Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers - Related to stealers, ips, cisco, 4,000, brute-force

Cisco warns of Webex for BroadWorks flaw exposing credentials

Cisco warned consumers today of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely.

Webex for BroadWorks integrates Cisco Webex's video conferencing and collaboration capabilities with the BroadWorks unified communications platform.

While the firm has yet to assign a CVE ID to track this security issue, Cisco says in a Tuesday security advisory that it already pushed a configuration change to address the flaw and advised people to restart their Cisco Webex app to get the fix.

"A low-severity vulnerability in Cisco Webex for BroadWorks Release [website] could allow an unauthenticated, remote attacker to access data and credentials if unsecure transport is configured for the SIP communication," Cisco explained.

"A related issue could allow an authenticated user to access credentials in plain text in the client and server logs. A malicious actor could exploit this vulnerability and the related issue to access data and credentials and impersonate the user."

The vulnerability is caused by sensitive information exposed in the SIP headers and only affects Cisco BroadWorks (on-premises) and Cisco Webex for BroadWorks (hybrid cloud/on-premises) instances running in Windows environments.

The enterprise advises admins to configure secure transport for SIP communication to encrypt data in transit as a temporary workaround until the configuration change reaches their environment.

"Cisco also recommends rotating credentials to protect against the possibility that the credentials have been acquired by a malicious actor," the corporation added.

It also added that its Product Security Incident Response Team (PSIRT) has no evidence of malicious use in the wild or public announcements sharing further information on this vulnerability.

On Monday, CISA tagged another Cisco vulnerability (CVE-2023-20118) patched in January 2023 as actively exploited. This flaw allows attackers to execute arbitrary commands on Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers.

Last month, Recorded Future's Insikt Group threat research division also reported that China's Salt Typhoon hackers had breached more [website] telecom providers via unpatched Cisco IOS XE network devices.

The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines,......

TrapC ist eine neue, auf Cybersicherheit spezialisierte Variante der Programmiersprache C. Sie zielt darauf ab, die in C und C++ gängigen Speicherprob......

Microsoft hat Windows 365 Disaster Recovery Plus vorgestellt. Zum jetzigen Zeitpunkt liegt das Disaster-Recovery-Tool als lizenzpflichtiges Add-on für......

Silk Typhoon hackers now target IT supply chains to breach networks

Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream end-clients.

The tech giant has confirmed breaches across multiple industries, including government, IT services, healthcare, defense, education, NGOs, and energy.

"They [Silk Typhoon] exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities," reads Microsoft's analysis.

"After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives."

Silk Typhoon is a Chinese state-sponsored espionage group known for hacking the [website] Office of Foreign Assets Control (OFAC) office in early December 2024 and stealing data from the Committee on Foreign Investment in the United States (CFIUS).

Silk Typhoon switched tactics around that period, abusing stolen API keys and compromised credentials for IT providers, identity management, privileged access management, and RMM solutions, which are then used to access downstream customer networks and data.

Microsoft says the attackers scan GitHub repositories and other public resources to locate leaked authentication keys or credentials and then use them to breach environments. The threat actors are also known for using password spray attacks to gain access to valid credentials.

Previously, the threat actors were primarily leveraging zero-day and n-day flaws in public-facing edge devices to gain initial access, plant web shells, and then move laterally via compromised VPNs and RDPs.

Switching from organization-level breaches to MSP-level hacks allows the attackers to move within cloud environments, stealing Active Directory sync credentials (AADConnect), and abusing OAuth applications for a much stealthier attack.

The threat actors no longer rely on malware and web shells, with Silk Typhoon now exploiting cloud apps to steal data and then clear logs, leaving only a minimal trace behind.

's observations, Silk Typhoon continues to exploit vulnerabilities alongside its new tactics, sometimes as zero days, for initial access.

Most in recent times, the threat group was observed exploiting a critical Ivanti Pulse Connect VPN privilege escalation flaw (CVE-2025-0282) as a zero-day to breach corporate networks.

Earlier, in 2024, Silk Typhoon exploited CVE-2024-3400, a command injection vulnerability in Palo Alto Networks GlobalProtect, and CVE-2023-3519, a remote code execution flaw in Citrix NetScaler ADC and NetScaler Gateway.

Microsoft says the threat actors have created a "CovertNetwork" consisting of compromised Cyberoam appliances, Zyxel routers, and QNAP devices, which are used to launch attacks and obfuscate malicious activities.

Microsoft has listed updated indicators of compromise and detection rules that reflect Silk Typhoon's latest shift in tactics at the bottom of its study, and defenders are recommended to add the available information to their security tools to detect and block any attacks timely.

Wenn Angreifer erfolgreich an einer Schwachstelle in Kibana ansetzen, können sie Systeme mit Schadcode verseuchen. Attacken sind aber nicht in jedem F......

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Hap......

Artificial intelligence (AI) and machine learning (ML) have entered the enterprise environment.

Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts.

The findings come from the Splunk Threat Research Team, which expressed the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems.

The unidentified threat actors performed "minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised," the Cisco-owned firm noted in a technical findings .

"This actor also moves and pivots primarily by using tools that depend and run on scripting languages ([website], Python and Powershell), allowing the actor to perform under restricted environments and use API calls ([website], Telegram) for C2 [command-and-control] operations."

The attacks have been observed leveraging brute-force attacks exploiting weak credentials. These intrusion attempts originate from IP addresses associated with Eastern Europe. Over 4,000 IP addresses of ISP providers are stated to have been specifically targeted.

Upon obtaining initial access to target environments, the attacks have been found to drop several executables via PowerShell to conduct network scanning, information theft, and XMRig cryptocurrency mining by abusing the victim's computational resources.

Prior to the payload execution is a preparatory phase that involves turning off security product functions and terminating services associated with cryptominer detection.

The stealer malware, besides featuring the ability to capture screenshots, serves akin to a clipper malware that's designed to steal clipboard content by searching for wallet addresses for cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).

The gathered information is subsequently exfiltrated to a Telegram bot. Also dropped to the infected machine is a binary that, in turn, launches additional payloads -.

[website], which is designed to download a password list ([website] and list of IP addresses ([website] from its C2 server for carrying out brute-force attacks.

"The actor targeted specific CIDRs of ISP infrastructure providers located on the West Coast of the United States and in the country of China," Splunk mentioned.

"These IPs were targeted by using a masscan tool which allows operators to scan large numbers of IP addresses which can subsequently be probed for open ports and credential brute-force attacks."

HP liefert mit ThinPro ein Linux-basiertes Betriebssystem für Thin-Clients. Jetzt hat das Unternehmen eine Aktualisierung veröffentlicht, die hunderte......

A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organiz......

The Hunters International ransomware gang has claimed responsibility for a January cyberattack attack on Tata Technologies, stating they stole [website] o......