The first team to successfully hack the electric vehicle maker's charger won $50,000 for their ingenuity.

Source: VDWI Automotive via Alamy Stock Photo

NEWS BRIEF

Researchers at the this year's Pwn2Own Automotive hacking contest successfully hacked Tesla's wall connector electric vehicle (EV) charger.

The annual contest focuses on hacking automotive technologies during the Automotive World tradeshow in Tokyo. The contest allows researchers to target car operating systems, electric vehicles, chargers, and infotainment systems in vehicles to uncover hidden vulnerabilities and potential threats.

Zero Day Initiative said the PHP Hooligans used a "numeric range comparison without minimum check" zero-day bug to take over the EV charger and crash it. This feat earned them $50,000 in prize money and five Master of Pwn points.

Right behind them was Synacktic, which hacked the Tesla EV charger through the charging connector.

The PHP Hooligans also exploited 23 other zero-day vulnerabilities in WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers.

On day two of the contest, Trend Micro's Zero Day Initiative paid out $718,250 in rewards to onsite security researchers who discovered 39 unique zero-days.

Sina Kheirkhah is currently leading the Pwn2Own contest with 24.5 points, followed by Synacktiv in second place, and PHP Hooligans in third.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tesla Gear Gets Hacked Multiple Times in Pwn2Own Contests

PRESS RELEASE

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA), published Closing the Software Understanding Gap that calls for decisive and coordinated action by the U.S. government to obtain a deep, scalable understanding of software-controlled systems. Specifically, the report calls for software-controlled systems that can be assessed to verify functionality, safety, and security across all conditions, which is currently not available.

Mission owners and operators lack adequate capabilities for software understanding because technology manufacturers build software that greatly outstrips the ability to understand it. The inadequate understanding leads to exploited software vulnerabilities because technology manufacturers create software that is not secure by design.

“Recent discoveries of adversarial state-sponsored activity in US critical infrastructure – primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems – pose imminent threats to US national security. The software understanding gap exacerbates the risk to this threat activity,” said CISA Technical Director Chris Butera. “Mission owners and operators have an enormous and accelerating dependence on the software underwriting U.S. critical infrastructure. With our partners, we urge the USG to close this gap before other nations and urge software manufactures to align to Secure by Design principles.” 

The report highlights potential solutions to change the security posture of legacy and future software. One example is the application of mathematically rigorous techniques known as formal methods. For a long time, formally verified software has seemed hopelessly out of reach, but advances by DARPA and others over the past decade have made formal approaches more accessible for mainstream practice.

“We have the tools today to greatly reduce the number of software vulnerabilities that plague our software infrastructure,” said DARPA’s Information Innovation Office Director, Kathleen Fisher. “Rapid action to implement these tools in legacy and future systems can dramatically reduce the United States’ cyber vulnerabilities ahead of future global conflicts.”

This report also provides recommendations to obtain a deep, scalable understanding of software-controlled systems, including AI-based systems. By providing an adequate capacity for software understanding, the United States will secure an advantage in geopolitics for the foreseeable future and will help harden critical infrastructure against state-sponsored activity.

This report highlights the enduring broad government coordination required to create the capabilities to address these threats.

For more information on Secure by Design, visit Secure by Design webpage.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

You May Also Like

CISA Calls For Action to Close the Software Understanding Gap

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

PRESS RELEASE

AUSTIN, TX, Jan. 21, 2025 (GLOBE NEWSWIRE) -- Automox launches FastAgent, a breakthrough in modern agent technology designed to deliver unprecedented speed, reliability, and control for IT professionals. 

With reimagined communication protocols, infrastructure, and user-facing functionality, FastAgent modernizes endpoint management to meet the evolving demands of secure enterprise environments.

"FastAgent represents a significant leap forward for IT teams seeking uncompromising reliability and empowered endpoint control," said Jason Kikta, CISO/VP of Product at Automox. "This innovation demonstrates our commitment to simplifying IT operations without sacrificing security or speed."

Key Innovations of FastAgent:

*   Industry-Leading Reliability: Agent-aware command tracking and hyper-efficient backend communication protocols ensure consistent, secure, device-centric management across Windows, macOS, and Linux systems. Persistent outgoing response queuing enables the agent to operate intelligently, even in high-traffic or intermittent connectivity situations. 
    
*   Unparalleled Scalability and Control: FastAgent enhances reliability without compromising security policies. With dynamic reconnection delay, configuration IT teams can tailor agent reconnection attempts for environments with strict network policies, such as those using network access control (NAC) solutions, to maximize reliability and connectivity between Automox and devices. 
    
*   Intuitive User Experience with Automox Tray: Automox Tray provides end users with an intuitive, familiar, and friendly interface for managing system updates and device reboots. This innovative experience maintains security SLAs while delivering transparency and control to end users. 
    

FastAgent's advanced capabilities are built to scale, offering IT decision-makers certainty in maintaining secure, efficient, and consistent configurations across all their Windows, macOS, and Linux endpoints.

Up Next: End-User Empowerment with Automox Tray

Automox Tray redefines the end-user experience between IT and the workforce with an approachable, modern notification system for Windows, macOS, and third-party updates. IT teams can implement deadline-based notifications to streamline updates and reboot processes while ensuring business-critical systems stay compliant and secure.

Enhanced IT Efficiency with Automox FastAgent

FastAgent brings a comprehensive set of industry-leading capabilities:

1.  Redesigned Backend Protocols ensure scalability and low latency. 
    
2.  Persistent Response Queuing enables command delivery under any network condition. 
    
3.  Enhanced Security Controls allow configurable reconnection delays to improve stability in highly controlled environments. 
    

By combining enhanced functionality with industry-leading automation, FastAgent empowers organizations to address key IT challenges, maintain compliance, and improve operational efficiency.

About Automox

Automox is the IT automation platform for modern organizations. Policy-driven human-controlled automation empowers IT professionals to prove vulnerabilities are fixed, slash cost and complexity, win back hours in their days, and delight end users. 360+ Automox Worklet automation scripts make it easy for IT to save time, reduce risk, and thoughtfully automate OS, third-party software, and configuration updates on Windows, macOS, and Linux desktops, laptops, and servers.

Join thousands of IT heroes automating confidence across millions of endpoints with Automox. Learn more at www.automox.com, connect with the Automox Community, or connect with us on Twitter/X, Threads, LinkedIn, Facebook, Reddit, or Instagram.

Automox Releases Endpoint Management With FastAgent

PRESS RELEASE

FRISCO, Texas, January 21, 2025 – Netwrix, a vendor specializing in cybersecurity solutions focused on data and identity threats, surveyed 1,309 IT and security professionals globally and today released findings for the healthcare sector based on the data collected.

It reveals that 84% of organizations in the healthcare sector spotted a cyberattack on their infrastructure within the last 12 months. Phishing was the most common type of incident experienced on premises, similar to other industries. Account compromise topped the list for cloud attacks: 74% of healthcare organizations that spotted a cyberattack reported user or admin account compromise.

“Healthcare workers regularly communicate with many people they do not know — patients, laboratory assistants, external auditors and more — so properly vetting every message is a huge burden. Plus, they do not realize how critical it is to be cautious, since security awareness training often takes a back seat to the urgent work of taking care of patients. Combined, these factors can lead to a higher rate of security incidents,” says Dirk Schrader, VP of Security Research and Field CISO EMEA at Netwrix.

A cyberattack resulted in financial damage for 69% of healthcare organizations, compared to 60% among other industries. One in five healthcare organizations that suffered an attack experienced a change in senior leadership (21%) or lawsuits (19%) as a result, compared to 13% for each of these outcomes among all industries surveyed.

“Due to the sensitivity of the protected health information (PHI) data, breaches can cause severe concerns among the general public and various stakeholders. On top of that, healthcare is a highly regulated industry where organizations face strict penalties for non-compliance. Together, these factors lead to a higher-than-average likelihood of lawsuits. At the same time, organizations can feel pressured to change IT or even executive leadership to signal their commitment to addressing security issues and rebuilding trust,” says Ilia Sotnikov, Security Strategist at Netwrix.

Learn more about how the healthcare sector can thwart attacks here. 

About Netwrix  

Netwrix champions cybersecurity to ensure a brighter digital future for any organization. Netwrix's innovative solutions safeguard data, identities, and infrastructure reducing both the risk and impact of a breach for more than 13,500 organizations across 100+ countries. Netwrix empowers security professionals to face digital threats with confidence by enabling them to identify and protect sensitive data as well as to detect, respond to, and recover from attacks.

For more information, visit www.netwrix.com.

You May Also Like

84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

Source: Brian Jackson via Alamy Stock Photo

A flaw in the widely used Cloudflare content delivery network (CDN) can expose someone's location by sending them an image on platforms like Signal and Discord, deanonymizing them in seconds without their knowledge.

That's according to a 15-year-old security researcher who goes by only "Daniel," who published research on GitHub Gist about the flaw — which he discovered three months ago — as a warning for journalists, activists, and hackers, who could be at physical risk.

The flaw allows an attacker to grab the location of any target within a 250-mile radius when a vulnerable app is installed on a target's phone, or even as a background application on their laptop. Using either a one-click or zero-click approach, an attacker can use the app to "send a malicious payload and deanonymize you within seconds — and you wouldn't even know," Daniel wrote.

**Cloudflare Content Caching Is the Cyber Culprit**

The core of the flaw lies in one of Cloudflare's most used features: caching, Daniel explained. Cloudflare's cache stores copies of frequently accessed content, such as images, videos, or webpages, in its datacenters, ostensibly to reduce server load and improve website performance.

When a device sends a request for a resource that can be cached, Cloudflare retrieves the resource from its local data center storage, if possible, or from the origin server. It then caches it locally, and returns it. "By default, some file extensions are automatically cached but site operators can also configure new cache rules," Daniel explained.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Because of this process flow, if an attacker can get a user's device to load a resource on a Cloudflare-backed site, causing it to be cached in their local datacenter, they can then enumerate all Cloudflare data centers to identify which one cached the resource. "This would provide an incredibly precise estimate of the user's location," Daniel explained.

Daniel did have to overcome a hurdle to this attack flow in that someone "can't simply send HTTP requests to individual Cloudflare datacenters," he wrote. However, he discovered a bug via a forum post that demonstrates how someone can send requests to specific Cloudflare datacenters with Cloudflare Workers, and created a tool called Cloudflare Teleport, a proxy powered by Cloudflare Workers that redirects HTTP requests to specific datacenters.

**How to Exploit the Cloudflare Location Flaw**

Daniel went on to demonstrate how he could send images via both Signal and Discord that would expose the recipient's location. For Signal, which is an app favored by journalists and activists due to its privacy features, a one-click attack allows someone to send either an attachment or an avatar to a user that exploits the cache geolocation method to pinpoint the recipient's location.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

An attacker also could use a zero-click attack in Signal by taking advantage of push notifications, which occur when a message is sent to a user while they are not actively using the app. In this case, the recipient doesn't even have to open the Signal conversation for their device to download the attachment, he said.

Attackers can exploit the flaw similarly in Discord, with potentially wider impact, using a custom emoji that's loaded from Discord's CDN and configured to be cached on Cloudflare, he explained.

"So, instead of sending an attachment in a Discord channel, an attacker can display a custom emoji in their user status and simply wait for the target to open their profile to run a deanonymization attack," Daniel wrote. A one-click attack vector also is possible in Discord by changing a user's avatar and sending a friend request to someone, which triggers a push notification, he added.

**Signal, Discord, Cloudflare Response & Mitigation**

Daniel contacted Signal, Discord, and Cloudflare about the bug. The first two companies did nothing to mitigate it, with Signal claiming users are responsible for protecting their own identities, and Discord claiming it was Cloudflare's responsibility.

Related:Trump Overturns Biden Rules on AI Development, Security

For its part, Cloudflare did fix the Cloudflare Workers bug that allowed Daniel to create the Teleport tool. The bug was reported to its HackerOne program a year ago by another researcher, but the company had not responded to the report. It reopened the case after Daniel's report and mitigated the issue, awarding him a $200 bug bounty in the process.

However, even after the mitigation, Daniel was able to exploit the flaw by reprogramming his Cloudflare Teleport tool to use a VPN instead, choosing a VPN provider with more than 3,000 servers located in various locations across 31 different countries worldwide. "Using this new method, I'm able to reach about 54% of all Cloudflare datacenters again," he explained.

At this time, "any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken," Daniel wrote.

And this can be especially dangerous for people who need to protect their location for various reasons, such as a woman who may be hiding from a violent boyfriend or husband, or a political dissident who is being targeted by a hostile government, says Roger Grimes, data-driven defense evangelist at KnowBe4.

“At first glance, the flaw seems really innocuous and barely relevant, but there are scenarios … where it could be a problem," he tells Dark Reading. Moreover, Grimes suspects that Cloudflare CDN is not the only CDN affected by such a flaw, as "the attack is just generic enough that I think it can be applied to more CDNs," he says.

Daniel advised that people concerned about their privacy should limit their exposure on the affected apps, which "can make a significant difference" when it comes to protecting their location data.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cloudflare CDN Bug Outs User Locations on Signal, Discord

The threat actors are abusing the vulnerabilities to gain initial access, obtain credentials, and install malicious scripts on user devices.

Source: Kristoffer Tripplaar via Alamy Stock Photo

NEWS BRIEF

Cyberattackers are using a new threat vector involving several Ivanti vulnerabilities in order to subvert the company's Cloud Service Appliance (CSA).

According to the Cybersecurity and Infrastructure Security (CISA) and the FBI, these include CVE-2024-8963, an admin bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, both remote code execution (RCE) vulnerabilities.

Using third-party incident-response data, CISA found that threat actors utilized the bugs by chaining them together to gain initial access, allowing them to conduct remote code execution (RCE), obtain credentials, and install Web shells on victim networks.

"All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0," CISA stated in the advisory.

In order to mitigate these threats, both organizations encourage network admins to upgrade to the latest supported version of Ivanti CSA and to use detection methods and the indicators of compromise (IoCs) provided in the CISA advisory to search for malicious activity on their networks.

Related:Tesla Gear Gets Hacked Multiple Times in Pwn2Own Contests

If organizations do detect compromise, it's recommended to quarantine or take offline potentially affected hosts and reimage them. Admins should also provide new account credentials, collect and review artifacts, and report the compromise to CISA. In addition to this, it's recommended to exercise, test, and validate a security program against threat actors listed in the MITRE ATT&CK for Enterprise framework.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA: Ivanti Vulns Chained Together in Cyberattack Onslaught

While employees want to take advantage of the increased efficiency of GenAI and LLMs, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations.

Anuj Jaiswal, Chief Product Officer, Fortanix

January 23, 2025

3 Min Read

Source: LuckyStep48 via Alamy Stock Vector

COMMENTARY

The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI.

Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung.

Unfortunately, enforcing such a policy is an uphill battle. According to a recent report, non-corporate accounts make up 74% of ChatGPT use and 74% of Gemini and Bard use at work. Employees can easily skirt corporate policies to continue their AI use for work, potentially opening up security risks.

The greatest among these is the lack of protection for sensitive data. As of March 2024, 27.4% of data inputted into AI tools would be considered sensitive, an increase from 10.7% at the same time last year. Protecting this information once it is put into a GenAI tool is virtually impossible.

The uncontrolled risk of shadow AI usage reveals the need for stringent privacy and security practices when employees use AI.

It all boils down to data. Data is the fuel of AI, but it is also the most valuable asset to organizations. Stolen, leaked, or corrupted data causes real, tangible harm to a business — regulatory fines from leaking personally identifiable information (PII), costs associated with leaked proprietary information like source code, and an increase in severe security breaches like hacks and malware.

To mitigate risk, organizations must secure their data while it's at rest, in transit, and in use. The counter to risky shadow AI use is having fine control over the information employees feed into large language models (LLMs).

**How Can CISOs Secure GenAI and Company Data?**

Securing sensitive company data is a challenging balancing act for chief information security officers (CISOs) as they weigh the desire for their organizations to take advantage of the perceived value of GenAI while also protecting the sole asset that makes these benefits possible — their data.

So, the question becomes: How do you do this? How do you get the balance right? How do you extract positive business outcomes while protecting the enterprise's most valuable asset?

At a high level, CISOs should look at protecting data through its entire life cycle. This includes:

*   Protecting the data before it is even ingested into the GenAI model
    

*   Ensuring that the data output is completely secured, as this new data will drive the business outcomes and create true value
    

If the data life cycle isn't secure, this becomes a business-critical exposure.

More specifically, a multifaceted approach is necessary to protect sensitive data from being leaked, and though it starts with limiting shadow AI as much as possible, it is just as important to preserve data security and privacy with some basic best practices:

*   Encryption: Data encryption across its life cycle is vital, but it's equally important to manage and store encryption keys securely and separately from the data itself.
    
*   Obfuscation: Use data tokenization to anonymize any sensitive or PII data that could be fed to an LLM. This prevents data that enters the AI pipeline from being corrupted or leaked.
    
*   Access: Apply granular, role-based access controls to data so that only authorized users can see and use the data in plain text.
    
*   Governance: Commit to ethical business practices, embed data privacy across all operations, and remain current on data privacy regulations.
    

As is often the case with most tech advancements, GenAI's ease and convenience come with some fallbacks. While employees want to take advantage of the increased efficiency of GenAI and LLMs for work, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations to prevent sensitive data from entering the AI system. Along with making sure workers know the importance of data protection, it is key to mitigate potential risks by taking all measures to encrypt and secure data from the start.

**About the Author**

Chief Product Officer, Fortanix

Anuj Jaiswal is chief product officer at Fortanixa. He is seasoned product and engineering leader with an impressive track record spanning more than 20 years. Anuj previously served as vice president of engineering at Embrace.io and was a pivotal figure at Arkin, a company that caught the attention of VMware and was subsequently acquired in 2016. During his time at Arkin, Anuj played a critical role in the acquisition process, showcasing his strategic vision and technical insight. Before Arkin, Anuj worked as a senior leader at FrontRange Solutions (acquired by Ivanti) and DBO2 (acquired by Predictive Solutions).

Anuj's domain knowledge is extensive, covering crucial areas such as cloud security, network security, cybersecurity, data security and application performance monitoring (APM) for both cloud and mobile applications. His approach to product management — vision, strategy, customer-centric, roadmapping, partnerships, and UX — has consistently resulted in products that drive revenue and growth for organizations while meeting customer needs. Anuj holds a master's degree in computer applications and a bachelor's degree in business administration.

The Security Risk of Rampant Shadow AI

Such routers typically lack endpoint detection and response protection, are in front of a firewall, and don't run monitoring software like Sysmon, making the attacks harder to detect.

Source: LJSphotography via Alamy Stock Photo

Dozens of organizations have been infected with router malware that uses a packet-sniffing technique to minimize its footprint.

Rather than their far more popular Cisco counterparts, the campaign, which Black Lotus Labs named "J-magic," hones in on Juniper-brand routers at the edge of high-value networks. Exposed enterprise routers are tapped with a variant of a quarter-century-old backdoor, "cd00r," which stays dormant until it receives an activation phrase — a "magic packet." Only then does it grant access to a reverse shell, from which its attackers can steal data, manipulate configurations, and spread to more devices.

"There's been a lot of emphasis on small office/home office (SOHO) devices, but attackers are just as active in the enterprise space," warns Danny Adamitis, principal information security engineer with Black Lotus Labs. "It's just that they're living on these devices that don't really have endpoint detection and response (EDR), that are in front of a firewall, and don't really run things like Sysmon, so it's a little bit harder for people to detect these attacks."

**Backdoor Malware Infests Juniper Routers**

Exactly how the hackers obtained initial access to affected routers is unknown, but the openings they exploited are clear. Around half the Juniper routers victimized by J-magic were configured as virtual private network (VPN) gateways, and the other half possessed exposed Network Configuration Protocol (NETCONF) ports, which allow administrators to remotely manage and configure network settings, but also allow attackers to sneak through and do the same. These routers served as points of entry and control for much larger networks, affording attackers a wide canvas for their malicious deeds.

Related:Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

To exploit these prized devices, the attackers install their malware, cd00r, in a position where it can observe all TCP traffic coming into the edge device. Then it waits for one of five predefined packets meeting highly specific conditions, which act like an activation phrase. When a packet meeting one of these presets is received, the program will spawn a reverse shell connected to the attacker's IP address, through the port specified in the magic packet.

The technique works because it circumvents the already limited methods defenders have for picking up on edge malware. In a typical infection, Adamitis says, "If you're able to monitor traffic from a firewall or router, you can see that there is a beacon that occurs at a set interval. And if you perform a time series analysis, you can see activity continuously occurring with that interval, and it kind of stands out. With something like this, you don't have that consistent call out. This will evade that form of detection."

Related:Automox Releases Endpoint Management With FastAgent

A J-magic attack isn't entirely complete upon reception of the magic packet, though. To confirm that the handler is the intended attacker — not just some passerby trying to piggyback on their work — cd00r sends out a "challenge" string encrypted with a hardcoded public key. Only if the attacker passes this test — by returning the string back using their associated private key — do they obtain control over the reverse shell, and with it the power to control the infected device, steal enterprise data, and deploy further malware.

Evidence of these J-magic infections dates back to September 2023, but the majority of cases appear to have popped up in the spring and summer of 2024. In that year or so, cd00r spread to the US, the UK, Russia, Norway, India, and more countries in between, affecting organizations in construction, bioengineering, insurance, and IT services, among others.

**Blind Spot in Edge Network Cybersecurity**

Easily overlooked is the fact that cd00r, though updated with new features, is a 25-year-old program. It was originally developed and released in 2000, as a proof-of-concept (PoC) for an "invisible" backdoor, on the information security website Packet Storm.

Related:15K Fortinet Device Configs Leaked to the Dark Web

That such an old, and in some ways atavistic, malware would still suffice in 2025 speaks to just how much attackers can get away with in edge networks.

"On your corporate laptop, you probably have Windows Defender and something from your favorite EDR vendor. There tend to be a lot of vendors for end-user workstations, but edge devices don't really seem to have anything on them. So by living in those blind spots, attackers are able to get away with using this 20-year-old malware, because there's no one and nothing on that particular device to actually capture that sort of user interaction," Adamitis says.

"The reporting around these kinds of enterprise-grade routers tends to be a lot more sparse," he adds. "What we're trying to say is: We think there might be this low visibility spot in the perimeter."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Black 'Magic' Targets Enterprise Juniper Routers With Backdoor

The AI-powered work platform helps organizations securely identify and access internal enterprise data as part of business processes and workflows.

Source: YAY Media AS via Alamy Stock Photo

NEWS BRIEF

All organizations, regardless of size or industry, are experiencing a data boom, with information being stored in multiple applications, such as Confluence, GitLab, Jira, Monday, Slack, Salesforce, and Zendesk. In turn, the ability to search through the mountains of data to find what they need has become increasingly more difficult. Enterprise search is an area where artificial intelligence (AI) can shine, with tools that take questions from users and them look through various information sources to provide relevant answers quickly.

The challenge, however, is delivering those answers without compromising data security. AI's ability to look at all of an organization's data means that an unauthorized actor could potentially manipulate the system to obtain information that they should not be able to access or use in a manner they should not. Doti AI, an AI-powered enterprise work platform that emerged from stealth today, promises to secure the organization's data while giving employees the ability to find information as part of existing workflows. For example, customer support teams can resolve issues faster by retrieving relevant knowledge base articles or identifying similar past cases without searching across multiple systems, the company said in a statement.

"Doti creates a centralized 'organizational brain' that empowers employees to find accurate, relevant information quickly and effortlessly," the company said.

The platform consolidates data from multiple business applications and sources and presents a single interface to the organization's data, the company said. Because it can handle both structured and unstructured data, users can use the platform to analyze codebases, draft communications, retrieve historical project context, and answer policy questions.

It can be deployed on-premises or in the cloud, and gives organizations robust security controls, including real-time permissions enforcement, hybrid deployment options, and granular access controls. Doti's approach to tenant segregation means customers have "complete flexibility and control over their data." The software-as-a-service customers get a dedicated database. Organizations can deploy the platform locally within their environment in either a fully on-premise or hybrid setup.

If someone compromises the organization, that actor will have only limited access to a limited subset of all the data the platform can see. Doti enforces document-level permissions at the data source. Each resource Doti retrieves is checked every time to ensure the user is allowed to access that information. Doti also developed a layer called "spaces," where specific data is bound to specific users. This means only the intended users can access that information.

The platform has both direct and indirect prompt injection guardrails to prevent leakage of unauthorized information.

As part of the launch, Doti AI also raised $7 million in seed funding led by F2 Venture Capital and several angel investors. Doti AI was founded in January 2024 by Matan Cohen and Opher Hofshi, who have experience in enterprise software and cybersecurity. They were both at Wix — where Cohen was the former software group manager and Hofshi was the former security architects team leader — where they saw firsthand the impact of "organizational information chaos" in large, fast-paced organizations.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Source

DARKReading