CyberWise

Cybersecurity Bulletin - February 2025

Check out what happened in the field of cybersecurity in February.

Brute-Force Attacks Target VPN Devices: 2.8 Million IP Addresses Used, Raising Security Concerns

Recent reports from security researchers describe a large-scale brute-force campaign against VPN gateways and other internet-facing edge devices. The campaign uses roughly 2.8 million different source IP addresses to try username and password combinations against the devices' login interfaces. Spreading the attempts across that many sources keeps the rate from any single address low, so per-IP rate limits and blocklists see little; the attackers are betting on accounts with weak or reused passwords and on devices that do not require a second factor.

A VPN gateway sits at the network edge, and a successful login hands the attacker the same tunnel into the internal network that a legitimate user gets. A guessed password can therefore mean service interruptions, a data breach, or a foothold for further movement inside the corporate network. The consumer meaning of "VPN" as a tool for concealing one's identity is not what is at stake here: the targets are the enterprise remote-access devices themselves.

Read the full article.

Cyberwise Insight: Cybersecurity has become more crucial than ever for VPN service providers and users. These large-scale brute-force attacks, carried out with 2.8 million IP addresses, demonstrate the increasing complexity of cyber threats and the growing challenge of ensuring digital security.

VPN devices do provide an encrypted tunnel, but encryption is not what these attacks break. They go after the authentication layer, trying credentials until one works, and a valid password opens a correctly encrypted tunnel just as readily for an attacker as for its owner.

Cybersecurity experts warn that such attacks are likely to intensify, urging users to elevate their digital security to the highest level. This incident once again highlights the importance of enhancing the security of all digital infrastructures and protecting every individual's personal information.

Warnings and Protection Methods from Cybersecurity Experts

Use Strong and Unique Passwords: Passwords should be long and not guessable from a dictionary or a list of commonly tried passwords, and each service should get its own. A password manager makes the second requirement practical. Reuse is what lets a password stolen elsewhere open a VPN account.

Two-Factor Authentication (2FA): 2FA requires not only a password but a second proof of identity (an authenticator app, a hardware key, or, as a weaker fallback, an SMS or email code). With 2FA enforced on the VPN, a guessed password alone does not grant access, which is exactly what defeats a brute-force campaign.

Keep VPN Software Updated: VPN firmware and software should be patched promptly, since a known vulnerability in the login interface gives attackers an easier path than guessing passwords. Edge devices are a favourite target for exactly this reason.

Rate Limiting and IP Restrictions: Rate-limit failed logins per source address and per account, slow or lock accounts after repeated failures, and, where the user base allows it, restrict VPN logins to known source ranges or countries. Blocking individual attacking addresses helps little when the campaign spans millions of them, so per-account controls matter more than per-IP ones.

Attack Detection and Monitoring: Log every authentication attempt with account, source address and result, and alert on patterns rather than on single sources: many failures against one account from many addresses, or a successful login for an account that was just under attack. Detecting an attack early lets it be stopped before a guessed password is used.

Use Secure Protocols: Modern VPN protocols (for example OpenVPN or WireGuard) protect data in transit with strong encryption. Note that this does not stop credential guessing: a correctly encrypted tunnel still opens for anyone who knows a valid password, so encryption is necessary but not sufficient.
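The detection point above is the one worth a concrete look: a campaign spread over millions of sources never trips a per-IP threshold, so the alert has to be keyed on the account. The following Python is an added example written for this bulletin, not code from the reports it summarises. The syslog-like line format, the field names and the thresholds are assumptions; the sample lines are constructed.

```python
"""Spot distributed brute-force / password-spray activity in VPN auth logs.

Added example for this bulletin, not code from the reports it summarises.
The log line format, field names and thresholds are assumptions; adapt the
regular expression to your gateway's syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample: one account (alice) probed once each from six addresses,
# then a login from a seventh; bob mistypes once; carol fails once.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z vpn-gw auth: FAILED user=alice src=203.0.113.10
2025-02-10T08:00:40Z vpn-gw auth: FAILED user=alice src=198.51.100.7
2025-02-10T08:01:15Z vpn-gw auth: FAILED user=bob src=192.0.2.44
2025-02-10T08:01:22Z vpn-gw auth: FAILED user=alice src=203.0.113.88
2025-02-10T08:01:30Z vpn-gw auth: OK user=bob src=192.0.2.44
2025-02-10T08:02:05Z vpn-gw auth: FAILED user=alice src=198.51.100.200
2025-02-10T08:02:50Z vpn-gw auth: FAILED user=carol src=192.0.2.9
2025-02-10T08:03:10Z vpn-gw auth: FAILED user=alice src=203.0.113.5
2025-02-10T08:03:59Z vpn-gw auth: FAILED user=alice src=198.51.100.33
2025-02-10T08:04:30Z vpn-gw auth: OK user=alice src=203.0.113.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    result: str
    user: str
    src: str


def parse_events(text: str) -> list:
    """Parse log lines into time-ordered events; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def max_failures_per_source(events) -> int:
    """What a per-IP threshold would see: failures from the busiest single source."""
    counts = defaultdict(int)
    for e in events:
        if e.result == "FAILED":
            counts[e.src] += 1
    return max(counts.values(), default=0)


def spray_targets(events, window=timedelta(minutes=10), min_fails=5, min_sources=3):
    """Accounts with >= min_fails failures from >= min_sources distinct addresses
    inside any sliding window. Returns {user: (failures, distinct sources)}."""
    by_user = defaultdict(list)
    for e in events:
        if e.result == "FAILED":
            by_user[e.user].append(e)
    flagged = {}
    for user, fails in by_user.items():   # fails is already time-ordered
        lo = 0
        for hi, e in enumerate(fails):
            while e.ts - fails[lo].ts > window:
                lo += 1
            win = fails[lo:hi + 1]
            sources = {x.src for x in win}
            if len(win) >= min_fails and len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, (0, 0)), (len(win), len(sources)))
    return flagged


def suspicious_successes(events, **thresholds):
    """Successful logins to a targeted account from an address with no earlier
    successful login: treat these as probable compromise, not as noise."""
    targets = spray_targets(events, **thresholds)
    seen_ok = defaultdict(set)
    hits = []
    for e in events:
        if e.result == "OK":
            if e.user in targets and e.src not in seen_ok[e.user]:
                hits.append((e.user, e.src))
            seen_ok[e.user].add(e.src)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("busiest single source:", max_failures_per_source(evs), "failure(s)")
    print("accounts under distributed attack:", spray_targets(evs))
    print("logins to investigate:", suspicious_successes(evs))
```

On the sample, no source exceeds one failure, so a per-IP rule stays silent, while the per-account window flags alice with six failures from six addresses and then marks her later login from a seventh address as the one to investigate. The window, counts and the "new source" rule are starting points to tune against your own gateway's baseline.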

Caution: PayPal's "New Address" Feature Exploited in Phishing Attacks – Users Must Be Vigilant

PayPal, a digital payment platform with millions of users worldwide, has recently seen its "New Address" feature turned against its users. Malicious actors are sending messages that instruct the recipient to click a link to confirm a newly added address or verify their account. Such emails are made to look as if they come "from PayPal", but the sender addresses or the destinations of the links do not belong to PayPal, and the aim is to collect the user's login and personal data.

The links lead to pages that imitate PayPal's login; whatever the user types there is transmitted to the attackers. Such attacks put both personal and financial data at risk.

Read the full article.

Cyberwise Insight: Phishing attacks typically begin with fake emails that appear to originate from a trustworthy source. These messages aim to mislead users, stealing their personal or financial data to gain unauthorized access to their accounts.

Since PayPal's "New Address" feature is used by legitimate users to add a new address or update existing ones, scammers exploit this feature to send fake verification requests.

PayPal continuously develops new security measures to ensure its users' safety, but the greatest responsibility lies with user vigilance. By enhancing your digital security precautions, you can build a stronger defense against phishing attacks.

Warnings and Protection Methods from Cybersecurity Experts

Examine Emails Carefully: Check the sender's actual address and domain, not only the display name. PayPal and similar platforms do not ask for passwords, card numbers or verification codes by email.

Check Links: Hover over (or long-press) a link to see where it really leads, and judge it by the domain, not by the padlock. Nearly all phishing sites now use "https://" and show the padlock too; the icon proves only that the connection is encrypted, not who is on the other end. "paypal.com.something.example" is not PayPal; only "paypal.com" itself, or a subdomain of it, is.

Go Directly to the Website: Instead of clicking links in emails, type the official PayPal address into your browser or use the official app, and check the account's notifications there.

Use Two-Factor Authentication (2FA): Enable 2FA to add an extra layer of security to your account.

Use and Update Antivirus Software: Keep antivirus software updated on your computer and mobile devices to protect against malicious software.

Report Suspicious Activity: If you receive a suspicious email or message, report it immediately to the relevant platform.

Regularly Check Account Activity: Regularly review your account's transaction history and report any suspicious transactions.
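The "check the domain, not the padlock" advice is easy to state and easy to get wrong, because the tricks used in these emails are designed to survive a casual glance. The following Python is an added example written for this bulletin, not code from PayPal or from the article it summarises: it pulls every link out of a message and judges each one by the host it actually resolves to. The sample email, the allowed-domain list and the verdict format are constructed assumptions.

```python
"""Classify links in a suspected phishing email by the host they really lead to.

Added example for this bulletin, not code from PayPal or from the article it
summarises. The sample email, the allowed-domain list and the verdict format
are assumptions for illustration.
"""
from html.parser import HTMLParser
from typing import NamedTuple
from urllib.parse import urlsplit

# Domains a genuine link may point at: the brand's own domain and its
# subdomains only. Assumed for the example.
ALLOWED_DOMAINS = {"paypal.com"}

# Constructed sample. Every link uses https, so every one would show a
# padlock; only the first actually leads to the brand's domain.
SAMPLE_EMAIL = """
<p>A new address was added to your account. Confirm it below.</p>
<a href="https://www.paypal.com/myaccount/settings">Manage addresses</a>
<a href="https://www.paypal.com.verify-address.example/login">https://www.paypal.com</a>
<a href="https://www.paypal.com@198.51.100.23/login">Confirm now</a>
<a href="https://paypa1.com/signin">Sign in to PayPal</a>
"""


class Verdict(NamedTuple):
    href: str
    host: str
    safe: bool
    reasons: tuple


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_allowed(host, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for an allowed domain itself or a subdomain of it. The check is
    anchored at the end, so 'paypal.com.evil.example' does not pass."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_link(href: str, text: str) -> Verdict:
    parts = urlsplit(href)
    host = parts.hostname or ""   # hostname ignores userinfo, port and path
    reasons = []
    if not host_allowed(host):
        reasons.append(f"destination host {host!r} is not under an allowed domain")
    if parts.username is not None:
        reasons.append("brand name placed before '@' so the real host is hidden")
    if any(d in text.lower() for d in ALLOWED_DOMAINS) and not host_allowed(host):
        reasons.append("visible text names the brand's domain but the link goes elsewhere")
    return Verdict(href, host, not reasons, tuple(reasons))


def audit_email(html: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    return [classify_link(h, t) for h, t in parser.links]


if __name__ == "__main__":
    for v in audit_email(SAMPLE_EMAIL):
        print("OK " if v.safe else "BAD", v.href, "->", v.host, *v.reasons)
```

The third sample link is the one that fools people: the address bar and the email both show "www.paypal.com" at the start, but everything before the "@" is userinfo, and the browser connects to what follows it. `urlsplit().hostname` makes that visible. A production filter would add a public-suffix-aware registrable-domain check and a lookalike (homoglyph) comparison against the brand's domain; the suffix test here is the minimum that catches the brand-in-subdomain and userinfo tricks.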

Australia's Kaspersky Decision: Is It Time for Indigenous Cybersecurity Solutions?

The Australian government has banned the software and services of Russia-based cybersecurity company Kaspersky Lab from its government systems. This decision was made to ensure the security of software used in government institutions, but it also ignited a deeper cybersecurity debate.

Stephanie Foster, Secretary of the Department of Home Affairs, stated that this step was taken due to concerns that Kaspersky products could pose a potential threat to government networks. Foster indicated that Russia's history of cyberattacks and the geopolitical situation intensified security concerns regarding Kaspersky products. In this context, it was highlighted that Kaspersky products carry the potential for risks such as cyber espionage or sabotage.

Under the new regulation, all Australian government agencies will be required to remove Kaspersky software from their systems by April 1, 2025. Furthermore, the installation of Kaspersky products will be prohibited in the future. However, it was noted that some exemptions may apply for special circumstances and national security concerns. These exceptions will be limited and implemented with specific security measures.

Kaspersky Lab opposed the Australian government's decision, arguing that the measures taken were not based on a technical assessment but were a political move. The company stated that it has established transparency centers and is subject to independent audits to prove the reliability of its software. It also emphasized that various security measures have been taken to protect user data from access by foreign governments.

Read the full article.

Cyberwise Insight: This ban is not limited to Australia; countries like the U.S., Canada, and the UK have previously imposed similar restrictions on Kaspersky products due to security concerns, indicating that such decisions are becoming a global trend.

Australia's Kaspersky ban should not be viewed solely as a security measure. Many countries, including Türkiye, are taking significant steps to develop their own cybersecurity software. Such software plays a critical role in ensuring both national security and increasing digital independence. Indigenous products are an important tool for ensuring the security of data and systems, independent of international geopolitical tensions.

In the future, countries may increasingly pursue the development of domestic and national technologies to reduce their reliance on foreign digital infrastructures. In this context, the role of indigenous cybersecurity products will grow increasingly important and become a critical element in ensuring national security.

Basic Auth Weakness in Microsoft 365: Botnet Password Spraying Attacks on the Rise

A botnet of more than 130,000 compromised devices worldwide has been observed conducting password spraying attacks against Microsoft 365 (M365) accounts. The attempts go through Basic Authentication (Basic Auth), the legacy sign-in method in which the client sends a username and password with each request. A Basic Auth request carries nothing else, so the service cannot ask for a second factor, which is precisely why attackers aim at it. Microsoft announced the deprecation of Basic Auth in 2019 and has urged customers to move to modern authentication, but the protocol remains enabled in some tenants and for some legacy clients, so it continues to offer a path that sidesteps MFA.

Microsoft 365 accounts serve millions of corporate users worldwide. Therefore, the accounts targeted by attackers may include not only individual users but also organizations with large corporate infrastructures. The attacks not only lead to account compromises but also enable access to sensitive data, data leaks, and potential misuse.

Microsoft plans to remove the remaining Basic Auth support in September 2025 and expects all customers to have moved to modern authentication by then. The change pushes clients off legacy, password-only protocols and onto token-based sign-in that can enforce multi-factor authentication.

Read the full article.

Cyberwise Insight: Basic Authentication dates from the early web and survives in older clients and protocols (IMAP, POP3, SMTP AUTH, ActiveSync and similar). The client sends the username and password with every request, base64-encoded, which is an encoding rather than encryption: without TLS anyone who sees the request reads the password directly. Even with TLS the deeper problem remains that the request contains nothing but the password, so there is no way to demand a second factor or evaluate the sign-in before granting access. Whoever guesses the password is in, which is why password spraying concentrates on these endpoints.

Such large-scale attacks once again highlight the fragility of outdated security systems. The transition to modern and secure authentication methods should not be limited solely to discontinuing Basic Auth. All organizations must continuously review their cybersecurity strategies and strengthen their defenses against new threats. Microsoft's decision to disable Basic Auth is, in fact, not just a software update but also a symbol of a fundamental change in digital security culture. This transition is a critical step towards reducing vulnerabilities and building a more robust defense against online threats.

Additionally, here are a few important protection methods for organizations:

Disable Basic Authentication: Organizations should disable Basic Auth as soon as possible and move clients to Modern Authentication (OAuth 2.0 token-based sign-in). This removes the password-only path that the spraying depends on, regardless of how many source addresses the botnet brings.

Implement Multi-Factor Authentication (MFA): MFA adds a proof beyond the password during sign-in. Enabling MFA for every Microsoft 365 account, with no exceptions for "service" mailboxes, significantly raises the cost of a guessed password. Note that MFA only takes effect on modern-authentication sign-ins, which is why the previous step comes first.

Strengthen Password Policies: Require long passwords, screen new passwords against lists of breached and commonly sprayed passwords, and encourage a unique password per account. Forced periodic rotation is no longer recommended by NIST SP 800-63B, since it tends to produce predictable variations rather than stronger passwords; rotate on evidence of compromise instead.

System Updates and Patch Application: Apply Microsoft's security updates promptly, and update or replace mail clients, scanners and other devices that can only speak Basic Auth, since those are what keep the legacy path open.

IP-Based Blocking and Conditional Access: Blocking individual addresses does little against a botnet of 130,000 sources. Conditional Access policies that block legacy authentication outright, restrict sign-in to trusted locations or compliant devices, and require MFA on risky sign-ins remove the path the spraying relies on. Suspicious or unusual access attempts should still be reported and blocked.

Account Monitoring and Incident Response: Review sign-in logs for bad-password failures spread across many accounts over legacy protocols, and for any successful legacy sign-in, which by definition did not pass MFA. When an account shows that pattern, reset its credentials, revoke its sessions and investigate what the session did before assuming the incident is contained.
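Two of the steps above are log questions an administrator can answer today: which accounts are still signing in over Basic Auth, and whether the spray has already succeeded against one of them. The following Python is an added example written for this bulletin, not Microsoft code. The records are a constructed stand-in for Entra ID sign-in log entries; the field names (userPrincipalName, clientAppUsed, ipAddress, status.errorCode) follow that log's schema, but the values, the list of legacy client apps and the thresholds are assumptions to check against your tenant.

```python
"""Find Basic Auth (legacy protocol) sign-ins and spray activity in M365 sign-in logs.

Added example for this bulletin, not Microsoft code. The records are a
constructed stand-in for Entra ID sign-in log entries; field names follow that
schema, values and thresholds are assumptions.
"""
from collections import defaultdict

# clientAppUsed values that mean a legacy protocol carried the credentials.
# Such sign-ins present username+password only; no MFA prompt is possible.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Other clients", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Exchange Web Services", "Autodiscover", "Offline Address Book",
}
INVALID_CREDENTIALS = 50126   # Entra error code: invalid username or password

SAMPLE_SIGNINS = [  # constructed sample records
    {"createdDateTime": "2025-02-24T03:10:11Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-02-24T03:10:15Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-02-24T03:10:20Z", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-02-24T03:11:02Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.200", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-02-24T03:12:40Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.201", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-24T07:02:00Z", "userPrincipalName": "dave@example.com",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.15", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-24T07:30:00Z", "userPrincipalName": "scanner@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "192.0.2.30", "status": {"errorCode": 0}},
]


def is_legacy(rec) -> bool:
    return rec["clientAppUsed"] in LEGACY_CLIENT_APPS


def failed_password(rec) -> bool:
    return rec["status"]["errorCode"] == INVALID_CREDENTIALS


def succeeded(rec) -> bool:
    return rec["status"]["errorCode"] == 0


def legacy_signin_inventory(records) -> dict:
    """Accounts that successfully signed in over each legacy protocol.
    These sessions never saw MFA; each one is a migration task."""
    inv = defaultdict(set)
    for r in records:
        if is_legacy(r) and succeeded(r):
            inv[r["clientAppUsed"]].add(r["userPrincipalName"])
    return dict(inv)


def spray_by_protocol(records, min_accounts=2) -> dict:
    """Legacy protocols hit by bad-password failures across >= min_accounts
    distinct accounts: the spray signature, independent of source address."""
    accounts = defaultdict(set)
    for r in records:
        if is_legacy(r) and failed_password(r):
            accounts[r["clientAppUsed"]].add(r["userPrincipalName"])
    return {app: len(u) for app, u in accounts.items() if len(u) >= min_accounts}


def compromise_candidates(records) -> list:
    """Accounts with a bad-password legacy attempt followed by a successful
    legacy sign-in: the password was guessed and nothing could ask for MFA."""
    failed = set()
    hits = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if not is_legacy(r):
            continue
        upn = r["userPrincipalName"]
        if failed_password(r):
            failed.add(upn)
        elif succeeded(r) and upn in failed and upn not in hits:
            hits.append(upn)
    return hits


if __name__ == "__main__":
    print("still on legacy auth:", legacy_signin_inventory(SAMPLE_SIGNINS))
    print("sprayed protocols:", spray_by_protocol(SAMPLE_SIGNINS))
    print("reset and investigate:", compromise_candidates(SAMPLE_SIGNINS))
```

On the sample the inventory shows two accounts still on legacy protocols (one of them a scanner mailbox, the usual reason Basic Auth stays enabled), IMAP4 carries failures across two accounts, and alice's later IMAP4 success is the one to reset and investigate. The same three queries translate directly into KQL against the SigninLogs table if the logs are in Log Analytics.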

Darcula PhaaS Introduces New Dimension to Phishing Attacks: Automated Brand-Specific Kits

In the cybersecurity world, more sophisticated and dangerous attack methods emerge every day. In this context, the Darcula Phishing-as-a-Service (PhaaS) platform has introduced a new feature that will greatly facilitate cybercriminals.

This new feature offered by Darcula significantly simplifies the work of cyber attackers. The platform allows attackers to select their target brand, and then instantly generates phishing pages tailored to that brand. This automated generation process involves the exact replication of HTML, CSS, JavaScript, and brand-specific images. As a result, the phishing page closely resembles the original site, providing a significant advantage to attackers aiming to steal credentials without users' notice.

Darcula not only facilitates the creation of phishing pages but also provides the necessary infrastructure for hosting and distributing these pages. This allows cyber attackers to publish their phishing kits online with just a few clicks and reach potential victims.

Darcula's hosting and distribution features enable phishing attacks to be carried out much faster and on a wider scale. The platform automatically distributes these pages globally, reaching many more individuals. This makes it extremely challenging for security experts to combat such threats.

Read the full article.

Cyberwise Insight: Darcula's automated phishing kits elevate cybersecurity threats to a new level. Now, with the ability to create customized replica pages for any brand, the speed and variety of phishing attacks are set to increase.

However, it is possible to build resilience against these attacks with the right measures. Experts state that phishing-resistant multi-factor authentication is the first line of defense. They stress that one-time passwords and SMS codes no longer suffice, because a replica page can collect a code and relay it to the real site just as it collects a password, and that these methods should be replaced by phishing-resistant alternatives such as FIDO2/WebAuthn security keys and passkeys.

Passwordless, device-bound credentials go further still. The private key never leaves the user's device, and the browser binds each signature to the website origin it was made for, so a signature produced on a lookalike domain is useless against the real site and a replica page has nothing reusable to steal.

Device security is the other factor. Regularly verifying that each user device is patched and healthy reduces the odds that a phishing attempt succeeds, and real-time device posture checks should block unmanaged or non-compliant devices from reaching corporate resources. A device already running malware can undermine even a strong login, so posture checks and phishing-resistant authentication belong together.

There is no single fix. Advanced technical controls and trained users together are what protect an organization; defenses must be kept current against tools like Darcula, and users must know that a perfect-looking login page is not evidence of a genuine one.
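Why a device-bound credential survives a pixel-perfect replica page is worth seeing in code rather than taking on faith. The following Python is an added example written for this bulletin; it is a simplified model of a WebAuthn sign-in, not code from any authenticator, browser or phishing kit. To keep it dependency-free, a per-site HMAC key stands in for the authenticator's per-credential private key (and the site's copy of that key for the registered public key); the checks it shows, relying-party ID scoping in the browser, the origin written into clientDataJSON by the browser, and the rpIdHash inside the signed data, are the real ones. The host names and challenge value are assumptions.

```python
"""Origin binding in a (simplified) WebAuthn sign-in: what a replica page cannot do.

Added example for this bulletin, not code from any authenticator, browser or
kit. A per-site HMAC key stands in for the per-credential ECDSA key so the
example runs with the standard library only. Host names are assumptions.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit


class Authenticator:
    """Device-bound credentials, one key per relying-party ID (rp_id)."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key   # stands in for the public key handed to the site

    def get_assertion(self, rp_id: str, origin: str, challenge: str):
        """Sign rpIdHash || sha256(clientDataJSON). The origin field is written by
        the browser, not by the page, so the signature is tied to where it was made."""
        if rp_id not in self._keys:
            raise LookupError("no credential for this rp_id on this device")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._keys[rp_id], to_sign, hashlib.sha256).digest()
        return client_data, auth_data, sig


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The browser only lets a page use an rp_id that the page's own host is under
    (real browsers additionally consult the public suffix list)."""
    host = urlsplit(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use rp_id {rp_id!r}")
    return auth.get_assertion(rp_id, page_origin, challenge)


def verify_assertion(rp_id, expected_origin, expected_challenge, key,
                     client_data, auth_data, sig) -> bool:
    """Relying-party side: every check must pass before the signature counts."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False                                   # replay or wrong ceremony
    if cd.get("origin") != expected_origin:
        return False                                   # made on another site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                                   # credential scoped elsewhere
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_scenarios(rp_id="example.com", real_origin="https://login.example.com",
                  fake_origin="https://login.example.com.verify.example") -> dict:
    """Which defence stops each attempt; all three values should be True."""
    auth = Authenticator()
    key = auth.register(rp_id)          # user enrolled a passkey with the real site
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # per-login nonce from the real site
    out = {}
    # 1. legitimate sign-in on the real origin
    out["legit_accepted"] = verify_assertion(
        rp_id, real_origin, challenge, key,
        *browser_get_assertion(auth, real_origin, rp_id, challenge))
    # 2. replica page asks for the real site's credential: the browser refuses
    try:
        browser_get_assertion(auth, fake_origin, rp_id, challenge)
        out["browser_refused_lookalike"] = False
    except PermissionError:
        out["browser_refused_lookalike"] = True
    # 3. even if an assertion were produced on the replica page and relayed,
    #    the origin recorded in clientDataJSON does not match and the site rejects it
    relayed = auth.get_assertion(rp_id, fake_origin, challenge)
    out["site_rejected_relayed"] = not verify_assertion(
        rp_id, real_origin, challenge, key, *relayed)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with a one-time code: the code is a bare string with no notion of where it was typed, so the replica page forwards it and the real site accepts it. Here the replica page cannot even ask for the credential (scenario 2), and an assertion that somehow reaches the real site from the wrong origin fails verification (scenario 3), with nothing the attacker can edit, because the origin is inside the signed data.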
