• A critical zero-day exploit targeting exposed FreePBX 16 and 17 systems. Threat actors are abusing an unauthenticated privilege escalation vulnerability in the commercial Endpoint Manager module, allowing remote code execution (RCE) when the Administrator Control Panel is reachable from the public internet. 

    With active compromises detected since August 21, 2025, admins must act immediately to contain the threat.

    Key Takeaways
    1. Zero-day RCE in FreePBX Endpoint Manager targeting internet-exposed Admin UIs.
    2. Immediately block external access and install EDGE/tagged endpoint updates.
    3. Check for compromise indicators, isolate/rebuild systems, and restore from pre-August 21 backups.

    Firewall Lockdown

    FreePBX stated that organizations should first verify whether their FreePBX/PBXAct instance is accessible externally. 

    If the Administrator Control Panel (ACP) is reachable on ports 80 or 443, block all external traffic at the network perimeter.

    Alternatively, employ the FreePBX Firewall module to restrict the Internet/External zone to known trusted hosts only. 

    After lockdown, confirm local-only access by testing ACP connectivity from an untrusted network (e.g., cellular data).

    Next, update the Endpoint module to the provided EDGE builds for testing. FreePBX v16/v17 users can execute:

    (image in the original post: the Endpoint module update command for FreePBX v16/v17)

    PBXAct v16 and v17 users should specify stable tags:

    (image in the original post: the Endpoint module update command with stable tags for PBXAct v16/v17)

    A full QA-tested release will follow within 12 hours; perform a standard module update once available via Admin → Module Admin.

    Mitigations

    To detect potential infection, administrators must perform the following checks:

    • Ensure /etc/freepbx.conf still exists.
    • Look for the malicious dropper script /var/www/html/.clean.sh.
    • Scan Apache logs for POST requests to modular.php since August 21.
    • Inspect Asterisk logs for calls to extension 9998.
    • Query MySQL for suspicious ampusers.
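    As an added example (not code from the FreePBX project or this article), a read-only POSIX shell triage script that runs the five checks above on a host. The Apache and Asterisk log paths, the "[9998@" Asterisk log pattern, and the ampusers query against the asterisk database are assumptions about a default install; override the paths with the APACHE_LOG and ASTERISK_LOG variables if yours differ.

```shell
#!/bin/sh
# Added triage example (not from the FreePBX advisory). Read-only: it never
# modifies the host, so it is safe to run before taking a forensic snapshot.
# Assumed defaults: Sangoma/CentOS-style Apache log path and the Asterisk
# "full" log; Debian-based v17 installs use /var/log/apache2/access.log.
APACHE_LOG="${APACHE_LOG:-/var/log/httpd/access_log}"
ASTERISK_LOG="${ASTERISK_LOG:-/var/log/asterisk/full}"
SINCE="20250821"   # first day of observed compromises, as YYYYMMDD

# Count Apache combined-log lines with a POST to modular.php dated on/after $2.
# The date filter parses the [DD/Mon/YYYY:...] timestamp into YYYYMMDD so a
# plain string comparison works across month boundaries.
count_modular_posts() {
    awk -v since="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        /"POST [^"]*modular\.php/ {
            if (match($0, /\[[0-9][0-9]\/[A-Za-z][A-Za-z][A-Za-z]\/[0-9][0-9][0-9][0-9]/)) {
                d = substr($0, RSTART + 1, 11)                  # DD/Mon/YYYY
                key = substr(d, 8, 4) mon[substr(d, 4, 3)] substr(d, 1, 2)
                if (key >= since) n++
            }
        }
        END { print n + 0 }' "$1"
}

# Count Asterisk log lines executing dialplan for extension 9998. Assumed log
# shape: pbx.c lines such as "Executing [9998@from-internal:1] ...".
count_ext_9998() {
    grep -cF '[9998@' "$1" || true   # grep exits 1 on zero matches; keep the "0"
}

# Live checks on this host: one line per indicator, non-zero status on any hit.
run_host_checks() {
    hits=0
    hit() { echo "HIT  $1"; hits=$((hits + 1)); }
    [ -f /etc/freepbx.conf ] || hit "/etc/freepbx.conf is missing"
    [ ! -e /var/www/html/.clean.sh ] || hit "dropper /var/www/html/.clean.sh is present"
    if [ -r "$APACHE_LOG" ]; then
        n=$(count_modular_posts "$APACHE_LOG" "$SINCE")
        [ "$n" -eq 0 ] || hit "$n POST(s) to modular.php since $SINCE in $APACHE_LOG"
    fi
    if [ -r "$ASTERISK_LOG" ]; then
        n=$(count_ext_9998 "$ASTERISK_LOG")
        [ "$n" -eq 0 ] || hit "$n call(s) to extension 9998 in $ASTERISK_LOG"
    fi
    # Assumed: root credentials for MySQL are available (typical via ~/.my.cnf).
    if command -v mysql >/dev/null 2>&1; then
        echo "info ampusers (confirm every login below is expected):"
        mysql --batch asterisk -e "SELECT username, sections FROM ampusers" 2>/dev/null || true
    fi
    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]
}

# Run the live checks only when explicitly asked, e.g. "sh triage.sh --live".
if [ "${1:-}" = "--live" ]; then
    run_host_checks
fi
```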

    If any indicators are present, isolate the system and plan restoration. Preserve backups older than August 21, deploy a clean FreePBX install with hardened firewall settings, restore data, and rotate all credentials (system, SIP trunks, extensions, voicemail, UCP). 

    Forensic collection can be automated using the community’s collect_forensics_freepbx.sh script under AGPLv3 to snapshot logs, configuration files, and process states for analysis.

    Users running FreePBX versions prior to v16 should remain vigilant; Sangoma continues to investigate the root cause and will publish a CVE once the vulnerability has been fully assessed. 

    Until then, disabling internet access to ACP and applying the Edge or Stable Endpoint module updates remain the most effective defenses.


    The post FreePBX Servers Hacked in 0-Day Attack – Admins are Urged to Disable Internet Access appeared first on Cyber Security News.


  • A sophisticated malware campaign that weaponizes a seemingly legitimate PDF editor to steal sensitive data and login credentials from unsuspecting users across Europe.

    The attack uncovered by Truesec, dubbed “TamperedChef,” represents a new evolution in social engineering tactics that leverage trusted software categories to deploy information-stealing malware.

    The malicious campaign centers around AppSuite PDF Editor, a free PDF editing tool promoted across multiple websites and distributed through Google advertising campaigns.

    (image in the original post: Malicious PDF Editor Setup)

    What makes this attack particularly insidious is its patient approach. The software initially appears harmless, functioning as advertised while secretly establishing persistence mechanisms and awaiting activation commands.

    The campaign’s sophistication is evident in its execution timeline. Beginning on June 26, 2025, threat actors registered multiple domains and began promoting the PDF editor through at least five different Google advertising campaigns.

    The malware remained dormant for 56 days, a delay strategically timed to coincide with typical Google advertising campaign durations, before activating its malicious capabilities on August 21, 2025.

    Upon installation, the software establishes communication with command-and-control servers through specific URLs, including inst.productivity-tools.ai and vault.appsuites.ai.

    The malware’s persistence mechanism involves creating registry entries that execute with various command-line arguments, including --install, --enableupdate, --fullupdate, and others.

    When the --fullupdate argument is triggered, the software downloads and executes an obfuscated JavaScript file containing the core TamperedChef payload.

    Data Theft Capabilities

    Once activated, TamperedChef demonstrates sophisticated information-stealing capabilities. The malware queries web browser databases using Windows Data Protection API (DPAPI) to extract stored credentials and sensitive information.

    It systematically terminates browser processes to access locked data files, ensuring comprehensive data harvesting from popular web browsers, Truesec said.

    The malware also conducts system reconnaissance, identifying installed security products before proceeding with its data exfiltration operations. This behavior suggests the threat actors have invested significant effort in developing evasion techniques to bypass common security solutions.

    The campaign’s legitimacy facade is reinforced through the abuse of digital certificates from multiple companies, including ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC.

    (image in the original post: Code Signed Signature Check)

    Investigation reveals these companies share suspicious characteristics, including generic websites with potentially AI-generated content and shared business addresses.

    Particularly concerning is the discovery that certificates from these entities have been used to sign other malicious software, including the Epibrowser malware, indicating a broader certificate abuse operation supporting multiple malware families.

    Campaign Scope and Impact

    The threat actors behind TamperedChef have maintained a long-term presence in the threat landscape, with evidence suggesting activity dating back to August 2024.

    Certificates issued to another company, BYTE Media, have also been used to sign malware, in that case Epibrowser rather than the PDF editor.

    In several cases, we have observed a file called elevate.exe being installed together with the PDF Editor bundle.

    Their operations extend beyond the PDF editor to include other potentially unwanted programs like OneStart browser, all sharing common command-and-control infrastructure.

    European organizations have been significantly impacted, with multiple companies reporting employee infections after downloading the malicious PDF editor.

    The campaign’s success highlights the effectiveness of disguising malware as legitimate productivity tools—a category users typically trust and readily install.

    This campaign represents a concerning evolution in malware distribution tactics. By leveraging legitimate advertising platforms and maintaining extended dormancy periods, threat actors can achieve widespread distribution before revealing malicious intent.

    The use of AI-generated code and generic business fronts further demonstrates the industrialization of cybercrime operations.

    The TamperedChef campaign serves as a stark reminder that even seemingly innocuous productivity tools can pose significant security risks. Organizations must implement robust software vetting procedures and maintain heightened awareness of free utilities from unknown sources, as today’s helpful application could become tomorrow’s security nightmare.


    The post New TamperedChef Attack With Weaponized PDF Editor Steals Sensitive Data and Login Credentials appeared first on Cyber Security News.


  • New findings from Lares Labs underscore the importance of realistic threat emulation exercises that mirror the sophisticated tactics of the Scattered Spider APT group.

    By integrating real-world incident data into controlled simulations, organizations can proactively assess defenses across networks, endpoints, and cloud environments, bolstering resilience against advanced persistent threats.

    Lares’s research centers on recreating the full attack lifecycle employed by Scattered Spider from initial access via social engineering through lateral movement, privilege escalation, and eventual exfiltration.

    Unlike traditional red teaming, which often focuses on isolated technical exploits, Lares combines ethical hacking, tailored social engineering, and threat emulation to replicate the subtle interplay of human manipulation and technical tradecraft observed in recent high-profile breaches.

    Scattered Spider Attack Across Industries

    Scattered Spider, active since May 2022, has targeted telecommunications, BPO, hospitality, retail, healthcare, and aviation sectors. The group’s young, English-speaking operatives leverage SIM swapping, phishing, and push-bombing to circumvent MFA, then install legitimate remote access tools for persistence.

    Their operations also include bespoke cloud credential theft using utilities like AWS console or MicroBurst and Bring Your Own Vulnerable Driver (BYOVD) attacks, deploying Microsoft-signed vulnerable drivers such as POORTRY via a custom loader named STONESTOP to disable endpoint defenses.

    Lares Lab simulations begin with open-source reconnaissance, harvesting corporate data from LinkedIn and breached credential repositories, then crafting realistic phishing lures through look-alike domains (e.g., targetsname-sso[.]com).

    Participants experience the pressure of repeated MFA pushes and SIM swap scenarios, forcing defenders to react in real time. Subsequent stages emulate privilege escalation tactics, including ADCS abuse, DACL misconfiguration exploitation, and LSASS or NTDS.dit credential dumping via Mimikatz and Jetcretz.

    (image in the original post: Privilege escalation)

    During lateral movement exercises, defenders confront genuine SSO session hijacking and Proxifier-linked traffic redirection, mirroring Scattered Spider’s use of cloud-based pivot points.

    In cloud environments, simulations exploit IAM misconfigurations such as overly permissive assume-role policies to traverse EC2 instances and compromise additional user accounts. These exercises challenge teams to detect anomalous API calls and unusual credential usage patterns.

    Exfiltration scenarios utilize encrypted messaging platforms like Telegram for small, high-value files and tools like Rclone or MEGAsync for bulk data transfer to attacker-controlled cloud storage.

    Participants must identify stealthy data flows and intercept covert channels, refining both monitoring rules and incident response playbooks.

    Lares’s approach delivers actionable intelligence: customized debriefs highlight detection blind spots, misaligned processes, and training gaps. Security teams leave with prioritized recommendations, ranging from tightening MFA policies and hardening AD configurations to refining cloud security posture and enhancing phishing resilience.

    Scattered Spider also relies on other common tools, such as ManageEngine and Amazon Web Services inventory utilities, and aims wherever possible to use legitimate tools native to the target environment to reduce detection by security solutions and keep a low profile.

    (image in the original post: Lateral movement)

    As Scattered Spider’s tactics continue evolving, organizations face a dual challenge: bridging technology gaps and fortifying human defenses.

    Lares’s research demonstrates that emulating real-world adversaries within a safe, controlled environment accelerates preparedness more effectively than theoretical exercises.

    By testing controls against the actual TTPs of APT groups, such as Scattered Spider, enterprises shift from a reactive to a proactive stance, ultimately reducing dwell time and mitigating potential financial and reputational impacts.

    Lares Labs recommends that organizations adopt regular threat emulation cycles, updating scenarios with the latest intelligence on groups such as Scattered Spider, UNC3944, Octo Tempest, and others. Through continuous adversarial collaboration and iterative testing, defenders can ensure their security posture evolves as rapidly as the threats they face.


    The post New Research Highlights Emulating Tactics of Scattered Spider in Realistic Scenarios appeared first on Cyber Security News.


  • Cloudflare today launched MCP Server Portals in open beta, a groundbreaking capability designed to centralize, secure, and observe all Model Context Protocol (MCP) connections in an organization. 

    By routing every MCP request through a single portal endpoint, Cloudflare One customers can now enforce Zero Trust policies, gain comprehensive visibility, and dramatically reduce the attack surface exposed by AI-driven integrations.

    Key Takeaways
    1. Centralized MCP connections via a single portal with Zero Trust policies.
    2. Enforced SASE controls and unified logging for real-time security and visibility.
    3. Curated least-privilege access to eliminate unmanaged AI endpoints.

    Model Context Protocol

    The Model Context Protocol (MCP) is rapidly becoming the universal standard for connecting large language models (LLMs) such as ChatGPT, Claude, and Gemini to enterprise applications. MCP defines two core components:

    • MCP Client: the LLM front-end requesting context or invoking actions.
    • MCP Server: the application endpoint exposing Resources, Prompts, and Tools to the client.

    (image in the original post: Architecture Overview)

    A minimal MCP Server configuration in YAML illustrates the simplicity of integration:

    (image in the original post: minimal MCP server YAML configuration)

    This open-source protocol transforms isolated LLMs into collaborative teammates by allowing structured API calls, dynamic prompts, and secure context retrieval.

    Enhancing Security 

    While MCP unlocks integration, it also creates a sprawling new attack surface prone to prompt injection, supply chain exploits (e.g., CVE-2025-6514 in npm authentication libraries), and “confused deputy” privilege escalations. 

    MCP Server Portals address these risks by acting as a single front door:

    Integrate directly with Cloudflare One’s Secure Access Service Edge (SASE) to apply multi-factor authentication, device posture checks, and geofencing to MCP traffic, mirroring the controls used for human users.

    (image in the original post: MCP servers)

    Aggregate every MCP request, prompt invocation, and tool execution into a unified audit log. Security teams can now detect anomalous behaviors such as unusual data-exfiltration patterns or unauthorized tool usage in real time.

    Administrators register MCP servers with the portal, approve them, and assign permissions. Users only see the resources and tools explicitly authorized for their role, eliminating shadow AI endpoints.

    Rather than distributing multiple endpoint URLs, users configure a single Portal URL in their MCP client. New servers become instantly available through the portal without manual updates, according to Cloudflare’s advisory.

    MCP Server Portals integrate with Cloudflare Access for seamless OAuth-based authorization, whether applications are hosted on Cloudflare or external domains. 

    Future enhancements will include AI-powered WAF rules to block prompt-injection attacks, managed MCP server hosting via Cloudflare’s AI Gateway, and built-in machine learning models for anomaly detection.

    Get started today by visiting the Access > AI Controls page in your Zero Trust Dashboard. MCP Server Portals are now in open beta for all Cloudflare One customers, offering a secure path to empower AI innovation without compromising safety.


    The post Cloudflare Launches MCP Server Portals – A Unified Gateway to All MCP Servers appeared first on Cyber Security News.


  • The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Russian national Vitaliy Sergeyevich Andreyev, DPRK official Kim Ung Sun, Chinese entity Shenyang Geumpungri Network Technology Co., Ltd., and DPRK-based Korea Sinjin Trading Corporation for their involvement in a sophisticated fraudulent scheme involving information technology workers orchestrated by the Democratic […]

    The post U.S. Treasury Sanctions North Korean IT Worker Network Funding Weapons Programs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Picture this: Your team rolls out some new code, thinking everything’s fine. But hidden in there is a tiny flaw that explodes into a huge problem once it hits the cloud. Next thing you know, hackers are in, and your company is dealing with a mess that costs millions. Scary, right? In 2025, the average data breach hits businesses with a whopping $4.44 million bill globally. And guess what? A big


  • Cisco has issued a high-severity security advisory warning of a dangerous vulnerability in its Nexus 3000 and 9000 Series switches that could allow attackers to trigger denial of service (DoS) attacks through crafted network packets. The vulnerability, tracked as CVE-2025-20241 and assigned a CVSS score of 7.4, affects the Intermediate System-to-Intermediate System (IS-IS) feature in Cisco NX-OS […]

    The post Cisco Nexus 3000 & 9000 Vulnerability Enables DoS Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Every day, businesses, teams, and project managers trust platforms like Trello, Asana, etc., to collaborate and manage tasks. But what happens when that trust is broken? According to a recent report by Statista, the average cost of a data breach worldwide was about $4.88 million. Also, in 2024, the private data of over 15 million Trello user profiles was shared on a popular hacker forum. Yet,


  • Global cybersecurity leader CrowdStrike announced its intention to acquire Onum, a pioneer in real-time telemetry pipeline management, in a deal reportedly valued at $290 million.

    The acquisition, unveiled Wednesday, aims to significantly enhance CrowdStrike’s Falcon Next-Gen SIEM platform, transforming it into a more powerful data foundation for modern, AI-driven security operations.

    The integration of Onum’s technology is set to address a critical challenge in security operations: managing and processing vast amounts of data efficiently. Onum’s platform acts as both a high-speed data pipeline and an intelligent filter, streaming refined, high-quality data directly into the Falcon platform.

    “Our Next-Gen SIEM is the engine that powers the modern SOC, and data is the fuel that makes the engine run,” said George Kurtz, CEO and founder of CrowdStrike.

    “Onum is both a pipeline and a filter, which will stream high-quality, filtered data directly into the platform to drive autonomous cybersecurity at scale. This is how we stop breaches at the speed of AI while giving customers complete control over their entire data ecosystem.”

    Built on a proprietary in-memory architecture, Onum’s technology offers significant performance advantages. The company claims it can deliver up to five times more events per second than its nearest competitor.

    By enabling “in-pipeline analysis,” Onum allows for AI-powered detections to occur at the data source, even before the data enters the Falcon platform.

    This innovative approach promises up to 70 percent faster incident response times with 40 percent less ingestion overhead. Furthermore, its smart filtering capabilities can reduce data storage costs by as much as 50 percent.

    Historically, migrating data into a new SIEM has been a major bottleneck for security teams, often requiring complex third-party tools and significant effort.

    This acquisition is designed to eliminate that friction by making data streaming and in-pipeline detection a native function within the Falcon platform, accelerating SOC transformation for customers.

    “Onum was founded on the belief that pipelines should do more than transport data, they should transform data into real-time intelligence,” said Pedro Castillo, founder and CEO of Onum. “By joining CrowdStrike, we can deliver this vision at unprecedented scale to accelerate SOC transformation on a global scale.”

    The acquisition positions CrowdStrike to further solidify its Falcon platform as the central operating system for cybersecurity, expanding its capabilities beyond core security into broader IT observability. The transaction is subject to customary closing conditions.


      The post CrowdStrike Set to Acquire Onum in $290 Million Deal to Enhance Falcon Next-Gen SIEM appeared first on Cyber Security News.


    1. Experts have described methods for mimicking the strategies of the advanced persistent threat (APT) group Scattered Spider in a recent in-depth analysis by cybersecurity company Lares, allowing enterprises to strengthen their defenses through adversarial cooperation. Lares specializes in threat emulation, replicating real-world tactics, techniques, and procedures (TTPs) observed in cybercriminal activities. By dissecting incidents like […]

      The post New Research Explores Emulating Scattered Spider Tactics in Real-World Scenarios appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
