Stu Sjouwerman@blog.knowbe4.com
//
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.
Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies. The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.
Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level. Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236. Recommended read:
References :
@The DefendOps Diaries
//
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.
The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security. Recommended read:
References :
Matt Kapko@CyberScoop
//
References:
Threats | CyberScoop
, SiliconANGLE
,
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.
This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments. Recommended read:
References :
@cyberalerts.io
//
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group utilizes a combination of web shells, such as the Chopper web shell, and open-sourced tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.
UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
Cisco has addressed a critical denial-of-service (DoS) vulnerability, CVE-2025-20115, found in the Border Gateway Protocol (BGP) confederation implementation of its IOS XR Software. The vulnerability arises from a memory corruption flaw, specifically the improper handling of the AS_CONFED_SEQUENCE attribute within BGP update messages. An attacker can exploit this by injecting a crafted message containing 255 or more autonomous system numbers, leading to process instability and a potential BGP process restart.
Successful exploitation of this flaw allows unauthenticated attackers to crash the BGP process, disrupting network routing and potentially causing significant service outages. This is particularly concerning for large-scale networks using BGP confederation. The affected software versions include Cisco IOS XR Release 7.11 and earlier, Release 24.1 and earlier, Release 24.2 until version 24.2.21, and Release 24.3, which has been patched in version 24.3.1. The primary mitigation strategy is to apply the latest software update provided by Cisco. Recommended read:
References :
drewt@secureworldexpo.com (Drew Todd)@SecureWorld News
//
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.
Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions. Recommended read:
References :
@cyberscoop.com
//
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering. Recommended read:
References :
Ameer Owda@socradar.io
//
Cisco has released patches to address two critical remote code execution vulnerabilities in its Identity Services Engine (ISE). The flaws, tracked as CVE-2025-20124 (CVSS score 9.9) and CVE-2025-20125 (CVSS score 9.1), could allow a remote attacker with read-only administrative privileges to execute arbitrary commands on affected devices. The vulnerabilities could prevent privilege escalation and system configuration changes.
The first vulnerability, CVE-2025-20124, is due to insecure deserialization of user-supplied Java byte streams, allowing attackers to execute arbitrary commands and elevate privileges by sending a crafted serialized Java object to an affected API. The second, CVE-2025-20125, is an authorization bypass issue that could allow attackers to obtain sensitive information, modify system configurations, and restart the node by sending a crafted HTTP request to a specific API. Cisco warns that there are no workarounds, advising customers to migrate to a fixed software release as soon as possible. Recommended read:
References :
@gbhackers.com
//
Cisco has released a critical patch for a high-severity vulnerability in its Meeting Management tool, which has been given a rating of 9.9. The vulnerability, identified as CVE-2025-20156, could allow a remote attacker with low privileges to gain admin-level access to affected devices. This exploit is achieved by sending specific API requests to a designated endpoint, thus bypassing access control protocols on the system. This flaw primarily affects edge nodes, which are critical components of Cisco's video conferencing infrastructure managed by the tool. Cisco has acknowledged the vulnerability and issued an alert, urging customers to apply the patch immediately.
The vulnerability impacts most versions of Cisco Meeting Management, with the exception of version 3.10. Users with earlier releases, 3.8 and below, will need to migrate to a supported version. Specifically, release 3.9 should be upgraded to version 3.9.1. Although there have been no confirmed reports of the exploit being used in the wild yet, Cisco encourages all users to update as soon as possible, as a Proof-of-Concept (PoC) exploit could surface at any time. The discovery of this flaw was credited to Modux bug hunter Ben Leonard-Lagarde. Recommended read:
References :
@gbhackers.com
//
Cisco has issued critical security patches to address vulnerabilities in its ClamAV software and Meeting Management platform. A denial-of-service flaw, identified as CVE-2025-20128, affects ClamAV and can be exploited by submitting a crafted file that terminates the scanning process. Proof-of-concept exploit code is available, although there's no indication it has been used in the wild. This ClamAV vulnerability is due to a heap-based buffer overflow bug within the OLE2 file parser, impacting Cisco Secure Endpoint Connectors for Windows, Linux, and macOS. Cisco advises users to immediately update to ClamAV versions 1.4.2 or 1.0.8 to remediate this threat, since a successful attack could disrupt security workflows by stopping the malware scanning function.
Additionally, a critical privilege escalation vulnerability, CVE-2025-20156, has been discovered in the Cisco Meeting Management REST API. This flaw allows remote authenticated attackers with low privileges to elevate their access to administrator level on affected devices. It stems from improper authorization enforcement within the REST API, enabling attackers to gain control of edge nodes managed by Cisco Meeting Management. The vulnerability impacts versions 3.9 and earlier, but not 3.10. Upgrading to version 3.9.1 or 3.10 is essential as there are no workarounds available. Cisco has released software updates to address this vulnerability, also impacting the Broadworks platform. Recommended read:
References :
|