CyberNews: 01/11/2025 Edition
Today’s roundup
Summary
Palo Alto Networks Unit 42 has attributed a new malware family, "Airstalk", to a suspected nation-state actor it tracks as CL-STA-1009. Airstalk is being deployed in what is most likely a supply chain attack, and it abuses the AirWatch mobile device management (MDM) API as its command-and-control channel rather than contacting attacker infrastructure directly.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that ransomware gangs are actively exploiting the Linux kernel vulnerability CVE-2024-1086. The high-severity use-after-free flaw sits in the netfilter nf_tables subsystem and gives a local, unprivileged attacker root. The bug was introduced in 2014 and patched in January 2024; CISA added it to its Known Exploited Vulnerabilities catalog in May 2024, and has now updated the entry to reflect its use in ransomware campaigns.
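The roundup names the flaw but not how to tell whether a given host is exposed. The script below is an added triage example written for this digest, not code from CISA or from any advisory. It combines the three things a responder checks: whether the kernel predates the upstream fix (the version floor `UPSTREAM_FIXED` is a placeholder assumption, because distributions backport the January 2024 patch without changing the upstream version string, so a "below the floor" result means "read your distro advisory", not "vulnerable"), whether nf_tables is reachable (loaded, or loadable on demand because it was only `blacklist`ed rather than blocked with an `install ... /bin/false` rule), and whether unprivileged processes can create user namespaces, which is how an ordinary user gets the CAP_NET_ADMIN the nf_tables netlink interface requires. The `/proc/modules` and sysctl samples in the test are constructed.

```python
"""Exposure triage for CVE-2024-1086 (nf_tables use-after-free, local
privilege escalation). Added example; not CISA's or a vendor's code."""
import platform
import re
from pathlib import Path

# ASSUMPTION / placeholder: hosts below this upstream version are flagged for
# manual confirmation against the distribution advisory, not declared vulnerable.
UPSTREAM_FIXED = (6, 8, 0)
NFT_MODULE = "nf_tables"
USERNS_KEYS = ("kernel.unprivileged_userns_clone", "user.max_user_namespaces")


def parse_kernel_release(release: str) -> tuple:
    """'5.15.0-91-generic' -> (5, 15, 0); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def nf_tables_loaded(proc_modules: str) -> bool:
    """True if nf_tables appears in /proc/modules (first column is the name)."""
    return any(line.split()[0] == NFT_MODULE
               for line in proc_modules.splitlines() if line.strip())


def nf_tables_blocked(modprobe_conf: str) -> bool:
    """True only if modprobe.d makes every load attempt fail.

    'blacklist nf_tables' alone stops alias-based loading at boot but not an
    on-demand request_module() by name; 'install nf_tables /bin/false' does.
    Neither helps when nf_tables is built in (CONFIG_NF_TABLES=y).
    """
    return bool(re.search(r"^\s*install\s+nf_tables\s+/bin/(false|true)\b",
                          modprobe_conf, re.M))


def unprivileged_userns_allowed(sysctls: dict) -> bool:
    """Can an unprivileged process create a user namespace?

    Debian/Ubuntu kernels expose kernel.unprivileged_userns_clone; every
    kernel has user.max_user_namespaces. A value of 0 in either disables it.
    """
    return all(sysctls.get(k, "1").strip() != "0" for k in USERNS_KEYS)


def assess(release, proc_modules, modprobe_conf, sysctls, fixed=UPSTREAM_FIXED) -> dict:
    """Combine the three factors; 'exposed' means all three line up."""
    findings = []
    if parse_kernel_release(release) < fixed:
        findings.append(f"kernel {release} predates upstream "
                        f"{'.'.join(map(str, fixed))}: confirm backport status "
                        "in the distribution advisory")
    if nf_tables_loaded(proc_modules):
        findings.append("nf_tables is loaded")
    elif not nf_tables_blocked(modprobe_conf):
        findings.append("nf_tables is not loaded but can be autoloaded on demand")
    if unprivileged_userns_allowed(sysctls):
        findings.append("unprivileged user namespaces allowed: CAP_NET_ADMIN "
                        "reachable without root")
    return {"findings": findings, "exposed": len(findings) == 3}


def collect_live() -> dict:
    """Gather the inputs from the running host (Linux paths; empty elsewhere)."""
    def read(path):
        try:
            return Path(path).read_text()
        except OSError:
            return ""
    sysctls = {k: v for k in USERNS_KEYS
               if (v := read("/proc/sys/" + k.replace(".", "/")))}
    conf = "\n".join(read(p) for p in Path("/etc/modprobe.d").glob("*.conf"))
    return assess(platform.release(), read("/proc/modules"), conf, sysctls)


if __name__ == "__main__":
    result = collect_live()
    for line in result["findings"]:
        print("-", line)
    print("EXPOSED" if result["exposed"] else "not exposed by this heuristic")
```

Treat the output as a prioritisation aid: a host that fails all three checks goes to the top of the patch queue, while disabling unprivileged user namespaces or blocking the module is a stop-gap, not a substitute for the kernel update.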
The Australian government has warned of ongoing attacks against unpatched Cisco IOS XE devices across the country. Threat actors are installing a webshell dubbed "BadCandy" on the affected routers. The alert stresses that the vulnerabilities being exploited are already known, so the exposure comes down to critical network infrastructure that has not been patched.
A spear-phishing campaign attributed to the threat group UNC6384 is targeting European diplomatic entities. The attackers use fake European Commission and NATO-themed lures to get diplomatic personnel to click malicious links, which in turn deliver a Windows exploit.
Ribbon Communications, a U.S. telecommunications company, has disclosed an incident in which suspected nation-state actors gained unauthorized access to its network. The intrusion reportedly began in December 2024; it remains unclear whether any sensitive data was exfiltrated. This is another instance of nation-state targeting of the telecom sector.
The University of Pennsylvania is investigating an incident on Friday in which current and former students received a series of offensive emails. The messages, sent from several University addresses, claimed that a data breach had occurred and threatened to leak stolen information.
OpenAI has announced the release of "Aardvark," an "agentic security researcher" powered by its GPT-5 large language model. This autonomous AI agent is designed to emulate human experts in scanning, understanding, and automatically patching code, aiming to assist developers and security teams in identifying and remediating security vulnerabilities.
New "Dead Domain Discovery" tools, including a Chrome extension and a UDP DNS forwarder, have been released to help security researchers and penetration testers spot expired or unregistered domains that live sites still reference. Dead domains are an often-overlooked bug class: an attacker who registers a domain that a site still loads scripts from, submits forms to, or otherwise trusts inherits that trust, which is how a stale reference turns into Cross-Site Scripting, Information Disclosure, or Remote Code Execution.
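To make the bug class concrete, here is an added example written for this digest; it is not one of the released tools. It walks a page's tags that load or submit to a URL, keeps the hosts that are not the page's own, and asks a resolver whether each host's registrable domain still resolves. A `<script src>` on a dead domain is the XSS case (whoever registers the name serves JavaScript into the page's origin); a `<form action>` on a dead domain is the information-disclosure case (submitted fields go to the new registrant). Two simplifications are assumptions of the example: the apex is taken as the last two labels (wrong for suffixes such as `co.uk`; use the Public Suffix List for real scans), and the default resolver uses `socket.getaddrinfo`, which cannot tell an unregistered domain from a registered one with no address records, so confirm hits with RDAP/WHOIS before calling them takeovers. The sample page and the `fake_resolver` are constructed so the example runs offline.

```python
"""Dead-domain discovery over a page's third-party references.
Added example; not one of the released tools."""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> (attribute holding the URL, impact if the domain is unregistered)
ACTIVE_REFS = {
    "script": ("src", "XSS: attacker-served JavaScript runs in the page's origin"),
    "iframe": ("src", "content injection: attacker controls the framed document"),
    "object": ("data", "content injection"),
    "embed": ("src", "content injection"),
    "form": ("action", "information disclosure: submitted fields go to the registrant"),
    "img": ("src", "content injection / visitor tracking"),
}
HIGH_IMPACT = {"script", "link", "iframe", "object", "embed"}
LINK_RELS = ("stylesheet", "preload", "modulepreload")  # link rels that load code/style


class RefCollector(HTMLParser):
    """Record (tag, url, impact) for every tag that loads or submits to a URL."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":  # only relations that pull content into the page matter
            rel = (a.get("rel") or "").lower().split()
            if a.get("href") and any(r in rel for r in LINK_RELS):
                self.refs.append(("link", a["href"],
                                  "XSS/CSS injection: attacker-served stylesheet or preload"))
        elif tag in ACTIVE_REFS:
            attr, impact = ACTIVE_REFS[tag]
            if a.get(attr):
                self.refs.append((tag, a[attr], impact))


def apex(host: str) -> str:
    """Registrable domain, naively the last two labels (ASSUMPTION, no PSL)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def external_refs(html_text: str, page_host: str) -> dict:
    """host -> [(tag, impact)], skipping relative URLs and the page's own host."""
    c = RefCollector()
    c.feed(html_text)
    out = {}
    for tag, url, impact in c.refs:
        host = urlparse(url).hostname  # handles https://, http:// and scheme-relative //
        if host and host.lower() != page_host.lower():
            out.setdefault(host.lower(), []).append((tag, impact))
    return out


def default_resolver(domain: str) -> bool:
    """True if the domain resolves to any address (NXDOMAIN and NODATA both -> False)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_dead_domains(html_text, page_host, resolves=default_resolver) -> list:
    """One finding per external host whose apex no longer resolves."""
    findings = []
    for host, uses in sorted(external_refs(html_text, page_host).items()):
        domain = apex(host)
        if resolves(domain):
            continue
        tags = sorted({t for t, _ in uses})
        findings.append({"host": host, "domain": domain, "tags": tags,
                         "severity": "high" if HIGH_IMPACT & set(tags) else "medium",
                         "impact": sorted({i for _, i in uses})})
    return findings


# Constructed sample page (not a real site); .test is a reserved TLD.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-vendor.test/lib.js"></script>
<link rel="stylesheet" href="//static.example.com/site.css">
<link rel="canonical" href="https://other.test/">
<script src="/js/app.js"></script>
</head><body>
<img src="https://img.example.com/logo.png">
<form action="https://forms.defunct-partner.test/submit"><input name="email"></form>
<iframe src="https://widgets.example.com/chat"></iframe>
</body></html>"""


def fake_resolver(domain: str) -> bool:
    """Offline stand-in for DNS: only example.com is 'registered'."""
    return domain == "example.com"


if __name__ == "__main__":
    for f in find_dead_domains(SAMPLE_HTML, "www.example.com", resolves=fake_resolver):
        print(f["severity"].upper(), f["host"], "->", f["domain"], "|", "; ".join(f["impact"]))
```

Run against a real page with the default resolver and the ranking falls out of the tag: dead script and stylesheet hosts are the takeover-to-XSS candidates, dead form actions leak whatever users type, and dead image hosts are mostly a defacement or tracking problem.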
Vulnerabilities

| CVE | Severity |
| --- | --- |
| CVE-2024-1086 | High |