Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack with wired, wireless and cellular all in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B (0:20)
Massive patchless zero-day flaw in Cisco email gateways being exploited. Latvian arrested trying to install remote access tool in Italy in Hollywood-style attack. Clop's back with a new file sharing and access tool hacking spree. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

Today's first story comes via The Hacker News and involves a known exploited vulnerability affecting Cisco email security infrastructure. Cisco is warning customers about active attacks exploiting a zero-day flaw in Cisco AsyncOS, the operating system used by Cisco Secure Email Gateway and Secure Email and Web Manager appliances. Cisco attributes this activity to a China-nexus advanced persistent threat tracked as UAT-9686. The vulnerability, CVE-2025-2393, carries a CVSS score of 10, the maximum. It allows attackers to execute arbitrary commands with root-level privileges on affected appliances. Cisco has confirmed that attackers are not just gaining access, but also deploying persistence mechanisms allowing them to maintain long-term control of compromised systems. All versions of AsyncOS are affected. Exploitation requires one specific condition: the spam quarantine feature must be enabled and reachable from the Internet. While this feature is not enabled by default, Cisco has already identified a limited number of exposed appliances that were accessible externally. Cisco's investigation shows attackers deploying tunneling tools such as Reverse SSH and Chisel, along with a Python-based backdoor called AquaShell. This backdoor listens for specially crafted HTTP requests and executes attacker commands directly on the system shell, giving threat actors durable, covert access inside email security infrastructure. There is no patch available at this time. Cisco is advising customers to immediately restrict Internet exposure, placing appliances behind firewalls, disabling unnecessary services and monitoring for suspicious activity.
It also recommends separate mail and management interfaces. Cisco also warns that if compromise is confirmed, rebuilding the appliance is currently the only way to fully remove attacker persistence. Importantly, CISA has added CVE-2025-2393 to its Known Exploited Vulnerabilities catalog, with US federal agencies required to apply mitigations by December 24th. I guess that's a Merry Christmas from China this year for a lot of tired government workers.

Our second story today comes via France 24 and it highlights a cyber risk that crosses cleanly from the digital world into the world of physical safety. French authorities are investigating suspected foreign interference after malware capable of remote control was discovered aboard a passenger ferry docked in southern France. The vessel, the Fantastic, is operated by the Italian shipping company GNV and can carry more than 2,000 passengers. According to French prosecutors, the ship's operating system was infected with what appears to be a remote access Trojan, also known as a RAT, malware that allows attackers to take control of systems from afar. Italian authorities had warned France in advance, triggering an emergency inspection once the ship reached port. A Latvian national has been arrested and charged, while a second crew member was released. Investigators are examining whether the attack involved complicity within the crew, as experts say installing this type of malware would likely require physical access, potentially via removable media like a USB device, or by putting something like a Raspberry Pi in proximity or on the network. France's domestic intelligence service, the DGSI, is leading the investigation. Underscoring the seriousness of the case, prosecutors say they are looking into whether an organized group acting in the interest of a foreign power attempted to compromise the ship's systems. Officials have stopped short of naming a country, but France and other European governments have warned of escalating interference campaigns linked to Russia. Maritime cybersecurity experts are clear on the stakes: any attempt to interfere with ship control systems represents a critical risk with potentially severe physical consequences for passengers and crew. The ship was ultimately cleared to sail after inspections confirmed no ongoing danger, and the operator says the intrusion attempt was identified and neutralized without impact. Still, the case has triggered international interest and cooperation, including searches in Latvia with support from Eurojust. The broader takeaway here is hard to miss. Cybersecurity failures in transportation systems aren't just IT incidents. They can become safety issues, national security issues and, increasingly, potentially geopolitical ones. When software controls physical systems, the consequences of compromise extend far beyond the screen.

According to BleepingComputer, the Clop ransomware gang is targeting Internet-exposed Gladinet CentreStack file servers in an ongoing data theft extortion campaign. Gladinet CentreStack is used by organizations to provide secure access to on-premises file servers through web browsers, mobile apps and mapped drives without requiring a VPN. Gladinet says the product is used by thousands of businesses across more than 49 countries. Threat intelligence shared with BleepingComputer indicates that Clop is actively scanning for and compromising CentreStack servers exposed to the Internet. Incident responders report that ransom notes are being left on breached systems, indicating successful intrusions. At this time, the vulnerability being exploited has not been identified. Investigators have not confirmed whether Clop is abusing a previously patched flaw or an unpatched zero-day vulnerability.
Recent scan data suggests there are more than 200 Internet-facing CentreStack servers that may be exposed. Clop has a history of targeting secure file transfer and file sharing platforms in large-scale data theft campaigns. Previous attacks have affected Accellion FTA, GoAnywhere MFT, Cleo and MOVEit Transfer, with the MOVEit campaign impacting more than 2,700 organizations worldwide. More recently, Clop exploited a zero-day vulnerability in Oracle's E-Business Suite, tracked as CVE-2025-61882, to steal data from multiple organizations. Impacted victims reportedly include Harvard University, the Washington Post, GlobalLogic, the University of Pennsylvania, Logitech, and American Airlines subsidiary Envoy Air. In these attacks, Clop typically focuses on data exfiltration rather than file encryption, publishing stolen documents on its dark web leak site to pressure victims into paying. A spokesperson for Gladinet was not immediately available for comment at the time of reporting by BleepingComputer.

Wow, that's a lot heading into the holidays. I've been your host, David Shipley. I'll be back on Monday covering the latest news, as holiday 2025 looks sadly to be just as busy for security teams as past years. We'll do our best to keep you informed of the latest threats and what you can do about them. I'll be joining Jim and our regular panel guests for a special Year in Review episode this weekend. Thanks for listening. If you enjoy the show, please help us spread the word. Like, subscribe, consider leaving a review, and if you do enjoy the show, please tell others. We'd love to grow our audience and we need your help. I've been your host, David Shipley. Jim Love will be back on the news desk in the new year.
