Trend Micro offers weak workaround for already-exploited critical vuln in management console
Infosec In Brief A critical vulnerability in the on-prem version of Trend Micro’s Apex One endpoint security platform is under active exploitation, the company admitted last week, and there’s no patch available.
Trend Micro last week warned Apex One 2019 customers about CVE-2025-54948 and CVE-2025-54987, both with a CVSS score of 9.4 and both present in the platform’s web-based management console.
According to the company, remote attackers with access to the management console can exploit the vulnerabilities to upload malicious code and execute commands on the affected machines. Trend Micro said the two flaws are identical, save for their impact on different CPU architectures – we’re pretty sure that means x86 and Arm.
Unfortunately for customers using Apex One 2019 Management Server versions 14039 and below, the vendor won’t deliver a patch until “around the middle of August.”
Trend Micro has explained a mitigation that will prevent exploitation in the intervening weeks, but warns that it has drawbacks.
“While it will fully protect against known exploits, [the fix tool] will disable the ability for administrators to utilize the Remote Install Agent function to deploy agents from the Trend Micro Apex One Management Console,” the company said. Fortunately, working around that is relatively simple too: Just use a device’s UNC path or an agent package to deploy needed software until the permanent solution is deployed.
Alternatively, you could also just make sure your management console isn’t exposed to the internet for anyone to find, Tenable senior staff researcher Scott Caveza told The Register.
“Management consoles and interfaces should be restricted to authorized and trusted administrators only,” Caveza told us in a statement. “Restricting access to management interfaces on edge devices is a crucial first line of defense and often one of the top recommendations on properly configuring and securing a device.”
Trend Micro agrees: “customers that have their console’s IP address exposed externally should consider mitigating factors such as source restrictions if not already applied,” the company said in its bulletin.
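The “source restrictions” both Trend Micro and Caveza recommend translate, on a Windows server hosting the console, into a scoped firewall rule. The script below is an added example written for this article; it is not Trend Micro’s fix tool and not part of its bulletin. It assumes the console listens on TCP port `$ConsolePort` (4343 is a placeholder; confirm the port of your own install) and that administrators connect from `$AdminSubnet` (also a placeholder). Windows Defender Firewall evaluates Block rules before Allow rules and opens a port if any enabled Allow rule matches, so the script first reports or disables unscoped Allow rules for the console port, sets the profile default to Block, and only then adds the scoped Allow rule.

```powershell
# Added example (not Trend Micro's code): restrict inbound access to the Apex One
# management console to an administrative subnet using Windows Defender Firewall.
# ASSUMPTIONS: $ConsolePort is the console's TCP port (4343 is a placeholder; verify it)
# and $AdminSubnet is where administrators connect from (placeholder). Run elevated.
param(
    [int]    $ConsolePort = 4343,           # placeholder; check your installation
    [string] $AdminSubnet = '10.10.0.0/24'  # placeholder; your admin network
)

$ruleName = 'Apex One console - admin subnet only'

# 1. Find enabled inbound Allow rules that would open the console port to any remote address.
$inboundAllows = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $inboundAllows) {
    if ($rule.DisplayName -eq $ruleName) { continue }
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $anyRemote = ($addr.RemoteAddress -eq 'Any')
    if (-not $anyRemote) { continue }
    if ($port.Protocol -notin @('TCP', 'Any')) { continue }

    if ($port.LocalPort -contains "$ConsolePort") {
        # Exact match on the console port from anywhere: this defeats the scoped rule, disable it.
        Write-Warning "Disabling unscoped allow rule '$($rule.DisplayName)' for TCP/$ConsolePort"
        Disable-NetFirewallRule -Name $rule.Name
    }
    elseif ($port.LocalPort -contains 'Any') {
        # Wildcard-port rules (often per-program rules) also expose the console; review by hand.
        Write-Warning "Review rule '$($rule.DisplayName)': allows all ports from any remote address"
    }
}

# 2. Nothing reaches the host unless a rule explicitly allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. Allow the console only from the admin subnet.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ConsolePort -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null
}

# 4. Verify: every enabled inbound rule that touches the console port, with its remote scope.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ConsolePort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The verification step should end with a single Allow entry scoped to the admin subnet; any remaining entry whose Remote column reads `Any` means the console is still reachable from everywhere. Changing the profile default to Block affects every inbound service on the server, so run this on a test host first, and remember that a host firewall is a complement to, not a replacement for, keeping the console off the internet at the network edge.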
Crypto-mixer founders admit money laundering
Arrested over a year ago on charges of money laundering, the CEO and CTO of crypto mixer Samourai have decided to cop to their crimes, and why not? They’re only facing a maximum of five years apiece despite admitting to laundering more than $200 million in criminal proceeds.
Keonne Rodriguez and William Lonergan Hill pled guilty to one count each of conspiracy to operate a money transmitting business knowing it transmitted the proceeds of crime. The pair agreed to forfeit nearly $238 million in ill-gotten gains, in addition to their jail sentences.
“The maximum potential sentence in this case is prescribed by Congress,” the DoJ said in its statement. “Any sentencing of the defendants will be determined by the judge.”
Mixers like Samourai deliberately obfuscate records of blockchain transactions. While not by themselves illegal and arguably a tool for online privacy, crypto mixers are regularly used by countries like North Korea to move funds stolen by its online operations.
DarkCloud infostealer resurgent
Fortinet and Palo Alto Networks both reported the discovery of a new infostealer malware campaign that, while heavily obfuscated and likely difficult to detect, uses familiar techniques.
This tricky new evolution of the DarkCloud infostealer has “complicated its analysis by adopting ConfuserEx and VB6 payload in its infection chain” per Palo Alto. The malware hides an encrypted DLL in a JPEG image that’s decoded by a PowerShell script, and hides every single string in its code – more than 600 of them, per Fortinet – behind encryption that’s removed dynamically in real time as the malware executes.
Infecting users relies on the same old techniques: fooling a user into opening a phishing email, downloading and decompressing a RAR, TAR or 7Z file, then opening a mysterious JavaScript file.
Is it dangerous? Yes. Can you prevent infections with some good training and some solid email filters? Also yes. Probably.
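The obfuscation is new, but the delivery chain the two vendors describe (an archive from a phishing email, a JavaScript file the user opens, a PowerShell script that decodes the payload) leaves a process-creation pattern that endpoint telemetry can catch regardless of how the strings are encrypted. The function below is an added example for this article, not code from Fortinet, Palo Alto Networks or the malware itself. It runs over Sysmon-style process-creation records, here constructed sample objects rather than real telemetry, and flags two stages: a Windows script host opening a `.js` file from a user-writable temp path, and PowerShell being spawned by that script host. Field names (`Time`, `Pid`, `ParentPid`, `Image`, `CommandLine`) are assumptions chosen to mirror common EDR and Sysmon exports.

```powershell
# Added example (not vendor code): detect the script-host -> PowerShell hand-off of a
# .js-based infection chain in process-creation telemetry. Sample records are CONSTRUCTED.
$events = @(
    [pscustomobject]@{ Time='2025-08-11T09:00:01'; Pid=4100; ParentPid=3900
                       Image='C:\Windows\explorer.exe'; CommandLine='explorer.exe' }
    [pscustomobject]@{ Time='2025-08-11T09:00:05'; Pid=4110; ParentPid=4100
                       Image='C:\Windows\System32\wscript.exe'
                       CommandLine='wscript.exe "C:\Users\alice\AppData\Local\Temp\Invoice_0811.js"' }
    [pscustomobject]@{ Time='2025-08-11T09:00:07'; Pid=4120; ParentPid=4110
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine='powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage.ps1' }
    [pscustomobject]@{ Time='2025-08-11T09:05:00'; Pid=5000; ParentPid=4100
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine='powershell.exe -File C:\ops\backup.ps1' }  # benign: parent is explorer
)

function Find-ScriptHostChains {
    param([Parameter(Mandatory)] [object[]] $Events)

    $scriptHosts = @('wscript.exe', 'cscript.exe')
    $shells      = @('powershell.exe', 'pwsh.exe')

    # Index by PID so each event can look up its parent's image.
    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.Pid] = $e }

    $alerts = foreach ($e in $Events) {
        $image  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = $byPid[$e.ParentPid]
        $parentImage = if ($parent) { [IO.Path]::GetFileName($parent.Image).ToLowerInvariant() } else { '' }

        # Stage 1: script host opening a .js file that lives under a user's temp directory.
        if ($scriptHosts -contains $image -and
            $e.CommandLine -match '\.js["'']?\s*$' -and
            $e.CommandLine -match '\\AppData\\Local\\Temp\\') {
            [pscustomobject]@{ Time=$e.Time; Pid=$e.Pid; Rule='js-opened-from-user-temp'; Detail=$e.CommandLine }
        }
        # Stage 2: PowerShell whose parent is a script host (the stage that decodes the payload).
        if ($shells -contains $image -and $scriptHosts -contains $parentImage) {
            [pscustomobject]@{ Time=$e.Time; Pid=$e.Pid; Rule='powershell-child-of-script-host'
                               Detail="$parentImage (pid $($e.ParentPid)) -> $($e.CommandLine)" }
        }
    }
    return @($alerts)
}

# Expected on the sample data: two alerts (PIDs 4110 and 4120); the backup job (PID 5000) is silent.
Find-ScriptHostChains -Events $events | Format-Table -AutoSize
```

Both rules are deliberately independent of the malware’s string encryption: they key on process lineage and file location, which the loader cannot hide without changing how it is delivered. The first rule will fire on some legitimate automation that drops scripts into temp folders, so treat it as a triage signal and the second, a script host launching PowerShell, as the one worth paging on.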
Zut! Another French telecom gets hacked
It’s not a good time to be a privacy-conscious French citizen with a smartphone, as Bouygues Telecom announced a data breach last week, only days after carrier Orange disclosed a security incident.
While Orange escaped relatively unscathed – the company claims no customer data was stolen – Bouygues admitted that 6.4 million customers had their data stolen.
According to a FAQ page Bouygues set up for victims, stolen data includes contact information, contract data, and bank account information. Bank cards and login data remain safe, the company said.
Meta moves to save WhatsApp users from themselves
If you have an account on any encrypted anonymous chat platform, you likely know how the scammers operate: They drop you right into group messages promising big investment gains, or ping you with DMs offering lucrative work-from-home jobs and other shiny objects.
They’re all scams, they happen constantly, and people just keep falling for them, said Meta, which is adding some new tools to help users.
Meta will now caution users when they receive messages from someone who is not on their own contact list, or their friends’ contact lists. Group chats now feature a screen warning users to watch for scams and question whether they trust the person who added them to a group, along with a button to exit the group without ever seeing the chat message. For individual messages the tactic is similar, with warnings to “pause before responding” and think about whether the request seems legitimate.
Neither tactic, we note, will actually stop someone from clicking through and getting scammed if they’re determined to be an idiot. ®