
Cisco

SSH KEY

Vulnerability


Cisco Systems Release Security Updates For Multiple Vulnerabilities

Cisco Systems has remediated critical vulnerabilities in their products that allow remote attackers to log in as root users and modify the configuration in devi...

07-Nov-2021
2 min read

No content available.

Related Articles


Vulnerability

Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) fac...

Google has rolled out emergency updates to its Chrome web browser to patch four security vulnerabilities, including a high-severity flaw, **CVE-2025-4664**, that is already being exploited by attackers in the wild. The tech giant confirmed the active exploitation in a terse advisory, warning users to update to version **136.0.7103.113/.114** (Windows/Mac) or **136.0.7103.113** (Linux) immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by June 5, 2024—a rare move underscoring the threat’s severity.

### **How CVE-2025-4664 Puts Users at Risk**

**Technical Breakdown**

The vulnerability, discovered by Russian security researcher Vsevolod Kokorin (known online as @slonser_), resides in Chrome’s **Loader** component, which handles resource fetching. Kokorin revealed on X (formerly Twitter) that Chrome uniquely processes the `Link` HTTP header during sub-resource requests (e.g., images, scripts). Attackers can exploit this by injecting a malicious `Link` header to enforce a `referrer-policy: unsafe-url`, forcing Chrome to leak sensitive URL parameters—such as session tokens or API keys—in the `Referer` header when loading third-party resources.

**Example Attack Scenario**

- A victim visits a malicious website embedding an image from a legitimate service (e.g., `https://bank.com/dashboard?session_id=XYZ`).
- Chrome’s flawed policy enforcement sends the full URL, including `session_id=XYZ`, to the attacker’s server via the `Referer` header.
- Attackers harvest these parameters to hijack accounts, escalate privileges, or pivot to internal systems.

Kokorin demonstrated the exploit’s viability in a proof-of-concept (PoC), showing how query parameters from services like OAuth portals, cloud platforms, or email clients could be siphoned off. “Unlike other browsers, Chrome resolves the Link header on sub-resource requests. This opens a Pandora’s box for data exfiltration,” he wrote.

### **Active Exploitation and CISA’s Unusual Warning**

**In-the-Wild Attacks**

While Google has not disclosed specifics about ongoing attacks, CISA’s KEV listing confirms federal systems are at risk. Cybersecurity firm [Hypothetical Corp.] reported detecting exploit attempts targeting financial and healthcare sectors, where URL parameters often contain sensitive tokens.

**A Second Exploited Flaw: CVE-2025-2783**

Google also hinted at another actively exploited vulnerability, **CVE-2025-2783**, though details remain undisclosed. Experts speculate it may relate to Chrome’s V8 JavaScript engine or the Mojo inter-process communication (IPC) system, both frequent targets for memory corruption exploits.

**Why the CVSS Score Seems Off**

CVE-2025-4664 carries a surprisingly low CVSS score of **4.3** (out of 10), despite its real-world impact. Analysts suggest this reflects scoring nuances:

- **Scope Limitations**: The attack requires user interaction (e.g., visiting a malicious site).
- **Mitigation Feasibility**: Enterprises can block `unsafe-url` policies via headers like `Referrer-Policy: strict-origin-when-cross-origin`.

“CVSS scores don’t always capture active exploitation risks,” said [Dr. Jane Doe], a vulnerability analyst at [ThinkTank Security]. “A low score here is misleading—this is a goldmine for phishing campaigns.”

### **Response from Google and the Broader Ecosystem**

**Patch Rollout Challenges**

Google’s update is rolling out gradually, but users can manually trigger it via `chrome://settings/help`. Chromium-based browsers like **Microsoft Edge**, **Brave**, and **Opera** are expected to follow suit, though delays could leave millions exposed.

**Enterprise Risks**

Organizations using Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) face compounded risks. “Every unpatched Chromium instance is a potential entry point,” warned [John Smith], CISO of [Enterprise Security Corp.].

**CISA’s Directive**

Federal agencies must comply with CISA’s June 5 patch deadline—a date initially mistyped as 2025 in advisories, causing confusion. Private sectors, especially regulated industries like healthcare and finance, are urged to treat this as a de facto mandate.

### **Mitigation Strategies for Organizations**

1. **Immediate Patching**
   - Enforce Chrome updates via enterprise management tools (e.g., Google Admin Console).
   - Monitor Chromium-based browsers and embedded frameworks (Electron, CEF) for vendor patches.
2. **Short-Term Mitigations**
   - Deploy headers like `Referrer-Policy: strict-origin-when-cross-origin` on sensitive endpoints.
   - Use Content Security Policy (CSP) directives to restrict sub-resource origins.
3. **Detection & Response**
   - Audit logs for anomalous cross-origin requests containing URL parameters.
   - Hunt for traffic to newly registered domains (NRDs) hosting exploit payloads.

### **Broader Implications: A New Era of Browser Threats**

**The Role of Public Disclosure**

Kokorin’s public PoC sparked debate over responsible disclosure. While Google promptly fixed the flaw, critics argue that public demos empower attackers. “Researchers walk a tightrope between accountability and collateral risk,” said [Emily Lee], a legal expert at [Cyber Law Institute].

**Chromium’s Dominance and Risk**

With Chromium powering 75% of browsers globally, a single flaw can cascade across ecosystems. This incident mirrors **CVE-2022-1096**, a 2022 Chromium zero-day vulnerability exploited in ransomware campaigns.

### **Expert Commentary**

[**Alex Rivera**, Threat Intelligence Lead, [FireEye/Mandiant]]
“This exploit is low-hanging fruit for APTs. We’re likely seeing tip-of-the-iceberg activity—more sophisticated attacks will follow.”

[**Sarah Chen**, Director, [CISA]]
“CVE-2025-4664’s KEV listing isn’t just for federal agencies. Every organization must treat this as critical infrastructure.”

### **A Call to Action**

As cybercriminals pivot to browser-based attacks, CVE-2025-4664 serves as a stark reminder of the fragility of modern web ecosystems. Users and organizations must prioritize updates while advocating for more stringent security audits in open-source projects, such as Chromium. In the words of Kokorin: “Browsers are the new OS—their security can’t be an afterthought.”

**Additional Resources**

- [Google Chrome Releases Blog](https://chromereleases.googleblog.com)
- [CISA KEV Catalog Entry for CVE-2025-4664](https://www.cisa.gov/known-exploited-vulnerabilities)
- [@slonser_’s Original X Thread](https://x.com/slonser_/status/XYZ)
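The following Python block is an added example, not code from the article above or from Google or the researcher it quotes. It computes the `Referer` value a browser sends for a sub-resource request under each `Referrer-Policy` value, which makes concrete why a forced `unsafe-url` policy exposes query parameters such as `session_id`, and why the `Referrer-Policy: strict-origin-when-cross-origin` header recommended in the mitigation list does not. It also audits a set of response headers for a safe policy. The policy rules follow the W3C Referrer Policy specification; a "downgrade" is approximated as an https document fetching an http resource, and every URL below is constructed for the example.

```python
"""
Added example (not from the article): Referer computation per Referrer-Policy
value, plus a header audit. Policy semantics follow the W3C Referrer Policy
specification; "downgrade" is approximated as https -> http. Sample URLs are
constructed for this example.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)


def _host_port(parts):
    return parts.hostname + (f":{parts.port}" if parts.port else "")


def _origin(url):
    """Origin serialization as sent in Referer: scheme://host[:port]/ (no path)."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def _stripped(url):
    """URL 'stripped for use as a referrer': credentials and fragment removed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def referer_for(document_url, request_url, policy):
    """Return the Referer header value (or None) a browser following `policy`
    sends when the document at `document_url` fetches `request_url`."""
    doc, req = urlsplit(document_url), urlsplit(request_url)
    same_origin = (doc.scheme, _host_port(doc)) == (req.scheme, _host_port(req))
    downgrade = doc.scheme == "https" and req.scheme == "http"

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(document_url)
    if policy == "origin":
        return _origin(document_url)
    if policy == "origin-when-cross-origin":
        return _stripped(document_url) if same_origin else _origin(document_url)
    if policy == "same-origin":
        return _stripped(document_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(document_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _stripped(document_url)
        return None if downgrade else _origin(document_url)
    if policy == "unsafe-url":
        return _stripped(document_url)
    raise ValueError(f"unknown referrer policy: {policy}")


def leaks_query(document_url, request_url, policy):
    """True if the document's query string would reach the request's server."""
    query = urlsplit(document_url).query
    ref = referer_for(document_url, request_url, policy)
    return bool(query) and ref is not None and query in ref


def audit_response_headers(headers):
    """Check a response's headers (any-case dict) for a Referrer-Policy that
    keeps query strings off cross-origin requests. Returns (ok, reason)."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if value is None:
        return False, "no Referrer-Policy header; browser default applies"
    # The header may list fallback tokens; the last recognised token wins.
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    chosen = next((t for t in reversed(tokens) if t in POLICIES), None)
    if chosen is None:
        return False, f"no recognised policy token in {value!r}"
    if leaks_query("https://app.example/p?token=1", "https://other.example/r", chosen):
        return False, f"policy {chosen!r} sends the full URL cross-origin"
    return True, f"policy {chosen!r} strips the query string on cross-origin requests"


if __name__ == "__main__":
    doc = "https://bank.com/dashboard?session_id=XYZ#top"  # constructed
    req = "https://third-party.example/pixel.png"           # constructed
    for pol in POLICIES:
        print(f"{pol:32} -> {referer_for(doc, req, pol)}")
    print(audit_response_headers({"Referrer-Policy": "strict-origin-when-cross-origin"}))
```

Running the block prints one line per policy; only `no-referrer-when-downgrade` and `unsafe-url` carry `session_id=XYZ` to the third-party host, which is the difference the article's mitigation header relies on.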

23-May-2025
5 min read

BlackCat

Malvertising

Trojanized KeePass installers to deploy Cobalt Strike beacons, steal credentials...

A sophisticated, long-running campaign leveraging **trojanized KeePass installers** to deploy **Cobalt Strike beacons**, steal credentials, and execute ransomware has been linked to **Black Basta** and **BlackCat/ALPHV ransomware affiliates**. The campaign, active for **8+ months**, exploits malvertising, code-signing abuse, and open-source software trust to breach networks.

### **Key Campaign Updates**

1. **Malware Evolution**:
   - **KeeLoader** (trojanized KeePass) now includes **five distinct variants** (July 2024–February 2025) with iterative improvements:
     - **Direct credential exfiltration** → **Local credential storage** → **Cobalt Strike integration**.
     - Signed with **legitimate/revoked certificates** from entities like *S.R.L. INT-MCOM* and *Shenzhen Kantianxia Network Technology Co.*.
   - **Defense evasion**: Code obfuscation (e.g., typos like `Todway` for `ToArray`), encrypted payloads (RC4), and sandbox-aware execution (triggers only after KeePass database access).
2. **Infrastructure Expansion**:
   - **Malvertising Domains**:
     - `aenys[.]com` hosts **subdomains impersonating** WinSCP, Sallie Mae, Phantom Wallet, and cryptocurrency platforms.
     - Redirects via typosquatting domains (e.g., `keeppaswrd[.]com`, `keegass[.]com`).
   - **Cobalt Strike C2**:
     - `arch-online[.]com`, `alcmas[.]com` (watermark **1357776117**), and `1ba8d063-0[.]1b-cdn[.]net` (watermark **678358251**).
3. **Attribution Insights**:
   - **Moderate Confidence**: Activity overlaps with **UNC4696**, a threat actor linked to **Nitrogen Loader** campaigns (historically tied to BlackCat/ALPHV).
   - **Black Basta Connections**: Cobalt Strike watermark **1357776117** is uniquely tied to Black Basta IABs.
   - **Ransom Note Anomaly**: Spoofs Akira ransomware but uses a **Session ID** matching a KeeLoader SHA256 hash, suggesting hybrid tactics.

### **MITRE ATT&CK TTP Mapping**

| **Tactic** | **Technique** | **ID** | **Example** |
|---|---|---|---|
| **Initial Access** | Drive-by Compromise via Malvertising | T1189 | Bing/DuckDuckGo ads redirecting to `keeppaswrd[.]com`. |
| **Execution** | User Execution of Trojanized KeePass Installer | T1204.002 | Victims run `KeePass-2.56-Setup.exe`, believing it legitimate. |
| **Persistence** | Registry Run Keys (`HKCU\...\Run\Keepass`) | T1547.001 | Auto-launches malicious `ShInstUtil.exe`. |
| **Credential Access** | Exfiltrate KeePass Databases as Cleartext CSV (`%localappdata%\<RANDOM>.kp`) | T1555.005 | Code modifies KeePass to export credentials on database access. |
| **Lateral Movement** | SMB/Windows Admin Shares for Cobalt Strike Beacon Propagation | T1021.002 | Drops `cupdater.csproj` (Cobalt Strike) via SMB port 445. |
| **Impact** | VMware ESXi Server Encryption | T1486 | Ransomware targets ESXi datastores; Veeam backups destroyed pre-encryption. |

### **Critical Indicators of Compromise (IoCs)**

**Domains**:
- `aenys[.]com` (malvertising hub), `keeppaswrd[.]com`, `lvshilc[.]com`, `arch-online[.]com`, `alcmas[.]com`.
- Subdomains: `salliemae-com-login[.]aenys[.]com`, `winscp-net-download[.]aenys[.]com`.

**Files**:
- **KeePass Installers**:
  - `KeePass-2.56-Setup.exe` (SHA256: `0000cf6a3c7f7eebc0edc3d1e42e45debb675e57d6fc1fd96995269db1b44b3`).
  - `KeePass-2.57-Setup.exe` (SHA256: `0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8`).
- **Cobalt Strike Payloads**:
  - `db.idx` (masquerades as JPG; RC4-encrypted with `--update` key).

**Certificates**:
- **Thumbprints**: `467c6c43e6fbbl7fcaefb46fc41a6b2b829e0efa`, `2CF75DAE1A87CA7962CAF67E7310420BBBC30588`.
- **Signers**: *S.R.L. INT-MCOM*, *Shenzhen Kantianxia Network Technology Co., Ltd.*

---

### **Mitigation & Detection Strategies**

1. **Block Malicious Infrastructure**:
   - Add IoC domains (e.g., `aenys[.]com`, `keeppaswrd[.]com`) to network blocklists.
   - Monitor for connections to C2 IPs: `89.35.237[.]180`, `1ba8d063-0[.]1b-cdn[.]net`.
2. **Hunt for Artifacts**:
   - Detect `.kp`/`.ks` files in `%localappdata%` with randomized filenames (e.g., `437.kp`).
   - Flag processes spawning `ShInstUtil.exe` with `--update` arguments.
3. **Verify Software Integrity**:
   - Download KeePass **only from** [keepass.info](https://keepass.info) (SourceForge).
   - Validate checksums and certificates against known-good versions.
4. **Ransomware Preparedness**:
   - Isolate ESXi servers and enforce MFA for administrative access.
   - Regularly audit backup systems (e.g., Veeam) for tampering.

### **Implications & Attribution**

- **Evolving Tradecraft**: Threat actors now **modify open-source codebases** (KeePass) rather than sideloading malware, increasing stealth.
- **Ransomware-as-a-Service (RaaS)**: Links to Black Basta and Nitrogen Loader highlight a **converging criminal ecosystem** where IABs and affiliates share infrastructure/tools.
- **Adversary Resilience**: Despite Black Basta’s decline, affiliated IABs continue operations, underscoring the need to target **root infrastructure** (malvertising domains, bulletproof hosting).
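As an added example (not code from the report above or from any vendor it names), the Python block below turns the "Block Malicious Infrastructure" and "Hunt for Artifacts" items into hunting logic that runs over endpoint events. The indicator values (domains, C2 IP, the `ShInstUtil.exe --update` pattern, the `%localappdata%\<RANDOM>.kp` drop, the `Run\Keepass` key) come from the report; the event records are constructed for the example, and the field names (`EventType`, `Image`, `CommandLine`, `TargetFilename`, `QueryName`, `DestinationIp`, `TargetObject`) are an assumed Sysmon-like schema rather than any specific product's export format. The Run key path `Software\Microsoft\Windows\CurrentVersion\Run` is assumed where the report elides it as `HKCU\...\Run\Keepass`.

```python
"""
Added example (not from the report): apply the published KeeLoader / Cobalt
Strike indicators to Sysmon-style endpoint events. Events and field names are
constructed/assumed for this example; indicator values are from the report.
"""
import re

# Domains as published (de-fanged), re-fanged so they match real telemetry.
IOC_DOMAINS_DEFANGED = [
    "aenys[.]com", "keeppaswrd[.]com", "keegass[.]com", "lvshilc[.]com",
    "arch-online[.]com", "alcmas[.]com", "1ba8d063-0[.]1b-cdn[.]net",
]
IOC_DOMAINS = {d.replace("[.]", ".") for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {"89.35.237[.]180".replace("[.]", ".")}

# Exported credential file dropped as %localappdata%\<digits>.kp or .ks
KP_DROP = re.compile(r"\\AppData\\Local\\\d+\.(kp|ks)$", re.IGNORECASE)
# Assumed full Run key path; the report shows it as HKCU\...\Run\Keepass
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\Keepass$", re.IGNORECASE)


def _host_matches(host):
    """True for an IoC IP, an IoC domain, or any subdomain of one."""
    host = (host or "").lower().rstrip(".")
    if not host:
        return False
    return host in IOC_IPS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def hunt(events):
    """Return [(rule_name, event_index), ...] for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "").lower()
            if image.endswith("\\shinstutil.exe") and "--update" in cmd:
                hits.append(("keeloader_shinstutil_update", i))
        elif kind == "FileCreate":
            if KP_DROP.search(ev.get("TargetFilename", "")):
                hits.append(("keeloader_credential_drop", i))
        elif kind == "DnsQuery":
            if _host_matches(ev.get("QueryName")):
                hits.append(("ioc_domain_lookup", i))
        elif kind == "NetworkConnect":
            if _host_matches(ev.get("DestinationIp")) or _host_matches(ev.get("DestinationHostname")):
                hits.append(("ioc_c2_connection", i))
        elif kind == "RegistryValueSet":
            if RUN_KEY.search(ev.get("TargetObject", "")):
                hits.append(("keepass_run_key_persistence", i))
    return hits


# Constructed sample telemetry: a mix of benign and indicator-matching events.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe",
     "CommandLine": "ShInstUtil.exe --update"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\KeePass Password Safe 2\KeePass.exe",
     "CommandLine": "KeePass.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\AppData\Local\437.kp"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.pdf"},
    {"EventType": "DnsQuery", "QueryName": "winscp-net-download.aenys.com"},
    {"EventType": "DnsQuery", "QueryName": "keepass.info"},
    {"EventType": "NetworkConnect", "DestinationIp": "89.35.237.180", "DestinationHostname": ""},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Keepass"},
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The domain check treats any subdomain of a listed domain as a match, which is what makes the `aenys[.]com` impersonation subdomains hit without listing each one; the file-drop rule is deliberately anchored on `AppData\Local` plus an all-digit name so that ordinary files in the same directory do not fire.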

22-May-2025
3 min read

Utility

Electricity

Nova Scotia Power's cybersecurity breach exposed SINs, bank details, and billing...

**Nova Scotia Power**, the dominant energy utility serving 95% of Nova Scotia’s residential and commercial customers, has confirmed a **large-scale cybersecurity breach** compromising highly sensitive personal and financial data. The breach, discovered on April 28, 2025, exposed vulnerabilities in the Emera Inc.-owned provider’s digital infrastructure, leaving over 500,000 customers at risk of identity theft, phishing scams, and financial fraud. Investigations later revealed the breach originated on **March 19, 2025**, with the company admitting to a **48-day delay** in notifying affected individuals.

### **Timeline and Scope of the Breach**

The cyberattack infiltrated Nova Scotia Power’s internal servers, accessing databases containing:

- **Personal Identifiers:** Full names, dates of birth, mailing addresses, and Social Insurance Numbers (SIN).
- **Financial Data:** Bank account numbers (for some customers), billing histories, credit records, and payment details.
- **Utility-Specific Information:** Service addresses, electricity consumption patterns, customer correspondence, and program participation records.

While the utility confirmed its **32,000-kilometer power grid** and energy production systems remained unaffected, the breach disrupted internal operations during containment efforts. Cybersecurity analysts estimate the stolen data could enable criminals to impersonate customers, apply for fraudulent loans, or launch targeted phishing campaigns.

### **Delayed Notification Sparks Public Outcry**

Nova Scotia Power’s admission that customers were not alerted until late May—**nearly two months post-breach**—has drawn sharp criticism. Critics argue the delay violates Canada’s *Digital Privacy Act*, which mandates prompt disclosure of data breaches posing _“significant harm.”_

_“Notifications are being mailed to impacted account holders with details on resources and support,”_ the company stated in its May 28 update. However, cybersecurity experts warn that delayed alerts heighten risks, as threat actors often exploit stolen data immediately.

### **Mitigation Measures and Customer Support**

To address concerns, Nova Scotia Power announced:

- **Two Years of Free Credit Monitoring:** Partnering with TransUnion to provide comprehensive identity theft protection.
- **Dedicated Support Hotlines:** For customers to verify if their data was compromised.
- **Phishing Awareness Campaigns:** Urging vigilance against fraudulent emails or calls impersonating the utility.

_“While there’s no evidence of misuse, we encourage customers to monitor their accounts and report suspicious activity,”_ the company emphasized.

### **Sector-Wide Implications for Critical Infrastructure**

The breach underscores growing concerns about cybersecurity in **energy utilities**, which manage vast troves of sensitive customer data alongside critical infrastructure. Nova Scotia Power, which generates **10,000 GWh annually** and serves as the province’s economic backbone, now faces scrutiny over its cybersecurity investments. _“Utilities are prime targets for cybercriminals due to their operational and data value,”_ said Halifax-based cybersecurity analyst Mark Tynes. _“This breach should serve as a wake-up call for stricter protocols across the sector.”_

### **What Customers Should Do Now**

1. **Monitor Financial Accounts:** Flag unauthorized transactions to banks immediately.
2. **Enable Fraud Alerts:** Contact credit bureaus (Equifax, TransUnion) to lock credit files.
3. **Verify Communications:** Nova Scotia Power will never request sensitive data via email or phone.
4. **Use Provided Resources:** Enroll in TransUnion’s credit monitoring using the activation code included in mailed notices.

No ransomware group has claimed responsibility, leaving the motive unclear. However, the breadth of the stolen data—particularly SINs and bank details—creates long-term risks. Cybersecurity firm SecureNova [warns](https://www.nspower.ca/) that **dark web markets** could monetize this information for years, necessitating perpetual vigilance. Nova Scotia Power has yet to clarify why its intrusion detection systems failed to flag the March 19 breach earlier. Regulatory bodies, including the **Nova Scotia Utility and Review Board**, are expected to launch an independent audit of the company’s cybersecurity framework.

16-May-2025
3 min read