A new campaign is likely targeting a zero-day in Fortinet FortiGate firewalls

Security Affairs

The researchers noticed that the attack targeted firmware versions of devices ranging between 7.0.14 In the reconnaissance phase, experts observed automated login/logout events without changes until November 22, 2024, when unauthorized configuration edits began. Targeting appeared opportunistic rather than targeted.

How ToddyCat tried to hide behind AV software

SecureList

The resulting tool’s capabilities include modifying operating system kernel structures to disable notification routines, for example, about a process creation event in the system or a load event. This is a utility driver used to update PC drivers, BIOS and firmware.

Triada strikes back

SecureList

With time, the vulnerabilities were patched, and restrictions were added to the firmware. Attackers are leveraging this by embedding malicious software into Android device firmware. Attackers are now embedding a sophisticated multi-stage loader directly into device firmware. oat ) located in the same directory.

Mercedes-Benz Head Unit security research report

SecureList

Firmware: The MMB runs on Linux, and its filesystems are located on the eMMC.

Custom IPC: Inside the head unit, firmware services use custom IPC protocols for communication between their own threads, other services and other ECUs. Its main distinctive feature is that thriftme allows subscribers to be notified about particular events.

Fully segregated networks? Your dual-homed devices might disagree

Pen Test Partners

Minimal Event Logging and Alerting Capabilities: Some embedded systems often lack the capability to collect and collate event logs to a centralised location for SOC analysis.

Figure 2: Dual-homed GPS timeserver

Additionally, the firmware version installed on the GPS timeserver was outdated with several known vulnerabilities.

Weaponizing Group Policy: Custom Client-Side Extensions as a Stealthy Backdoor into Active Directory

Penetration Testing

Antoine Cauchois highlights multiple strategies for defenders: Monitor Event ID 5145 (file access to SYSVOL) and 4688 (process creation). GUID hijacking: Replace the DLL path of a legitimate but unused built-in CSE, allowing attackers to use a “trusted” GUID to load malicious code.

2025 Supply Chain Threat Landscape: AI, APIs, and the Weakest Link

SecureWorld News

In another case, a medical device manufacturer's firmware update system was targeted; malware was inserted into life-saving equipment (like pacemakers and insulin pumps), raising alarms about physical safety. Practicing joint response will make real events far less chaotic. Each device can be a new weak link if not secured.