Riding the wave of notoriety from the Chinese company's R1 AT chatbot, attackers are spinning up lookalike sites for different malicious use cases.

Source: mundissima via Shutterstock

More than two weeks after China's DeepSeek garnered worldwide attention with its low-cost AI model, threat actors have been busy capitalizing on the news by setting up phishing sites impersonating the company.

The fraudulent sites aim to deceive users into downloading malicious software or providing credentials and other sensitive information. Researchers at Israel-based Memcyco spotted at least 16 such sites actively impersonating DeepSeek earlier this week and believe the activity represents a coordinated attack campaign among threat actors.

**Coordinated Campaign?**

"Memcyco observed clusters of fake domains registered in waves, often adjusting their content and branding dynamically and in real time, based on how DeepSeek's website was being perceived and positioned in the market," says Israel Mazin, CEO and co-founder of Memcyco. "Some sites even changed their attack methods based on these trends to cater to what would be most effective." In some cases, the threat actors displayed remarkable agility by shifting their infrastructure to new locations and configurations to dodge takedown attempts, he says.

Dozens of phishing sites have popped up since DeepSeek released its free R1 AI chatbot on Jan. 20. Although many of these sites have been taken down, slow response times from some hosting providers, domain registrars, and other intermediaries continue to give phishing operators a window of opportunity to target users interested in exploring DeepSeek with fake websites.

Users that engage with these sites risk identity theft, financial fraud, and malware infection, Mazin says. Some sites even intercept login credentials in real-time, enabling account takeovers. Others distribute malware that allows remote access to users' devices, putting personal and corporate data at risk. "These attacks are especially dangerous when new, exciting, and hyped-up tools are launched, such as DeepSeek, and users are not yet familiar with the website or platform," he adds.

Others have reported on the threat as well. In a blog post last week, Cyble, for instance, said its researchers had spotted DeepSeek lookalike domains designed to trick users into believing they had landed on the real site. Some of the sites had links to cryptocurrency scams and others to fraudulent investment scams like one touting a nonexistent DeepSeek pre-IPO sale. The DeepSeek-linked cryptocurrency scam site attempted to lure site visitors into scanning a QR code that essentially opened the way for the threat actor to empty their crypto wallets. Another site that Cyble inspected attempted to lure unsuspecting users into purchasing a fake DeepSeekAI Agent crypto token. 

"As DeepSeek continues to gain global recognition, cybercriminals are capitalizing on its popularity to launch phishing campaigns, fake investment scams, and fraudulent cryptocurrency schemes," Cyble noted.

**Phishing Isn't the Only Threat**

Fraudulent websites are not the only concern. Innovative threat actors have found other ways to take advantage of the huge interest around DeepSeek. Researchers from Positive Technologies recently spotted two malicious packages labeled "deepseekai" and "deepseeek" on the popular PyPI Python package repository. The packages were targeted at developers and organizations seeking to integrate DeepSeek into their systems and gave its authors a way to steal information from environments where they had been downloaded.

Many of the phishing sites that Memcyco observed appeared to fit the pattern of phishing-as-a-service (PhaaS) operators that sell impersonation "phish kits" to fraudsters, Mazin notes. "This could include organized cybercriminal groups, state-backed hackers, or even immature phishers, all with financial or espionage motives."

The surge in malicious activity surrounding DeekSeek is typical for major news events. It is a reminder of the need for users to be cautious when approaching new, popular hyped-up services. That means extra vigilance for strange URLs with misspelled words or unprofessional website designs, Mazin advises. "Domain registrars and social media platforms must be proactive in monitoring when new domains and profiles are being registered or created," he says. "Businesses and organizations should improve scam detection \[and\] takedowns and deploy real-time digital impersonation protection capabilities to safeguard their users."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DeepSeek Phishing Sites Pursue User Data, Crypto Wallets

CISA and the FDA are warning that Contec CMS8000 and Epsimed MN-120 patient monitors are open to meddling and data theft; Claroty Team82 flagged the vulnerability as an avoidable insecure design issue.

Source: BMumin Mutlu via Alamy Stock Photo

Last week, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the US Food and Drug Administration (FDA), raised an alert for Contec CMS8000 and Epsimed MN-120 healthcare monitors, warning they potentially put patients at risk once connected to the Internet, due to a malicious, hidden backdoor embedded into the devices. But security researchers say the issue isn't actually intentional malware but, rather, just insecure design.

The devices continuously monitor patient vital signs, such as heart rate, blood oxygen saturation, temperature, respiration rate, and more. CISA and the FDA reported findings for three cybersecurity risks in the gear thanks to the "backdoor": an unauthorized user could remotely control a monitor and cause it to function in an unintended manner; attackers could compromise the device and pivot to a network; and an attacker could exfiltrate the data that the monitor collects. 

From a patient health perspective, if an attacker were able to manipulate the information the monitor gives patients, that could prevent them from realizing that there's something wrong. Though they reported no known cybersecurity incidents, deaths, or injuries related to the findings, the FDA still provided recommendations for patients and caregivers: talking to healthcare providers about evaluating their patient monitoring device and following certain steps if it does rely on an Internet connection.

Related:The Cyber Savanna: A Rigged Race You Can't Win, but Must Run Anyway

The FDA also tasked healthcare providers with checking their patients' Contec CMS8000 or Epsimed MN-120 patient monitors to determine if they have been functioning unusually.

**Patient Monitor Cyber Bug: Not Malicious, Just Problematic**

After learning of the alerts, Claroty's Team82 investigated the firmware and reached a different conclusion from CISA and the FDA: It is likely not a hidden backdoor that makes these devices a liability to patients and their medical information, but rather an insecure design that creates a vulnerability open for exploit by threat actors.

The researchers pointed out that the vendors, and any resellers interested in relabeling and selling the monitor publicly, list the IP address on the instruction manuals.

"The CONTEC operator manual specifically mentions this 'hard-coded' IP address as the central management system (CMS) IP address that organizations should use, so it is not hidden functionally as stated by CISA," wrote the Team82 researchers. "This nuance is important because it demonstrates a lack of malicious intent and therefore changes the prioritization of remediation activities."

Related:How Are Modern Fraud Groups Using GenAI and Deepfakes?

The vulnerability still poses real-world consequences, but Noam Moshe, a Team82 researcher, notes that a threat actor would first require knowledge of the device's architecture and protocols. 

"To gain code execution, first the device needs to be put on a system-upgrade process," says Moshe. "From our research, this requires physical access to the device."

After that though, the hardcoded nature of the IP address opens the door to easier exploitation.

"To exploit this vulnerability, an attacker would need to serve devices with malicious binaries on the hardcoded public IP address, giving them code execution on the device," Moshe says. "In the case of the device trying to send personally identifiable information (PII) or personal health information (PHI) to the hardcoded IP address, using the HL7 protocol, this could occur if a certain feature of the device would be enabled."

**Healthcare Devices: Monitoring the Threat**

Perhaps exploitation of this particular vulnerability doesn't seem all that likely, but medical devices have been a point of cyber contention for years.

All the way back in 2011 for instance, Jay Radcliffe took to the Black Hat USA stage to show the audience how insulin pumps like the one he wore could be hacked, in a presentation entitled "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System."

Related:Backline Tackles Enterprise Security Backlogs With AI

And as healthcare institutions are ravaged by ransomware attacks compromising their resources and putting patient lives at risk, many medical devices still haven't caught up when it comes to bolstering cybersecurity guardrails. Specifically, many of them are aging and running legacy software that hasn't been updated in years, offering plenty of holes for attackers.

However, agencies like the FDA are pushing companies to make strides, such as in 2023 when it began to reject medical devices that don't comply with recent cybersecurity regulation.

But there is still a long way to go: In 2024, researchers cited healthcare and the Internet of Medical Things (IoMT) as the riskiest device sector, even it did have the biggest decline overall in the number of risky devices deployed.

As for the patient monitor, Team82 researchers recommend that healthcare organizations take steps to protect patients, such blocking all access to the subnet from their internal network, and blocking devices attempting to upgrade firmware from a WAN server or potentially send PII.

"Hospitals should implement vulnerability detection and patching processes," Moshe says, "alongside network segmentation, driven by high-quality passive visibility that will ensure the most secure network layout."

Agencies Sound Alarm on Patient Monitors With Hardcoded Backdoor

When it comes to protecting your company from cyberattacks, you don't have to be the fastest gazelle — you just can't afford to be the slowest.

Source: Daniel Lamborn via Alamy Stock Photo

COMMENTARY

Cybersecurity is a relentless, brutal, and unwinnable race. It's a savanna where organizations are gazelles and threat actors are cheetahs. There's no prize for coming first, no trophies for the fastest. It's actually simple: Run or be eaten. Harsh? Yes. But ignoring this reality won't save you. It'll make you the slowest gazelle.

**You're Not Losing to Hackers — You're Losing to Complacency**

Blaming hackers for breaches is a sign of avoidance. Yes, they're relentless and innovate faster than most companies defend, but they're not the reason your systems are wide open. That's on you!

Your real enemy is complacency. It's the decision to rely on the legacy tools you have because upgrading feels "too disruptive." It's adopting buzzwords like "shift-left security" without empowering developers to act on it and saying it doesn't work. This isn't about being perfect. It's about not being the easiest target. And right now, too many organizations are making it too easy.

**Did Anyone Say "Shift Left"?**

Shift-left security is pitched as the savior of modern AppSec. The promise? Catch vulnerabilities early in the development cycle when they're cheapest to fix and pose no immediate risk. The reality? Most organizations are implementing it wrong or not at all.

Let's be honest: When did you last see a developer voluntarily ask security to review their code? Developers are under constant pressure to write code and deliver fast. Security is often seen as an obstacle, not an ally. The result? Insecure code makes it to production, and shift-left becomes just another buzzword.

For shift-left to work, it needs to be invisible and automated. It needs to be Integrated seamlessly into developer workflows. Anything less is just wishful thinking and a sure-fire way to alienate your dev teams.

**The Ugly Truth: Companies Are Being Breached With Old Vulnerabilities**

The painful reality is that many organizations fall prey to cyberattacks exploiting vulnerabilities that were identified. Those vulnerabilities should have been patched years ago. As of 2024, more than 200,000 vulnerabilities have been identified, with more than 40,000 new ones disclosed in 2024 alone, marking a relentless upward trend.

Even when focusing on the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities, a list of around 1,250 vulnerabilities actively used in real-world attacks, the industry's response paints a grim picture. According to Verizon's "2024 Data Breach Investigations Report," only 15% of companies patch these vulnerabilities within the first 30 days of their inclusion on this critical list, and 8% remain unremediated even after a year.

This isn't about sophisticated zero-day exploits. Attackers often take the path of least resistance, targeting unpatched, well-documented vulnerabilities with a proven track record of success. The issue is compounded by overburdened security teams, constrained resources, and increasingly complex IT infrastructures, all of which make timely patching a challenge.

If you are slower, you will be breached. You could have prevented it, but due to complacency, misplaced priorities, or the inability to keep pace with the overwhelming number of vulnerabilities disclosed each year, you didn't.

**So, Why Run at All?**

If the race is unwinnable, what's the point? The point is this: You can make the race work for you. Survival isn't about perfection. It's about prioritization. It's about focusing on vulnerabilities that attackers can exploit in your environment and could significantly impact your organization. Concentrating your efforts here can make you a much tougher target, forcing attackers to move on to easier prey.

This isn't a race to fix everything; it's a race to focus on what matters. Smart prioritization is your edge.

**A Race You Can Win (If You Redefine Winning)**

Here's the good news: While you can't "win" this race in the traditional sense, you can succeed within it. Winning isn't about fixing every vulnerability or stopping every attack. It's about managing risk effectively and making it harder for attackers to succeed.

The savanna may be brutal, but it rewards organizations that are resilient, adaptable, and focused on what matters most. By homing in on vulnerabilities that are critical risks to you based on their factual reachability, exploitability, and impact, you can deliver results without being overwhelmed by the sheer volume of threats.

Yes, cybersecurity is hard, and the odds are stacked against you. But you're not powerless. By embracing resilience, prioritizing critical vulnerabilities, and fostering collaboration across teams, you can make the race work for you.

In this savanna, you don't have to be the fastest gazelle. You just can't afford to be the slowest. So, run smart. Run strong. Focus on what matters. And whatever you do — don't stop.

**About the Author**

Field CTO, OX Security

Boaz Barzel is the field CTO at OX Security, specializing in bridging the gap between security, technology, and business. Boaz is aligning product innovation with the real-world needs of customers and is known for transforming complex security challenges into strategic business advantages. With extensive expertise in application security and product innovation, he ensures security solutions are not just reactive but also proactively address emerging threats. Boaz is helping organizations integrate security seamlessly into their operations. He excels in translating technical risks into clear, actionable insights, enabling product teams to develop solutions that drive business growth while strengthening security. A trusted adviser to executives and security leaders, Boaz has helped countless organizations implement security strategies that align with business goals. At OX Security, he shapes product strategy, influences the market, and drives customer success.

The Cyber Savanna: A Rigged Race You Can't Win, but Must Run Anyway

Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

Source: Jayant Bahel via Alamy Stock Photo

A series of fake banking apps are making the rounds in India, mimicking trusted institutions to steal credentials and, ultimately, money.

The scale of the campaign is impressive, featuring nearly 900 different malware samples tied to around 1,000 different phone numbers used to perpetrate the fraud. Researchers from Zimperium observed all those malware couched in apps that mimic billion-dollar financial institutions, designed to target regular people across India.

**Banking Fraud in East India**

Across India, regular people have been receiving WhatsApp messages carrying malicious Android Package Kit (APK) files. Once downloaded, these APKs open into fake apps mimicking one of more than a dozen banks, including most of the largest in India: HDFC Bank, ICICI Bank, the State Bank of India (SBL), and others.

Source: Zimperium

The apps ask victims to submit their most sensitive financial information, including their mobile banking credentials, credit and debit card numbers, ATM PINs, Permanent Account Number (PAN) Card — used for various financial and government purposes, like paying taxes or opening a bank account — and Aadhar Card, and equivalent to a Social Security number (SSN).

To allow the attackers to log into victims' bank accounts, the malware intercepts one-time passwords sent via SMS, and redirects them either to an attacker-controlled phone number, or a command-and-control (C2) server running on Firebase.

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

The malware also sports stealth and anti-analysis measures, like "packing," where the malware is compressed, encrypted, and obfuscated to the point of illegibility. It can install itself invisibly by taking advantage of accessibility services, and obtain all conceivable permissions on users' devices by simply prodding a user to thoughtlessly hit "Allow" when it asks nicely.

"Since you don't see the app, it's not easy to uninstall it," explains Nico Chiaraviglio, chief scientist at Zimperium. "And then you \[have to deal with the\] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

**Why Fraud Works in India**

Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%).

That FatBoyPanel seems to be going so well, Chiaraviglio thinks, comes down to a couple of obvious factors. First: older, outdated phones are common in East India, and, "If you want to run some sort of exploit, it's easier to do on older devices," he says.

Related:Chinese APT Group Is Ransacking Japan's Secrets

"It's also widely known that there are a lot of scammers in India," he adds. In this campaign, "They are targeting some specific apps, and this basically tells you that the attackers are Indians, and that they know the market that they are working in."

One thing surprised him, he says: "We publish a report every year on banking Trojans, and we see most of them targeting many different countries at the same time. It's very uncommon that we see a campaign that is only targeting one country."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Basket of Bank Trojans Defraud Citizens of East India

While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of hard decisions.

Source: Agata Gładykowska via Alamy Stock Photo

COMMENTARY

Many cybersecurity leaders kick off each new year with predictions for the year to come. You may have seen a deluge of them over the last month or so: "Cyberattacks will continue to be a problem." "This certain country will ban ransom payments." 

But as a cybersecurity company founder and CEO, as well as a licensed insurance broker, I believe that, instead of predictions, what we really need to protect ourselves is a better understanding of probability. Why? Predictions do not inspire solutions. Probabilities do. 

To understand why probability is so important in cybersecurity — and why it makes non-data-driven predictions highly impractical — let's look at what probability actually is. 

**Understanding the Nuances of Probability**

Traditional understandings of probability tend to be misguided. Many treat it as simply the frequency of events over many trials (think: flipping a coin). This requires extremely large datasets, and those datasets must be stable and consistent. Fighting threat actors, though, is famously neither a stable nor a consistent endeavor. Cybersecurity is thus inherently dynamic and uncertain; we require a more nuanced paradigm.

Bayesian probability, which views probability as a "degree of belief" based on available data and expert judgment, allows for the flexibility and adaptability needed in cybersecurity. While data may be limited and conditions evolve quickly, we can still use this approach to build risk models for a company's unique threat surface. These risk models combine the aforementioned data-driven probabilities with variables like control maturity, cyber-insurance claims data, and business and industry-specific factors to create accurate, up-to-date risk assessments. This Bayesian probability model is thus what I refer to when I say "probability." 

**Learning From Insurance **

We can glean a lot about cyber-risk and probability from what may sound like a surprising source: insurance data. Because my company provides cyber insurance as well as risk management strategies, we have visibility into just how many insurance claims actually become "material" to a company. In other words, we can see not only the number of attacks our clients faced — but also what the real financial impacts were. While we saw the frequency of claims rise by nearly 35% in 2024, these claims actually became material at a lower rate than we saw in 2023. 

What does this mean? At the most granular level, it means that companies in our portfolio aren't losing as much money from cyberattacks as they could have. That's encouraging in itself, but it also suggests a broader, encouraging trend: cybercrime is here to stay, but companies are getting better at withstanding the worst of the effects. And we're not alone in seeing this positive trend: Coveware recently reported a major decline in ransom payment rates, while Palo Alto Networks predicts a shift in the effectiveness of ransomware demands as organizations increasingly invest in not only better security postures, but more cyber resilient architectures overall. 

Whether through risk management strategies, a more cyber-aware and proactive board, investments in cyber insurance and best-in-class security tools, or a combination of these, companies are growing more resilient, even as cyber criminals get smarter and faster. 

**Putting Data and AI to Work**

These improvements in mitigating damages from cyberattacks over the past year are not happening in isolation. They are a result of a renewed, better focus on putting security and risk data to work. When we have the right data — and the right probability models — we can adopt a far more informed understanding of what's to come in the future, and what the potential impacts are.

For us, that means building a complex model based on the data we have. Our models are constructed as a network of event triggers and input signals; taken together, they inform the probability that losses will occur, the range of losses when they do occur, and the probabilities associated with the size of the losses in the range. We do this according to the kind of perils that can materialize into those losses, including business disruption, data breach, fraud, and extortion. 

The rate at which perils result in losses is influenced by the maturity of the security controls that our customers have. We tune the relationship between these signals, their level, and their output based on our experts' degrees of belief, cyber claims data, and firmographic data. This large network facilitates our probabilistic reasoning — and the results we observe tend to be quite accurate. 

**Resisting the FUD Mentality**

Fear, uncertainty, and doubt (FUD) often cloud our vision when it comes to cybersecurity decision-making and future projections. That's understandable: Cyberattacks on large organizations have affected many of us directly. Maybe you couldn't get a prescription in time after the Change Healthcare attack. Or perhaps you received a notice that your data had been breached as a result of an attack on AT&T. Even if you haven't been personally affected, an onslaught of doom-and-gloom headlines can make it tempting to look to the future and assume disaster is imminent — or worse yet, that there's nothing we can do about it. 

But when we remove our FUD glasses and look at the cold, hard data, those assumptions become glaringly incorrect. That's why assessing risk with a probabilistic model can give us far better insight into not only what's likely to happen, but what the actual impacts may be. And when we better understand potential impacts, we can conceptualize far more effective solutions. Think: choosing comprehensive security tools that protect whatever a company identifies its "crown jewels" to be; building a full team behind a company's chief information security officer (CISO) and adding new cyber-savvy board members; and even investing in cyber insurance. 

Furthermore, it's probability — not predictions lacking hard data — that helps us quickly make important decisions under pressure and uncertainty. While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of the hard decisions we make. And when we feel more confident in these decisions, we get better solutions that can make us essentially invincible to whatever cybercriminals may throw our way this year.

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

Why Cybersecurity Needs Probability — Not Predictions

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

A sophisticated cyberattack campaign is targeting organizations that still rely on Active Directory Federation Services (ADFS) for authentication across applications and services.

Source: Ronstik via Alamy Stock Photo

A phishing campaign is exploiting Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts, allowing threat actors to commit further malicious activities across networks that depend on the service for single sign-on (SSO) authentication.

Researchers from Abnormal Security discovered the campaign, which is targeting about 150 organizations — primarily in the education sector — that rely on ADFS to authenticate across multiple on-premises and cloud-based systems.

The campaign uses spoofed emails that direct people to fake Microsoft ADFS log-in pages, which are personalized for the particular MFA setup used by the target. Once a victim enters credentials and an MFA code, attackers take over the accounts and are able to pivot to other services through the SSO function. They appear to be carrying out a range of post-compromise activities, including reconnaissance, the creation of mail filter rules to intercept communications, and lateral phishing that targets other users in the organization.

Targeting the legacy SSO capability in ADFS, a function that's "convenient for enterprise users," can reap big dividends, observes Jim Routh, chief trust officer at security firm Saviynt. The feature was originally designed for use behind a firewall but is now more exposed because it's increasingly been applied across cloud-based services, even though it was never designed for that, he notes.

Related:Why Cybersecurity Needs Probability — Not Predictions

Attackers in the campaign are spoofing Microsoft ADFS login pages to harvest user credentials and bypass MFA in a way that one longtime security professional says he hasn't seen before.

"This is the first time I've read about fake ADFS login pages," observes Roger Grimes, data-driven defense evangelist at security firm KnowBe4.

**Help Desk Lures for Credential Theft**

Targets of the campaign receive emails designed to appear as notifications from the organization's IT help desk — a widely used phishing ruse — with a message informing the recipient of an urgent or important update that requires their immediate attention. The message asks them to use the provided link to initiate the requested action, such as accepting a revised policy or completing a system upgrade.

Still, the emails include various features that make them appear convincing, including spoofed sender addresses that appear as if they originate from trusted entities, fraudulent login pages that mimic legitimate branding, and malicious links that mimic the structure of legitimate ADFS links, the researchers noted.

Related:DNSFilter's Annual Security Report Reveals Worrisome Spike in Malicious DNS Requests

"In this campaign, attackers exploit the trusted environment and familiar design of ADFS sign-in pages to trick users into submitting their credentials and second-factor authentication details," according to the report.

**Targeting Legacy Users**

While the campaign targets various industries, organizations bearing the brunt of attacks — more than 50% — are schools, universities, and other educational institutions, the researchers said. "This highlights the attackers' preference for environments with high user volumes, legacy systems, fewer security personnel, and often less mature cybersecurity defenses," according to the report.

Other sectors targeted in the campaign that also reflect this preference include, in order of attack frequency: healthcare, government, technology, transportation, automotive, and manufacturing.

Indeed, while Microsoft and Abnormal Security both recommend that organizations transition to its modern identity platform, Entra, for authentication, many organizations with less sophisticated IT departments still depend on ADFS, and thus remain vulnerable, the researchers noted.

"This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies — making them prime targets for credential harvesting and account takeovers," according to the report.

Related:Black Hat USA 2024 Highlights

However, even if an organization is still using ADFS, it still can take steps to protect themselves, Grimes says. He recommends that all users use "phishing-resistant MFA" whenever they can, for example.

Other mitigations recommended by the researchers include user education about modern attacker phishing techniques and psychological tactics, and the use of advanced email filtering, anomaly detection, and behavior monitoring technologies to identify and mitigate phishing attacks and detect compromised accounts early.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Target Education Sector, Hijack Microsoft Accounts

Organizations continue to be at high risk from cybercrime in Africa, despite law enforcement takedowns of cybercriminal syndicates in Nigeria and other African nations.

Threat Index global mapSource: Check Point Software Technologies

Nigeria's government has taken a tougher stance against financial fraud and cybercrime, arresting more than 1,000 people in the past year and successfully prosecuting 152 cases related to cyber-related fraud and scams.

On Feb. 3, Nigeria's Economic and Financial Crimes Commission (EFCC) arraigned 42 foreign nationals — mainly Chinese and Filipino — on charges related to alleged cryptocurrency investment and romance fraud, part of a massive raid conducted in December 2024 against a purported cybercriminal syndicate of nearly 800 people.

The defendants willfully "caused to be accessed, a computer system which was organized to seriously destabilize the economic and social structure of the Federal Republic of Nigeria, by procuring and employing several Nigerian youths for identity theft and other computer related fraud," according to an EFCC statement.

Cybercrime and cyberattacks continue to be a major problem for Nigeria, and Africa as a whole. The average African organization sees nearly 3,200 attacks per week, 73% more than the global average, according to data provided by cybersecurity firm Check Point Software Technologies. Africa has increasingly become a hub for cybercrime, charting eight countries in Check Point's top 20 areas at high risk of cybercrime. Ethiopia claimed the top spot as the riskiest nation for cybercrime, while Nigeria ranked number 19.

The continent is rapidly adopting technology, not always with the right security, leading to vulnerable systems, says Lionel Dartnall, acting country manager for South Africa at Check Point.

"We are seeing that Africa is particularly susceptible compared to other regions, and many attackers often test new methods here before deploying them in other parts of the world," he says, listing the rapidly expanding digital footprint and widespread adoption of cloud computing as factor\[s\] that are opening up the region to more attacks."

**Africa: Rapidly Securing Its Ecosystem**

Overall, the Global South — including nations in the African, Latin American, and South Asian regions — have the lowest number of organizations reporting themselves to be cyber-resilient, according to the World Economic Forum's "Global Cybersecurity Outlook 2025." In Europe and North America, about 15% of organizations lack confidence in their nation's ability to respond to significant cyber incidents. In Africa and Latin America, 36% and 42% lack confidence, respectively.

While African nations are disproportionately represented in the top-20 cyber-riskiest nations and in lacking confidence in their cyber resilience, their economies are also topping the list in terms of growth, with 11 of the 20 fastest-growing economies in Africa. Overall, Africa's younger population and the increased digitization brings more risk, but also more opportunities, Check Point's Dartnall says.

"\[T\]he continent has only 20,000 qualified cybersecurity engineers, indicating a critical need for more experts to join the field," he says. "However, there is a focus by both private and public sector institutions to stimulate cyber security training especially among young people, both to plug the acute skills gap and also provide critically needed employment."

Organizations in Nigeria — and Africa as a whole — have suffered a much higher pace of attacks, compared with global groups. Source: Check Point Software's "2024 African Perspectives on Cyber Security"

Nigeria, however, continues to face economic problems that impact its ability to create a trusted online ecosystem. Nigeria had significant economic challenges over the past three years, including annual inflation of more than 30%, higher unemployment, and growing debt, according to PricewaterhouseCoopers' 2025 Nigeria Budget and Economic Outlook. In 2024, the Nigerian government had to pause the implementation of a cybersecurity tax after public dissent. At the same time, Nigeria saw far more attacks per organizations than the global average.

**Importing Cybercrime**

The trick for countries like Nigeria is to make cybersecurity jobs available and more appealing than cybercrime. The government has already reached out to organizations, such as the Student Union Executives and the Nigeria Internet Registration Association (NIRA), to bolster cybersecurity training and fraud awareness.

In addition, law enforcement authorities have ramped up investigations and enforcement operations in the last year. In July 2024, Interpol worked with authorities in 21 countries to arrest the West African cybercriminals involved in financial fraud in an effort dubbed Operation Jackal III. In December 2024, similar cooperation led to the arrest of more than 1,000 suspects linked to more than $192 million in financial losses across Africa.

The Nigerian government has stressed that many of the cybercriminal schemes that operate in the country are not run by Nigerians. During the massive raid leading to the arrest of 792 suspects allegedly involved in a romance and cryptocurrency-investment fraud ring, nearly a quarter of those detained were not Nigerian citizens and included 148 Chinese, 40 Filipinos, two Kharzartans, one Pakistani, and one Indonesian, according to a December 2024 statement.

"Foreigners are taking advantage of our nation's unfortunate reputation as a haven of frauds to establish a foothold here to disguise their atrocious criminal enterprises," Ola Olukoyede, the EFCC chairman, said at a press conference. "But, as this operation has shown, there will be no hiding places for criminals in Nigeria."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria Touts Cyber Success, Even as Cybercrime Rises in Africa

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

Source: Mike via Adobe Stock Photo

Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars?

Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't.

The forgeries created by modern fraud groups use cutting-edge AI-driven deepfake technology to create fake identities, avatars, and documents that even a trained eye would have trouble spotting, says Ofer Freidman, chief business development officer of identity verification and ID management automation company AU10TIX. These groups are using GenAI to steal personal data, craft convincing fake identities, and execute fraud schemes.

Fraudsters acquire personal data from individuals through a combination of methods, including phishing, social engineering, and hacking corporate databases. They can also buy the information from cybercrime marketplaces. They can then use an AI system to randomize the information, such as names, addresses, and document numbers, to generate new fake identities. AI is better at avoiding repetitive patterns than humans, making it more likely that these fake identities will evade detection systems and monitors, Friedman says. 

Traditional forgeries could be identified by spotting inconsistencies, such as mismatched shadows or areas that were low resolution compared to the rest. While there are ways to identify deepfakes (such as counting the fingers on the person's hands), each model is getting better at producing uniform, high-quality content. 

For fraudsters, every payday doesn't need to be huge because they are operating in an "industrialized, systematic way," Friedman says. "You can go for $1 million or you can go 100 times for $10,000. It's the same effort because it's a machine doing it for you, unlike the good old days when you actually had to do it one by one."

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Are Modern Fraud Groups Using GenAI and Deepfakes?

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

Source: Ronstik via Alamy Stock Photo

NEWS BRIEF

Developers and security teams are bombarded with too many security alerts. Security tools are finding issues, but organizations lack the staff and time to address the most severe security findings. That is why there has been a lot of discussion on how artificial intelligence (AI) can help prioritize and triage the volume of security alerts to a more manageable amount.

Backline, which came out of stealth on Jan. 30, goes a step further, using AI agents to remediate security vulnerabilities and misconfigurations automatically. The autonomous security remediation platform integrates seamlessly with the organization's existing security tools and consolidates the information into a centralized security findings lake, the company said. The AI-native remediation playbooks the platform uses have been enriched with customer-specific context, Backline said.

Backline's autonomous security remediation platform can safely implement verified code and configuration changes. Backline's agents analyze security findings, gather necessary context, determine the optimal fix for the organization's environment, implement the necessary changes, and then test the fixes. Teams can choose their preferred level of oversight and automation.

When the AI agent needs human analysts to intervene or provide more context, it contacts the relevant engineers using tools such as Jira, Slack, and GitHub.

As part of the launch, Backline also raised $9 million in seed funding from StageOne Ventures, Evolution Equity Partners, and Gradient. Backline's co-founder and CEO, Maor Goldberg, previously co-founded Whitebox Security, which he sold to SailPoint in 2015, and Apolicy, which was sold to Sysdig in 2021. Goldberg left Sysdig in 2024 to start Backline with Eran Leib, chief customer officer, and Aviad Chen, vice president of research and development.

Source

DARKReading