Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper | Infosec Articles | Hacking News
Last updated: Wed, 12 Feb 2025 16:07:05 +0000

50,000 Users Hacked via WhatsApp!
https://www.securitynewspaper.com/2025/02/12/50000-users-hacked-via-whatsapp/
Wed, 12 Feb 2025 16:07:02 +0000

A large-scale malware campaign, dubbed FatBoyPanel, is targeting Android users in India, compromising over 50,000 victims. Security researchers from Zimperium attribute this attack to a single threat actor deploying over 1,000 malicious applications. The malware is primarily distributed via WhatsApp as an APK file, masquerading as legitimate government or banking apps. Researchers identified 900 unique samples and uncovered 2.5GB of stolen data, including sensitive banking details, government IDs, and SMS messages. The malware exfiltrates stolen data using hard-coded phone numbers, some controlled by the attacker, while others belong to compromised victims. About 63% of these numbers were traced to Indian regions. The malware exploits SMS permissions to intercept and steal OTPs, allowing unauthorized access to banking accounts. Additionally, it employs stealth techniques such as icon hiding, uninstallation resistance, and code obfuscation. By intercepting SMS messages, it facilitates fraudulent transactions, leading to financial losses for victims. This highlights the critical need for cybersecurity awareness, urging users to avoid installing APKs from untrusted sources and to review app permissions rigorously. Authorities and security firms are actively investigating the campaign, but users must remain vigilant against such evolving cyber threats.

GhostGPT is out – Write your own Malicious Code
https://www.securitynewspaper.com/2025/02/04/ghostgpt-is-out-write-your-own-malicious-code/
Tue, 04 Feb 2025 14:33:15 +0000

A new artificial intelligence (AI) tool called GhostGPT is being misused by cybercriminals to create harmful programs, hack systems, and send convincing phishing emails. Security researchers from Abnormal Security found that this AI model is available for sale on Telegram, a messaging platform, with prices starting at $50 per week. Hackers find GhostGPT appealing because it is fast, easy to use, and does not store user conversations, making it harder for authorities to track.

GhostGPT is not the only AI being used for illegal activities. Similar tools like WormGPT are also on the rise, offering criminals ways to bypass security controls that are present in ethical AI models like ChatGPT, Google Gemini, Claude, and Microsoft Copilot. These unethical AI models are designed to assist in writing malicious code and carrying out cyberattacks, posing a major risk to businesses and individuals.

The rise of cracked AI models, which are modified versions of legitimate AI tools, has made it easier for hackers to gain access to powerful AI systems without restrictions. Security experts have been tracking the rise of these tools since late 2024 and report an increase in their usage for cybercrime. This development is alarming for the tech industry and security professionals because AI was meant to help people and businesses, not be used as a weapon. If these malicious AI models continue to grow, companies and individuals could face more sophisticated cyberattacks, making cybersecurity more challenging. The need for stronger regulations and better security measures to prevent AI abuse is now more critical than ever.

Hackers Can Manipulate Your Heart Rate Monitor – Unbelievable Security Flaw!
https://www.securitynewspaper.com/2025/02/03/hackers-can-manipulate-your-heart-rate-monitor-unbelievable-security-flaw/
Mon, 03 Feb 2025 22:10:08 +0000

In a critical security disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have warned healthcare providers and cybersecurity professionals about a high-risk backdoor vulnerability in Contec CMS8000 patient monitors.

This vulnerability allows remote attackers to gain unauthorized access, modify patient data, and disrupt device functionality—posing a severe cybersecurity threat to hospitals and medical institutions. If exploited, the flaw could enable an attacker to manipulate real-time vital sign monitoring, potentially leading to fatal medical errors or ransomware-style device takeovers.


Technical Analysis of the Vulnerability

The vulnerabilities, tracked under CVE-2025-0626 and CVE-2025-0683, enable attackers to execute arbitrary commands on the device.

Breakdown of the Exploit Path

The Contec CMS8000 patient monitor firmware contains hardcoded credentials and an undocumented remote access protocol, which serve as a backdoor into the system. This backdoor allows an attacker to:

  1. Authenticate remotely without proper credentials, using a weak or publicly known factory-set username and password.
  2. Access a command-line interface (CLI) over an open network port, allowing direct system manipulation.
  3. Overwrite system files, modify patient telemetry data, and even disable alarms and notifications.

Key Technical Issues Enabling Exploitation

  1. Hardcoded Administrative Credentials
    • The firmware contains static, factory-set credentials that cannot be changed by hospital IT staff.
    • Attackers can easily retrieve these credentials from firmware dumps or leaked documentation.
    • Once obtained, these credentials allow full device control over Telnet or SSH.
  2. Exposed Network Services
    • The CMS8000 runs multiple unnecessary services on open ports:
      • Telnet (Port 23) – Legacy unencrypted command-line access.
      • HTTP (Port 80) – Web interface without proper authentication mechanisms.
      • TFTP (Port 69) – Allows remote firmware updates without validation.
    • These services lack proper access control, enabling remote manipulation.
  3. Arbitrary Code Execution
    • Due to a lack of input validation, an attacker can inject malicious commands via network-based API calls.
    • This can be leveraged to deploy malware, install a persistent backdoor, or modify the firmware.
  4. File System Modification and Log Manipulation
    • Attackers can overwrite core system files and alter log data, making it difficult for administrators to detect malicious activity.

Potential Exploitation Scenarios

Given the vulnerability’s severity, several exploitation scenarios exist:

1. Remote Device Takeover

  • An attacker scans the network for vulnerable CMS8000 monitors using Shodan or Nmap.
  • They identify an active device running the affected firmware version.
  • Using leaked hardcoded credentials, they gain remote CLI access over Telnet or SSH.
  • The attacker executes commands to disable monitoring functions, shut down alerts, or falsify patient readings.

2. Ransomware Attack Targeting Medical Devices

  • A threat actor deploys a custom script via the backdoor, encrypting all patient records stored on the device.
  • The monitor’s display is replaced with a ransom note, demanding payment in cryptocurrency to restore normal functionality.
  • Because the device is integral to patient care, hospitals may feel pressured to pay the ransom to restore operations quickly.

3. Man-in-the-Middle (MitM) Attack on Patient Data

  • An attacker positions themselves on the same network segment as the medical monitors.
  • Using ARP spoofing, they intercept real-time telemetry data sent from the CMS8000 to hospital monitoring stations.
  • They modify patient data in transit, causing medical professionals to make incorrect treatment decisions.

4. Attack on Healthcare IoT Infrastructure

  • Since many hospitals run unsegmented internal networks, compromising the CMS8000 can act as a pivot point for lateral movement.
  • Attackers could escalate privileges to access hospital record systems, imaging devices, and even electronic health records (EHRs).

Mitigation Strategies

1. Immediate Steps for Healthcare Organizations

CISA and the FDA strongly urge hospitals and IT administrators to take the following actions immediately to protect against potential exploits:

🔹 Apply the Latest Firmware Updates

  • If a security patch is available from Contec, it must be applied immediately.
  • Devices that cannot be updated should be segmented from the network.

🔹 Disable Unused Network Services

  • Telnet and TFTP should be disabled where possible.
  • Restrict SSH access to only trusted internal IP addresses.

🔹 Implement Network Segmentation

  • Healthcare institutions should place patient monitoring devices on a dedicated VLAN with strict firewall rules.
  • Blocking public access to CMS8000 monitors is essential to prevent remote exploitation.

🔹 Change Default Credentials (If Possible)

  • If the firmware allows it, administrators should change factory-set usernames and passwords.
  • Deploy multi-factor authentication (MFA) for remote access.

🔹 Continuous Monitoring & Threat Detection

  • IT teams should deploy intrusion detection systems (IDS) to monitor for suspicious activity on medical device networks.
  • Regular penetration testing should be conducted to assess security posture.
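
The segmentation and service-restriction steps above can be checked against network flow records. The following is an added example, not code from the article, CISA, or Contec; the subnets, the central-station address, the port 6000 telemetry flow, and the log format are all assumptions invented for illustration.

```python
"""Audit flow records against the segmentation rules above (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing, invented for this example; replace with the site's own plan.
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")        # all internal space
MONITOR_VLAN = ipaddress.ip_network("10.20.30.0/24")     # patient monitors
TRUSTED_ADMIN = ipaddress.ip_network("10.20.99.0/28")    # hosts allowed to manage
CENTRAL_STATIONS = {ipaddress.ip_address("10.20.40.5")}  # only permitted peer

# Services the article lists on the monitor: (protocol, port) -> name.
LEGACY = {("tcp", 23): "Telnet", ("udp", 69): "TFTP"}    # should be disabled
RESTRICTED = {("tcp", 22): "SSH", ("tcp", 80): "HTTP"}   # trusted sources only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse 'src dst proto dport' (a simplified, constructed log format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(flow: Flow) -> list[str]:
    """Return the policy findings for one flow; an empty list means compliant."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    key = (flow.proto, flow.dport)
    findings = []
    if dst in MONITOR_VLAN:
        if src not in HOSPITAL_NET:
            findings.append("monitor reachable from outside the hospital network")
        if key in LEGACY:
            findings.append(f"{LEGACY[key]} in use; service should be disabled")
        elif key in RESTRICTED and src not in TRUSTED_ADMIN:
            findings.append(f"{RESTRICTED[key]} from untrusted source {src}")
    elif src in MONITOR_VLAN and dst not in CENTRAL_STATIONS:
        findings.append(f"monitor talking to unapproved peer {dst}")
    return findings


def audit_log(lines) -> dict[str, list[str]]:
    """Map each non-compliant flow line to its findings."""
    report = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        findings = audit(parse_flow(line))
        if findings:
            report[line.strip()] = findings
    return report


# Constructed sample records, not captured traffic.
SAMPLE = """\
10.20.99.3 10.20.30.17 tcp 22
10.20.55.8 10.20.30.17 tcp 23
10.20.55.8 10.20.30.17 tcp 80
203.0.113.7 10.20.30.17 udp 69
10.20.30.17 10.20.40.5 tcp 6000
10.20.30.17 198.51.100.20 tcp 443
"""

if __name__ == "__main__":
    for flow_line, problems in audit_log(SAMPLE.splitlines()).items():
        print(flow_line, "->", "; ".join(problems))
```
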

The Larger Cybersecurity Challenge in Healthcare

The CMS8000 vulnerability is just one example of a larger systemic issue within the healthcare industry:
Many legacy medical devices were not designed with cybersecurity in mind.

Broader Industry Risks Include:

  • Medical IoT (IoMT) Devices Lacking Updates
    • Many medical devices are still running outdated operating systems (e.g., Windows XP, Windows 7).
  • High-Value Targets for Cybercriminals
    • Hospitals store highly sensitive patient data, making them attractive targets for ransomware and espionage.
  • Regulatory Compliance Challenges
    • Many institutions struggle to balance HIPAA compliance with modern cybersecurity best practices.

The cybersecurity of medical devices must become a higher priority for manufacturers, regulators, and healthcare providers. Moving forward, medical device manufacturers must adopt “Security by Design” principles, ensuring that future devices:

  • Require firmware authentication
  • Disallow hardcoded credentials
  • Enforce encrypted communications by default

Until these security issues are addressed at the design level, hospitals must take proactive steps to secure vulnerable devices and prevent catastrophic cyberattacks.


Final Thoughts

The discovery of a critical backdoor in the Contec CMS8000 is a wake-up call for the healthcare industry. This incident highlights the inherent risks in unpatched, insecure medical devices and the potential life-threatening consequences of cyber vulnerabilities in healthcare infrastructure.

Key Takeaways for Cybersecurity Experts & Healthcare IT Teams:

✔ Assess and patch all network-connected medical devices.
✔ Implement strict access controls and disable unnecessary network services.
✔ Enforce continuous monitoring of hospital IoT networks.
✔ Pressure vendors to release security updates and adopt stronger cybersecurity measures.

Cyberattacks on medical devices are no longer hypothetical—they are happening now. As healthcare increasingly relies on digital technology, securing these critical systems is a matter of life and death.

2025 API ThreatStats Report: AI Vulnerabilities Surge 1,025%, 99% Connected to APIs
https://www.securitynewspaper.com/2025/01/31/2025-api-threatstats-report-ai-vulnerabilities-surge-1025-99-connected-to-apis/
Fri, 31 Jan 2025 20:28:38 +0000

Wallarm’s 2025 API ThreatStats Report uncovers a dramatic 1,025% rise in AI-centric security flaws over the past year. Researchers cataloged 439 AI-related CVEs in 2024, and nearly every one—99%—traced back to insecure APIs. These include injection flaws, misconfigurations, and a sharp uptick in memory corruption exploits tied to AI’s reliance on high-performance binary endpoints.

AI technologies have exploded across industries, but APIs that power AI models often lack robust security. Over 57% of AI-enabled APIs are publicly exposed, while only 11% employ strong authentication and access controls. Attackers exploit these weak points to inject malicious code, siphon training data, or even manipulate machine learning pipelines. Wallarm’s researchers see these tactics succeeding in major breaches, such as those targeting Twilio and Tech in Asia, where attackers bypassed insufficient API protections to gain unauthorized access.

A standout finding is the new “Memory Corruption & Overflows” category in the Top-10 threat list. AI workloads push hardware boundaries, triggering buffer overflows and integer overflows that let attackers execute arbitrary code or crash systems. This kind of flaw used to be rare in web applications but has surged as binary APIs become standard in high-performance AI contexts. Malicious actors quickly seize these opportunities, using them to exfiltrate data or take over critical infrastructure.

API issues are now the number one attack vector, eclipsing older exploit types like kernel or supply-chain vulnerabilities. More than half of CISA’s known exploited flaws involve APIs, underscoring the shift to attacks that aim for direct entry points. Legacy endpoints—like .php files or AJAX calls—add another layer of exposure, because they often remain unpatched in production environments, from healthcare providers to government agencies.

Wallarm’s analysis covers 99% of 2024’s API-related CVEs and bug bounty disclosures, classifying them by CWE categories to produce actionable insights. Security teams can use these findings to prioritize fixes, especially for APIs supporting AI services. Strong memory-safety checks, real-time threat monitoring, and tightened authentication should become the norm.

Organizations that embrace AI must address API security head-on. Failure to do so risks data theft, operational chaos, and damaged reputations. As AI reshapes core business operations—from predictive modeling to customer engagement—protecting the APIs behind these systems is no longer optional.

Download the report:
https://www.wallarm.com/resources/2025-api-threatstats-report-ai-security-at-raise

“Enter0” is selling access
https://www.securitynewspaper.com/2025/01/31/enter0-is-selling-access/
Fri, 31 Jan 2025 19:41:48 +0000

There is a secretive online place called Exploit, which is like a dark web forum where hackers and cybercriminals gather to discuss and sell illegal things, like stolen data, hacked accounts, or access to company networks. Think of it as a black market for cybercrime. Enter0 has posted on this forum, saying they have access to the computer network of a US-based construction equipment company that makes about $24 million a year. The hacker group has somehow found a way into the company’s internal systems, likely by stealing a username and password of an employee or finding a security weakness. Now, they are selling this access to other hackers. The price starts at $600, but someone can buy it immediately for $1,500. This kind of access is dangerous because it allows criminals to steal company data, install ransomware (a virus that locks all files and demands money to unlock them), or spy on the company’s activities. The company does have antivirus software (SentinelOne), but this proves that antivirus alone cannot stop hackers if they already have login credentials. It looks like Enter0 is a new and unverified hacker, meaning they are not yet trusted in the hacking community. Still, this kind of sale can lead to serious cyberattacks. It highlights how companies need stronger security measures, like multi-factor authentication and better monitoring, to prevent such breaches. In short, cybercriminals are openly selling hacked access to real companies, and businesses need to be more aware of such threats.

Phishing youtube channels and links are stealing credentials
https://www.securitynewspaper.com/2025/01/21/phishing-youtube-channels-and-links-are-stealing-credentials/
Tue, 21 Jan 2025 14:50:49 +0000


Recently, cybercriminals launched a phishing attack using fake YouTube links to steal user login credentials. These links were cleverly disguised to look legitimate and used redirections through multiple websites to hide their true destination. The attack exploited a tool called the “Tycoon 2FA phishing kit,” making it capable of targeting a large number of users and even bypassing two-factor authentication (2FA). This highlights the growing sophistication of phishing campaigns and the need for extra caution while interacting with links.

How it works

  • Attackers created fake links that look like they are from YouTube. For example, the link might start with something like “hxxp[://]youtube” (instead of the usual “https://youtube”), making it seem real but hiding its true purpose.
  • When someone clicks these fake links, they are secretly redirected through multiple websites before reaching the final fake page. This makes it harder for security systems to detect the phishing attempt.
  • The final page looks like a legitimate login page, but when users enter their credentials, the attackers steal them.
  • According to researchers, this specific campaign was likely conducted by a hacking group called Storm1747. They used a tool called “Tycoon 2FA phishing kit,” which is designed for large-scale attacks and can even bypass two-factor authentication.

How to protect

  • Verify Links Before Clicking: Always check if a link is legitimate by hovering over it to see the full URL. Avoid clicking on suspicious or shortened links.
  • Enable 2FA: Use two-factor authentication for all accounts, but be cautious of phishing attempts designed to bypass it.
  • Use Antivirus and Anti-Phishing Tools: Install security software that can detect and block phishing sites.
  • Educate Yourself and Others: Stay informed about the latest phishing tactics and share this knowledge with family and colleagues.
  • Report Suspicious Activity: If you encounter a fake link or phishing attempt, report it to the website or service it claims to represent.
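
The "Verify Links Before Clicking" advice comes down to reading the host a link actually resolves to, not the brand name that appears somewhere in it. The following is an added example, not code from the article or the researchers; the trusted-domain list and every sample link (all under the reserved `.example` domain) are constructed for illustration.

```python
"""Check where a link really points before trusting the brand in it (added example)."""
import re
from urllib.parse import urlsplit

# Domains accepted as genuine in this example (assumption; extend as needed).
TRUSTED = ("youtube.com", "youtu.be")


def refang(link: str) -> str:
    """Undo the defanging used in reports, e.g. hxxp[://]host[.]tld."""
    link = re.sub(r"^hxxp", "http", link.strip(), flags=re.IGNORECASE)
    return link.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def _split(link: str):
    """Parse the link, returning None when it is not a well-formed URL."""
    try:
        return urlsplit(refang(link))
    except ValueError:
        return None


def real_host(link: str):
    """Return the host a browser would contact, or None if there is none.

    urlsplit drops any 'user@' prefix, so 'https://youtube.com@other.example/'
    yields 'other.example', which is the host that is really contacted.
    """
    parts = _split(link)
    return parts.hostname if parts else None


def verdict(link: str) -> str:
    """Classify a link by its real host and scheme."""
    parts = _split(link)
    if parts is None or not parts.hostname:
        return "no host found"
    host = parts.hostname.rstrip(".")
    # Accept the domain itself or a true subdomain; 'youtube.com.x.example'
    # merely starts with the brand and is rejected.
    if not any(host == d or host.endswith("." + d) for d in TRUSTED):
        return f"untrusted host: {host}"
    if parts.scheme != "https":
        return "trusted host but not https"
    return "trusted"


def chain_report(chain):
    """Given the URLs recorded while following redirects, list (host, verdict)."""
    return [(real_host(url), verdict(url)) for url in chain]


# Constructed redirect chain: a lookalike lure, a relay, and a fake login page.
SAMPLE_CHAIN = [
    "hxxp[://]youtube[.]com.account-verify.example/watch",
    "https://relay.example/r/1",
    "https://youtube.com@signin-portal.example/login",
]

if __name__ == "__main__":
    for host, result in chain_report(SAMPLE_CHAIN):
        print(host, "->", result)
```
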

Are Your Driving Habits and Location for Sale? GM Says Yes, FTC Says No
https://www.securitynewspaper.com/2025/01/20/are-your-driving-habits-and-location-for-sale-gm-says-yes-ftc-says-no/
Mon, 20 Jan 2025 22:39:34 +0000

The Federal Trade Commission (FTC) has initiated enforcement actions against General Motors (GM) and its subsidiary OnStar for unauthorized and misleading practices involving the collection and sale of sensitive driver data. The investigation uncovered that GM systematically collected precise geolocation and driving behavior data from millions of vehicles without obtaining explicit consent from consumers. This data was subsequently sold to third-party organizations, raising significant privacy and cybersecurity concerns.

This regulatory intervention underscores the critical need for transparency and consumer protection in the rapidly evolving landscape of connected automotive technologies.


Key Findings

  1. Unauthorized Data Collection:
    • GM and OnStar collected geolocation data at three-second intervals, along with detailed driving behaviors such as acceleration, braking, and speeding. This was done without obtaining prior consumer consent, violating privacy expectations.
  2. Misleading Practices:
    • OnStar’s “Smart Driver” feature was marketed as a tool to help drivers assess and improve their habits. However, the FTC revealed it was primarily a mechanism to collect and monetize driver data.
    • GM’s privacy disclosures failed to adequately inform consumers about how their data was being collected, shared, or sold, creating a false sense of security among vehicle owners.
  3. Data Monetization:
    • The data collected was sold to consumer reporting agencies, including Verisk, Lexis Nexis, and Jacobs Engineering. These entities used the data to adjust insurance rates or deny coverage outright, impacting consumers financially and undermining trust in GM’s services.

FTC’s Proposed Settlement

To address these violations, the FTC has proposed a settlement that includes the following key provisions:

  1. Data Sharing Ban:
    • GM and OnStar are prohibited from sharing geolocation and driving behavior data with consumer reporting agencies for five years.
  2. Mandatory Consumer Consent:
    • The settlement requires GM to obtain explicit consumer consent before collecting or selling their data.
  3. Data Deletion Requirements:
    • Previously retained consumer data must be deleted unless consumers explicitly opt in to its retention and use.
  4. Enhanced Consumer Controls:
    • Drivers must be provided with clear and accessible tools to view, manage, and delete their personal data, as well as options to disable data collection entirely.
  5. Transparency and Disclosure Improvements:
    • GM must provide comprehensive and plain-language disclosures about the types of data collected, its purpose, and how it will be used.
  6. Civil Penalties:
    • Although no immediate fines were levied, the FTC has set a potential penalty of $51,744 per violation. GM and OnStar have been given 180 days to comply with the settlement.

Broader Implications for the Automotive and Cybersecurity Communities

This enforcement action highlights growing concerns over data privacy and security within the automotive sector. The increasing integration of connected technologies in vehicles has created new avenues for data collection, often outpacing regulatory frameworks and consumer awareness.

  1. Regulatory Shift in Data Practices:
    • The FTC’s intervention signals a more aggressive stance on holding companies accountable for mishandling consumer data. It also sets a precedent for stricter oversight in the automotive industry, where privacy considerations are becoming as critical as physical safety features.
  2. Implications for Cybersecurity:
    • The sale of sensitive driver data to third parties increases the risk of cyberattacks and misuse. Data brokers and other entities handling such information could become targets for hackers, potentially compromising personal and financial information on a massive scale.
  3. Corporate Accountability:
    • This case serves as a reminder for corporations to prioritize consumer trust by implementing robust cybersecurity measures and transparent data governance policies. Non-compliance with emerging regulations could result in hefty fines and reputational damage.

Similar Cases and Industry Context

The GM case is not isolated. Similar concerns have arisen across the automotive and technology sectors:

  • Allstate Lawsuit: The Texas Attorney General recently sued Allstate and its subsidiary Arity for collecting and selling driving data from over 45 million Americans without consent.
  • Global Scrutiny: Automotive giants such as Toyota, Chrysler, and Mazda have faced allegations of engaging in unauthorized data collection practices, intensifying calls for uniform privacy standards across industries.

These developments highlight the pressing need for cohesive data privacy legislation that holds corporations accountable for protecting consumer information.


Looking Ahead

The FTC’s action against GM and OnStar may serve as a watershed moment, prompting automakers and tech companies to reevaluate their data collection practices. For cybersecurity professionals, it emphasizes the importance of implementing systems that not only secure data but also respect consumer rights.

As the automotive industry continues to innovate, the balance between technological advancement and privacy protection will remain a central challenge. Governments, corporations, and cybersecurity experts must collaborate to ensure that consumer trust is not eroded in the pursuit of profit.

How Microsoft 365 account are getting hacked
https://www.securitynewspaper.com/2025/01/17/how-microsoft-365-account-are-getting-hacked/
Fri, 17 Jan 2025 15:50:22 +0000


Introduction:

In recent cyber incidents, attackers have been targeting Microsoft 365 accounts using a sophisticated and fast-paced method. On January 6, 2025, cybercriminals began exploiting a tool called “FastHTTP” to carry out large-scale automated password-guessing attacks. This method leverages the tool’s capability for high-speed login attempts, making it a serious threat to organizations relying on Microsoft 365 for email and collaboration. Let us break this down in simple terms.

The Attack:

  • What Happened?
    • Attackers utilized a software library called “FastHTTP” to automate a huge number of login attempts against Microsoft 365 accounts. This software works at high speed, minimizing delays, and is ideal for launching these types of attacks.
    • The attacks were traced to regions like Brazil, Turkey, and Argentina, where they originated.
  • How Does the Attack Work?
    • Credential Stuffing: Attackers use usernames and passwords that were leaked from previous data breaches to try logging into Microsoft 365 accounts.
    • Password Spraying: Instead of using multiple passwords for one account (which could cause it to lock), attackers try a small set of common passwords across many accounts.
    • These attacks target the Azure Active Directory API, a system responsible for managing logins to Microsoft 365.
  • What About MFA-Protected Accounts?
    • Even accounts with Multi-Factor Authentication (MFA)—a second layer of security where users approve logins via their phone or email—aren’t completely safe.
    • Attackers exploit a technique called MFA fatigue, where they send repeated login requests, overwhelming users with approval notifications. A user might mistakenly approve one, giving attackers access.
  • Outcomes of the Attacks:
    • 10% Success Rate: About 1 in 10 attempts successfully takes over the targeted account.
    • 21% Lockouts: Some attacks trigger account lockouts due to too many failed login attempts.
    • 41.5% Failure Rate: The rest of the attempts fail outright.
  • Impact of a Successful Attack:
    • Once attackers gain access, they can:
      • Steal sensitive data (data exfiltration).
      • Use the account to send fake emails as part of business email compromise (BEC) schemes.
      • Move deeper into the organization’s network to access more systems and data (lateral movement).

It’s critical for organizations to enhance their defenses, educate users on MFA fatigue, and adopt measures like conditional access policies to protect against such threats.
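
The password-spraying and MFA-fatigue patterns described above leave recognizable traces in sign-in records: one source failing against many accounts, and a burst of rejected prompts followed by an approval. The following is an added example, not code from the article or from Microsoft; the log format, the result labels (`bad_password`, `locked`, `password_ok`, `mfa_denied`, `mfa_approved`), the thresholds, and all sample records are constructed for illustration.

```python
"""Spot password spraying and MFA fatigue in sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to the tenant's baseline.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 4          # distinct accounts failed from one source
FATIGUE_WINDOW = timedelta(minutes=5)
FATIGUE_MIN_PROMPTS = 3      # rejected prompts shortly before an approval


def parse(line):
    """Parse 'ISO-time user source result' (a constructed, simplified format)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def load(text):
    """Turn a block of log text into a list of event tuples."""
    return [parse(line) for line in text.splitlines() if line.strip()]


def find_spraying(events):
    """Return {source: sorted users} where one source failed many accounts."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result in ("bad_password", "locked"):
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most SPRAY_WINDOW.
            while fails[end][0] - fails[start][0] > SPRAY_WINDOW:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_USERS:
                hits.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in hits.items()}


def find_mfa_fatigue(events):
    """Return users who approved a prompt right after a burst of rejected ones."""
    rejected = defaultdict(list)   # user -> times of rejected prompts
    flagged = []
    for ts, user, _src, result in sorted(events):
        if result == "mfa_denied":
            rejected[user].append(ts)
        elif result == "mfa_approved":
            recent = [t for t in rejected[user] if ts - t <= FATIGUE_WINDOW]
            if len(recent) >= FATIGUE_MIN_PROMPTS and user not in flagged:
                flagged.append(user)
            rejected[user].clear()
    return flagged


# Constructed sample records, not real sign-in data.
SAMPLE = """\
2025-01-06T09:00:01 alice@example.test 198.51.100.9 bad_password
2025-01-06T09:00:02 bob@example.test 198.51.100.9 bad_password
2025-01-06T09:00:03 carol@example.test 198.51.100.9 bad_password
2025-01-06T09:00:04 dave@example.test 198.51.100.9 locked
2025-01-06T09:00:05 erin@example.test 198.51.100.9 password_ok
2025-01-06T09:00:10 erin@example.test 198.51.100.9 mfa_denied
2025-01-06T09:00:40 erin@example.test 198.51.100.9 mfa_denied
2025-01-06T09:01:15 erin@example.test 198.51.100.9 mfa_denied
2025-01-06T09:01:50 erin@example.test 198.51.100.9 mfa_approved
2025-01-06T09:30:00 frank@example.test 192.0.2.44 bad_password
2025-01-06T09:30:20 frank@example.test 192.0.2.44 password_ok
2025-01-06T09:30:25 frank@example.test 192.0.2.44 mfa_approved
"""

if __name__ == "__main__":
    events = load(SAMPLE)
    print("spraying sources:", find_spraying(events))
    print("possible MFA fatigue:", find_mfa_fatigue(events))
```

A single mistyped password followed by a normal approval, as in the last three sample records, triggers neither detector.
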

GoDaddy Claimed to Be the Safest, but the U.S. Government Just Crowned It the Most Insecure Hosting Provider
https://www.securitynewspaper.com/2025/01/16/godaddy-claimed-to-be-the-safest-but-the-u-s-government-just-crowned-it-the-most-insecure-hosting-provider/
Thu, 16 Jan 2025 19:35:30 +0000

In a world where small businesses depend on the digital frontier for survival, a shadow loomed large over one of the industry’s titans. GoDaddy, the once-revered web hosting giant, is now under the Federal Trade Commission’s (FTC) microscope, charged with years of neglect and poor security practices. The allegations are not just a blow to GoDaddy’s reputation but a stark reminder of the catastrophic consequences of lax cybersecurity.


The Breaches That Shook the Foundation

The alarm bells started ringing as early as 2018, but the crescendo reached its peak between 2019 and 2022. During this period, GoDaddy suffered multiple security breaches, each exposing critical vulnerabilities in its infrastructure and causing irreparable damage to customer trust.

  • February 2023: A chilling revelation surfaced: attackers had infiltrated GoDaddy’s cPanel shared hosting environment. What followed was nothing short of a nightmare. The hackers not only exfiltrated source code but also embedded malware in a multi-year campaign first detected in December 2022.
  • November 2021: Over 1.2 million Managed WordPress customers had their sensitive information compromised. Email addresses, WordPress admin passwords, sFTP and database credentials, and even SSL private keys were exposed. The scope of the breach left customers scrambling to rebuild their digital fortresses.
  • March 2020: A brazen attacker exploited compromised web hosting credentials to connect via SSH, affecting 28,000 customers. It was a breach that underscored GoDaddy’s systemic vulnerabilities.
  • 2018 Hack: Even before these incidents, GoDaddy was targeted in an attack that compromised its domain name system (DNS) services, redirecting traffic to malicious websites. Although the breach was contained, it exposed weaknesses in GoDaddy’s network infrastructure and response capabilities.
  • 2017 Customer Phishing Incident: In 2017, GoDaddy’s internal email system was exploited in a phishing campaign targeting its customers. Attackers used spoofed emails to steal credentials, further tarnishing the company’s reputation for security.
  • 2015 SSL Incident: In a separate yet related event, GoDaddy inadvertently issued thousands of incorrect SSL certificates, undermining the trust in its ability to manage secure communications. Although this was not an external attack, the fallout from this internal error highlighted significant lapses in quality control.

    The FTC’s Litany of Complaints

    As the breaches mounted, so did the scrutiny. The FTC’s complaint painted a damning picture of GoDaddy’s approach to cybersecurity, highlighting a series of glaring deficiencies:

    1. Absence of Multi-Factor Authentication (MFA): Despite being a cornerstone of modern cybersecurity, GoDaddy failed to implement MFA, leaving accounts vulnerable to unauthorized access.
    2. Poor Software Update Management: By neglecting to consistently apply software updates, GoDaddy allowed known vulnerabilities to fester, providing attackers with an open door.
    3. Lack of Security Event Logging: Without comprehensive logging, GoDaddy was flying blind, unable to detect and respond to incidents effectively.
    4. Inadequate Network Segmentation: The company’s failure to compartmentalize its network meant that once attackers gained a foothold, they could easily spread across systems.
    5. No File Integrity Monitoring: Critical system files were left unchecked, making it impossible to detect unauthorized changes in real time.
    6. Deficient Asset Management and Risk Assessment: Without an accurate inventory of assets or thorough risk assessments, GoDaddy’s security posture was, at best, rudimentary.

    The Fallout: A Reckoning from the FTC

    The FTC’s intervention marks a pivotal moment in the saga. Under the proposed settlement, GoDaddy is required to undertake a comprehensive overhaul of its security practices. The measures include:

    • Establishing a Robust Information Security Program: GoDaddy must implement cutting-edge security protocols, including mandatory multi-factor authentication and HTTPS APIs, to safeguard its hosting services.
    • Regular Independent Assessments: Biennial reviews by a third-party assessor will ensure that GoDaddy’s information security program remains up to par.
    • Prohibiting Misleading Claims: The company can no longer make deceptive statements about its security practices to customers, a move aimed at rebuilding trust.

    The Cost of Neglect

    The story of GoDaddy serves as a cautionary tale for all businesses operating in the digital age. The company’s lax security measures did not just expose customer data; they eroded the trust that forms the bedrock of its relationship with millions of small businesses.

    For years, GoDaddy stood as a beacon for entrepreneurs venturing online, promising reliability and security. But beneath the surface lay a house of cards, vulnerable to even the slightest gust of malicious intent.


    A New Chapter?

    The FTC’s mandate offers GoDaddy a chance at redemption—a chance to rebuild its systems, its reputation, and most importantly, its customers’ trust. But the road ahead is fraught with challenges. The company must not only comply with the settlement’s demands but also go above and beyond to demonstrate that it has learned from its mistakes.

    Will GoDaddy rise from the ashes of its security failures, or will it remain a cautionary tale of corporate complacency in the face of evolving cyber threats? Only time will tell. For now, one thing is clear: the digital age demands vigilance, and those who fail to adapt risk being left behind—or worse, torn apart by the very ecosystem they helped create.

    What is External Attack Surface Management https://www.securitynewspaper.com/2025/01/16/what-is-external-attack-surface-management/ Thu, 16 Jan 2025 16:19:30 +0000

    Cyble Attack Surface Management

    Imagine trying to guard your home without knowing how many doors and windows it has, let alone which ones are unlocked. That’s the challenge many organizations face with their digital environments. As businesses expand their online presence, they inadvertently increase their exposure to cyber risks. External Attack Surface Management (EASM) acts as the vigilant guardian, identifying and securing these “entry points” before cybercriminals can exploit them. 

    But what makes EASM so vital, and how does it work in practice? Let’s explore this in detail.

    Understanding External Attack Surface Management

    External Attack Surface Management or EASM refers to the process of identifying, monitoring, and managing an organization’s digital assets that are exposed to the internet and could potentially be exploited by threat actors. These assets can include websites, cloud services, APIs, IP addresses, third-party software, and other components that make up an organization’s external digital presence.

    Unlike traditional Attack Surface Management (ASM), which focuses on internal and external assets, EASM narrows its focus to the external-facing components. It aims to provide visibility into all digital assets that attackers could target, enabling organizations to proactively address vulnerabilities and reduce risks.

    Why EASM is Essential

    The external attack surface is constantly changing. New assets are created, existing ones are modified, and shadow IT (unauthorized IT resources) can further complicate the landscape. Without a strong attack surface management solution, organizations risk leaving critical vulnerabilities unaddressed, making them easy targets for cybercriminals. 

    EASM ensures continuous monitoring, helping organizations stay one step ahead of potential threats.

    Key Benefits of External Attack Surface Management

    1. Comprehensive Visibility: EASM tools provide a detailed inventory of an organization’s external-facing digital assets, ensuring that nothing is overlooked.
    2. Proactive Vulnerability Management: By identifying weak points in the external attack surface, organizations can address vulnerabilities before they are exploited.
    3. Improved Incident Response: With better awareness of the external attack surface, incident response teams can act swiftly to mitigate breaches.
    4. Enhanced Third-Party Risk Management: Modern businesses rely heavily on third-party vendors and partners. EASM aids in monitoring the external attack surface of these entities, strengthening the overall supply chain risk management strategy.
    5. Cost-Effective Security: Preventing breaches through proactive monitoring and remediation is far less expensive than dealing with the aftermath of a cyberattack.

    Difference Between EASM and ASM

    Although Attack Surface Management (ASM) and EASM share similarities, they cater to different aspects of an organization’s security needs:

    | Aspect | EASM | ASM |
    | --- | --- | --- |
    | Scope | Focuses on external-facing assets exposed to the internet. | Covers both internal and external assets. |
    | Use Case | Ideal for identifying risks associated with digital transformation. | Broader approach to overall organizational security. |
    | Target Audience | Often used by security teams focusing on perimeter defense. | Utilized by security teams handling comprehensive risk. |

    How to Implement External Attack Surface Management

    1. Asset Discovery: Start by identifying all external-facing assets, including websites, IP addresses, cloud environments, and third-party integrations. An attack surface management tool can automate this process for efficiency.
    2. Prioritize Risks: Not all assets pose the same level of risk. Use an attack surface management platform to classify and prioritize vulnerabilities based on their potential impact.
    3. Continuous Monitoring: Cybersecurity threats evolve rapidly. Continuous monitoring ensures that new vulnerabilities or changes in the attack surface are promptly detected.
    4. Integrate with Existing Tools: Leverage integrations with vulnerability management, incident response, and third-party risk management solutions for a unified security strategy.
    5. Engage a Trusted Partner: Partnering with an attack surface management company or subscribing to an attack surface management service can provide additional expertise and resources.

    EASM Best Practices

    • Automate Discovery: Use advanced External Attack Surface Management tools like Cyble Vision to automate the identification of external assets, reducing manual effort.
    • Regularly Update Inventory: Keep an up-to-date inventory of all external-facing assets to ensure no blind spots.
    • Implement Zero Trust Principles: Adopt a zero-trust approach to reduce reliance on perimeter defenses and focus on verifying every interaction.
    • Monitor Third-Party Risks: Extend EASM practices to include vendors and partners to mitigate risks from the supply chain.
    • Integrate with Security Ecosystem: Ensure that your attack surface management product integrates seamlessly with existing tools for streamlined operations.

    External Attack Surface Management Tools

    Several tools are available to simplify EASM implementation. These tools use automation, artificial intelligence, and machine learning to provide actionable insights. Leading EASM tools often include features like:

    • Automated discovery of digital assets.
    • Risk prioritization and remediation recommendations.
    • Integration with broader cybersecurity ecosystems.
    • Continuous monitoring and alerting.

    Popular tools and platforms include Cyble, Microsoft Defender External Attack Surface Management, and Palo Alto Networks Cortex Xpanse, among others.

    Choosing the Right EASM Solution

    When selecting an attack surface management solution, consider the following:

    • Ease of Use: Choose a tool that simplifies the process of asset discovery and monitoring.
    • Scalability: Ensure the solution can grow with your organization’s needs.
    • Integration: The solution should work well with existing security tools, such as those for vulnerability management and incident response.
    • Customization: Look for tools that allow you to tailor dashboards, reports, and alerts to your requirements.

    The Role of EASM in Supply Chain Risk Management

    Supply chains introduce unique cybersecurity challenges. Vendors, contractors, and other third parties can inadvertently expand your attack surface. By leveraging EASM, organizations can:

    • Monitor third-party digital assets for vulnerabilities.
    • Ensure compliance with cybersecurity standards.
    • Reduce risks associated with shadow IT and unauthorized access.

    Conclusion

    Your organization’s cybersecurity future hinges on its ability to adapt to an ever-changing digital environment. Embracing External Attack Surface Management is not just a security measure—it’s a competitive advantage. By leveraging the right tools, adopting EASM best practices, and partnering with experts, you can turn your digital vulnerabilities into opportunities for protection.

    The journey starts now—how prepared are you?

    FortiGate Firewalls Zero-Day Chaos: How Hackers Are Gaining Control of Firewalls Worldwide – Is Your Network at Risk? https://www.securitynewspaper.com/2025/01/14/fortigate-firewalls-zero-day-chaos-how-hackers-are-gaining-control-of-firewalls-worldwide-is-your-network-at-risk/ Tue, 14 Jan 2025 22:59:17 +0000

    In December 2024, Arctic Wolf Labs uncovered a targeted campaign exploiting Fortinet FortiGate firewalls via publicly exposed management interfaces. This campaign enabled threat actors to gain unauthorized access, alter configurations, and extract credentials using advanced techniques such as DCSync. The attack likely leveraged a zero-day vulnerability, with affected devices running firmware versions 7.0.14 to 7.0.16. The exploitation has highlighted critical vulnerabilities in public-facing interfaces, urging organizations to reevaluate their security posture.


    Campaign Analysis

    The attack unfolded in four distinct phases:

    1. Vulnerability Scanning (November 16–23, 2024): Threat actors initiated widespread scans to identify vulnerable devices. They used spoofed IP addresses, including loopback addresses and public DNS resolvers, to access administrative functionalities via the jsconsole interface.
    2. Reconnaissance (November 22–27, 2024): After identifying vulnerable devices, the attackers made minor system console changes to validate their access. These modifications, such as toggling the system output settings between “more” and “standard,” indicated attempts to test their control over the CLI interface.
    3. SSL VPN Configuration (December 4–7, 2024): Threat actors established persistence by creating super admin accounts and configuring SSL VPN portals. In many cases, they hijacked existing user accounts, including the default “guest” account, to maintain access. New VPN portals were assigned non-standard ports such as 4433, 59449, and others to evade detection.
    4. Lateral Movement (December 16–27, 2024): Using domain admin credentials obtained via DCSync, the attackers performed credential dumping and began lateral movement within compromised environments. Evidence pointed to the use of workstations with “kali” identifiers to facilitate these activities.

    Technical Observations

    Anomalous jsconsole Activity:

    • Administrative logins were observed from spoofed IP addresses, such as:
      • 127.0.0.1 (loopback)
      • 8.8.8.8 and 8.8.4.4 (Google DNS)
      • 1.1.1.1 and 2.2.2.2 (Cloudflare DNS)

    Web Management HTTPS Traffic:

    • Unusual HTTPS sessions originated from IPs associated with VPS providers. Key indicators included:
      • Data transfers exceeding 1MB.
      • Session durations of over 100 seconds.
      • Connections terminated by RST packets initiated from the client side.

    SSL VPN Modifications:

    • New super admin accounts were created, often using random alphanumeric names.
    • Existing accounts were hijacked and repurposed for VPN access.
    • Custom VPN portals with non-standard ports were configured, ensuring persistent access.

    Timeline of Activity:

    • Firmware versions 7.0.14 to 7.0.16 were exploited.
    • Initial activity began in November 2024, with significant malicious configuration changes observed in December 2024.

    Tactics, Techniques, and Procedures (TTPs)

    Initial Access:

    • Exploitation of public-facing management interfaces (T1190), potentially involving a zero-day vulnerability.

    Persistence:

    • Creation of local admin accounts (T1136.001).
    • Modification of SSL VPN configurations (T1133).
    • Hijacking of default accounts (T1078.001).

    Credential Access:

    • Credential dumping via DCSync (T1003.006).

    Defense Evasion:

    • Modification of system console configurations to obscure activity (T1562).

    Lateral Movement:

    • Exploitation of remote services using compromised credentials (T1210).

    Detection Opportunities

    To mitigate risks, organizations should monitor for the following indicators:

    • jsconsole Activity:
      • Administrative logins originating from unusual IP addresses, such as loopback or public DNS resolvers.
    • Web Management Traffic:
      • HTTPS sessions exceeding 1MB originating from VPS provider IPs.
      • Sessions with durations over 100 seconds.
    • SSL VPN Modifications:
      • New VPN portals configured on non-standard ports (e.g., 4433).
      • Suspicious logins from unfamiliar IP addresses.
    • Credential Dumping and Lateral Movement:
      • Detection of DCSync activities and unauthorized Active Directory replication events.
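
The indicators above expressed as detection logic, as an added example (not from the original article or from Arctic Wolf Labs). It runs over constructed events in a hypothetical normalized schema rather than FortiGate's native log format; the VPS ranges, expected VPN ports and known-admin list are site-specific assumptions, and it generalizes slightly by treating any loopback address as suspicious, not only 127.0.0.1.

```python
import ipaddress
import json

# Source addresses the article lists for spoofed jsconsole admin logins.
SPOOFED_SOURCES = {"127.0.0.1", "8.8.8.8", "8.8.4.4", "1.1.1.1", "2.2.2.2"}
# Thresholds from the article's web-management indicators.
MIN_BYTES = 1_000_000   # "exceeding 1MB"
MIN_SECONDS = 100       # "over 100 seconds"

# Assumptions (site-specific, not from the article): hosting-provider ranges
# to watch, SSL VPN ports actually in use, and the approved admin accounts.
VPS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
EXPECTED_VPN_PORTS = {443, 10443}
KNOWN_ADMINS = {"netops-admin"}

# Constructed sample events, one JSON object per line. Field names are
# hypothetical; map your own log fields onto them.
SAMPLE_EVENTS = """\
{"id": 1, "type": "admin_login", "ui": "jsconsole", "src_ip": "8.8.8.8", "user": "admin"}
{"id": 2, "type": "admin_login", "ui": "jsconsole", "src_ip": "192.0.2.10", "user": "admin"}
{"id": 3, "type": "https_mgmt_session", "src_ip": "203.0.113.45", "bytes": 1843200, "duration_s": 142, "client_rst": true}
{"id": 4, "type": "https_mgmt_session", "src_ip": "203.0.113.45", "bytes": 20480, "duration_s": 12, "client_rst": false}
{"id": 5, "type": "vpn_portal_config", "portal": "portal-a", "port": 4433}
{"id": 6, "type": "vpn_portal_config", "portal": "portal-b", "port": 10443}
{"id": 7, "type": "admin_account_created", "user": "x7k2q9", "profile": "super_admin"}
{"id": 8, "type": "admin_login", "ui": "jsconsole", "src_ip": "127.0.0.5", "user": "admin"}
{"id": 9, "type": "admin_login", "ui": "jsconsole", "src_ip": "not-an-ip", "user": "admin"}
"""


def parse_ip(value):
    """Return an ip_address object, or None when the field is not a valid IP."""
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None


def evaluate(event):
    """Return the list of finding names for one event (empty when clean)."""
    findings = []
    kind = event.get("type")
    addr = None
    if kind in ("admin_login", "https_mgmt_session"):
        addr = parse_ip(event.get("src_ip"))
        if addr is None:
            # A source field that does not parse is itself worth a look.
            return ["unparseable_source_ip"]

    if kind == "admin_login" and event.get("ui") == "jsconsole":
        # An admin console login cannot legitimately arrive from loopback
        # or from a public DNS resolver address.
        if addr.is_loopback or str(addr) in SPOOFED_SOURCES:
            findings.append("jsconsole_login_spoofed_source")
    elif kind == "https_mgmt_session":
        # The size, duration and VPS-origin indicators are combined here
        # (a choice made for this example) to keep false positives down.
        large = event.get("bytes", 0) > MIN_BYTES
        long_lived = event.get("duration_s", 0) > MIN_SECONDS
        from_vps = any(addr in net for net in VPS_NETWORKS)
        if large and long_lived and from_vps:
            findings.append("mgmt_https_large_long_session_from_vps")
            if event.get("client_rst"):
                findings.append("mgmt_https_client_rst")
    elif kind == "vpn_portal_config":
        if event.get("port") not in EXPECTED_VPN_PORTS:
            findings.append("vpn_portal_nonstandard_port")
    elif kind == "admin_account_created":
        unknown = event.get("user") not in KNOWN_ADMINS
        if event.get("profile") == "super_admin" and unknown:
            findings.append("unexpected_super_admin_account")
    return findings


def scan(text):
    """Evaluate JSON-lines text; return {event id: [findings]} for hits only."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            results[event["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```
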

    Remediation Recommendations

    Secure Management Interfaces:

    • Restrict access to management interfaces using IP allowlists or VPN-only access.
    • Disable web-based CLI access unless absolutely necessary.
    • Enforce multi-factor authentication (MFA) for administrative logins.

    Patch and Update Firmware:

    • Apply the latest firmware updates to FortiGate devices.
    • Monitor vendor advisories for emerging vulnerabilities and patches.

    Enhance Monitoring and Logging:

    • Implement intrusion detection/prevention systems (IDS/IPS).
    • Set up logging and alerts for unusual jsconsole and VPN activity.

    Incident Response Preparedness:

    • Remove unauthorized accounts and reset credentials on compromised systems.
    • Conduct thorough log reviews to identify additional indicators of compromise.

    Educate and Train Personnel:

    • Train IT staff on the secure configuration of FortiGate firewalls.
    • Maintain awareness of emerging threats and vulnerability disclosures.

    Conclusion

    This campaign underscores the persistent risk posed by public-facing management interfaces and the importance of proactive cybersecurity measures. Organizations using Fortinet FortiGate firewalls are strongly advised to implement the recommended remediation steps and continuously monitor their systems for anomalous activity. Arctic Wolf Labs remains committed to providing timely updates and insights as more information becomes available.

    For further technical details and IoCs, refer to the comprehensive indicators outlined by Arctic Wolf Labs.

    U.S. Cyber Trust Mark: The Label That Guarantees IoT Device Security: Everything You Need to Know https://www.securitynewspaper.com/2025/01/09/u-s-cyber-trust-mark-the-label-that-guarantees-iot-device-security-everything-you-need-to-know/ Thu, 09 Jan 2025 16:34:58 +0000

    In a move aimed at bolstering consumer cybersecurity, the Federal Communications Commission (FCC) has introduced the U.S. Cyber Trust Mark program. This voluntary initiative focuses on helping consumers identify Internet of Things (IoT) devices that meet stringent cybersecurity standards, while also incentivizing manufacturers to adopt best practices. However, some restrictions apply, especially concerning products from certain foreign entities, including those tied to Chinese companies.


    Addressing IoT Security Risks

    Smart devices, from home security cameras to fitness trackers and smart appliances, have become staples of modern life. While offering unprecedented convenience, these devices also present significant cybersecurity risks, making them vulnerable to hacking and other attacks.

    The Cyber Trust Mark program aims to mitigate these risks by providing a label that indicates a product’s compliance with robust cybersecurity standards. FCC Chairwoman Jessica Rosenworcel highlighted the initiative’s importance, stating, “This program not only helps protect consumers but also creates incentives for manufacturers to prioritize cybersecurity.”


    How the U.S. Cyber Trust Mark Works

    The U.S. Cyber Trust Mark will function similarly to the ENERGY STAR label for energy efficiency, providing consumers with a clear indicator of a product’s security credentials. Key features of the program include:

    1. Labeling and Transparency:
      • Products bearing the Cyber Trust Mark will display a logo and a QR code.
      • The QR code will link to detailed security information, such as:
        • Instructions for changing default passwords.
        • Steps for secure device configuration.
        • Information on automatic software updates and patching.
        • The product’s minimum support period.
    2. Voluntary Participation:
      • Manufacturers are not required to participate but must meet rigorous standards to use the label.
      • Accredited CyberLABs will test and verify compliance with cybersecurity requirements.
    3. Consumer Benefits:
      • The label empowers consumers to make informed choices about the devices they bring into their homes.
      • It promotes safer smart home environments by encouraging the use of secure devices.
    4. Public-Private Collaboration:
      • The program relies on partnerships between the FCC and private entities, with third-party administrators managing day-to-day operations, such as evaluating applications and approving label use.

    Restrictions on Foreign Manufacturers, Including Chinese Companies

    While the Cyber Trust Mark program is open to manufacturers globally, certain restrictions apply, particularly to entities linked to national security concerns. This includes some Chinese companies, as well as others on federal security risk lists.

    Specific Restrictions:

    • Companies on the FCC’s Covered List, such as Huawei and ZTE, are excluded due to their potential ties to the Chinese government and military.
    • Manufacturers on the Department of Commerce’s Entity List or the Department of Defense’s List of Chinese Military Companies are also prohibited.
    • Entities banned from federal procurement or identified as national security risks are ineligible to participate.

    Why Are Chinese Products Restricted?

    The U.S. government has raised concerns over the potential misuse of IoT devices by certain Chinese companies for espionage or other malicious purposes. These restrictions ensure that devices bearing the Cyber Trust Mark come from trusted manufacturers, safeguarding consumer privacy and national security.

    Eligible Chinese Manufacturers

    Not all Chinese manufacturers are excluded. Companies that operate independently of the aforementioned restrictions can still apply for the Cyber Trust Mark. They must meet the same rigorous cybersecurity requirements as U.S.-based manufacturers, ensuring their devices are secure and trustworthy.


    Eligible and Excluded Products

    The Cyber Trust Mark program focuses on consumer wireless IoT devices, including:

    • Smart home security cameras.
    • Voice-activated shopping devices.
    • Fitness trackers and baby monitors.
    • Smart home appliances.

    Excluded categories include:

    • Medical devices regulated by the FDA.
    • Motor vehicles under the National Highway Traffic Safety Administration’s jurisdiction.
    • Wired devices and enterprise-grade IoT products.
    • Devices produced by entities on federal security risk lists.

    Benefits for Consumers and Manufacturers

    The Cyber Trust Mark program offers significant advantages:

    • For Consumers: Transparency in IoT device security, empowering safer purchasing decisions.
    • For Manufacturers: A competitive edge in a market increasingly concerned with privacy and cybersecurity.

    “Just as ENERGY STAR reshaped the appliance market by educating the public about energy efficiency, the Cyber Trust Mark will pave the way for safer, smarter products,” an FCC spokesperson explained.


    Next Steps and International Potential

    The FCC is finalizing program details, including standards, testing procedures, and label designs. Public input continues to shape the initiative, with announcements expected as the program approaches its 2025 rollout.

    The FCC also aims to achieve international recognition for the Cyber Trust Mark, fostering global cybersecurity standards. As the program evolves, additional product categories and updates may be introduced to address emerging challenges.


    Conclusion

    The U.S. Cyber Trust Mark represents a significant step toward securing the IoT ecosystem. By combining transparency, education, and stringent standards, the FCC’s initiative empowers consumers while promoting a more secure digital landscape.

    Although some foreign manufacturers, particularly certain Chinese companies, are restricted from participation, the program remains open to global players willing to meet its high standards. This balance between security and inclusivity ensures that consumers can trust the devices they bring into their homes.

    For more details on eligibility or to stay updated on the program’s rollout, visit the FCC’s official Cyber Trust Mark webpage or contact CyberTrustMark@fcc.gov.
