Security Boulevard

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Anachronym Challenge’ appeared first on Security Boulevard.

Yesterday's headlines have sent ripples through the cybersecurity and software supply chain communities: MITRE announced that U.S. government funding for the CVE (Common Vulnerabilities and Exposures) database was set to expire today. Overnight, the CVE Foundation emerged with a plan to maintain the program before the Critical Infrastructure and Security Agency (CISA) announced it has extended support for the program this morning. As the backbone of the global vulnerability identification system, CVE has long served as the industry’s shared language for describing digital flaws.

The post What’s happening with MITRE and the CVE program uncertainty appeared first on Security Boulevard.

The 2025 PyPI supply chain attack is a stark reminder of just how vulnerable cloud ecosystems remain to sophisticated, stealthy, and evolving threats.

The post Why the 2025 PyPI Attack Signals a New Era in Cloud Risk appeared first on Security Boulevard.

Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute.

This is a big deal. The CVE program is one of those pieces of common infrastructure that everyone benefits from. Losing it will bring us back to a world where there’s no single way to talk about vulnerabilities. It’s kind of crazy to think that the US government might damage its own security in this way—but I suppose no crazier than any of the other ways the US is working against its own interests right now...

The post CVE Program Almost Unfunded appeared first on Security Boulevard.

This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. For details on ToneShell and StarProxy, go to Part 1.IntroductionIn addition to the new ToneShell variants and StarProxy, Zscaler ThreatLabz discovered two new keyloggers used by Mustang Panda that we have named PAKLOG and CorKLOG as well as an EDR evasion driver (SplatCloak) on Mustang Panda’s staging server. In Part 2 of this series, we will analyze these keyloggers and the EDR evasion driver.Key TakeawaysMustang Panda continues to create new tooling in targeted attacks.PAKLOG is a keylogger that the group uses to monitor keystrokes and clipboard data and employs a custom character encoding scheme to obfuscate the log data.CorKLOG is also a keylogger deployed by Mustang Panda that uses a 48-character long RC4 key to encrypt the contents of the key logger capture file. Persistence is maintained by creating services or scheduled tasks.SplatCloak is a tool used by Mustang Panda that disables kernel-level notification callbacks for four Windows Defender-related drivers and Kaspersky drivers. The developers implemented code obfuscation techniques, including control flow flattening and mixed boolean arithmetic, to hinder analysis.Technical Analysis The technical analysis in this section focuses on the keyloggers, PAKLOG and CorKLOG, along with SplatCloak. Both PAKLOG and CorKLOG are straightforward keyloggers, but CorKLOG includes persistence mechanisms. Additionally, both keyloggers obfuscate log files to conceal their activity. SplatCloak, deployed by SplatDropper, is a Windows kernel driver designed to disable EDR-related routines implemented by Windows Defender and Kaspersky, enabling it to evade detection.PAKLOGPaklog is a keylogger that utilizes high-level Windows APIs to capture keystrokes and monitor clipboard activity. The keylogger then encodes this data and writes it to a local file. Paklog lacks built-in exfiltration capabilities, suggesting that Mustang Panda mainly uses it to collect data and leverages other methods for data exfiltration. Paklog is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious Paklog DLL (pa_lang2.dll). The PACLOUD.exe binary is used to sideload the Paklog DLL which starts the keylogger functionality. The sections below provide more information about Paklog.The Paklog DLL (pa_lang2.dll) includes a malicious export function named ASH_LANG2_add, which performs the following actions:Keylogging Setup: Utilizes the SetWindowsHookExW API, with idHook set to WH_KEYBOARD_LL, and a custom hook procedure.Data Logging: The custom hook procedure tracks keystrokes within the foreground window and logs the information in the following format:%26lt;timestamp%26gt; %26lt;window_text%26gt; %26lt;process_full_path%26gt; timestamp: The precise time the key was pressed, formatted as %Y-%m-%d %H:%M:%S.window_text: The text of the foreground window.process_full_path: The full path of the process active in the foreground. Key Mapping: Each key's virtual code is mapped to a specific string that represents the corresponding key pressed by the user.In addition to keylogging, Paklog can be used to monitor clipboard activity and extract its contents. Whenever the user presses the Ctrl + V key combination, the malware intercepts the request, retrieves the clipboard data, and copies it to a buffer. Both the keystrokes and clipboard data are encoded and saved to the file: C:\\Users\\Public\\Libraries\\record.txt.PAKLOG uses a simple encoding mechanism to encode the characters in the buffer.Uppercase charactersIf the ASCII code of the character is below 0x5a (the uppercase character range), the new character code is determined using the formula:new_char_code = (orig_char_code - 0x3e % 0x1a) + 0x41Lowercase charactersIf the ASCII code of the character is above 0x5a (the lowercase character range), the new character code is determined using the formula:new_char_code = (orig_char_code - 0x5e % 0x1a) + 0x61CorKLOGCorkLOG is another keylogger designed to capture keystrokes, storing the captured data in an encrypted file using a 48-character RC4 key. To ensure it runs continuously, the keylogger establishes persistence on the system by creating services or scheduled tasks. CorkLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). Mustang Panda likely intended on the executable being used to sideload the DLL to activate the keylogger. However, due to an error, the executable does not sideload the DLL, since the executable does not load a DLL with CorKLOG DLL’s filename.The CorKLOG DLL achieves persistence through one of two mechanisms, depending on its privilege level. If it detects that it is running with administrator privileges, the malware installs itself as a service. The second persistence mechanism creates a scheduled task called TabletlnputServices. The scheduled task is set to run every 10 minutes using the following command-line:schtasks /create /tn TabletlnputServices /tr %26lt;FILENAME%26gt; /sc minute /mo 10 /fCorKLOG then executes schtasks a second time to run the task immediately.The keylogging code records its output to a file, encrypting the contents with RC4 using the key fkpioefpoea$@^Tf0-0-gepwf09IJGEJ0IFAPKO456SG894E before writing them to disk.CorKLOG includes a configuration file stored in the .config section of the binary. While the configuration file for this sample is missing, our analysis suggests that it typically contains the following values:Service nameService display nameFolderThe code snippet below illustrates the multi-stage decryption process applied to the configuration values. This process uses the same XOR key, but begins at four different offsets within the key, performing a series of XOR operations on the encrypted string.void crypto_xor_decrypt(PCSTR buffer, int32_t size)
{
uint8_t index = 0;
if (size)
{
// First decryption pass, the xor key starting location is at the beginning of the xor key
do
{
// xor key length := 0x3f
buffer[index] ^= xorkey[index & 0x3f];
index += 1;
} while (index %26lt; size);
PVOID buffer_2 = buffer;
int32_t copy_of_size = size;
int32_t copy_of_size_1;
// Second decryption pass, the xor key starting location is 2 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer_2 ^= xorkey[(2 - buffer + buffer_2) & 0x3f];
buffer_2 += 1;
temp_str_len_remaining = str_len_remaining;
str_len_remaining -= 1;
} while (temp_str_len_remaining != 1);
PVOID buffer_1 = buffer;
int32_t str_len_remaining_1 = size;
int32_t temp_str_len_remaining_1;
// Third decryption pass, the xor key starting location is 5 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer_1 ^= xorkey[(5 - buffer + buffer_1) & 0x3f];
buffer_1 += 1;
temp_str_len_remaining_1 = str_len_remaining_1;
str_len_remaining_1 -= 1;
} while (temp_str_len_remaining_1 != 1);
uint32_t offset = 0xa - buffer;
int32_t temp_str_len_remaining_2;
// Forth decryption pass, the xor key starting location is 10 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer ^= xorkey[(offset + buffer) & 0x3f];
buffer = &buffer[1];
temp_str_len_remaining_2 = size;
size -= 1;
} while (temp_str_len_remaining_2 != 1);
}
}SplatDropperSplatCloak (discussed later) is deployed by SplatDropper, a small utility that drops the driver onto the system, executes it, and then removes itself to avoid leaving traces. SplatDropper is delivered inside a RAR archive (e.g., kb.rar), which contains two files: a legitimate executable (BugSplatHD64.exe) and the SplatDropper DLL (BugSplat64.dll).The legitimate executable sideloads the SplatDropper DLL, which performs the following actions:Resolves Windows APIs by hash.Decrypts the kernel driver (SplatCloak) using a single-byte XOR key (0x5a) and writes the result to disk.Creates a Windows service to execute SplatCloak.Waits 5 seconds to allow SplatCloak to run.Stops the Windows Service.Cleans up (removes the Windows service and deletes SplatCloak).SplatDropper resolves the required Windows API calls by hash. The hash algorithm is identical to the methods used in tonepipeshell and tonepipeshell_alt, but with a seed value of 131313 (instead of previously observed values that include 13131313 and 1313131313). The API hashing algorithm is shown in the code snippet below:char* apiname_1 = apiname;
int32_t api_hash = 0;
while ((int32_t)*(uint8_t*)apiname_1)
{
api_hash = api_hash * 131313 + (int32_t)*(uint8_t*)apiname_1;
apiname_1 = &apiname_1[1];
}
return (uint64_t)api_hash;SplatDropper generates three random strings, consisting of characters from A-Z, to create the filename, service name, and service display name. The algorithm is depicted in the code snippet below.// Generate a char buffer containing the ascii codes for A-Z
char alphabet[0x1a];
for (int32_t i = 0; i %26lt; 26; i += 1)
alphabet[(int64_t)i] = i + 0x41;
out_buffer[str_length] = 0;
// Construct a random string from the generated alphabet into
// the out_buffer
for (int32_t i_1 = 0; i_1 %26lt; str_length; i_1 += 1)
{
int32_t random_number = j_rand() + i_1;
if (random_number %26lt; 0)
random_number = -(random_number);
out_buffer[(int64_t)i_1] = alphabet[(int64_t)((int64_t)random_number % 26)];
}SplatCloakThe sole purpose of the SplatCloak driver is to identify and disable, or remove notification hooks and callbacks associated with Windows Defender and Kaspersky. SplatCloak makes use of a revoked certificate (certificate thumbprint: 09ededdcbdb0c03c850f1d29920e412348120c8d) issued to Xtreaming Technology Inc. with the start date of 2010-02-22 00:00:00 UTC and the end date of 2012-02-22 23:59:59 UTC. The threat actor is exploiting the fact that Windows allows drivers with revoked certificates to be loaded. ThreatLabz also confirmed that this driver will be successfully loaded on a fully patched Windows 10 system. Other interesting features implemented in SplatCloak are control flow flattening and mixed boolean arithmetic used to hinder reverse engineering efforts by malware analysts.The SplatCloak driver, similar to its dropper (SplatDropper), dynamically resolves Windows API functions; however, the code does not utilize API hashing. Instead, the driver resolves API calls by retrieving the SYSTEM_MODULE_INFORMATION structure via ZwQuerySystemInformation (with the SystemInformationClass parameter set to SystemModuleInformation) and traversing the returned SYSTEM_MODULE_ENTRY structure to locate the base address of ntoskrnl.exe. This process is shown in the figure below.Figure 1: Relationship between the system module information structure and the system module structure. Using the base address of ntoskrnl, the SplatCloak driver parses its Portable Executable (PE) structure to obtain the address of MmGetSystemRoutineAddress. This function is used to resolve various kernel-level Windows APIs, including the locations of PsProcessType and PsThreadType, which are also exported by ntoskrnl. Additionally, RtlGetVersion is resolved to retrieve the Windows build number.The SplatCloak driver retrieves the callback routine list pointers supplied by the system, which are shown in the table below:List NameList LengthDescriptionPspCreateProcessNotifyRoutine64List of function pointers that are executed when a process is created.PspCreateThreadNotifyRoutine64List of function pointers that are executed when a thread is created.PspLoadImageNotifyRoutine64List of function pointers that are executed when an image is loaded into memory.Table 1: List of kernel-level notification routines identified by the SplatCloak driver.This retrieval is accomplished by analyzing the bytes of the resolved functions to identify a specific pattern that points to their associated notification list of function pointers. The logic for each routine is illustrated in the figure below.Figure 2: SplatCloak logic for locating the routines: (left to right) PspCreateProcessNotifyRoutine, PspCreateProcessNotifyRoutine, and PspLoadImageNotifyRoutine.The CallbackListHead (registry related callbacks) location is also determined by inspecting the bytes in CmUnRegisterCallback, as shown in the figure below.Figure 3: Shows the process used by the SplatCloak driver to find the CallbackListHead location. If the Windows dwBuildNumber retrieved via RtlGetVersion is 19000 or higher (Windows 10 version 2004 or later), the driver proceeds to unregister and disable the identified callbacks. However, it’s worth noting that even in newer Windows versions with build numbers above 19000, the driver may not function correctly, as the opcodes for inspected functions have changed.To identify whether a callback or notification routine should be disabled, the SplatCloak driver retrieves the FullPathName from _SYSTEM_MODULE_ENTRY using ZwQuerySystemInformation as previously described. The malware then examines the filename to determine if it matches any of the Windows Defender-related drivers listed in the table below.Driver Description wdfilter.sys Responsible for monitoring and filtering file system activity to detect and prevent malicious behavior.wdboot.sysOperates during system boot to ensure protection against threats before the operating system fully loads.wddevflt.sysDesigned to monitor and filter device-level operations, providing an additional layer of security for hardware interactions.wdnisdrv.sysInspects and filters network streams to detect and block potential threats transmitted over the network.Table 2: List of Windows Defender-related files monitored by SplatCloak.The Kaspersky check involves enumerating each callback and notification routine within the system to pinpoint the binary associated with the function they reference. Once the corresponding binary is identified, the SplatCloak driver maps the binary into memory and analyzes its structure to locate the IMAGE_DIRECTORY_ENTRY_SECURITY. This entry provides a pointer to the code signing certificate embedded within the binary.Unlike other entries in the IMAGE_DATA_DIRECTORY array, which typically use relative virtual offsets, the IMAGE_DIRECTORY_ENTRY_SECURITY uses a physical file offset to indicate the location of the signed certificate. This physical offset points to where the certificate is stored, which is typically found in the file overlay — the data appended to the binary beyond the standard PE file structure. This process is shown in the figure below.Figure 4: SplatCloak process for determining the location and size of the code signing certificate. The SplatCloak driver uses this offset, if present, to locate the certificate and examine the associated bytes for the keyword kaspersky.With the exception of callbacks related to PsProcessType and PsThreadType, any callbacks or notifications that match either Kaspersky or drivers associated with Windows Defender are removed using the appropriate APIs.PsSetCreateProcessNotifyRoutineThe remove parameter is set to True.PsSetCreateProcessNotifyRoutineExThe remove parameter is set to True.PsSetCreateProcessNotifyRoutineEx2The remove parameter is set to True.PsRemoveCreateThreadNotifyRoutinePsRemoveLoadImageNotifyRoutineCmUnRegisterCallbackFor PsProcessType and PsThreadType, the OB_CALLBACK_ENTRY_t structure's Enabled value is set to FALSE, effectively disabling the callback. Both PsProcessType and PsThreadType are of type _OBJECT_TYPE. These structures and their relationships are depicted in the figure below.Figure 5: Shows path from _OBJECT_TYPE structure to the OB_CALLBACK_ENTRY_t structure. (Reference: https://github.com/wavestone-cdt/EDRSandblast) Threat AttributionFigure 6: Diamond model highlighting TTP overlap with past Mustang Panda activity.Zscaler ThreatLabz attributes this intrusion to Mustang Panda. Nearly all of the tools discussed in this analysis were hosted as RAR archives on the same server the threat actor used to deliver ToneShell (see Part 1). Tool overlap—particularly the inclusion of ToneShell—strongly links Mustang Panda to this activity. Additionally, technical overlaps in newly discovered tools align with prior Mustang Panda malware, including techniques such as control flow flattening, mixed boolean arithmetic, and RC4 encryption, which are hallmark features of Mustang Panda’s customized PlugX variant.The discovery of StarProxy (see Part 1) further strengthens the attribution, as it employs FakeTLS—similar to ToneShell. SplatDropper shares similarities in the API hashing techniques observed in the ToneShell variants covered in Part 1. From a victim’s perspective, aligning with the Diamond Model framework, Mustang Panda’s historical targeting of Myanmar and NGOs reinforces the connection, as these entities have been frequent targets of this threat actor over the years.ConclusionThe absence of a direct connection to a C2 server suggests that Mustang Panda likely relies on hands-on-keyboard access during their intrusions or employs additional tooling to facilitate the execution of their keyloggers (PAKLOG, CorKLOG) and EDR evasion driver (SplatCloak). This also implies that keylogger data must be exfiltrated through other methods. As highlighted in the first blog of this two-part series, the tools are designed with several techniques to mitigate detection. Specifically, the SplatCloak driver is tailored to evade Microsoft Defender and Kaspersky, and its dropper ensures the driver is removed from disk before execution.Overall, Mustang Panda demonstrates a calculated approach to achieving their objectives. Continuous updates, new tooling, and layered obfuscation prolongs the group’s operational security and improves the efficacy of attacks.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to Mustang Panda at various levels with the following threat names:Win32.Backdoor.ToneshellWin32.Trojan.MustangPandaIndicators Of Compromise (IOCs)File indicatorsMD5 HashSHA1 HashSHA256 HashFilenameDescriptionf8e865c9ed99b1e4725f5ccdc3ef0ba7b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec46f3a2913a59309c6b4b38040cfb08a4e04404e6f93215fd72dbc52781d99ff29key.rarRAR archive file a4eb2d1252b90f4b1d77ed374092a1625747a2dd63c97f97ee439482dfd43890410439026c01b3d9f7929d8d18747cb6feba416e8702f853a303a63ae37af38e95af79cdpa_lang2.dllThis is PAKLOG which is a Windows keylogger. e0ee591b4a97a9876f4f9e75be3fdd087d1bd5191ed9c42ead2fc51400d3a398df0c3f7b d72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7PACLOUD.EXELegitimate and signed binaryade40faa90439abdac911ce1ac50e4b9361ad9f8d0b3f248a35e8d570ca58e8e152573cd3fa4e089bf7bf183d7e746b9eb02b852df5673d7ab39008252e3954fc70d2cbakb.rarRAR archive60138b3f2791742dd65bdf29376055e8f6ade6bbdd1828add500aa82505567cf9f21efaf1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84aBugSplatHD64.exeLegitimate and signed binarycbb7309092862f0999f7a442e17b1ba6ae896332d3b40b627f44e6dc038f8c2396ecaf4d86f6d29ef0532236ad180dcf9a4b0c1ac1f8f2ec9cec7a5b312f4e940df7edceBugSplat64.dllThis is SplatDropper which is responsible for dropping and executing SplatCloak.3385a945449774d71377d3a08e5d0d43 3e8cb0b1f93da475889dd065ee21261e1b6f6fffbefbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c This is SplatCloak which is a malicious driver dropped by BugSplat64.dll.6c4eb9be8ea20055b88c5b703d41d1d22696467025b0d1052d11d3f7bc68c6cb4cb635a59c61a53b787bb42b12a3a44151ce1348669b4c745d087fb602df2b28d0fd92b5src.rarRAR archivee7552a105efaadfa7fd3b7a5fc7d46bf5a7a1bfa0972a155928d9e0fb95c015fc00eb5103938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5flcommute.exeLegitimate and signed binary91f1f4bd673807647126e65ab8fd15aef7cc59edd9fa8fd9b0d7d2316d86c348458b81013a59407db18f575adf956027c8e8af961e1e2ef01d097f6c0a934aeaad45de03mscorsvc.dllCorKLOG is a keylogger.Certificate details of the signed binariesSHA256 HashBinary NameName of the Signer1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84aBugSplatHD64.exeBugSplatd72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7PACLOUD.exeConeXware, Inc.3938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5flcommute.exeInternational Business Machines Corporationbefbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c(the dropped driver)Xtreaming Technology Inc.Network indicatorsTypeIndicatorPayload hosting server103.13.31[.]75/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/Host indicatorsTypeIndicatorKeylog file used by PAKLOGC:\\Users\\Public\\Libraries\\record.txtSplatCloakTemporarily drops a .sys into C:\Users\public\ MITRE ATT&CK FrameworkIDTacticDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingAll the DLLs in this new toolset are sideloaded by legitimate and signed Windows binaries.T1056.001Input Capture - KeyloggingPAKLOG is a Windows user mode keylogger that captures the user keystrokes. T1115Clipboard DataPAKLOG captures the clipboard’s content.T1027Obfuscated Files or InformationPAKLOG encodes the contents of the file capturing keystrokes. Windows driver uses control flow flattening.T1573.001Symmetric CryptographyXOR encryption and RC4 encryption algorithms used by various Mustang Panda tools are symmetric cryptography algorithms.T1562.001Impair Defenses: Disable or Modify ToolsSplatCloak contains capabilities to disable Windows Defender and Kaspersky kernel-level monitoring callbacks.TA0002ExecutionCorKLOG will create a Scheduled Task.T1569.002System Services: Service ExecutionCorKLOG and SplatCloak are registered as Windows services.

The post Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 appeared first on Security Boulevard.

IntroductionThe Zscaler ThreatLabz team discovered new activity associated with Mustang Panda, originating from two machines from a targeted organization in Myanmar. This research led to the discovery of new ToneShell variants and several previously undocumented tools. Mustang Panda, a China-sponsored espionage group, traditionally targets government-related entities, military entities, minority groups, and non-governmental organizations (NGOs) primarily in countries located in East Asia, but they have also been known to target entities in Europe.This blog post is the first in a two-part series that covers new variants of ToneShell and a new tool that we have named StarProxy, both found on Mustang Panda’s staging server. The second part of the blog explores two keyloggers and an EDR evasion driver, also hosted on the same staging server.Key TakeawaysToneShell, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers.ThreatLabz discovered a new lateral movement tool used by Mustang Panda that we have named StarProxy, which leverages the FakeTLS protocol to proxy traffic and facilitate attacker communications.Mustang Panda remains active in targeting organizations and individuals in Myanmar.Mustang Panda employs DLL sideloading techniques, typically bundling malicious tools inside RAR archives paired with legitimate, signed binaries.Technical AnalysisMustang Panda packs their tools in archive files hosted on a staging server. All the tools detected by ThreatLabz utilized DLL sideloading to execute malicious payloads to evade endpoint detection products.We will first examine new versions of a known Mustang Panda tool known as ToneShell. ToneShell is designed to download malicious payloads and execute attacker-specified commands on target machines.ToneShellToneShell is one of Mustang Panda's most frequently used malware tools. Since the core functionality has already been publicly documented, this analysis focuses solely on the recent changes worth highlighting. This section examines three variants of ToneShell: Variants 1 and 3 were discovered on Mustang Panda’s staging server, while Variant 2 was identified through a third-party malware repository bundled in a ZIP file instead of a RAR file. All three ToneShell variants were found in archive files, which include a legitimate executable (EXE) file and a DLL file (ToneShelll) which is sideloaded. ToneShell VariantArchive FilenameExecutable NameDLL Name1cf.rarmrender.exelibcef.dll2ru.zipFastVD.exeLogMeIn.dll3zz.rargpgconf.exelibgcrypt-20.dllTable 1: Example ToneShell variant filenames.Seed generationRandom number generators are utilized in multiple sections of ToneShell’s code for two primary purposes:As a fallback mechanism to generate a 16-byte GUID if CoCreateGuid() fails (as described in the following section).To generate a rolling XOR key, which encrypts and decrypts data exchanged between the victim’s machine and the C2 server.Each random number generator requires a seed, which ToneShell derives using various methods. These methods are listed in the table below.VariantDescriptionVariant 1Derives the seed by calling GetTickCount and adding a constant value to it.Variant 2Derives the seed by calling GetTickCount twice and multiplying the return values together.Variant 3Derives the Unix epoch timestamp from the Windows FILETIME format using the code shown below.Table 2: ToneShell random number seed generation.seed = (*(_QWORD *)&SystemTimeAsFileTime - 116444736000000000i64) / 10000000;Creation of GUID fileEach ToneShell variant observed in-the-wild generates a GUID, or a value derived from the GUID, and writes it to a file on the filesystem. This GUID is used to uniquely identify the infected machine. Recent variants display subtle changes in how this file is created. The table below shows how the three different ToneShell variants create the GUID file.VariantDescriptionVariant 1Calls CoCreateGuid to create a 16-byte GUID.If this fails, an array of 16 bytes is created, and populated with random bytes using a linear congruential generator (LCG).The generated 16-byte value is written to a file (C:\Users\public\description.ini).Variant 2Calls CoCreateGuid to create a 16-byte GUID.If this fails, an array of 16 bytes is created, and populated with random bytes using a linear congruential generator (LCG).Hashes the GUID to generate a 32-bit hash using a custom hash algorithm.The 32-bit hash value is then written to a file (C:\ProgramData\bcryptprimitive.appcore.tbi).Variant 3Calls CoCreateGuid to create a 16-byte GUID.If this fails, the malware creates an array of 16 random bytes, using the rand() function.Randomly generates a value up to 64KB that is used to determine the length of an array, using a custom LCG.Creates and populates the variable length array with randomly generated bytes, using the rand() function.Writes the length of the array, the GUID, and the randomly generated array to a file (%temp%\cryption_event.ini) using the structure shown below.Table 3: Shows how each ToneShell variant creates the GUID file. struct GUIDFILE
{
DWORD total_length;
BYTE guid[16];
DWORD length_of_random_byte_array; // 64KB max size
BYTE random_byte_array[];
}Rolling XOR keyToneShell employs a rolling XOR key to encrypt and decrypt network traffic exchanged with its C2 server. This XOR key is generated using an LCG, seeded by values derived through methods previously described. The XOR key size varies across ToneShell variants, with Team T5 documenting sizes ranging from 0x20 to 0x200. Variant 1 uses a 0x100-byte XOR keyVariant 2 uses a 0x100-byte XOR key Variant 3 uses a 0x200 byte XOR keyThis aligns with Mustang Panda's tactic of rapidly iterating and modifying their tools, likely to evade detection.FakeTLS headerFakeTLS headers are a key feature of ToneShell, which helps disguise the malware’s network activity. They are used to mimic the TLS protocol in network traffic exchanged between the infected machine and the C2 server.Earlier ToneShell variants utilized the FakeTLS header with the bytes 0x17 0x03 0x03, corresponding to TLSv1.2. However, newer variants have introduced the FakeTLS header bytes 0x17 0x03 0x04, to spoof TLSv1.3. Interestingly, in Variant 2, the TLSv1.3 FakeTLS header was used for sending beacons, while the server continued responding with the older TLSv1.2 header.This modification appears to be an attempt by the threat actor to evade network signature-based detection systems that rely on identifying specific FakeTLS header patterns.C2 commandsToneShell variants continue to utilize a custom TCP-based protocol. Compared to earlier versions, these newer variants focus primarily on executing payloads received from the C2, reflecting Mustang Panda's pattern of iterating their tools, likely to evade detection while adopting a more minimalist design for remote shells.Variant 1 is a very minimal backdoor, which receives files and acts as a reverse shell. The table below shows the C2 commands supported by Variant 1.Command NumberDescription1Receives and processes the next command from the C2 server.2Creates an empty file at the C2-specified file path and stores the file handle.3Appends the bytes received to an open file handle (from Command 2).4Appends the bytes received to an open file handle (from Command 2), closes the file handle, and frees up the file path string in memory thereafter.5Creates a reverse shell (cmd.exe), redirecting both stdin and stdout. ToneShell keeps track of this subprocess using an ID received from the C2 server. A background thread is created to continually send the output from the subprocess back to the C2 server.6Finds the subprocess with the given ID and writes to its standard input.7Terminates the subprocess with the given ID.Table 4: C2 commands supported by Variant 1 of ToneShell.Variant 2 specifically includes functionality to download DLLs from the C2 and execute them within victim processes through DLL injection. The table below shows the C2 commands supported by Variant 2.Command NumberDescription1Receives and processes the next command from the C2 server.2Pauses operation for 3 minutes.3Terminates the current process.4Retrieves the name of the infected machine.5Identifies usernames that are not built-in accounts.6Specifies the file path to create a new file (used in Command 8).7Defines the size of the file to be downloaded (used in Command 8).8Creates and writes a DLL file likely used in conjunction with Command 10.9Updates the configuration for the executable path used in shellcode injection (Command 10). Defaults to C:\WINDOWS\system32\svchost.exe.10This command creates a child process using the victim executable path specified by command 9. If a particular user is targeted, Mustang Panda leverages the user’s token to create the process. ToneShell then decodes shellcode that is hardcoded into the malware with randomized padding bytes, and specific arguments, including dwGUIDHash (the 32-bit GUID hash), wUnkSig (an unknown signature), dwC2IPAddress (the IP address of the C2), and szFilePath (the path to the DLL that will be injected into the child process). The patched shellcode is then written to the child process, which will load the specified DLL by invoking LoadLibraryA(szFilePath). The first ordinal of this DLL is resolved by using GetProcAddress(hModule, 1) and the ordinal is called with the respective arguments: dwGUIDHash, wUnkSig, and dwC2IPAddress.Table 5: C2 commands supported by Variant 2 of ToneShell.ToneShell Variant 3 includes functionality to download files and create a subprocess that redirects standard input (stdin), standard output (stdout), and standard error (stderr) streams to the C2 server. The table below shows the C2 commands supported by Variant 3.Command NumberDescription3Creates an empty file at the C2-specified file path and stores the file handle.4Opens an existing file at the C2-specified file path, moves to the end of the file, and stores the file handle.5Appends bytes received from the C2 to an open file handle (from Command 3).6Deletes the file used in commands 3, 4, or 5.7Executes a subprocess using the command-line received from the C2, redirecting the stdin, stderr, and stdout subprocess.8Transfers bytes received from the C2 to the stdin subprocess and reads its output.9Retrieves the output of the subprocess.10Terminates the subprocess and closes all associated handles.Table 6: C2 commands supported by Variant 3 of ToneShell.StarProxyThreatLabz uncovered a new lateral movement tool associated with Mustang Panda’s operations, which we named StarProxy. This tool was found within a RAR archive hosted on the group’s staging server with the name client.rar. The archive contains two files: a legitimate, signed binary (IsoBurner.exe) and a malicious DLL (StarBurn.dll), which is the StarProxy tool. The StarProxy DLL is sideloaded when the IsoBurner.exe file is executed.Once active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy achieves this by utilizing TCP sockets to communicate with the C2 server via the FakeTLS protocol, encrypting all exchanged data with a custom XOR-based encryption algorithm. Additionally, the tool uses command-line arguments to specify the IP address and port for communication, enabling attackers to relay data through compromised machines. The figure below illustrates how StarProxy proxies traffic.Figure 1: High-level diagram of StarProxy activity.Given the features of the malware, and the use of command-line arguments, Mustang Panda likely uses StarProxy as a post-compromise tool to access systems that are not reachable directly over the Internet.InitializationThe StarProxy DLL contains a malicious export function named StarBurn_UpStartEx, which expects two command-line arguments: a C2 IP address and a port number. Upon execution, the DLL attempts to connect to the specified C2 IP address. If the connection fails, StarProxy will keep retrying until it succeeds, waiting for one second in between attempts.BeaconingOnce a connection to the C2 server is successfully established, StarProxy beacons to the C2 to receive commands. If the C2 server signals that there are no commands, StarProxy waits for one second before beaconing again. If the C2 server signals that there are further commands to execute, StarProxy makes additional requests to the C2 server to retrieve the commands and execute them.Packet encryption and decryptionAll messages exchanged between the client and the C2 server are encrypted using two hardcoded 0x100-byte XOR keys. Details of the XOR keys and the encryption algorithm are available on the ThreatLabz GitHub page.C2 protocolRequest HeaderAll messages sent by StarProxy to the C2 server are prefixed with a request header (SEND_HEADER), which includes the fields below.struct SEND_HEADER
{
BYTE fake_tls_header[3]; // 0x17 0x03 0x03.
WORD message_size; // Size of data after the FakeTLS header.
DWORD zero; // Zero bytes (start of encrypted data with a hardcoded key).
WORD message_type; // C2 message type.
WORD buffer_size; // Buffer size specific to each message type.
}Response header All messages sent by the C2 to StarProxy are prefixed with a response header (RECV_HEADER), which includes the fields below.struct RECV_HEADER
{
BYTE fake_tls_header[3]; // 0x17 0x03 0x03.
WORD buffer_size; // Size of the message body (RECV_BODY).
}Notably, the FakeTLS header in these messages is designed to impersonate the TLSv1.2 protocol similar to the earlier ToneShell variants.Response body (RECV_BODY)The RECV_HEADER is followed by the RECV_BODY, which includes the command number and data specific to the corresponding command. The generic structure of the RECV_BODY is shown below.struct RECV_BODY
{
DWORD unused1;
WORD command_number; // The ID of the command to be executed.
WORD unused2;
BYTE body[]; // Body data (variable length array).
}
Beacon messageAs mentioned in the beaconing section above, StarProxy sends a beacon message (CMD_0_MESSAGE) at regular intervals to check for commands to be executed. The structure of the beacon message is shown in the table below.struct BEACON_MESSAGE
{
SEND_HEADER send_header; // message_type = 0 to indicate beacon message.
DWORD hash_of_rand_arr; // The hash of a randomly generated array with variable length, computed using a custom hash algorithm.
DWORD size_of_rand_arr; // Number of bytes occupied by the random array. This is always a multiple of four.
BYTE rand_arr[]; // A variable-length random array, likely used to verify the correct decryption of messages from the client.
}StarProxy uses the following convoluted process to generate the array of random bytes:Calls GetLocalTime() to retrieve a SystemTime structure.Adds up all members of the SystemTime structure to generate a seed.The seed is used to initialize a pseudo-random number generator (PRNG) using srand().Generates a random number between 1 and 16. This value will be the variable length (in bytes) of the array containing 32-bit integers.The array is filled with randomly generated 32-bit integers, which are then used to generate a 32-bit hash.In response to the beacon message, StarProxy expects the following response format from the C2:struct BEACON_MESSAGE_RESPONSE
{
RECV_HEADER recv_header; // Contains the FakeTLS header and message size.
DWORD unused;
DWORD has_command; // 0: command data present; any other value: no data present.
}C2 command handlerThe StarProxy client supports 5 command IDs (RECV_BODY.wCmdNum). The table below describes each command ID and its purpose.Command IDDescription1Command 1 appears to be a ping command.2Command 2 also appears to be a ping command, implemented exactly as command 1. The purpose of this duplicated command is unclear.3Command 3 directs StarProxy to set up a TCP connection to a target IP or domain. Once the connection is established, StarProxy sends the newly created socket descriptor to the C2. StarProxy then sets up a background thread to receive data from the target and forward it back to the C2.Command 3 is used in conjunction with command 4 to establish two-way communication with the target.While this sample of StarProxy is hardcoded to set up a TCP connection, StarProxy contains code which supports both UDP and TCP connections.4Forwards message to specified socket descriptor.5Closes the socket descriptor specified by the StarProxy C2 server.Table 7: Lists StarProxy commands.The purpose of the duplicate command handlers 1 and 2 is not clear, but could suggest that StarProxy is still under development.To Be ContinuedIn Part 1, we explored Mustang Panda’s modifications to ToneShell and a new lateral movement tool that we discovered called StarProxy that is likely used for post-compromise activities and lateral movement. In Part 2, we will explore two new keyloggers and an EDR evasion driver, also discovered on Mustang Panda’s staging server.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to Mustang Panda at various levels with the following threat names:Win32.Backdoor.ToneshellWin32.Trojan.MustangPandaIndicators Of Compromise (IOCs)File indicatorsMD5 HashSHA1 HashSHA256 HashFilenameDescription233214d22659aa85f32bb705812a0b22fcc7095f6ddbffb7c2ca29188c45bbdf4c922c66ede116e8f652728773363f6808fa8bbd5af873398e4bb5393c210677fa96a654cf.rarRAR archive hosted on attacker's server b695a31ea90e61cc08da1837d836655a03272f764bc0f6d80a830c164a5357cd9179030ea0f42337601429ffda00aa64b8e6102e2470b2388c132f96002f37d40f40d587libcef.dllToneShell DLL4fefc66a0f7e1b2ed8affc9c3ba66ec70d186cd1ecc525716ac08cbd5f59c58e44d082028fe76b434c9d57d5b82a786bcfac5aa3a75be88b19df5cd76e111af58c3c98c5mrender.exeLegitimate signed binary 4572914d6fd4b50604b30c761736ef7d1afde3bfe7ff7a9a164c9e6a0de12f5f1ce50b9a91d8b31259d8602539fb6eaa0588d6521bf01299ccd8ed830abfe2ace7aea54dclient.rarRAR archive hosted on the server db26dbad33580489204320c9c5ea400b81dce30dfb85d8a110f384ab72f23081f20f500dc1d24a5cb1d57a91cf4a717425bd0d46b4436d14d7f4744fa8dfbb22609f57a8IsoBurner.exeLegitimate and signed binary 784bcd1f62b97589f479525d27f883cb70b286728cf006ae6da37d918d372b7cedd4085563aa30c452e4dc0aa2324ce891da1acfa90ce85476d2dd7ab85ff448f913af5eStarBurn.dllMalicious DLL - StarProxy 3ed1b60aada8ec3fc0965976c542dda5da01214c5df3ee4a5a6b99414e4bb1fd88f6eb3e649b32f2db7d71cd083e9af4fae2fb3c086f5ed73eac622f427f7fa5d513c605zz.rarRAR archive5788433d90e3297b32dfa009790490aa428c4da69023ec6ca7d253e5c643fd1c2689c55c69555f4d956fce11eac8fb6d7286c087d6acacf7971821ede1335e96a3c72736gpgconf.exeLegitimate and signed binary1b388ef6594415421ef1b3cd9502fc7a092cd5ad641ce749c100c2ad045e4aabb9bb7e90cf1f057bc8cb25b2d6d0704cef0655ea4d41ea247c51984b25635bd23c8ae109libgcrypt-20.dllToneShell DLL9afdcf5369eca11d412870f7cb805da920b4624781bdc1f670942dc07bf673abd1c5e70f21e271bde14b62a1c982ea3aefc1c42a7f5b412126e920e7dd4200cbf14fe475libgpg-error-0.dllN/A7c65d1e28fadf9b6d704b5c47016c05d67d777f491b89d052c709cec7762b91ab514d3e6a901fd9ef4044a872866ad9506cf3e17cbf58b93278ac3ca7e48820b3a228458Bandizip.exeLegitimate and signed binary2012bf5de269d9acd0bfd7250ab46c68337850d965dd9860162c2084d83d4113bac9559388e1b73318ba2107c2e70a59064d51e4fecd37ab6175735e43abfa8657d2cd91ark.x64.dllToneShell DLL5936b135905bee8f038b9266362f22c7f435900ebbc8a46c3b0b273d48b2ac149a35b194a9b1289383ffe3ee2bd0df96ad6918b9a7e27819e4bc10c3922d8bbd61cbd959ru.zipZip archived7ae078b2641b94c8042424a1387851b296c37ab1985c08bd3b194b129392c8d4d164399005754ced6f73a197a4a21c58da39d5e3ee84e484640765dbda2475f4ba2d3bdFastVD.exeLegitimate and signed binary6164f397ff13c56310e94af235a9aa02b2544370e041c2b3d38e5b1c0a22b4eab2d7058857e22a93fc31bd299871840864e82fa553e99501af7645102d07dceed2a8ef1aLogMeIn.dllToneShell DLLToneShell variantsThe table below shows details about the three ToneShell variants identified by ThreatLabz.VariantDescriptionVariant 1ITW Filename: libcef.dllMD5: b695a31ea90e61cc08da1837d836655aCompilation Time Stamp: Sun Dec 15 21:58:31 2024Variant 2ITW Filename: LogMeIn.dllMD5: 6164f397ff13c56310e94af235a9aa02Compilation Time Stamp: Tue Jan 14 02:42:26 2025Variant 3ITW Filename: libgcrypt-20.dllMD5: 1b388ef6594415421ef1b3cd9502fc7aCompilation Time Stamp: Thu Jan 02 09:48:51 2025Network indicatorsTypeIndicatorStaging server URL103.13.31[.]75/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/C2 domainwww.dest-working[.]comC2 domainwww.profile-keybord[.]comC2 IP address43.229.79[.]163C2 IP address43.254.132[.]217C2 IP address181.215.246[.]155Host indicatorsToneShell GUID file pathsThe following files are used to store the GUID or its derived values.%temp%\cryption_event.iniC:\\ProgramData\\bcryptprimitive.appcore.tbiC:\Users\public\description.iniCertificate details of the signed binariesSHA256 HashBinary NameSigner Name8fe76b434c9d57d5b82a786bcfac5aa3a75be88b19df5cd76e111af58c3c98c5mrender.exeJUNYUN LIMITEDc1d24a5cb1d57a91cf4a717425bd0d46b4436d14d7f4744fa8dfbb22609f57a8IsoBurner.exeLSoft Technologies Inc69555f4d956fce11eac8fb6d7286c087d6acacf7971821ede1335e96a3c72736gpgconf.exeg10 Code GmbHMITRE ATT&CK FrameworkIDTacticDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingAll the DLLs in this new toolset are sideloaded by legitimate and signed Windows binaries.TA0011Command and ControlStarProxy and ToneShell variants have command-and-control capabilities.T1573Encrypted ChannelStarProxy uses two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm. ToneShell variants use a randomly generated variable length (0x20 - 0x200 bytes) rolling XOR key to encrypt and decrypt network packets.T1090.001Proxy: Internal ProxyStarProxy is equipped with capabilities to route traffic between systems within a compromised network.T1573.001Symmetric CryptographyThe XOR encryption algorithms employed by Mustang Panda's tools are based on symmetric cryptography.TA0005Defense evasionEncrypted network packets exchanged between client and C2 server can be used to evade network security products.T1001.003Data Obfuscation: Protocol ImpersonationStarProxy and ToneShell variants use FakeTLS headers in network packets to impersonate various versions of TLS protocols and blend in with legitimate network traffic.T1027.007Obfuscated Files or Information: Dynamic API ResolutionToneShell uses a modified DJB2 algorithm to resolve APIs.T1055.001Process Injection: Dynamic-link Library InjectionToneShell uses DLL injection to execute payloads received from the C2 server.T1070.004Indicator Removal: File DeletionToneShell includes functionality to delete payload files received from the C2 server.T1134.002Access Token Manipulation: Create Process with TokenToneShell includes functionality to create sub-processes with a specific user’s token.T1087Account DiscoveryToneShell includes functionality to retrieve a list of user accounts.

The post Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1 appeared first on Security Boulevard.

Author/Presenter: Brian Reilly

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Breaking Ground – Modern ColdFusion Exploitation and Attack Surface Reduction appeared first on Security Boulevard.

These are “interesting” times: U.S. government funding for the Common Vulnerabilities and Exposures program expires April 16.

The post MITRE Crisis: CVE Cash Ends TODAY — CISA says ‘No Lapse’ appeared first on Security Boulevard.

The Trump Administration is ending funding for MITRE's crucial CVE database program, a move that promises to hobble cybersecurity efforts around the world. However, CVE Board members introduce a new nonprofit organizations free of government funding and oversight.

The post CISA at the Last Minute Extends Funding for Crucial MITRE CVE Program appeared first on Security Boulevard.

Oracle addresses 171 CVEs in its second quarterly update of 2025 with 378 patches, including 40 critical updates.

Background

On April 15, Oracle released its Critical Patch Update (CPU) for April 2025, the second quarterly update of the year. This CPU contains fixes for 171 unique CVEs in 378 security updates across 32 Oracle product families. Out of the 378 security updates published this quarter, 10.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 54.5%, followed by high severity patches at 32.3%.

This quarter’s update includes 40 critical patches across 15 CVEs.

Severity Issues Patched CVEs Critical 40 15 High 122 52 Medium 206 98 Low 10 6 Total 378 171 Analysis

This quarter, the Oracle SQL Developer product family contained the highest number of patches at 103, accounting for 27.3% of the total patches, followed by Oracle Hyperion at 43 patches, which accounted for 11.4% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family Number of Patches Remote Exploit without Auth Oracle SQL Developer 103 82 Oracle Hyperion 43 2 Oracle Secure Backup 42 35 Oracle Communications 34 22 Oracle E-Business Suite 31 26 Oracle Commerce 16 11 Oracle Enterprise Manager 15 11 Oracle JD Edwards 11 11 Oracle Hospitality Applications 8 5 Oracle Database Server 7 3 Oracle TimesTen In-Memory Database 7 6 Oracle REST Data Services 6 5 Oracle Analytics 6 5 Oracle Essbase 4 2 Oracle Communications Applications 4 4 Oracle Insurance Applications 4 1 Oracle MySQL 4 2 Oracle Policy Automation 4 4 Oracle Construction and Engineering 3 2 Oracle Financial Services Applications 3 2 Oracle Food and Beverage Applications 3 2 Oracle Java SE 3 3 Oracle PeopleSoft 3 2 Oracle Supply Chain 3 0 Oracle NoSQL Database 2 2 Oracle Retail Applications 2 0 Oracle Siebel CRM 2 2 Oracle Application Express 1 1 Oracle Autonomous Health Framework 1 0 Oracle GoldenGate 1 1 Oracle Graph Server and Client 1 0 Oracle Fusion Middleware 1 1 Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2025 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

• Oracle Critical Patch Update Advisory - April 2025
• Oracle April 2025 Critical Patch Update Risk Matrices
• Oracle Advisory to CVE Map

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Oracle April 2025 Critical Patch Update Addresses 171 CVEs appeared first on Security Boulevard.

Struggling with proprietary identity solutions? This comprehensive guide explores how open source CIAM platforms offer enterprises transparency, flexibility, & cost control while maintaining robust security. Compare leading solutions and discover which best balances security and customer experience.

The post Open Source CIAM: A Practical Guide for the Modern Enterprise appeared first on Security Boulevard.

Palo Alto, California, 16th April 2025, CyberNewsWire

The post SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions appeared first on Security Boulevard.

DataDome conducted a security assessment of the UK's online driving test booking system and identified several vulnerabilities in the system’s protection mechanisms.

The post Alert: Security Gaps Allow Bots to Exploit UK Driving Test Booking System appeared first on Security Boulevard.

Shadow IT is reshaping enterprise risk. Learn which departments lead shadow SaaS adoption, why it’s growing, and how to gain control before security gaps widen.

The post Shadow IT in 2025: 5 Teams Most Likely to Use Shadow IT Apps appeared first on Security Boulevard.

MITRE’s CVE program has been an important pillar in cybersecurity for over two decades. The lack of certainty surrounding the future of the CVE program creates great uncertainty about how newly discovered vulnerabilities will be cataloged.

Background

On April 15, reports circulated that the contract for funding the Common Vulnerabilities and Exposures (CVE) program along with other related programs, such as Common Weakness Enumeration (CWE), would be expiring on April 16. The letter below was sent to CVE Board Members and published on social media and other fora announcing the expiration of these programs:

The legitimacy of this letter and its contents was confirmed by cybersecurity journalist Brian Krebs in a post on Mastodon. Tenable has also independently confirmed the letter’s legitimacy.

CVE program importance

While flawed in some ways, the CVE program, which recently celebrated its 25th anniversary, has been an important pillar in cybersecurity for over two decades. It provides a common taxonomy for cybersecurity solutions and organizations to track vulnerabilities and exposures. Since its launch in 1999, the CVE program has published over 250,000 CVEs as of the end of 2024.

Risk to CVE program

With the report that the funding for the CVE program is potentially set to expire on April 16, the biggest concern stems from the fact that CVE Numbering Authorities, or CNAs, will no longer be able to reserve and assign CVEs for newly discovered vulnerabilities. While CNAs typically try to reserve a block of CVEs, the lack of transparency surrounding the future of the CVE program creates uncertainty surrounding newly discovered vulnerabilities. The historical CVE database will remain intact on GitHub following the expiration of the CVE program. However, MITRE’s CVE program also provides a centralized repository of CVEs from which many organizations fetch data and this may disappear. The lack of this centralized repository will create difficulties going forward for tracking new and noteworthy vulnerabilities under a common identifier.

Tenable’s response to the potential expiration of the MITRE CVE program

Tenable is closely monitoring the situation surrounding the possible expiration of the CVE program funding.

Last year, when we learned about NIST’s National Vulnerability Database (NVD) experiencing delays surrounding analysis efforts, we highlighted that Tenable Vulnerability Management products utilize a diverse range of sources for CVSS scoring and our customers experienced little to no impact.

As a provider of vulnerability scanning technology, we are not dependent on the CVE program directly for our vulnerability coverage. We develop our vulnerability coverage against vendor advisories directly, and will continue to do so, so long as vendors make those advisories available whether they contain CVE identifiers or not. Tenable also provides its customers with a richly sourced and curated Vulnerability Intelligence feed that provides contextualized information for any given vulnerability, regardless of a CVE assignment or not.

Tenable is a CNA, and we allocate CVEs for our vulnerability disclosures through our Tenable Research Advisories page. We also have reserved a large number of CVE designators for disclosures to ensure the cybersecurity community has clear identity for future discovered vulnerabilities.

As new developments surrounding the CVE program emerge, we will update this blog post accordingly.

Get more information

• MITRE Warns CVE Program Faces Disruption Amid US Funding Uncertainty

The post MITRE CVE Program Funding Set To Expire appeared first on Security Boulevard.

ADAMnetworks is excited to announce Wyo Support to the family of Licensed Technology Partners.

“After working with the various systems and technologies, there are few that compare with the protection that ADAMnetworks provides. It reduces the attack surface from the broad side of a barn down to the size of a keyhole. No other technology provides the simple end user interface for such a powerful connection management tool.”

ADAMnetworks is excited to announce our partnership with Wyo Support, a leading Managed Security Service Provider (MSSP), as our newest Licensed Technology Partner (LTP). With a shared commitment to proactive cybersecurity, Wyo Support will be delivering ADAMnetworks’ award-winning Zero Trust connectivity (ZTc) solution to clients across diverse sectors.

This partnership empowers Wyo Support to provide clients with the highest level of security available, safeguarding sensitive data and infrastructures against sophisticated threats like phishing, ransomware, and data exfiltration—even in cases of accidental clicks on phishing links.

Who is Wyo Support?

At Wyo Support, their mission is to empower businesses through exceptional IT expertise, cutting-edge cybersecurity solutions, and a strong commitment to education. As a leading Managed Service Provider (MSP), they specialize in delivering comprehensive managed services that not only safeguard your digital assets but also enhance your team’s understanding of technology and security best practices.

They believe that education is the cornerstone of a secure and efficient digital environment. Their passionate team is dedicated to providing personalized, innovative strategies while sharing valuable knowledge that empowers your staff. By demystifying complex technological concepts, they will help you make informed decisions and foster a culture of continuous learning within your organization.

With Wyo Support, you’re not just partnering with a service provider—you’re collaborating with educators and experts who are invested in your success. Let them guide you through the ever-evolving technological landscape, ensuring that your business is not only protected but also proficient in navigating the digital world.

Primary Industries

Wyo Support is dedicated to empowering a diverse range of industries with our specialized IT and cybersecurity solutions. Their primary focus includes small to medium-sized businesses (SMBs), government and public sector agencies, educational institutions, healthcare providers, financial services firms, and enterprise-level corporations.

Wyo Support shared how they serve each of these industries:

For Small to Medium-Sized Businesses (SMBs), we understand the need for flexible and scalable IT services that enable growth and competitive advantage. We offer customized strategies to streamline operations, reduce costs, and enhance productivity. Protecting your business from cyber threats is a top priority, and we provide robust security measures to safeguard your digital assets and customer data.

In serving Government and Public Sector Agencies, we navigate the complex landscape of regulations to ensure full compliance with necessary standards and protocols. We bolster these agencies with secure, reliable IT infrastructures that support critical operations and public services, enhancing their ability to serve the community effectively.

Our work with Educational Institutions involves partnering with schools to implement innovative IT solutions that enrich the educational experience for students and faculty alike. We prioritize safeguarding student information and institutional data, providing cybersecurity services that ensure a protected and conducive learning environment.

For Healthcare Providers, where patient data security is paramount, we help organizations secure sensitive information and comply with healthcare regulations like HIPAA. We optimize IT systems to improve patient care delivery and operational efficiency, enabling healthcare professionals to focus on what they do best.

In the Financial Services sector, we recognize the critical importance of data security, regulatory compliance, and system reliability. We assist banks, investment firms, insurance companies, and other financial institutions in implementing robust cybersecurity measures to protect sensitive financial data and transactions. Our expertise ensures adherence to industry regulations like PCI DSS and GDPR, or assisting with WISP preparation, our advanced IT solutions enhance operational efficiency and client trust.

With Enterprise-Level Corporations, we offer comprehensive IT management that adapts to the complexities of large-scale operations. Our team introduces cutting-edge technologies to drive innovation and maintain a competitive edge in the market, providing scalable IT strategies that meet the demands of big business.

Wyo Support’s Commitment to Education Across Industries

What truly sets Wyo Support apart is their unwavering commitment to education across all the industries they serve. They don’t just provide services; they empower your team with the knowledge and skills needed to leverage technology effectively. By demystifying complex technological concepts, they will help you make informed decisions and foster a culture of continuous learning within your organization.

They offer customized training sessions and workshops to educate your staff on the latest IT trends, cybersecurity best practices, and efficient use of technology tools. Their experts regularly share insights, tips, and updates to keep you informed about emerging technologies and potential risks. By working closely with your team, Wyo Support ensures your team understands the solutions implemented, fostering an environment where continuous improvement thrives.

Integrating education into their services helps you build a knowledgeable workforce that can confidently navigate the ever-evolving digital landscape. With Wyo Support as your partner, you’re not only investing in top-tier IT and cybersecurity solutions but also in the growth and development of your organization’s most valuable asset—its people.

Locations Wyo Support is proud to serve:

At Wyo Support, we believe that geography should never be a barrier to accessing top-tier IT and cybersecurity solutions. Our nationwide presence underscores our dedication to empowering businesses everywhere with the tools, knowledge, and support they need to thrive in today’s digital world. By bridging distances and connecting communities, we inspire confidence and drive success for our clients, no matter where they are located.

Wyo Support is proud to call Cheyenne home, strategically positioned to offer IT and cybersecurity solutions within a 200-mile radius of our base. This primary service area allows us to provide personalized, on-site support to businesses in our local region, fostering strong relationships and a deep understanding of the community’s unique needs.

But our reach doesn’t stop there. Leveraging advanced remote technologies and a dedicated team of experts, we have expanded our services nationwide. From the vibrant business hubs of Florida to the innovative tech landscapes of California, and from the plains of North Dakota down to the dynamic markets of Texas, Wyo Support has made a significant impact across the country. Our ability to effectively serve clients coast-to-coast is a testament to the quality, reliability, and adaptability of our services.

Whether you’re a local enterprise seeking hands-on assistance or a national corporation in need of expert guidance, Wyo Support is equipped to meet your needs. We blend the accessibility and commitment of a local provider with the expertise and resources of a nationwide firm.

Key Accomplishments

Wyo Support is entering their fifth year of business and has rapidly expanded, now managing thousands of endpoints nationwide. Their team boasts over 75 years of collective, hands-on IT experience across a diverse range of sectors—including education, critical infrastructure, medical, legal, and hospitality.

This wealth of expertise empowers them to understand deeply what it takes to comply with industry-specific regulations. They have a proven track record of assisting clients in navigating the ever-changing landscape of laws and compliance requirements. Their commitment goes beyond merely meeting standards; they strive to exceed them, ensuring that your organization is not only compliant but also secure and efficient.

How to get in touch with Wyo Support:

Call, write, or fill in the webform at WyoSupport.com

307-SUPPORT (787-7678) or 307-421-5705

Email: [email protected]

Facebook: Wyo Support LLC | Cheyenne WY

Linkedin: Wyo Support | LinkedIn

𝕏: twitter.com/WyoSupport

Instagram: instagram.com/wyosupport

YouTube: youtube.com/@wyosupport8077

1 post - 1 participant

Read full topic

The post Introducing Wyo Support – ADAMnetworks LTP appeared first on Security Boulevard.

Why is Cloud Data Security vital for Modern Businesses? Cloud data security has grown to be an inherent part of businesses across various industries today, ranging from financial services and healthcare to travel and DevOps. But, amidst this shift to digital transformation, have you ever considered how secure your data is in the cloud? Let’s […]

The post How to Feel Reassured with Cloud Data Security appeared first on Entro.

The post How to Feel Reassured with Cloud Data Security appeared first on Security Boulevard.

Are Your Non-Human Identities Secure? Where interactions between software, applications, and API components are crucial for seamless processes, Non-Human Identifies (NHIs) and their security cannot be overlooked. NHIs are machine identities that perform sessions, transactions, and process automation. But, are they well-protected against potential security threats? Understanding the Criticality of NHI Security Expanding digital, coupled […]

The post How Safe Are Your Non-Human Identities? appeared first on Entro.

The post How Safe Are Your Non-Human Identities? appeared first on Security Boulevard.

Author/Presenter: Fabricio Bortoluzzi

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Breaking Ground – Insights On Using A Cloud Telescope To Observe Internet-Wide Botnet Propagation Activity appeared first on Security Boulevard.

The post The Hidden Risks in AI Training Data—And How to Eliminate Them appeared first on Votiro.

The post The Hidden Risks in AI Training Data—And How to Eliminate Them appeared first on Security Boulevard.