo was discovered recently by **Philippe Caturegli**, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West Africa nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through **Bugcrowd**, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like **Cloudflare** and **Google**.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By setting their DNS server records with a long TTL or “Time To Live” — a setting that can adjust the lifespan of data packets on a network — an attacker’s poisoned instructions for the target domain can be propagated by large cloud providers.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain **az.mastercard.com**. It is not clear exactly how this subdomain is used by MasterCard, however their naming conventions suggest the domains correspond to production servers at Microsoft’s **Azure** cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “**awsdns-06.ne**” instead of “**awsdns-06.net**.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).

MasterCard DNS Error Went Unnoticed for Years

A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows.

The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. The MotW is what triggers warnings that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices. 7-Zip added support for MotW in June 2022.

The MotW also makes sure that Office documents that are marked with the MotW will be opened in Protected View, which automatically enables read-only mode and means that all macros will be disabled until the user allows them.

MotW security warning in file properties

For years, attackers were able to bypass the MotW by putting their malicious files in archives. This worked because the MotW is in fact another file that is attached to the main file as an Alternate Data Stream (ADS), and over the years we have seen many vulnerabilities in archivers where the ADS didn’t pass on the individual files when the archive was decompressed.

The same is true this time. Only the attacker will have to prepare an especially crafted nested archive. A nested archive means there is an open archive inside another open archive. Exploitation of the vulnerability also requires user interaction, meaning the target will have to visit a malicious page or open a malicious file.

If you’re a Windows user, check whether you are using version 7-Zip 24.09 or later. If you’re not, then they’ll need to update.

7-Zip does not have an auto-update function, so you will have to download the version that is suitable for your system from the 7-Zip downloads page.

**Other security measures**

There are some general safety tips to keep in mind when you’re handling archived files on a regular basis:

*   Keep track of how and where you obtained the archive.
*   Always be careful when opening archived files that you downloaded from the internet.
*   Make sure you are using an updated anti-malware solution that is capable of scanning inside archives, and you have that setting enabled.

Malwarebytes scan within archives option enabled

*   Keep track of who accesses archived files and when. This can help identify unauthorized access attempts and help monitor unwanted changes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 7-Zip bug could allow a bypass of a Windows security feature. Update now 

The advanced persistent threat (APT) group is likely India-based and targeting individuals with connections to the country's intelligence community.

Source: SROOLOVE via Shutterstock

Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.

The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but do not work as advertised. Instead, once installed on a system they prompt the user to turn on the device's accessibility feature and grant access to several easily misused permissions. The apps then shut down and proceed to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently spotted the new DONOT campaign.

**Intelligence Gathering and Beyond**

"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.

Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal basically allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.

When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into clicking on the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services to use the app. The victim is then directed to the accessibility settings page from which the app accesses several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.

Researchers at Cyfirma also found the apps to access several other permissions such as those that allow the threat actor to delete and read both incoming and outgoing text messages. They also can access the Android device's internal storage to extract its exact location and monitor its movement on a real-time basis.

Significantly, Cyfirma found the malicious apps using push notifications to try and get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.

**A Persistent South Asian Threat**

DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.

Others, such as ESET have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.

DONOT Team is one of several APT groups believed to be operating out of India that is engaged in a range of malicious activities, including online extortion scams, hacktivism, and increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader growth in all kinds of cybercrime in South Asia in recent years.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#windows