SUMMARY Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains.…

****SUMMARY****

*   **Cybersecurity firm watchTowr discovered over 4,000 active hacker backdoors relying on expired domain names.**

*   **These backdoors are pre-existing entry points on already compromised systems, allowing new actors to exploit previous breaches.**

*   **By registering these expired domains, watchTowr observed compromised systems “phoning home,” including government hosts in multiple countries.**

*   **The research highlights a concerning trend of attackers exploiting abandoned backdoors left by other hackers, creating a “hacking-on-autopilot” scenario.**

*   **Many older web shells, tools used for remote access, contain built-in mechanisms that unintentionally expose compromised systems through callbacks to now-expired domains.**

Cybersecurity researchers at watchTowr have identified over 4,000 live hacker backdoors, exploiting abandoned infrastructure and expired domains. These backdoors, hidden in compromised systems worldwide, have exposed a huge network of vulnerable government and educational institutions.

The investigation began when watchTowr registered over 40 expired domains, previously used by hackers, and set up logging servers to track incoming requests. The team collected 300MB of data, revealing a network of compromised hosts, including government-owned systems in Bangladesh, China, Nigeria, and more.

The researchers discovered that hackers had been using these abandoned backdoors to gain access to thousands of systems, without investing effort in identifying and compromising them. This technique has been termed by researchers as a _“mass-hacking-on-autopilot”_ approach, allowing hackers to commandeer and control compromised hosts, potentially leading to devastating consequences.

One notable example, according to watchTowr’s technical report shared with Hackread.com, is a backdoor linked to the Lazarus Group, a notorious hacking collective associated with North Korea. The researchers found over 3,900 unique compromised domains using this backdoor, which was designed to load a .gif image from the logging server, leaking the location of the compromised system.

**Simple Explanation**

To understand this better, consider the concept of a “web shell.” These are essentially small snippets of code secretly placed on a web server after a successful breach. They act as remote control panels, allowing attackers to execute commands, manage files, and even deploy further malicious tools.

Historically, these web shells often included mechanisms that “phoned home” to a specific domain or server controlled by the attacker. When that domain expires and is re-registered by someone else, those “phone calls” are now answered by an unexpected recipient.

Older web shells, like the infamous “r57shell” and “c99shell,” while outdated, still appear to be in use. Interestingly, some of these older shells even contained built-in backdoors _for the shell’s creator_. This meant that even if the initial attacker secured their access with a password, the original author could still gain entry using a secret “master key.” This highlights a history of the hacking community itself having a somewhat chaotic approach to security.

In one example, researchers observed a web shell constantly sending the login credentials (in plain text!) to a domain that watchTowr now controlled. The attacker believed they had secured their access, but the very tool they were using was betraying them.

One of the sites with a live Shell – This time it is a c99shell (Via watchTowr)

The report also highlights the vulnerability of government institutions, with compromised systems found in the Federal High Court of Nigeria and other government entities. The researchers emphasize that these findings demonstrate the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

****Dangerous Situation****

The watchTowr team warns that problems like this will persist, with consequences for software updates, cloud infrastructure, and SSLVPN appliances. The report also highlights that even attackers can make mistakes, as demonstrated by another research from researchers at vpnMentor. They identified high-profile groups, such as ShinyHunters and Nemesis, that exploited AWS buckets to steal over 2 terabytes of sensitive data. In the process, these groups inadvertently exposed their own S3 buckets.

The good news is that The Shadowserver Foundation has agreed to take ownership of the implicated domains and sinkhole them, preventing further exploitation. The watchTowr team’s research serves as a crucial reminder of the importance of responsible infrastructure management and the need for increased awareness about the risks of abandoned and expired domains.

1.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
2.  **Controller flaws let hackers physically damage moving bridges**
3.  **US and Europe Account for 73% of Global Exposed ICS Systems**
4.  **Thousands of Exposed ICSs in US and UK Threaten Water Supplies**
5.  **“Revolver Rabbit” Hacker Uses RDGA to Register 500,000 Domains**

Thousands of Live Hacker Backdoors Found in Expired Domains

Fortinet uncovers a new PayPal phishing scam exploiting legitimate platform features. Learn how this sophisticated attack works and how to protect yourself from falling victim.

****SUMMARY****

*   **Phishing Scam Targets PayPal**: Scammers exploit PayPal’s system to link victim accounts to unauthorized addresses.

*   **Legitimate-Looking Emails**: The scam uses real-looking emails and valid PayPal login pages to deceive users.

*   **Microsoft365 Exploit**: Attackers use MS365 domains to send PayPal money requests, bypassing phishing filters.

*   **Account Takeover**: Victims unknowingly link their PayPal accounts to the scammer, risking financial loss.

*   **Stay Safe**: Avoid unsolicited emails, verify URLs, and enable 2FA to protect your PayPal account.

Fortinet’s FortiGuard Labs has identified a sophisticated PayPal phishing scam targeting unsuspecting users by exploiting a loophole in the platform’s system. According to Fortinet’s CISO (Chief Information Security Officer) Carl Windsor, the scam leverages legitimate PayPal functionality to trick users into linking their accounts to unauthorized addresses, potentially granting attackers control over their finances.

The attack utilizes a seemingly legitimate email, often with a valid sender address and a genuine-looking URL. However, the true danger lies within the email’s content. It directs recipients to a legitimate PayPal login page, prompting them to log in to investigate a supposed payment request.

Screenshot of the actual phishing email (Via Fortinet’s FortiGuard Labs)

Further probing revealed that the scammer registered an MS365 test domain and created a Distribution List containing victim emails (Billingdepartments1gkjyryfjy876.onmicrosoft.com), then sent a legitimate PayPal money request to all recipients. 

They added the list to the PayPal web portal and distributed it to targeted victims. The Microsoft365 SRS rewrite scheme rewrites the sender to pass the SPF/DKIM/DMARC check. It is worth noting that Microsoft365 SRS (Sender Rewriting Scheme) is a feature in Microsoft 365 that rewrites the sender address of an email message.

Once the victim logs in, the scammer’s account is linked to the victim’s account, allowing them to take control of the victim’s PayPal account, a trick that bypasses PayPal’s phishing check instructions.

“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look,” Windsor wrote in a blog post.

This new phishing scam highlights the importance of cybersecurity awareness. Users must be cautious of unsolicited emails, avoid clicking on links or attachments from unknown senders, hover over links to verify URLs, and never enter login credentials on websites unless certain of the authenticity. Enabling two-factor authentication (2FA) on PayPal accounts can further enhance security.

1.  **PayPal Notifies 35,000 Users of Data Breach**
2.  **PayPal Users hit with “Suspicious Activity” Phishing Scam**
3.  **Microsoft, PayPal, Facebook most targeted brands in phishing**
4.  **World Bank SSL Certificate Hacked to Host PayPal Phishing Scam**
5.  **DocuSign API Abused to Evade Spam Filters with Phishing Invoices**

New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails

SUMMARY Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools…

****SUMMARY****

*   **Sophisticated Scam in the Middle East**: Cybercriminals are posing as government officials to carry out refund scams, using remote access tools like AnyDesk and TeamViewer to steal victims’ personal and financial information.

*   **Scam Process**: Victims are contacted via phone, asked to download legitimate remote access software, and unknowingly grant access to their devices, exposing sensitive data such as card details and OTPs.

*   **Targeted Victims and Impact**: The scam focuses on individuals who have lodged complaints with government services portals, making it easier for scammers to gain their trust. Average losses per victim are around $1,300, with some losing as much as $5,000.

*   **Potential Inside Job**: The scam’s effectiveness suggests possible insider involvement, as scammers appear to have access to government complaint data.

*   **Prevention and Awareness**: Individuals should avoid downloading remote access software or sharing sensitive information during unsolicited calls. Government and financial institutions must enhance security measures and educate the public about social engineering risks.

Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools and software to steal personal and financial information from victims in the Middle East.

The modus operandi of the scam involves these scammers posing as government officials, gaining the trust of their targets by offering to help them claim refunds for unsatisfactory purchases. In return, scammers end up collecting personal details from victims including personal information, card data, and the one-time passwords (OTPs) necessary for online transactions.

****The Call****

The scam begins with a phone call from scammers claiming to be a government representative. The victim is required to download a legitimate remote access application, such as AnyDesk or TeamViewer, which allows them to access the victim’s device. Once access is granted, these scammers can view the victim’s screen and capture sensitive information, including credit card details and one-time passwords (OTPs).

How it works (Via Group-IB)

The scammers use this information to make online purchases or recharge local e-wallets, often using 3D-secured transactions to avoid detection. The average loss per transaction is estimated to be around $1,300, although some victims have reported losses of up to $5,000.

The scam is particularly effective because it targets individuals who have previously submitted complaints to government services portals. The scammers use this information to gain the victim’s trust, making it more likely that they will cooperate with the scam.

Although it’s unclear how the scammers gained access to the complainant, it suggests the possibility of an inside job involving government officials. Group-IB has been tracking this scam and reports that it is widespread in the Middle East. The company believes that having access to customers’ real-time information can also be possible due to the widespread use of inforstealers like META, Redline, Vidar and Formbook.

The company’s analysts have identified several key features of the scam, including the use of remote access software and the targeting of victims who have submitted complaints to government services portals.

Screenshot of two of the genuine complaints (Via Group-IB)

To avoid falling victim to this scam, individuals are advised to be careful when receiving unsolicited phone calls from government officials. It is also important to be wary of requests to download remote access software or provide sensitive information over the phone.

Tools like AnyDesk and TeamViewer, originally developed for legitimate assistance purposes, can become major threats in the wrong hands. Last year, thousands of compromised AnyDesk login credentials were sold on the dark web. Similarly, TeamViewer has been exploited in several high-profile cyberattacks, including the attempted water supply poisoning in Oldsmar, Florida, in 2021.

Government agencies and financial institutions can also take steps to prevent this scam. This includes implementing stronger security measures to protect against account breaches and theft, as well as educating customers about the risks of social engineering attacks.

1.  **Hackers Sending Fake Tax Refund Emails with Malware**
2.  **Black Basta Ransomware Uses MS Teams to Spread Malware**
3.  **FireScam Infostealer Spyware Hits Android via Fake Telegram**
4.  **Fake TeamViewer download ads distributing new ZLoader variant**
5.  **TeamViewer Abused to Obtain Remote Access, Deploy Ransomware**

Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps

Millions of email servers worldwide remain alarmingly vulnerable to cyberattacks due to a critical security oversight: the absence of Transport Layer Security (TLS) encryption.

**SUMMARY**

*   **Critical Oversight in Email Servers**: Over 3.3 million email servers worldwide lack TLS encryption, leaving usernames, passwords, and email content vulnerable to interception during transmission.

*   **Top Affected Regions**: The U.S. has nearly 900,000 exposed servers, followed by Germany (500,000+) and Poland (380,000+), highlighting the global scope of the issue.

*   **Vulnerability Details**: POP3 and IMAP protocols, commonly used for email access, are at risk when not secured with TLS, enabling eavesdropping and dictionary attacks.

*   **Mitigation Steps**: ShadowServer urges organizations to enable TLS, review the necessity of these protocols, or move services behind a VPN to secure email communications.

*   **Broader Security Recommendations**: Experts stress the importance of advanced measures like strong password policies, regular audits, and proactive monitoring of external attack surfaces for robust email system protection.

A recent investigation by ShadowServer has uncovered a critical security flaw affecting millions of email servers worldwide. The study revealed a staggering 3.3 million POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) servers operating without **Transport Layer Security** (TLS) encryption.

This lack of encryption renders these servers susceptible to attacks like data interception and dictionary attacks, where attackers attempt to guess common usernames and passwords. The United States leads in the number of vulnerable hosts, with nearly 900,000 exposed. Germany and Poland follow closely with over 500,000 and 380,000 vulnerable servers, respectively. 

****Why did the issue occur?** **

Two primary protocols facilitate email access: POP3 (Post Office Protocol 3), which downloads emails to the user’s device, and IMAP (Internet Message Access Protocol), which allows access from multiple devices. The vulnerability arises when these protocols operate without TLS, leaving the communication channel open for eavesdropping.

For your information, TLS is a fundamental security protocol that encrypts communication channels, ensuring the confidentiality and integrity of data exchanged over the Internet. Its absence in these email servers exposes them to **significant risks**.

Without TLS, user credentials and email content are transmitted in plain text, making them easily accessible to anyone monitoring the network traffic. This not only compromises user privacy but also opens the door to **password-guessing attacks**, where attackers can systematically try common passwords to gain unauthorized access to email accounts.

The Shadowserver Foundation urges affected organizations to immediately enable TLS support for their IMAP/POP3 services. They also recommend evaluating the necessity of these services and considering alternative solutions like moving them behind a **Virtual Private Network** (VPN).

However, while enabling TLS encryption is crucial, it’s essential to recognize that it alone cannot prevent all attacks. You must adopt advanced and reliable security measures, including stronger password policies and regular security audits, to safeguard email systems from evolving threats.

> We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).
> 
> It's time to retire those! pic.twitter.com/Iw9cZPxshg
> 
> — The Shadowserver Foundation (@Shadowserver) December 31, 2024

Martin Jartelius, CISO at Outpost24 commented on the issue stating, _“_As always, a reminder for all that keeping an eye on your external attack surface and ensuring that things are, and remain, configured appropriately is a simple and cost-effective security control._“_

_“_Most modern email clients will use opportunistic TLS, meaning they start by attempting encrypted connections, so the de facto impact of this is in parts mitigated provided a system also supports encrypted options. But one should not rely on the connecting clients for the security of the exchange as the primary control_,”_ Martin added.

1.  **New EmailGPT Flaw Puts User Data at Risk**
2.  **Mailcow Patches Critical XSS and File Overwrite Flaws**
3.  **How to Recover Deleted Emails from Exchange Server?**
4.  **DNS Tunneling Used for Stealthy Scans and Email Tracking**
5.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
6.  **Future of Phishing Email Training for Employees in Cybersecurity**

Millions of Email Servers Exposed Due to Missing TLS Encryption

Critical security vulnerabilities have been found in Moxa cellular routers and network security appliances. Learn about CVE-2024-9138 &…

Critical security vulnerabilities have been found in Moxa cellular routers and network security appliances. Learn about CVE-2024-9138 & CVE-2024-9140, including privilege escalation and OS command injection risks. Find mitigation strategies and affected products.

Moxa, an industrial networking and communications provider, has identified a critical vulnerability in its cellular routers, secure routers, and network security appliances, allowing remote attackers to gain root privileges and execute arbitrary commands, potentially leading to code execution.

In its security advisory, MPSA-241155, Moxa addresses two critical vulnerabilities, CVE-2024-9138 (8.6, high severity) and CVE-2024-9140 (9.3, critical severity), identified by Lars Haulin and found to be affecting its routers and network security appliances.

**CVE-2024-9138** exploits hard-coded credentials, allowing an authenticated user to escalate privileges to the root level. This could lead to severe consequences, including system compromise, unauthorized modifications, data exposure, and service disruption. 

On the other hand, **CVE-2024-9140** is an OS Command Injection vulnerability, which allows attackers to exploit special characters in input to execute arbitrary commands on the system. This flaw is particularly dangerous because remote attackers can exploit it to gain unauthorized control over the device. 

The advisory provides detailed information on affected products and firmware versions, along with recommended solutions such as firmware upgrades, which can be checked **here**.

Moxa has confirmed that the vulnerabilities do not affect the MRC-1002 Series, TN-5900 Series, and OnCell 3120-LTE-1 Series. For products without immediate firmware updates available, the advisory recommends mitigating the risks by minimizing network exposure, limiting SSH access, and implementing intrusion detection or prevention systems. Their advisory emphasizes the importance of promptly addressing these critical vulnerabilities to maintain the security and integrity of the affected device

The rise in vulnerabilities affecting routers and network security appliances in recent years demonstrates the necessity for continuous caution and proactive security measures.

Hackread recently reported VulnCheck’s **discovery** of a new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), stemming from a weakness in the router’s system time adjustment functionality. This flaw allowed attackers to remotely execute commands on vulnerable devices.

Censys research earlier **identified** 14 vulnerabilities in DrayTek Vigor routers, allowing attackers to potentially control network devices and launch further attacks. The most impacted regions included Taiwan, Vietnam, Germany, the Netherlands, and the United Kingdom.

Now the Moxa vulnerabilities, with their potential for privilege escalation and remote code execution, further highlight the rising severity of such vulnerabilities. These flaws can allow attackers to gain unauthorized control over devices, disrupt critical operations, steal sensitive data, or use compromised devices as launching points for further attacks.

Therefore, promptly addressing these vulnerabilities through firmware updates, implementing strong access controls, and **regularly reviewing** and updating security configurations are crucial for maintaining a secure network environment.

**John Bambenek**, President at Bambenek Consulting commented on the issue stating, “It has not been a good year for network devices and one of the vulnerabilities being flagged as a device having hard-coded default credentials really begs the question of how these devices end up shipped to the world with no apparent security auditing._“_

_“_If organizations cannot patch, they should restrict inbound access to the devices themselves to prevent exploitation,_“_ John advised_._ _“_This is a reminder for ICS/OT companies to do some basic security hygiene to prevent against these and other as of yet undisclosed vulnerabilities._“_

1.  **TheMoon Malware: 6,000 Asus Routers Hacked in 72 Hours**
2.  **Critical Flaw Exposes Four-Faith Routers to Remote Exploitation**
3.  **D-Link home routers plagued with multiple critical vulnerabilities**

Critical Vulnerabilities in Moxa Routers Allow Root Privilege Escalation

Philadelphia, Pennsylvania, 7th January 2025, CyberNewsWire

**Philadelphia, Pennsylvania, January 7th, 2025, CyberNewsWire**

Security Risk Advisors today announced it has become a member of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their solutions with Microsoft Security technology to better defend mutual customers against a world of increasing cyber threats.

Security Risk Advisors (SRA) is a leading cybersecurity firm dedicated to providing comprehensive security solutions to businesses worldwide. With a commitment to maintaining the highest ethical standards, SRA offers a range of services including security testing, security program development, 24×7 monitoring and response. Joining MISA represents a significant milestone, demonstrates the company’s ability to deliver impactful security solutions while increasing adoption of their SCALR XDR offering and helping clients maximize their investment in Microsoft Security technologies.

Security Risk Advisors’ SCALR™ XDR is both a platform, built on Microsoft Azure and a 24×7 monitoring service with Microsoft Sentinel. SCALR™ uses a security data lake architecture to minimize SIEM costs, maximizing the user’s ability to store security events, and accelerate search and hunting capabilities. The SCALR™ XDR service is enhanced by SRA’s distinctive Purple Teams & Threat Resilience Benchmarks powered by VECTR™.

> “We are honored that Microsoft has recognized SRA’s expertise and proven track record by welcoming us into the Microsoft Intelligent Security Association (MISA). This achievement further energizes our commitment to empowering clients to adopt and optimize Microsoft Security technologies, enhancing their threat management programs and overall security posture.”

– Tim Wainwright, CEO, Security Risk Advisors

> “I am pleased to have Security Risk Advisors join us as a member of the Microsoft Intelligent Security Association (MISA). By including our strategic Managed Security Services Providers (MSSPs) in MISA, we help enable further collaboration between cybersecurity industry leaders in protecting and supporting our joint customers.”

– Parri Munsell, Senior Director, Security Partner Marketing

Established in 2018 to bring together Microsoft leaders, ISVs, and MSSPs, MISA focuses on collaborating to combat security threats and create a safer environment for all. Its mission is to provide intelligent, industry-leading security solutions that work together to help protect organizations at the speed and scale of AI in an ever-increasing threat landscape.

Partners who are interested in learning more can visit the MISA Website: Microsoft Intelligent Security Association.

**About Security Risk Advisors:**

Security Risk Advisors offers Purple and Red Teams, Cloud Security, Penetration Testing, OT Security and 24x7x365 Cybersecurity Operations. Based in Philadelphia, SRA operates across the USA, Ireland and Australia. To learn more: https://sra.io.

**Contact**

**Marketing Lead**  
**Kim Sandberg**  
**Security Risk Advisors**  
**\[email protected\]**

Security Risk Advisors joins the Microsoft Intelligent Security Association

Ramat Gan, Israel, 7th January 2025, CyberNewsWire

**Ramat Gan, Israel, January 7th, 2025, CyberNewsWire**

CyTwist, a leader in advanced next-generation threat detection solutions, has launched its patented detection engine to combat the insidious rise of AI-generated malware.

The cybersecurity landscape is evolving as attackers harness the power of artificial intelligence (AI) to develop advanced and evasive threats. The rise of AI-generated malware and AI-enhanced cyberattacks has escalated the threat landscape, leaving traditional defenses struggling to keep up. Businesses now face the critical challenge of adapting to this new era of cyber warfare, characterized by speed, sophistication, and adaptability.

**The Threat of AI-Driven Cyberattacks**

AI has altered the dynamics of cyber conflict, enabling attackers to execute sophisticated operations previously associated with state-sponsored entities. AI-generated phishing emails, adaptive botnets, and automated reconnaissance tools are now common components of cybercriminal tactics. These technologies bypass signature-based defenses and mimic legitimate behavior, making detection more challenging.

For example, in a recent attack on French corporates and government agencies, an AI-engineered malware exploited advanced techniques like COM hijacking and encrypted payloads, enabling attackers to remain undetected for extended periods, exfiltrate sensitive data, and establish long-term persistence within the network. This incident highlights three key risks of AI-driven attacks:

·      Sophistication: AI allows attacks to evolve in real-time, rendering static defenses obsolete.

·      Speed: Automated reconnaissance and attack execution drastically reduce the time needed to breach networks and execute the attack.

·      Evasion: AI-generated threats mimic human behavior, complicating detection for security teams.

In response to this growing challenge, CyTwist has developed a patented detection engine that identifies stealthy, AI-driven attack campaigns and malware that bypass traditional security tools, including leading EDR and XDR solutions. By leveraging advanced behavioral analysis, CyTwist Profiler identifies new and emerging threats in real time, stopping attackers before they can cause harm.

**CyTwist: Advanced Defense Against AI-Generated Threats**

CyTwist recently demonstrated its advanced detection capabilities during a red team simulation with a major telecommunications provider. The exercise mirrored the sophisticated techniques observed in the recent attack on French organizations and government agencies, employing AI-generated malware with encryption and evasion tactics. While the existing security tools failed to detect the attack, CyTwist’s solution identified malicious activity within minutes.

The head of incident response at the telecom operator highlighted the tool’s value, stating “We were impressed by CyTwist’s capability of detecting sophisticated, AI-generated malware that our EDR had failed to pick up. CyTwist provided the critical insights we needed to detect the attack in time, adding a valuable security layer against AI-generated threats.”

This simulation underscored the importance of adopting advanced technologies to address modern cyber challenges.

> “The use of AI in cyberattacks is reshaping the threat landscape, enabling attackers to operate elusively and at speed, capable of gliding past traditional security solutions. Our patented detection engine is specifically engineered to address these challenges.” Said Eran Orzel, CEO of CyTwist.

**Strategies for Mitigating AI-Generated Threats**

As organizations face increasing threats from AI-driven attacks, proactive strategies are essential. Key recommendations include:

**1\. Adopting Advanced Detection Technologies:** Traditional detection tools are not always sufficient defense against the dynamic nature of modern cyber threats. Modern detection tools that leverage AI, machine learning, behavioral analytics, and anomaly detection are needed to uncover threats missed by traditional approaches.

**2\. Prioritized Rapid Detection and Response:** Speed is critical when responding to AI-driven threats. Continuous monitoring and automated response systems enable swift containment of threats and real-time triage tools help security teams focus on critical alerts and ignore the noise.

**3\. Enhanced Resilience Through Security Frameworks:** Building adaptive security frameworks that integrate advanced detection tools will enable a response to emerging threats in real time. Regular training for security teams is needed to build the skills to counter the latest AI-driven attack methods.

CyTwist’s patented detection engine represents a significant advancement in addressing AI-enhanced cyber threats, providing organizations with the tools needed to navigate this increasingly complex landscape.

To learn more about CyTwist’s cutting-edge solutions, users can visit cytwist.com or reach out via \[email protected\].

**About CyTwist**

CyTwist is an advanced cybersecurity solution, specializing in next-generation threat detection and response. Its patented detection engine enables organizations to stay ahead of evolving threats, providing unmatched protection against stealthy, AI-generated attacks and novel malware. CyTwist was founded by a team of experienced cybersecurity professionals and former intelligence officers who bring extensive expertise in counterintelligence and cybersecurity.

In an era where attackers leverage AI to outpace traditional defenses, CyTwist Profiler provides a critical layer of security, enabling organizations to detect, investigate, and neutralize threats before they cause harm.

**Contact**

**CEO**  
**Eran Orzel**  
**CyTwist**  
**\[email protected\]**

CyTwist Launches Advanced Security Solution to identify AI-Driven Cyber Threats in minutes

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of…

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of US telecom companies breached by Chinese state-sponsored hackers in the Salt Typhoon campaign.

The list of telecommunications companies compromised in the **Salt Typhoon cyberattack** continues to grow, with recent reports naming Charter Communications, Consolidated Communications, and Windstream as the latest victims of Chinese government espionage. 

This follows previous confirmations from **AT&T, Verizon, T-Mobile**, and Lumen Technologies, as earlier reported by Hackread.com, that their networks had been breached. According to Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, Chinese hackers have targeted nine US telecoms, with the latest three remaining unclear.

The Wall Street Journal **reported** that Chinese spies exploited vulnerabilities in network devices from Fortinet and Cisco to gain unauthorized access to these telecom networks. In some cases, attackers gained control of high-level network management accounts lacking multi-factor authentication, granting them access to several routers. This access allowed them to potentially monitor network traffic and cover their tracks.

This incident has prompted several government-level security developments. The US Department of Treasury **recently sanctioned** a Chinese cybersecurity company for its role in another cyberattack, and the US government is taking steps to strengthen the security of American telecom infrastructure.

These measures include increased scrutiny by the FCC, legislative efforts to enhance security, and recommendations for individuals and organizations to improve their cybersecurity practices.

Moreover, given the ongoing wave of Salt Typhoon’s breaches, the US Cybersecurity and Infrastructure Security Agency (CISA) is advising government officials to switch to end-to-end encrypted messaging apps like Signal. 

The latest revelation highlights the growing threat of Chinese cyberattacks on US infrastructure, with the Salt Typhoon campaign indicating a shift from traditional espionage to more disruptive activities. Experts urge organizations in international business or critical infrastructure to enhance their cybersecurity defences.

**Chris Hauk**, Consumer Privacy Champion at Pixel Privacy commented on the latest development stating, _“_Possible targets of these Chinese attackers need to immediately follow the steps outlined by the FBI and NSA to help harden their systems against attack. Actually, any organization would be advised to follow the steps._“_

_“_Patching and upgrading apps and devices, limiting the types of connections and privileged accounts, and only using strong encryption, are just some of the steps organizations can take to harden their systems against attack_,”_ Chris added.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **CISA – FBI: Chinese Hackers Compromised US Telecom Networks**
3.  **US Charges 5 Suspected MGM Hackers from Scattered Spider Gang**
4.  **Microsoft: Chinese Flax Typhoon uses legit tools for cyber espionage**
5.  **Chinese Hackers Breach US Firm, Maintain Network Access for Months**

US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers

US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets…

US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets and banning US dealings.

The US Treasury Department has **sanctioned** Integrity Technology Group, a Beijing-based company, accusing it of involvement in cyberattacks against American infrastructure. The decision, announced on January 3, 2025, has escalated tensions between the US and China over cybersecurity issues.

****What’s Behind the Sanctions?****

Integrity Technology Group, also known as Yongxin Zhicheng Technology Group, is alleged to have worked closely with the Chinese state-sponsored hacking group “**Flax Typhoon**.” US officials claim the company played a key role in cyber activities targeting government systems, businesses, and critical infrastructure. Over 250,000 devices worldwide were reportedly compromised in these incidents.

The sanctions freeze the company’s assets in the US and prohibit American entities from doing business with it. By cutting off financial ties, the US aims to limit the group’s resources for continuing cyber operations.

****Official Statements and Responses****

The US government has **stated** that these actions are part of ongoing efforts to protect national security and hold cyber offenders accountable. Treasury Secretary Janet Yellen commented, “This sends a clear message to entities enabling malicious cyber activity: we will not tolerate these actions.”

China, however, has rejected the accusations. A spokesperson for the Chinese Foreign Ministry called the sanctions “baseless” and accused the US of deflecting blame for its own cybersecurity issues. Integrity Technology Group has denied the allegations, claiming it operates within legal bounds and condemning the sanctions as damaging to its reputation.

****What This Means for Businesses****

The sanctions warn international companies and organizations about the risks of associating with entities involved in cyber activities. US companies, in particular, are urged to reassess their supply chains and partnerships to avoid unintentional involvement with blacklisted groups.

The case also highlights the growing use of economic measures to address cybersecurity threats, signaling a shift in how nations respond to cyber attacks.

As cyber threats are evolving, such measures will likely become more common. Businesses and governments worldwide are expected to increase their focus on building stronger cybersecurity protection. For individuals and organizations, staying informed about these developments is more important than ever to protect against similar risks.

This story is developing, and further updates will be provided as more information becomes available.

1.  **US Sanctions Chinese Cybersecurity Firm over Firewall Exploit**
2.  **U.S. Treasury Imposes Sanctions on ISIS Cybersecurity Experts**
3.  **US Sanctions Intellexa Spyware Network Over National Security**
4.  **Linux Kernel Project Drops 11 Russian Developers Amid Sanctions**
5.  **China’s Salt Typhoon Hacks AT&T, Verizon, Accessing Wiretap Data**

U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

****SUMMARY****

*   **Sophisticated Phishing Tool**: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.

*   **Real-Time Data Exploitation**: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.

*   **Advanced Features**: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.

*   **Global Impact**: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.

*   **Mitigation Strategies**: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.

Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.

The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have created a new WordPress plugin, PhishWP, to create fake payment pages. Instead of processing payments, they steal credit card numbers, expiration dates, CVVs, and billing addresses.

PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication. 

In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.

This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.

Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity. 

To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities to create attacks as per the specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.

Screenshot from the Russian hacker forum (Via SlashNext)

Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.

To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.

Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development stating _“_WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details._“_

1.  **US Marshals Service Data Sold on Russian Hacker Forum**
2.  **New Rockstar 2FA Phishing Kit Targets Microsoft 365 Accounts**
3.  **Military Satellite Access Sold on Russian Hacker Forum for $15K**
4.  **Android Botnet Nexus Being Rented Out on Russian Hacker Forum**
5.  **Network access to Pakistan’s top fed agency sold on Russian forum**

Source

HackRead