Weathering the storm: In the midst of a Typhoon
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.
Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.
A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.
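The following is an added illustration of the kind of detection check the item above alludes to; it is not code from Cisco Talos or from any of the cited reports. Because the access described was obtained with legitimate credentials and then used living-off-the-land on the devices themselves, the signal a defender has is administrative activity from an unexpected place. The script below assumes the devices forward standard Cisco IOS syslog messages (%SEC_LOGIN-5-LOGIN_SUCCESS and %SYS-5-CONFIG_I) to a collector, and flags successful logins and configuration changes whose source address lies outside the allowed management network. The log lines and the 10.10.5.0/24 management range are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample syslog lines in Cisco IOS format (placeholder data, not
# from any real incident). The first pair comes from the expected jump host,
# the remaining lines show the same valid account used from an outside address.
SAMPLE_LOGS = [
    "<189>Feb 20 02:14:07 core-rtr-01 1234: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.10.5.21] [localport: 22] at 02:14:07 UTC Thu Feb 20 2025",
    "<189>Feb 20 02:15:40 core-rtr-01 1235: %SYS-5-CONFIG_I: Configured from console "
    "by netops on vty0 (10.10.5.21)",
    "<189>Feb 20 03:48:12 core-rtr-01 1240: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 203.0.113.77] [localport: 22] at 03:48:12 UTC Thu Feb 20 2025",
    "<189>Feb 20 03:49:03 core-rtr-01 1241: %SYS-5-CONFIG_I: Configured from console "
    "by netops on vty1 (203.0.113.77)",
    "<189>Feb 20 03:50:00 core-rtr-01 1242: %SYS-5-CONFIG_I: Configured from console "
    "by netops on vty1 (203.0.113.77)",
]

# Assumption: all legitimate device administration originates from this range.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]

# Optional PRI field, then "Mon DD HH:MM:SS hostname ..." (IOS pads single-digit days).
HEADER_RE = re.compile(r"^(?:<\d+>)?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \w+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"
)


def parse_event(line):
    """Return a normalised event dict for login/config messages, else None."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    for kind, rx in (("login", LOGIN_RE), ("config", CONFIG_RE)):
        m = rx.search(line)
        if m:
            return {
                "kind": kind,
                "ts": header["ts"],
                "host": header["host"],
                "user": m["user"],
                "src": m["src"],
            }
    return None


def source_is_expected(src, admin_networks):
    """True when the source address falls inside an approved management range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # Unparseable source (e.g. a hostname) is treated as unexpected, not ignored.
        return False
    return any(addr in net for net in admin_networks)


def audit(lines, admin_networks=ADMIN_NETWORKS):
    """Flag interactive logins and config changes from outside the admin ranges.

    A valid username is not evidence of legitimacy here: the point is that the
    same account is being used from a source the baseline does not cover.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or source_is_expected(ev["src"], admin_networks):
            continue
        what = "interactive login" if ev["kind"] == "login" else "configuration change"
        ev["reason"] = f"{what} by {ev['user']} from non-admin source {ev['src']}"
        findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']}: {f['reason']}")
```

Running it prints three findings, all tied to 203.0.113.77; the two events from the jump host are silent. In practice the admin ranges come from the organisation's own inventory, and the same parse-then-baseline shape extends to other IOS messages (AAA accounting, Smart Install and TFTP activity) that the campaign's living-off-the-land tradecraft would touch.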
Source: Cisco Talos Intelligence Group / Infosecurity Magazine / The Hacker News / BleepingComputer
Link: https://blog.talosintelligence.com/salt-typhoon-analysis/
Link: https://www.infosecurity-magazine.com/news/salt-typhoon-cisco-custom-tool/
Link: https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html
Apple Drops iCloud’s Advanced Data Protection in the U.K. Amid Encryption Backdoor Demands
Apple is removing its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data. The development was first reported by Bloomberg.
ADP for iCloud is an optional setting that ensures that users' trusted devices retain sole access to the encryption keys used to unlock data stored in its cloud. This includes iCloud Backup, Photos, Notes, Reminders, Safari Bookmarks, voice memos, and data associated with its own apps.
Source: The Hacker News / BleepingComputer / SecurityWeek
Link: https://thehackernews.com/2025/02/apple-drops-iclouds-advanced-data.html
Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.
"Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X.
"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files."
XCSSET is a sophisticated modular macOS malware that’s known to target users by infecting Apple Xcode projects. It was first documented by Trend Micro in August 2020.
Subsequent iterations of the malware have been found to adapt to compromise newer versions of macOS as well as Apple’s own M1 chipsets. In mid-2021, the cybersecurity company noted that XCSSET had been updated to exfiltrate data from various apps like Google Chrome, Telegram, Evernote, Opera, Skype, WeChat, and Apple first-party apps such as Contacts and Notes.
Source: The Hacker News / SecurityWeek
Link: https://thehackernews.com/2025/02/microsoft-uncovers-new-xcsset-macos.html
Link: https://www.securityweek.com/microsoft-warns-of-improvements-to-xcsset-macos-malware/
'Darcula' Phishing Kit Can Now Impersonate Any Brand
A new version of the phishing-as-a-service (PhaaS) platform "Darcula" is launching, with a feature that allows anyone to spoof any brand online, with no technical skill required.
The most recent Darcula version (V2) was already sleek and user-friendly, with hundreds of templates that allowed subscribers to create phishing content mimicking companies from around the world. But the new version goes much further. Now users can simply copy and paste any URL into Darcula’s interface — whether it belongs to Apple, Dark Reading, or their local coffee shop — and the platform will spit out a fully fledged phishing kit. Darcula V3 is currently undergoing user testing, but researchers from Netcraft expect it to launch this month.
Source: Dark Reading / BleepingComputer / Help Net Security
Link: https://www.darkreading.com/threat-intelligence/darcula-phishing-kit-impersonate-brand
Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability
Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.
The vulnerability, tracked as CVE-2024-12284, has been given a CVSS v4 score of 8.8 out of a maximum of 10.0.
It has been described as a case of improper privilege management that could result in authenticated privilege escalation if the NetScaler Console Agent is deployed and allows an attacker to execute post-compromise actions.
"The issue arises due to inadequate privilege management and could be exploited by an authenticated malicious actor to execute commands without additional authorization," NetScaler noted.
"However, only authenticated users with existing access to the NetScaler Console can exploit this vulnerability, thereby limiting the threat surface to only authenticated users."
Source: The Hacker News
Link: https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html