Live from ZTW – PSW #862
Our thoughts on Zero Trust World, and just a little bit of news. Of course we covered some firmware and UEFI without Paul!
Announcements
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Hosts
- 1. Pennsylvania utility says MOVEit breach at vendor exposed some customer data
- 2. Lukas Henkel on X: “I’m developing an SDR module for a customer in the C-UAS sector. The system will fit into the Framework 16 GPU module formfactor resulting in a nice fully enclosed solution with lots of processing power and a very high bandwidth link between the radio and the host system. The https://t.co/oyHyfjr6GB”
- 1. Microsoft Patch Tuesday, February 2025 Edition – Krebs on Security
Microsoft's Patch Tuesday for February 11, 2025, includes fixes for 63 CVEs, including four rated critical severity and four zero-day flaws. Two of the zero-days are currently being actively exploited, and involve low-complexity attacks requiring no user interaction: CVE-2025-21418, CVSS score 7.8, is a "Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability," which could allow an attacker to gain SYSTEM privileges. If I'm tracking correctly, this is the ninth elevation of privilege vulnerability (CVE-2025-21418) in Winsock since 2022; a prior variant, CVE-2024-38193, was leveraged by the Lazarus group last year to implant the FudModule rootkit. To be honest, with the breadth and number of fixes in the updates these days, you should have your systems categorized such that for the majority you can deploy the update without analysis, saving that analysis for higher-impact systems.
- 2. Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
Ivanti has published a security update announcing patches for 11 vulnerabilities in their products, four of which are rated critical and involve a remote unauthenticated attacker. CVE-2025-22467, CVSS score 9.9, is a stack-based buffer overflow in Ivanti Connect Secure (ICS) that allows remote code execution; CVE-2024-38657, CVSS score 9.1, allows an attacker with admin privileges to write arbitrary files via external control of a file name in ICS and Ivanti Policy Secure (IPS); CVE-2024-10644, CVSS score 9.1, is a code injection vulnerability in ICS and IPS allowing remote code execution; and CVE-2024-47908, CVSS score 9.1, allows remote code execution via "OS command injection in the admin web console" of Ivanti Cloud Services Application (CSA).
Ivanti seems to be getting its arms around updates for its expanded product lines, as well as incorporating input from its vulnerability discovery program. There are no workarounds for these flaws; you need to push out the updates. Make sure that your web console is available only to verified/trusted hosts. Note the Ivanti Neurons (N-MDM) service is cloud hosted and was updated January 17th.
- 3. Arizona woman pleads guilty to running laptop farm for N. Korean IT workers, faces 9-year sentence
An Arizona woman has pleaded guilty to multiple charges related to her running a laptop farm that allowed North Korean nationals to pose as US citizens and obtain remote IT jobs at US companies. In all, the scheme funneled $17 million in fraudulently acquired funds through the woman’s bank accounts. Some of the illegally-obtained income was reported to the US Social Security Administration and Internal Revenue Service under identities stolen from US citizens. Christina Marie Chapman pleaded guilty to conspiracy to commit wire fraud, aggravated identity theft and conspiracy to launder monetary instruments; she faces between eight and nine months in prison.
The scam involves giving the workers stolen identities so they appear to be legitimate citizens, who are then hired through third-party staffing agencies or temporary contracting agencies. The employers sent laptops to her house, which were then used remotely from China, Laos, Russia, etc. She then funneled their paychecks through her company, effectively laundering them. While this worked in the private sector, a few attempted government agency hires failed due to their identity verification processes. As easy as it is to hire remote staff without ever meeting them in person, you need to leverage both strong background checks and modern identity validation systems which include not only liveness checks but also validation of government ID against authoritative services.
- 4. Ransomware attack disrupting Michigan’s Sault Tribe operations
This large tribe has 44,000+ members and pays for many of its services through its ownership of the five Kewadin Casinos, which have halted gaming operations. The communication from the Tribe explains their current state and lists contacts for each of their affected services, as well as general numbers for when all else fails. They hope to resolve the outage, which started February 9th, within a week but are prepared for it to take longer. Many businesses are operating on a cash-only basis, gas is not available, their hotels are open for current guests but new guests cannot check in, and other services are operating on an in-person-only basis.
- 5. 8base ransomware site seized, 4 suspects arrested
A collaborative operation by law enforcement from 14 countries has led to Thai authorities arresting four Russian nationals alleged to lead an extortion gang known as 8Base, who are known to employ double extortion (both data encryption and threat of publication) using a variant of Phobos ransomware-as-a-service (RaaS). The group's laptops, phones, and cryptocurrency wallets were also confiscated, and the 8Base dark web leak site has been replaced with a banner announcing its seizure by Bavarian authorities. 8Base is suspected of extorting over 1,000 global victims, accumulating about $16 million in ransoms.
Back in November 2023, an analysis of the 8Base ransomware found that it shared nearly 90% of its code with a Phobos sample from 2019, which indicates a connection, but it's not clear how much this takedown affects Phobos operations. According to Europol, another result of this investigation and takedown was that 400 companies worldwide were identified and notified of ongoing or imminent ransomware attacks of which they might not otherwise have been aware.
- 6. Chipmaker Patch Tuesday: Intel, AMD, Nvidia Fix High-Severity Vulnerabilities
Intel, AMD, and Nvidia each released security advisories on Tuesday, February 11, notifying customers of flaws and fixes in their products. Intel's only critical flaw, INTEL-SA-00990, comprises five CVEs that allow privilege escalation, information disclosure, or denial of service through vulnerabilities in Server Board BMC Firmware. AMD published 11 advisories, some of which are high severity and may result in arbitrary code execution, and in one case denial of service. Nvidia released four advisories, and two are high severity: CVE-2024-0112 is a flaw in NVIDIA Jetson AGX Orin and NVIDIA IGX Orin software that could lead to "code execution, denial of service, data corruption, information disclosure, or escalation of privilege" through improper input validation and privilege escalation; and CVE-2025-23359 is a flaw in NVIDIA Container Toolkit for Linux that could lead to "code execution, denial of service, escalation of privileges, information disclosure, and data tampering" via a crafted container image gaining access to the host file system due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability.
How is your firmware update capability? With more security capability living in firmware such as UEFI, and flaws that allow not only booting malicious OS components but also deploying falsified firmware, we all need to be able to update firmware reliably.
- 7. GAO Tells Coast Guard to Improve Cybersecurity of Maritime Transportation System
According to a report from the US Government Accountability Office (GAO), the Maritime Transportation System (MTS) is facing cyberthreats from international threat actors and IT vulnerabilities; these threats pose risks to port operations.
The Coast Guard did create a strategy to address MTS issues in 2021, but neglected to include the risks, vulnerabilities and key milestones to measure progress against. The problem was further exacerbated by open staffing positions needed for improvements to be implemented. Make sure that your strategy includes these components, including the hard conversation about the resources truly needed to succeed, which may lead to conversations at a very high level for either resolution or risk acceptance.
- 8. Secure by Design Alert: Eliminating Buffer Overflow Vulnerabilities
CISA and the FBI have published a Secure by Design fact sheet offering guidance for preventing the introduction of buffer overflow vulnerabilities into products. CISA and the FBI have “designate[d] buffer overflow vulnerabilities as unforgivable defects.”
This is one in a series of publications that will be released to help mitigate "unforgivable defects." Mitigations for buffer overflows include using memory safe languages where feasible (they acknowledge this is significant and not always achievable), using compiler flags that implement protections against buffer overflows, running both instrumented unit tests and adversarial product testing, providing guidance to developers on best practices, and conducting root cause analysis of past vulnerabilities and incorporating the findings into those practices.
- 9. RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
“Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers.” The attacks appear to be the work of a cyberthreat actor with ties to China’s government, RedMike, also known as Salt Typhoon. This recent round of attacks exploited a pair of vulnerabilities in Cisco network devices to gain elevated privileges and alter configuration settings. The threat actors may also have targeted university systems.
The targets were unpatched devices, in this case Cisco network devices. Internet-facing appliances are at the top of the list for threat actors. A takeaway should be active updates to your network devices, particularly any that are internet-facing or otherwise externally connected.
- 10. 127 Servers of Bulletproof Hosting Service Zservers Seized by Dutch Police
Police in the Netherlands seized 127 servers affiliated with the Zservers bulletproof hosting service. The action follows the announcement of sanctions against Zservers and two of its Russian operators brought by Australia, the UK, and the US. Zservers, like other so-called bulletproof hosting services, offered services that criminals find appealing, including shielded identities and anonymous payment with virtual currency. Zservers customers included the LockBit and Conti cybercrime groups. The seized servers have been taken offline and are being analyzed by Dutch authorities.
The Russian hosting service Zservers is being sanctioned for “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, LockBit ransomware.” In short, they enabled the attacks by providing IP addresses, launch platforms and storage. Continued takedowns like this help the fight against ransomware, but you still need to remain diligent, continuing your cyber hygiene and user education efforts and working the problem from both sides.
- 11. SonicOS authentication bypass CVE-2024-53704
Researchers from Arctic Wolf have observed active attempts to exploit a high-severity authentication bypass vulnerability in the SonicOS SSLVPN authentication mechanism; SonicOS is the SonicWall firewall operating system. The vulnerability (CVE-2024-53704) was disclosed in January, at which time SonicWall released updates to address the issue. The exploitation attempts follow the disclosure of technical details and proof-of-concept (PoC) code for CVE-2024-53704 published by Bishop Fox earlier this month. SonicWall has updated its advisory to note the public availability of the PoC and to add indicators of compromise for CVE-2024-53704.
- 12. Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
Researchers from Microsoft Threat Intelligence have discovered a new variant of the XCSSET macOS malware being used in limited attacks. The researchers say the variant has “enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies.” The malware spreads through Xcode projects. XCSSET was first documented in August 2020 by researchers at Trend Micro. Microsoft writes that “users must always inspect and verify any Xcode projects downloaded or cloned from repositories, as the malware usually spreads through infected projects.” The new variant of XCSSET has enhanced obfuscation techniques and creates a fake version of Launchpad and replaces the dock entry point, causing both the malware and the legitimate Launchpad to execute every time it’s opened from the dock. The best mitigation is to verify your Xcode projects.
- 13. Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108) – Searchlight Cyber
Attempts to exploit a high-severity vulnerability in Palo Alto Networks’ PAN-OS management interface are on the rise just hours after the authentication bypass issue (CVE-2025-0108) was disclosed. Palo Alto Networks disclosed the vulnerability and released the updates on Wednesday, February 12; active exploitation of the flaw was detected the next day. CVE-2025-0108 was detected by researchers at AssetNote while they were looking into patches for older PAN-OS vulnerabilities.
Verify you’re no longer running PAN-OS 11, which may mean some lifecycle upgrades are in order, then cross-check the update process. If you are leveraging HA, make sure you’ve tested the failover so you know how it behaves.
- 1. Forget DeepSeek. Large language models are getting cheaper still
Training a model on a small set of high-quality data saves a lot of compute time. Also, giving the model more time to "think" before producing an answer improves its results.
- 2. China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers
Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms. They targeted the internet-exposed web interfaces of Cisco's IOS software, exploiting two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges.
Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via GRE tunnels.
- 3. Unpacking the BADBOX Botnet with Censys
BADBOX is a newly discovered botnet targeting both off-brand and well-known Android devices—often with malware that potentially came pre-installed from the factory or further down in the supply chain.
- 4. zkLend loses $9.5M in crypto heist, asks hacker to return 90%
Decentralized money lender zkLend suffered a breach where threat actors exploited a smart contract flaw to steal 3,600 Ethereum, worth $9.5 million at the time. Threat actors exploited a rounding error bug in zkLend's smart contract mint() function.
"The attacker manipulated the "lending_accumulator" to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend just 1 wei."
- 5. Undergraduate Upends a 40-Year-Old Data Science Conjecture
Hash tables are among the oldest data structures we have. And they’re still one of the most efficient ways to store data. But when the table gets full, it slows down. For 40 years, computer scientists accepted Andrew Yao's conjecture that access to the last open spot in a hash table scales as O(n).
But Andrew Krapivin, a student, found a method that scales as (log n)^2 -- a vast improvement.
- 6. China’s EV giants are betting big on humanoid robots
General-use humanoid robots are being used to install wires in EV cars in China. There were over 160 humanoid-robot manufacturers worldwide as of June 2024, of which more than 60 were in China, more than 30 in the United States, and about 40 in Europe.
China has emerged as the world's largest EV market and manufacturer. China is now committed to becoming a global leader in robotics and automation, just as it did with EVs. Robotics is where EVs were a decade ago—a trillion-yuan battlefield waiting to be claimed.
- 7. Humanoid Robots Showcase Folk Dance Skills on Spring Festival Gala Stage
These are the dancing robots mentioned in the previous article.
- 8. Anyone Can Push Updates to the DOGE.gov Website
The doge.gov website is insecure and pulls from a database that can be edited by anyone.
- 9. DOGE Website Posts Classified Information, Worrying Intelligence Officials
The site published data about the National Reconnaissance Office, the federal intelligence agency that builds and launches U.S. surveillance satellites. The data is classified but there is debate in the intelligence community about whether it needs to be.
- 10. DOGE Is Hacking America
Bruce Schneier writes: The U.S. government has experienced what may be the most consequential security breach in its history. The DOGE team, with limited experience and minimal oversight, are gaining the highest levels of administrative access and making changes to the United States’ most sensitive networks, potentially introducing new security vulnerabilities in the process.
But the most alarming aspect isn’t just the access being granted. It’s the systematic dismantling of security measures that would detect and prevent misuse—including standard incident response protocols, auditing, and change-tracking mechanisms--by removing the career officials in charge of those security measures and replacing them with inexperienced operators.