Critical security flaw in SonicWall SMA 1000 appliances (CVE-2025-23006) exploited as a zero-day. Rated CVSS 9.8, patch immediately…

Critical security flaw in SonicWall SMA 1000 appliances (CVE-2025-23006) exploited as a zero-day. Rated CVSS 9.8, patch immediately to protect systems.

**SonicWall** has identified a critical security flaw in its Secure Mobile Access (SMA) 1000 Series appliances, which it believes has been exploited as a zero-day vulnerability. Learn about the vulnerability, impact, and how to mitigate the risk.

SonicWall issued a security advisory (SNWLID-2025-0002) on January 22nd, 2025, urging customers to address a critical zero-day vulnerability (**CVE-2025-23006)** impacting its Secure Mobile Access (SMA) 1000 Series appliances. Microsoft Threat Intelligence Centre discovered the flaw.

The vulnerability, rated 9.8 out of 10.0 on the CVSS scoring system, occurs due to improper handling of untrusted data during deserialization in the AMC (Appliance Management Console) and CMC (Central Management Console) components of the SMA 1000. Deserialization is a technical term for converting a stream of data back into a usable format. 

In this case, attackers can exploit weaknesses in how the SMA 1000 handles external data, possibly injecting malicious code to execute arbitrary commands on the system. The consequences of exploiting this vulnerability are severe. A successful attack could allow remote, unauthenticated attackers to gain complete control over affected devices. 

Moreover, attackers could steal sensitive information stored on the appliance, including user credentials, configuration data, or even confidential business documents, and may manipulate or disable critical system functions, rendering the appliance inoperable. Furthermore, a compromised SMA 1000 appliance could be used as a launching pad for further attacks within the network. 

Under certain conditions, this flaw could allow remote attackers to execute arbitrary commands, potentially compromising confidentiality, integrity, and availability.

SonicWall, a provider of secure remote access solutions for organizations like managed security service providers, enterprises, and government agencies, has been notified of potential active exploitation by unknown threat actors and urges customers to apply the fixes promptly. Germany’s CERT-Bund has also **issued advisories** (PDF) for immediate patch implementation, citing online exposure of 2,380 SMA1000 devices on Shodan.

Here’s what SonicWall recommended in its **advisory**:

*   Apply the Hotfix Immediately: Update your SMA 1000 appliance to the latest hotfix version (12.4.3-02854 or higher) to patch the vulnerability.

*   Restrict Access to Management Consoles: As a temporary workaround, limit access to the AMC and CMC consoles to trusted sources only. Refer to the SMA 1000 Administration Guide for best practices on securing these consoles.

This vulnerability exclusively impacts SonicWall SMA 1000 Series appliances running version 12.4.3-02804 (or earlier). SonicWall Firewalls and SMA 100 series products are not affected.

In a comment to Hackread.com, Bugcrowd founder **Casey Ellis** described the vulnerability as “gnarly” and emphasized that it reflects a broader trend of attackers increasingly targeting weaknesses in remote access systems and network devices.

_“_This vulnerability is gnarly and continues the trend of targeting vulnerabilities in Remote Access systems and network concentrators. Aside from patching, organizations should ensure that management interfaces for the SMA 1000, or any other device for that matter given the cluster of vulnerabilities, research, and exploitation, are not publicly accessible._“_

1.  **UNC5820 Exploits FortiManager 0-Day Flaw (CVE-2024-47575)**
2.  **Millions of Email Servers Exposed Due to Missing TLS Encryption**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **Fake PoC Exploit Targets Cybersecurity Researchers with Malware**
5.  **Zendesk’s Subdomain Registration Exposed to Pig Butchering Scams**

SonicWall SMA Appliances Exploited in Zero-Day Attacks

Cary, North Carolina, 26th January 2025, CyberNewsWire

**Cary, North Carolina, January 26th, 2025, CyberNewsWire**

INE Security, a leading global provider of cybersecurity training and certifications, today announced a new initiative designed to accelerate compliance with the Department of Defense’s (DoD) newly streamlined Cybersecurity Maturity Model Certification (CMMC) 2.0. This initiative aims to assist Defense Industry Base (DIB) contractors in swiftly adapting to the updated certification standards, which are critical to securing and maintaining defense contracts.

With the DoD’s reduction of CMMC levels from five to three, the path to compliance has become more direct but not less demanding. Recognizing the urgency for contractors to comply without delay, INE Security is offering a guide to strategic compliance acceleration. This includes a comprehensive checklist and guidance on how to implement the compliance requirements. 

> “The DoD’s updated framework requires greater clarity and speed in the compliance process than ever before,” said Dara Warn, CEO of INE Security. “At INE Security, we recognize the challenges organizations face in navigating the complexities of CMMC compliance. Our goal is to empower organizations to not only meet but exceed their compliance objectives by providing them with the tools and strategies needed for a faster and smoother journey. We are committed to simplifying the path to compliance, enabling our clients to focus on what they do best: securing their operations and contributing to our national defense.”

**Certification Requirements**

Each level carries its own stringent requirements, ranging from broad in scope at Level 1 to highly specialized at Level 3. Organizations can use this checklist to track progress and identify areas requiring attention before assessment. 

**Level 1 Certification Requirements**

**Technical Controls**

*   Basic password management
*   Access control implementation
*   Information integrity checks
*   Basic endpoint protection

**Documentation Needs**

*   System security policies
*   Access control documentation
*   Asset inventory
*   Basic security procedures

**Assessment Preparation**

*   Self-assessment documentation
*   Evidence collection
*   Policy review
*   Annual review planning

**Level 2 Certification Requirements**

**Technical Controls**

*   Multi-factor authentication
*   Network segmentation
*   Security monitoring tools
*   Incident response capabilities
*   Audit logging systems

**Documentation Needs**

*   System Security Plan (SSP)
*   Configuration management plans
*   Incident response procedures
*   Risk assessment documentation
*   POA&M development

**Assessment Preparation**

*   Third-party assessment readiness
*   Evidence compilation
*   Technical demonstrations
*   Staff interview preparation
*   Control validation testing

**Level 3 Certification Requirements**

**Technical Controls**

*   Advanced threat detection
*   Security orchestration
*   Continuous monitoring
*   Zero-trust implementation
*   Advanced access control

**Documentation Needs**

*   Enhanced SSP
*   Threat modeling documentation
*   Advanced security procedures
*   Risk management framework
*   Continuous monitoring plan

**Assessment Preparation**

*   Government assessment readiness
*   Advanced evidence compilation
*   Security control testing
*   Personnel training records
*   Program effectiveness metrics

**Implementation Guidance**

Successfully navigating the compliance requirements of CMMC 2.0 demands a structured approach to implementation and preparation. Each step, from initial technical review to mock assessments, is designed to build upon the previous, ensuring a seamless path to CMMC certification. 

**Technical Control Implementation**

*   Reviewing current architecture
*   Identifying gaps in controls
*   Developing implementation plan
*   Testing controls in staging
*   Deploying to production
*   Validating effectiveness

**Documentation Best Practices**

*   Using standard templates
*   Including revision history
*   Maintaining clear procedures
*   Documenting configurations
*   Tracking changes
*   Regular reviews

**Assessment Readiness**

*   Internal pre-assessment
*   Documentation review
*   Technical validation
*   Staff preparation
*   Evidence organization
*   Mock assessment

**How INE Security Helps Organizations Accelerate Compliance**

**Technical Training**

*   INE Security’s comprehensive technical training program provides hands-on experience through practical labs focused on control implementation and security tool configuration. Structured learning paths cover essential skills in network security implementation and monitoring system setup, giving users real-world experience with the tools and techniques required for CMMC compliance.

**Assessment Preparation**

*   Organizations can prepare confidently for CMMC assessment with INE Security’s practical scenarios and technical training tools. The training helps students master control validation exercises and provides thorough interview preparation guidance, ensuring students are prepared and the assessment process is smooth. 

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Director of Global Strategic Communications and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Alert: Expediting CMMC 2.0 Compliance

UnitedHealth Group has confirmed that a ransomware attack targeted its subsidiary, Change Healthcare, in February 2024, impacting 190…

UnitedHealth Group has confirmed that a ransomware attack targeted its subsidiary, Change Healthcare, in February 2024, impacting 190 million Americans. Discover the key details, impact, and implications of US history’s largest healthcare data breach.

UnitedHealth Group has confirmed that a ransomware attack that targeted its subsidiary, Change Healthcare, in February 2024, has impacted an estimated 190 million individuals in the United States. 

This significantly surpasses earlier estimates of around 100 million (PDF), making it the largest medical data breach in the US’s history. To give you an idea, this breach is 2.5 times larger than the 2015 Anthem Inc. data breach, which had exposed 78.8 million records.

It is worth noting that Change Healthcare is a major player in the healthcare technology sector, and handles a substantial volume of sensitive health and medical data, including patient records and healthcare claims, clearing nearly 40% of all medical claims annually.

The breach, attributed to the ALPHV aka Black Cat ransomware group, exploited a compromised account lacking multi-factor authentication and used compromised credentials on Citrix remote-access software to gain unauthorized access to Change Healthcare’s systems. The attack resulted in a reported $872 million financial impact and 6TB of sensitive data exfiltration. It took months for the company to restore systems.

While UnitedHealth claims no evidence of misuse of the stolen data despite hackers having access to the stolen data for almost a year, it is still concerning because the breach exposed sensitive medical records. This includes health insurance details, patient diagnoses, test results, and treatment information.

In addition, attackers stole sensitive personal data, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical records. Following the attack, the company paid $22 million in ransom to prevent further data leaks.

Reportedly, BlackCat scammed the affiliate “Notchy” who conducted this breach, pocketing the ransom payment without paying their share. In response, the affiliate collaborated with RansomHub, attempting to extort Change Healthcare further, but no additional payments were made, leaving the stolen data in cybercriminals’ hands.

The impact of this breach extends far beyond the immediate theft of data. It disrupted healthcare services across the country, causing significant operational challenges and raising concerns about patient privacy and data security. A survey by the American Hospital Association revealed severe financial and patient care impacts of this breach with 94% of US hospitals bearing financial losses, nearly 40% of hospitals facing difficulty accessing care due to authorization delays and 67% of hospitals finding switching clearinghouses very difficult.

In adherence to the Health Insurance Portability and Accountability Act (HIPAA), UnitedHealth Group has notified most affected individuals about the February 2024 ransomware attack.

The incident has raised concerns about patient data security and healthcare sector vulnerabilities and highlighted the urgent need for implementing advanced cybersecurity measures to protect sensitive information and mitigate such threats.

1.  **Equifax Hack Exposes SSNs of 143M Americans**
2.  **Israeli firm leaks addresses of millions of Americans**
3.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
4.  **Apria Healthcare Major Data Breach Impacting 1.8M Users**
5.  **3 Billion Public Records with American SSNs Leaked Online**

UnitedHealth Group’s Massive Data Breach Impacts 190 Million Americans

Cybersecurity researchers discovered 270,000+ lines of American National Insurance customer data leaked online, potentially linked to the 2023…

Cybersecurity researchers discovered 270,000+ lines of American National Insurance customer data leaked online, potentially linked to the 2023 MOVEit breach. Learn about the exposed data and how to protect yourself.

SafetyDetectives’ Cybersecurity Team discovered a forum post on Breach Forums, a clear web platform for data breaches, where a threat actor shared a link to a database containing 279,332 lines of sensitive data allegedly belonging to the American National Insurance Company (ANICO). This data, apparently from the 2023 data breach, includes customer and some employee information.

For your information, American National Insurance Company, headquartered in Galveston, Texas, employs over 4,600 people and generates over $1.1 billion in annual revenue through its subsidiaries. The leaked data, available in a .CSV file, is still available on the forum to download. The exposed information includes:

*   Customer Data: Account ID, Status, Email Address, Full Name, Date of Birth, Age, Gender, Marital Status, Generation, Occupation, Phone, Language, Full physical address, Inforce Premium Amount, Inforce Premium Amount Annuity, Type of Policy.

*   Employee Data: Years In Force, Agent Name, Agent Email, MLGA/RGA Name, MLGA/RGA Email. 

SafetfyDetectives research suggests a strong connection between the 2023 MOVEit breach and the recent data exposure of American National Insurance Company. ANICO has publicly acknowledged being impacted by a cyberattack involving MOVEit, a file transfer application developed by Progress Software.

This indicates that the company’s systems were vulnerable to exploitation through the MOVEit vulnerability. The Cl0p ransomware group, known for exploiting the MOVEit vulnerability in numerous attacks, was specifically mentioned in ANICO’s investigation. In August 2023, the Cl0p ransomware group had listed the company as a victim. 

“Thus, it is possible that American National’s recent filing with the Texas Attorney General is referring to a MOVEit breach. However, this has not yet been confirmed by the American National,” SafetyDetectives’ blog post read.

While a separate report from data breach lawyers at Console & Associates, P.C., suggests the exposure of Social Security Numbers, financial account information, and medical information during the 2023 breach, the data shared on the forum does not explicitly confirm this.

Nevertheless, the exposure of this sensitive information poses significant risks to individuals. Malicious actors could use personal information like Social Security numbers and financial details to impersonate individuals and commit fraud.

In contrast, the disclosure of medical information could lead to discrimination or misuse. Moreover, the exposed data could be used to launch targeted phishing attacks, tricking victims into revealing more personal information or clicking on malicious links.

Considering these dire consequences, it is recommended that individuals change passwords for compromised accounts and enable two-factor authentication. It is also essential to remain cautious of phishing attempts, review privacy settings on social media, and closely monitor bank accounts and credit reports for unauthorized activity.

If you suspect identity theft or fraud, report the incident to local law enforcement and relevant authorities. Also, check out this article to stay protected from online fraud.

1.  **US Auto Insurance Price Site RateForce Leaks PII Data**
2.  **Cl0p Ransomware Exploits Cleo Flaw, Threatens Data Leaks**
3.  **13GB Data of Automobile Insurance Giant AA Exposed Online**
4.  **66K Affected in SIM-Swapping Attacks on US Insurance Giants**
5.  **3 Billion National Public Data Records with SSNs Leaked Online**

American National Insurance Company (ANICO) Data Leaked in MOVEit Breach

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to fund weapons programs. Stay alert, and report fraud.

Federal prosecutors in the United States have charged five individuals, including two North Korean nationals, for their roles in a scheme that tricked U.S. companies into **hiring North Korean IT workers**.

According to the Department of Justice (DOJ), the operation funneled hundreds of thousands of dollars to the North Korean government, which, other than **using hackers to steal cryptocurrency**, has been using such tactics to evade sanctions and fund its weapons programs.

The indicted individuals include North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. citizens Erick Ntekereze Prince and Emanuel Ashtor. They are accused of using stolen identities and fraudulent documents to **pose as legitimate US-based IT professionals**, securing remote jobs with at least 64 American companies.

In a **detailed indictment** (PDF), the DOJ outlined that the group operated from April 2018 to August 2024, using fake identities and falsified documents to bypass hiring checks. Once employed, they allegedly transferred payments amounting to at least $866,255 from ten companies through a Chinese bank account to cover the money trail.

Fake documents used in the scam (Via US DoJ)

A key element of the operation, according to the DOJ’s **press release**, involved “laptop farms,” where company-issued computers were received at U.S. locations and set up with remote access software. This allowed North Korean operatives to control the devices from abroad, creating the impression that the workers were based in the United States.

The scheme came to light following an FBI investigation that led to the recent arrests of Prince and Ashtor in the U.S., while Alonso was apprehended in the Netherlands earlier this month.

All five defendants face charges that include conspiracy to commit wire fraud, identity theft, and money laundering. If convicted, they could face up to 20 years in prison.

****Repeated Pattern****

North Korea has long relied on cyber operations to generate revenue for its government. Thousands of IT workers, primarily based in China and Russia, have been deployed to secure freelance work under false identities. According to U.S. officials, these workers can earn up to $300,000 per year, collectively bringing in millions to support the country’s military ambitions.

To achieve this, they take advantage of online job platforms, social media, and payment services, often using unsuspecting individuals in the U.S. to help move money and avoid detection. In July 2024, cybersecurity firm **KnowBe4 was tricked** by a North Korean hacker posing as an IT worker whose next step was to load malware on a company-issued Macbook.

In response, the U.S. government has issued several warnings to businesses about the risks associated with hiring remote IT workers. The FBI and other agencies have **published guidelines** to help companies spot red flags and protect themselves from falling victim to similar scams.

Authorities are also urging businesses to stay alert when hiring remote workers and to report any unusual activity to the FBI. They emphasize the importance of protecting company data and following international sanctions to help stop this type of fraud.

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Russian hacker tried hiring Tesla worker for malware attack**
3.  **Hackers used fake job website to scam jobless US veterans**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**

US Charges Five in North Korean IT Worker Hiring Scam

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive data via Telegram-based C&C.

CloudSEK has discovered a new campaign involving a Trojanized version of the **XWorm RAT** builder. The malware spread through various channels, including file-sharing services (like Mega and Upload.ee), Github repositories (such as LifelsHex/FastCryptor and FullPenetrationTesting/888-RAT), Telegram channels (including HAX\_CRYPT and inheritedeu), and even Youtube and other websites. 

This campaign resulted in compromising over 18,459 devices globally. The stolen data included sensitive information like browser credentials, Discord tokens, Telegram data, and system information from the compromised devices.

“This builder provides attackers with a streamlined tool to deploy and operate a highly capable RAT, which features advanced capabilities like system reconnaissance, data exfiltration, and command execution,” CloudSEK’s **blog post** authored by the company’s Threat Intelligence Researcher, Vikas Kundu, revealed.

Threat actors specifically distributed a modified XWorm RAT builder to target inexperienced attackers (aka **Script Kiddies**). Once installed, the malware exfiltrated sensitive data like browser credentials, Discord tokens, Telegram data, and system information from the victim’s device. It also boasted advanced features like virtualization checks, the ability to modify the registry, and extensive command and control capabilities.

Furthermore, this malware relies on Telegram for its command and control functionality. It used bot tokens and Telegram API calls to receive commands from the attacker and exfiltrate stolen data.

Researchers were able to identify and leverage a “kill switch” functionality within the malware. This functionality was used to disrupt operations on active devices infected with the malware. However, this approach had limitations. Offline machines and Telegram’s rate limiting mechanisms prevented complete disruption.

Based on the investigation, researchers were able to link the threat actor to aliases “@shinyenigma” and “@milleniumrat.” Additionally, they were able to identify associated GitHub accounts and a ProtonMail address.

It is worth noting that XWorm has become a persistent threat with Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) **reporting** its usage in Russian cyber operations against Ukraine in the first half of 2024. 

To protect against such threats, organizations and individuals should use Endpoint Detection and Response (EDR) solutions to detect suspicious network activity and even malware identification.

Additionally, network monitoring using Intrusion Detection and Prevention Systems (IDPS) can block communication between infected devices and the malicious C&C server on Telegram. Proactive measures like blocking access to known malicious URLs and enforcing application whitelisting can prevent malware from being downloaded and executed.

**RELATED ARTICLES**

1.  **P2PInfect: Self-Replicating Worm Hits Redis Instances**
2.  **FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs**
3.  **Fake 7-Zip Exploit Code Traced to AI-Generated Misinterpretation**
4.  **NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT**
5.  **Black Basta-Style Attack Hits Inboxes with 1,165 Emails in 90 Minutes**

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This article analyses the attack techniques, the capabilities of the SlowStepper malware, and the growing threat posed by this sophisticated APT group. 

Cybersecurity firm ESET has identified a new China-aligned Advanced Persistent Threat (APT) group, dubbed “PlushDaemon,” behind a cyber espionage operation targeting South Korea.

The attack camaign nvolved a **supply chain compromise**, where attackers infiltrated the legitimate update channels of IPany, a popular South Korean VPN software. PlushDaemon then replaced genuine installers with trojanized versions, which upon download and execution, deployed both the legitimate IPany VPN software and a custom backdoor named SlowStepper.

This means, by replacing the genuine installer with a trojanized version, PlushDaemon successfully embedded a malicious backdoor within the software. As per ESET’s **research**, SlowStepper is a feature-rich backdoor boasting over 30 modules. It is designed for extensive surveillance and data collection.

Written in C++, Python, and Go, the malware possesses a wide range of capabilities, including stealing sensitive data such as system information, user credentials, and network configurations, recording audio and video, enabling attackers to monitor their targets’ activities, and gathering detailed information about the victim’s network environment.

Webpage on the IPany site where the malicious installer was available for download (Via ESET)

In addition, the backdoor features advanced persistence mechanisms, such as deploying files that ensure the continued presence of SlowStepper on infected systems and utilizing legitimate tools to sideload malicious code. The trojanized installer utilize advanced communication methods to connect with command-and-control (C&C) servers.

Instead of embedding IP addresses directly within the malware, SlowStepper crafts DNS queries to retrieve TXT records containing base64-encoded, AES-encrypted C&C server addresses. This multi-layered approach makes detection more challenging.

While ESET telemetry revealed manual downloads of the compromised software, suggesting a broad targeting strategy, the attack specifically focused on entities within South Korea’s critical semiconductor and software industries. The timely intervention of ESET, which alerted IPany to the compromised installer, prevented further widespread infection. 

Although only recently discovered, researchers believe the PlushDaemon APT has been active since 2019, consistently building a diverse and powerful arsenal of tools. The sophistication of SlowStepper and the successful execution of this supply chain attack highlight the growing threat posed by this actor. 

To stay safe from these cyber espionage groups there is an urgent need for continuous monitoring. Organizations must prioritize software update channel security and implement stringent verification procedures to ensure the integrity of all updates. Additionally, proactive **threat intelligence** sharing are vital for identifying and mitigating such attacks before they inflict damage.

1.  **Hackers cloned NordVPN website to drop banking trojan**
2.  **Hackers clone ProtonVPN website with password stealer**
3.  **Fake VPN website delivering password-stealing malware**
4.  **N. Korean APT37 Unleashes Dolphin Backdoor on S. Korea**
5.  **Dark web hackers selling S. Korean, US payment card data**

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes…

Abnormal Security uncovers GhostGPT, an uncensored AI chatbot built for cybercrime. Learn how it boosts cybercriminals’ abilities, makes malicious activities easier to execute, and creates serious challenges for cybersecurity experts.

Artificial intelligence (AI) has revolutionized countless industries, but its potential for misuse is undeniable. While **AI models like ChatGPT** have shown immense promise in various fields, their power can be easily exploited by threat actors through malicious AI chatbots like GhostGPT.

In late 2024, AI-powered email security solutions provider Abnormal Security uncovered this new AI chatbot designed specifically for cybercriminal activities. Dubbed GhostGPT, this malicious AI tool, readily available through platforms like Telegram, empowers cybercriminals with unprecedented capabilities, from crafting sophisticated phishing emails to developing sophisticated malware.

Unlike **traditional AI models** constrained by ethical guidelines and safety measures, GhostGPT operates without such restrictions. This unfettered access to powerful AI capabilities allows cybercriminals to generate malicious content, such as sophisticated phishing emails and malicious code, with unprecedented speed and ease. 

According to Abnormal Security’s analysis, GhostGPT is likely designed using a wrapper to connect to a **jailbroken version of ChatGPT** or an open-source LLM, removing ethical safeguards. This allows GhostGPT to provide direct, unfiltered answers to sensitive or harmful queries that traditional AI systems would block or flag.

This tool significantly lowers the barrier to entry for cybercrime. No longer requiring specialized skills or extensive technical knowledge, even less experienced actors can leverage the power of AI for malicious activities and launch more sophisticated and impactful attacks with greater efficiency.

Furthermore, GhostGPT prioritizes user anonymity, claiming that user activity is not recorded. This feature appeals to cybercriminals seeking to conceal their illegal activities and evade detection.

“GhostGPT is marketed for a range of malicious activities, including coding, malware creation, and exploit development. It can also be used to write convincing emails for business email compromise (BEC) scams, making it a convenient tool for committing cybercrime,” Abnormal Security’s **blog post** revealed.

GhostGPT’s easy availability on Telegram makes it highly convenient for cybercriminals. With a simple subscription, they can immediately start using the tool without the need for complex setups or technical expertise.

Abnormal Security researchers tested GhostGPT’s capabilities by creating a convincing **Docusign phishing** email template. The chatbot demonstrated its ability to trick potential victims, making it a powerful tool for anyone intending to use AI for malicious purposes.

GhostGPT on Telegram (left) – GhostGPT’s ad (right) – (Credit: Abnormal Security)

This is not the first time a chatbot has been created for malicious purposes. In 2023, researchers identified two other harmful chatbots, **WormGPT** and **FraudGPT**, which were used for criminal activities and caused serious concerns within the cybersecurity community.

Nevertheless, the rise in GhostGPT popularity, evidenced by thousands of views on online forums, indicates a growing **interest in AI by cybercriminals**, and the need for innovative cybersecurity measures. The cybersecurity community must continuously innovate and evolve its defences to stay ahead of the curve.

1.  **Malicious Abrax666 AI Chatbot Exposed as Potential Scam**
2.  **AI Generated Fake Obituary Websites Target Grieving Users**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Facebook Phishing Scam: Messenger Chatbots Stealing Logins**
5.  **Mozilla 0Din Warns of ChatGPT Flaws Enabling Python Execution**

Meet GhostGPT: The Malicious AI Chatbot Fueling Cybercrime and Scams

Memcyco’s AI-based solution enables organizations of all sizes to better protect their customers from phishing, impersonation fraud and…

Memcyco’s AI-based solution enables organizations of all sizes to better protect their customers from phishing, impersonation fraud and online scams.

New York, NY / January 23, 2025 / Memcyco has announced its next-generation digital impersonation protection solution, the latest innovation in its suite of protection solutions. The next-gen offering fundamentally changes how scam-targeted organizations not just detect, but disrupt digital impersonation attempts and fraud attacks in real time, protecting themselves and their customers.

Digital impersonation attacks have become one of the most common attacks for cybercriminals in recent years, utilizing various attack vectors such as phishing emails and websites or malicious ads to lure unsuspecting users to fake websites, where they are tricked into giving away sensitive personal and financial information.

A report from Egress revealed that impersonation was the most widespread phishing tactic in 2024, while Verizon’s 2024 Data Breach Report indicated that it only takes users 21 seconds to click on a phishing link, and 28 seconds to submit sensitive data.

Traditional scan-and-takedown solutions, and even recent solutions based on prediction, are detached from the real-time evolution of attacks, inhibiting their ability to fully protect companies and their users. Memcyco changes this dynamic, enabling companies to be present at the time of attacks by identifying them as soon as they begin and tracing them from start to finish, thanks to its proprietary, AI-based “nano defenders” and device DNA technology.

By closely monitoring the incident timeline, Memcyco’s agentless software is uniquely able to aggregate events as the attack unfolds, presenting them in a comprehensible, easy-to-consume manner. Companies are able to accelerate their investigations with real-time reports and take down phishing sites with unprecedented speed before any damage is done — and more importantly, protect their customers while the phishing attacks are unfolding until the takedown is completed, and beyond.

Among other techniques, Memcyco protects companies and their customers who visit phishing sites impersonating their brands by scrambling the sensitive information they enter, instead sending marked, decoy data to the attackers.

Memcyco also offers the option for companies to use red alert pop ups that warn users who visit an impersonated version of their site. In all events, Memcyco provides full details of the attack, including the identity of each individual victim, the attacker, and the type and scope of the attack committed.

With its next-gen solution, Memcyco offers a new approach to combating digital impersonation attacks, combining real-time protection with real-time visibility, generating previously unobtainable insights into the attackers and their methods and enhancing company incident reporting and investigative capabilities.

From a financial perspective, Memcyco helps companies save exponentially by decreasing operating expenses, reducing fraud damages (including reimbursement costs), and shielding revenue.

“Memcyco’s proactive solutions enable organizations to go on the offensive and keep themselves and their customers safe,” said Israel Mazin, co-founder, CEO and Chairman of Memcyco. “With our next-gen platform, companies gain sophisticated tools that allow them to seek out and take down malicious actors before they can launch their attacks, while achieving compliance with new customer protection regulations. It’s an entirely new way of combating phishing and digital impersonation that throws attackers into disarray.” 

Furthermore, Memcyco is one of the only solutions that, in addition to protecting companies, also provides customer protection, which is a glaring blindspot in cybersecurity. Its breakthrough capabilities raise this bar, reinforcing companies’ reputations as trustworthy brands that always have their customers’ backs. 

****About Memcyco****

Memcyco provides AI-driven solutions that protect businesses and their customers from fraud scams emanating from digital impersonation tactics. Its patented technology enables real-time, proactive defense and visibility, securing revenue and brand reputation in an increasingly digital world.

With a focus on transactional websites across industries such as financial services, retail, and airlines, Memcyco helps companies maintain trust with their customers and proactively defend against emerging phishing threats.

Memcyco Announces Next-Gen, AI Solution to Combat Fraud and Impersonation Attacks in Real Time

ChatGPT Outage: Service Down on Jan 23, 2025. Learn about the potential causes (DDoS or technical glitch) and…

ChatGPT Outage: Service Down on Jan 23, 2025. Learn about the potential causes (DDoS or technical glitch) and the latest updates from OpenAI on the service disruption.

ChatGPT, a popular large language model chatbot developed by OpenAI is currently experiencing an outage. Users attempting to access the service are encountering “**503 Service Temporarily Unavailable**” and “**Bad gateway – The web server reported a bad gateway error**” error messages on both desktops and smartphones.

According to ChatGPT’s **status page**, the outage began around 3:33 AM PST on Thursday, January 23rd, 2025. The status page indicates that OpenAI is aware of the issue and is currently investigating the cause. A “Bad Gateway” error means the server you’re trying to reach couldn’t get a proper response from another server it needs to communicate with.

ChatGPT right now (Credit: Hackread.com)

OpenAI has not yet commented on whether the outage is the result of a technical glitch or a distributed denial-of-service (DDoS) attack. A DDoS attack is a malicious attempt to overwhelm a website or service with traffic, making it unavailable to legitimate users.

Given its massive user base of over 200 million weekly active users, ChatGPT is a prime target for cyberattacks. In February 2024, a group called Anonymous Sudan **claimed** responsibility for a DDoS attack that coincided with another service outage.

At this time, it is unclear how long the outage will last. OpenAI has provided updates on their status page throughout the morning, indicating that they are working to resolve the issue.

The information available on the status page does not definitively identify the cause of the outage. While a DDoS attack is a possibility, it is also equally possible that the outage is due to a technical glitch.

For your information, the sudden onset of the outage and the “503 Service Temporarily Unavailable” error message could be indicative of a DDoS attack. However, there is no confirmation from OpenAI to support this.

On the other hand, technical glitches can also cause outages. The fact that OpenAI has identified the issue and is implementing a fix suggests it might be a technical issue.

This is the second time since December 2024 that ChatGPT has experienced service outages. **Last month**, both the company’s video generation model, Sora, and the Chatbot suffered several hours of service interruptions.

Nevertheless, this is a developing story, and we will continue to provide updates as they become available.

Source

HackRead