The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

Several recent schemes were uncovered involving poker players at casinos allegedly using miniature cameras, concealed in personal electronics, to spot cards. Should players everywhere be concerned?

Matt Berkey was becoming suspicious.

Berkey, a 42-year-old poker pro known for his presence in some of the highest-stakes cash games in Las Vegas, was playing in a well-known casino poker room over the summer. One player in the game who wasn’t particularly familiar to Berkey and other regulars at the table, but who was believed to be an amateur based on his play style, was displaying some strange behavior.

For one, the player was wearing earbuds—typically a no-no in these kinds of semi-private games where many players have existing friendships.

“Nobody has headphones on during our games,” Berkey says. “The player in question had headphones in, so that’s already a bit off.”

The player’s style of play also raised some alarms.

Texas Hold’em, the game being played, features two individual cards dealt to each player, plus five community cards dealt in stages to the center of the table. Players combine their own cards with the community cards to make the best possible five-card poker hand. There are four rounds of betting: One before any communal cards are dealt, one after the first three communal cards are spread at once (the part of the game known as “the flop”), one after the fourth communal card (“the turn”), and one more after the fifth and final communal card (“the river”).

Berkey noticed that, despite presenting as an amateur who was clearly the least skilled player at the table, the suspicious player never seemed to lose on the river. When he was in a hand that reached that point, he always either folded or showed the winning hand—one of the first red flags seasoned poker players have come to recognize in suspected cheating situations. As the thinking goes, cheaters with knowledge of their opponents’ cards prefer to wait until all communal cards are dealt before making large bets, allowing them to do so with perfect information about who holds the best hand, which often isn’t certain until that final card.

“Playing all rivers perfectly over an eight-hour sample—that’s an anomaly that isn’t really statistically possible, especially from a recreational player,” Berkey says. “When you start to see things that don’t add up, like the least skilled player in the game never showing down a losing hand, that kind of begins to trigger your suspicions.”

The player also had his phone and earbuds case arranged around him, with the case on the felt and his phone on the rail that runs along the table’s edge. While occasional phone usage at poker tables is normal, that kind of arrangement is unusual and is even something many casinos have guarded against for years. Berkey began to wonder if this game was falling victim to a new cheating scheme that word had been spreading about in high-stakes circles for months: Hidden cameras placed at felt level, capturing the faces of cards as they’re dealt and transmitting that intel to an accomplice, who then relays it back to the player at the table through an earpiece.

Berkey also noticed that the player always seemed to sit in the seats directly to the left of the casino’s dealer, even across multiple days and playing sessions. That furthered suspicions, as the rumored cheating method required a player to be in these seats to maximize camera visibility.

Berkey says he quietly alerted other regulars of his suspicions, and the game eventually broke down, but not before the player had made enormous profits. “Not just for his skill level but for the stakes he was playing,” Berkey says. “He was up hundreds of thousands of dollars playing a $10,000 buy-in game.”

Berkey says he and the other regulars in the game flagged the incident to casino staff, but they are unsure what, if any, action was taken. Security for the casino declined to comment on this incident.

Several other such incidents involving the same suspected cheating method have been rumored in various locations over the past 18 months, including one other instance WIRED verified independently. (Specific casinos where these incidents are alleged are not being named in this story to protect the safety of players who confirmed the incidents occurred.) This form of cheating is now a known concern to high-stakes poker players everywhere.

But each of these rumored incidents has lacked a “smoking gun”—proof of the measures, methods, and equipment the cheaters were using to see the cards being dealt. That is, until recently. A breaking case in France has provided revealing new evidence, fueling concerns that this cheating method is rampant around the globe and may be more advanced than anyone had assumed.

What kinds of modern technology can facilitate such a scheme? Should poker players at all levels, not just high-stakes pros, be worried about scofflaws attempting it in games they play, and what can be done to prevent it?

The recent scandal sounds like a rejected _Ocean’s_ movie script.

Following tips of suspicious behavior at a major casino in Enghien-les-Bains, French police with the Central Racing and Gaming Service (SCCJ) launched an elaborate in-person and video surveillance operation around two suspected players at both blackjack and Ultimate Texas Hold’em poker (a type of poker played against the casino rather than against fellow players). Though they were initially in the dark about the method being used, investigators soon noticed a pattern.

“They were putting \[something\] beside the \[dealing\] shoe,” Stéphane Piallat, commissioner of SCCJ, alleges to WIRED, referring to the tabletop container a dealer pulls from to draw new cards. “But it was quite difficult to understand why.”

Both players were arrested inside the French casino in late July after weeks of surveillance, with police recovering a variety of items from both their person and their hotel rooms (including ID cards from casinos around Europe that suggested a prolonged scheme). The technology seized by law enforcement amazed even a seasoned gambling fraud officer like Piallat, both for its ingenuity and its relative simplicity.

The players had allegedly modified existing smartphone cameras with simple mirrors, allowing them to capture footage on a phone’s camera sensor laterally, while the phone was in a flat position. Sitting in the seat nearest to the dealer’s shoe, they placed these devices either on the felt (concealed in some situations by a hat or another piece of clothing) or within pockets of their own clothing (with tiny holes cut out to afford the camera a view of the cards). Police say they used these devices to capture card faces as they were dealt from the shoe—a stunning realization given that casino shoes are quite literally designed to prevent card exposure by allowing the dealer to slide new cards directly onto the felt. Clearly, some exposure was still being captured.

“It’s quite incredible,” Piallat says. “They didn’t need to mark cards … Those cards were normal cards.”

Police also recovered basic communication devices that transmitted these feeds to an outside accomplice, believed to be sitting in the casino parking lot. (As of WIRED’s interview with French police, this accomplice remains at large.) The accomplice is thought to have relayed information about which cards the dealer was holding back to their partner at the table, but not through a standard earbud.

“This device is so small that you can’t take it off with your fingers,” Piallat says of the hearing device recovered by police. “You need a magnet to pull it off, otherwise you can’t do it. It looks like a typical James Bond movie device.”

Due to the ongoing nature of the investigation, police declined to provide any pictures or further details about the specific items used to facilitate this scheme. A simple look at available technology, though, offers a number of cheap, simple candidates, including several that don’t require pairing with a phone or any other large device.

“The same kind of modules that are used in your iPhone or your DSLR, you can just buy them,” says John Coles, the director of technology for the VR company Rezzil, who has also spent years working in camera and broadcast technology.

The alleged cheaters in France used simple techniques to conceal their cameras, like hiding the devices in their clothing, but much more robust options exist on the open market. A device that looks like a battery charger may not cause alarm if it was spotted sitting on a poker or blackjack table, at least in casinos where devices are generally allowed (some have stopped allowing any devices on tables); one can find a 4K, Wi-Fi capable “hidden camera powerbank” on Amazon. (It’s marketed as a “nanny camera” for surveilling your child’s babysitter, naturally.) Even smaller options exist, like a “spy camera pen” or a pinhole camera that could easily be inserted into various items. And that’s just a fraction of the true marketplace, says Coles: “If that’s what you know about publicly, the stuff that exists behind closed doors is like 10 times what you’re aware of.”

“You could probably build that into a lighter,” Coles says of a typical tiny camera rig. “There are lighters and pens that have modules integrated that still work as those items so they’re less conspicuous.”

For bad actors at traditional poker tables that feature “pitch”-style dealing instead of a more secure casino shoe, the video quality demands are even lower. Card faces are visible for exponentially longer when pitched from a dealer’s hand situated a foot or so above the card table.

The transmission element of the scheme is similarly attainable using today’s technology. You can buy a “mini spy earpiece” from Amazon that receives signals from an inductive coil for just $18. An entire industry of earpieces appears to exist for exam cheating purposes, from tiny Bluetooth earpieces that connect to a phone to setups contained within glasses and pens. It’s easy to imagine these methods converted for use in cheating at the card table, especially when aided by basic video-calling technology and access to the Wi-Fi networks offered at most casinos. In fact, while police say the suspects in France allegedly used separate devices for capture and transmission, Coles believes it would be simple enough to handle the entire operation with a single device.

“I think it’s kind of surprising that a lot of these things don’t happen sooner, to be perfectly honest,” Coles says, noting that many of these cameras, earpieces, and transmitters have existed for a decade or more.

“You could do it with a very cheap investment,” Piallat says. “You won’t need a lot of money.”

Clearly, these schemes are out there and available. So should poker players everywhere be concerned?

Mini-camera cheating is now an open secret in the poker community, from its references in forums to an entire August episode from Berkey’s _Only Friends_ podcast that covered the alleged methods in detail. And if casinos and law enforcement weren’t aware of it much earlier, they certainly are now; Piallat confirmed to WIRED that his unit dispersed information about the case around the globe through Interpol networks.

What can casinos, players, and law enforcement do about it, though?

The first step is simple vigilance, something all these parties are well-versed in. Policing of suspicious players happens at casino level. WIRED independently confirmed a separate alleged incident at a different casino in June that included an individual reportedly earning seven-figure profits before disappearing. The alleged cheater in this case hasn’t been seen since, and Berkey wonders if he was banned from this and possibly other casinos.

“It would seem as though the Vegas casinos have acted,” Berkey says.

Those are retroactive measures, though; what about stopping this cheating as or before it happens?

Some Vegas casinos, per multiple sources, have begun banning phones from being set down at felt level on tables. Many casinos have long had policies prohibiting phone use during hands, and some have even banned phones entirely in prior years, and now these efforts are growing more widespread. However, with the knowledge that today’s miniature cameras can be built into lighters, pens, and other non-phone devices, is that enough of a safety measure? A true “no items on the table whatsoever” rule feels more prudent, but will casinos view that as too invasive toward their clientele? Then there’s a whole separate conversation about placing devices on the rail, which is where players rest their elbows and which sits slightly higher than the felt itself.

“There will be guys who want to watch the game at the table and have their phone propped up,” Berkey says. “That should just be fine. It’s a fine line; it’s a gray line.”

Berkey even suggested some sort of hybrid arrangement where phones or other devices are allowed so long as they sit behind chips or some other item that blocks their view of the felt. These solutions, though, also fail to account for rings or other jewelry that may contain a concealed camera.

The device removal tactic would have run into another big snag when the arrests in France took place: One of the suspects had nothing on the table at all. He allegedly concealed a camera in his clothing. If that scheme worked to capture card faces out of a dealer’s shoe, it would definitely work for the traditional dealer-pitch style used in Vegas.

The better long-term solution, one Berkey and others in the poker world support, involves retraining the dealers—a process that’s already begun.

The European Poker Tour has introduced a new form of dealer pitch known as slide dealing, where the deck remains on the table and the dealer slides each top card off individually to greatly minimize or eliminate any exposure. EPT tournament director Toby Stone directly cited issues of camera cheating as the impetus behind this change, which took effect within the past couple of months.

Casinos could take it even further; some have been cracking down for years. The Star casinos in Australia, for instance, have long used a modified version of a blackjack shoe meant for a single poker deck, which sits at the center of the table and allows cards to slide out from within it. This ostensibly makes it much harder to capture cards than from the traditional blackjack shoe placed at the very side of the table, closer to potential cameras. Anecdotally, these contraptions also seem to limit or eliminate other common risks like bottom-dealing or cards flipping over while being dealt.

While it might take time to retrain the world’s legion of poker dealers to mitigate these schemes, that could be the eventual outcome here.

“I’ve spoken to a few of the \[casino\] higher-ups, and it seems they’re all open to the idea of retraining dealers,” Berkey says.

Maybe even that eventual move wouldn’t completely eliminate mini camera cheating. As the suspects in France allegedly showed us, today’s video technology is truly amazing. Would you ever have guessed a mini camera could accurately capture which cards are being dealt during the split second they’re exposed as they’re pulled from a blackjack shoe?

Anyone putting their money down at a casino, particularly higher up the stakes spectrum, should at least be aware of the risk of bad actors—particularly in a game like poker, where your opponents are other patrons rather than the casino itself. Whether to combat this or any other potential scheme, a dose of diligence goes a long way.

“As long as there’s a fair game to be offered, there will be people who will try to corrupt it,” Berkey says. “The best we can do is continually work hard to keep the game as fair as possible.”

Poker Cheaters Allegedly Use Tiny Hidden Cameras to Spot Dealt Cards

Summary Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In…

**Summary**

*   **Large-Scale Hacking Operation Uncovered**: Researchers link ShinyHunters and Nemesis to an operation exploiting millions of websites to steal over 2 terabytes of sensitive data.

*   **Sophisticated Tools and Tactics**: Hackers used Python, PHP, AWS IP ranges, and tools like ffuf, httpx, and Shodan to automate and expand their exploitation across regions.

*   **Collaborative Mitigation Efforts**: Researchers worked with the AWS Fraud Team to notify affected users, implement mitigation measures, and identify individuals involved in selling stolen data on Telegram.

*   **Critical Discovery in Misconfigured S3 Bucket**: An open S3 bucket used by the hackers exposed their stolen data, tools, and even potential identities, offering a unique glimpse into their operations.

*   **Call for Stronger Cybersecurity Practices**: The incident shows the need for proper configurations to protect cloud environments and prevent such large-scale breaches.

Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In this operation, hackers exploited vulnerabilities in millions of websites and took advantage of misconfiguration to access sensitive information including customer data, infrastructure credentials, and proprietary source code.

According to Noam Rotem and Ran Locar, two independent researchers who conducted this research, these attacks were carried out from a French-speaking country. It is worth noting that one of the ShinyHunters members Le Français Sébastien Raoult (aka Sezyo Kaizen), a France national, was arrested in Morocco back in July 2022. In January 2024, he was sentenced in the US to three years in prison. However, after spending less than a year, the hacker returned to France just last week.

****Tools and Tricks****

In their report for vpnMentor, researchers explained that the hackers were able to extract critical keys and secrets, which provided them with access to valuable data including application databases. The operation utilised several scripting languages, including Python and PHP, alongside specialized tools like ffuf and httpx, to automate the exploitation process.

Furthermore, the hackers used publicly available AWS IP address ranges to search millions of targets. They also used Shodan, a search engine for internet-connected devices, to perform reverse lookups and identify domain names associated with the discovered IPs. This method especially expanded their reach, allowing them to find and exploit numerous endpoints across different regions.

Researchers then collaborated with the AWS Fraud Team to implement mitigation measures and notify affected customers. The investigation also identified the names and contact information of some individuals behind the incident, assisting in further actions against the culprits who are selling their stolen data in dedicated Telegram channels for hundreds of Euros per breach.

The breach led to the theft of over 2 terabytes of data, including AWS customer keys and secrets that allowed access to various AWS services, as well as database and Git credentials, exposing source code and sensitive databases. SMTP and SMS credentials were also stolen, enabling attackers to send phishing emails and spam messages.

Moreover, cryptocurrency wallets and trading platform credentials were compromised, granting access to digital assets and trading accounts, alongside social media and email accounts, jeopardizing personal and business communications.

****Link to ShinyHunters and Nemesis Groups****

Investigations traced the infrastructure of this operation back to the ShinyHunters and Nemesis hacking groups because the tools and scripts used by the attackers held similarities to those previously associated with ShinyHunters, a group known for breaches at major companies like Ticketmaster, AT&T, Mashable and many more. The group also owned and administrated the notorious cybercrime and data breach forum Breach Forums for a while.

Additionally, the now-seized Nemesis Blackmarket was identified as a marketplace where the stolen credentials and access keys were being sold, often fetching hundreds of Euros per breach on platforms like Telegram.

Attack Flaw (Via: vpnMentor)

****Hackers Exposed Their AWS Bucket While Hunting Exposed Databases****

One critical discovery was an open Amazon S3 bucket used by the attackers to store harvested data. This bucket acted as a shared storage space, mistakenly left unsecured by its owner, facilitating the easy collection and distribution of stolen information.

> _“The discovery provided a glimpse into the operations of a large-scale web-scanning operation, the code used by the attackers, and even the potential identities of the people behind it. Data harvested from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by its owner. The S3 bucket was being used as a “shared drive” between the attack group members, based on the source code of the tools used by them. These tools are documented in French and signed by “Sezyo Kaizen”._
> 
> Researchers

Jim Routh, Chief Trust Officer at Saviynt, emphasized the scale and technical prowess of these criminal groups stating, “ShinyHunters and Nemesis represent highly organized cybercriminal syndicates operating on a large scale for profit. They exploit vulnerabilities in cloud services, often taking advantage of enterprises that may not fully understand the complexities and security controls of cloud environments. The range of targeted information, from credentials and cryptocurrency wallets to source code and cloud account secrets, shows their broad and opportunistic approach.”

Routh also highlighted the irony that the attackers themselves made a critical mistake by leaving an AWS S3 bucket open, which ultimately led to the detection of their activities.

Nevertheless, this incident shows why proper configuration and implementing cybersecurity practices are important to protect your online infrastructure. It will be interesting to see if the details shared by researchers with authorities lead to arrests or further revelations about the individuals involved in the hacking spree.

1.  **ShinyHunters Leak 33M Twilio Authy Phone Numbers**
2.  **Canada Arrests Hacker Linked to Snowflake Data Breaches**
3.  **ShinyHunters’ Santander Bank Breach: 30M User Data for Sale**
4.  **ALBeast: Misconfiguration Flaw Exposes 15k AWS Load Balancers**
5.  **Hacker in $3 Billion SSN Leak Reveals Himself as Brazilian Citizen**

ShinyHunters, Nemesis Linked to Hacks After Leaking Their AWS S3 Bucket

The new film about an FBI agent chasing a white supremacist terror cell is based on a true story—and one that connects the headlines of 30 years ago to those of today.

In _The Order,_ director Justin Kurzel’s electric new film, Terry Husk, a haggard, possessed FBI veteran played by Jude Law, pores over a thin paperback with a blood-red cover, paging through diagrams of targeted killings, bombings, and a gallows erected in front of the United States Capitol.

“There are six steps in that book,” says a young sheriff deputized as his assistant, played by Tye Sheridan. He gives the Cliff Notes version as he scours the book, his eyes riveted.

“Recruiting,” he says. “Fundraising. Armed revolution. Domestic terror. Assassination.

“Number six is the day of the rope.”

The book is _The Turner Diaries_, a 1978 novel that depicts the violent overthrow of the American government by armed white supremacist insurgents and the extermination of people of color and Jews in a race war. Photocopied pages from it were found in Oklahoma City bomber Timothy McVeigh’s getaway car when he was apprehended by law enforcement.

Along with Husk and Bob Mathews—the founder of a murderous underground white supremacist guerrilla outfit that counterfeited money and robbed banks and armored cars, played by Nicholas Hoult—_The Turner Diaries_ is the third major character in _The Order_. Though Mathews formally named his group the Silent Brotherhood and claimed he took little inspiration from William Luther Pierce’s incendiary novel, he and his comrades did refer to their group as “The Order”—the same term used in the book for the protagonist’s genocidal militants.

The book’s crimson cover and lurid drawings resurface time and time again. Mathews reads excerpts to his young son before bedtime; a pastor at a neo-Nazi compound in Idaho proffers it to visiting law enforcement agents; and it turns up in the hands of FBI agents desperately seeking to plot out the insurgents’ next moves.

_The Order_ unearths a critical chapter in the history of the American extreme right largely forgotten by the general public. The murder of Jewish talk radio host Alan Berg in 1984 by two of Mathews’ acolytes brought the Order to national attention 30 years ago and inspired not one but two Hollywood films in that decade—_Betrayed_ and Oliver Stone’s _Talk Radio_. Since then, though, only close observers of prison gang and skinhead culture have had cause to track mentions of the Silent Brotherhood by tweaked-out Aryan Brotherhood killers or the annual “Martyrs Day” pilgrimage of Hammerskins from across the West Coast to Whidbey Island in the Puget Sound, where Mathews met his fiery death during a shootout with the FBI.

Now, as the country ponders a return to the 2016-2020 period, when Mathews’ ideological offspring ran riot from Oregon to Washington, DC, his saga is getting marquee billing.

While the film debuts almost a full decade into the American extreme right’s current revival, screenwriter Zach Baylin and producer Bryan Haas began developing the project back in 2016, before the deadly 2017 Unite the Right rally in Charlottesville, Virginia. Baylin tells WIRED that he and Haas stumbled on _The Turner Diaries_ while researching Ruby Ridge, the 1990s militia movement, and McVeigh (who slept with the book under his pillow) and casting around for a lesser-known story to explore the origins of American extremism.

“We were looking to encase the story of one of these groups inside a classic crime thriller,” Baylin says. They stumbled across _The Silent Brotherhood_, a 1989 book by reporters Kevin Flynn and Gary Gerhardt that traced the entire arc of Mathews’ crime spree, from his teenage radicalization through the John Birch Society and Phoenix militias all the way through his death and the subsequent criminal trials of his followers.

“The crimes the Order committed and the way the investigation unfolded, it had the framework of the kind of film that we’d been talking about,” he said.

Flynn and Gerhart’s book, which began with their coverage of Berg’s assassination in his driveway and followed the Order’s saga through the federal pursuit, investigation, and prosecution, is remarkably detailed. Once members of the group were up for trial, Flynn and Gerhart spent hours interviewing them in the Arapahoe County jail, gathering priceless material that allowed them to reconstruct the terrorist group’s inner workings in minute detail. Readers of the book, which is back in print (with a new title) after three decades off the shelves, will note the film’s fidelity to life, particularly in the robbery and heist scenes. However, for Flynn and Gerhardt—who died in 2015—the minutiae of Mathews’ terror campaign were a mechanism to engage audiences with a deeper, darker reality.

“We didn’t write the book for the details. We wrote it to expose the banality of evil, so readers could understand where these folks come from and how endemic it is in American society,” says Flynn, who reported for the Rocky Mountain News for nearly three decades before it shuttered in 2009. Since 2015, he has served as a city councilman in Denver.

_The Order_ is the sort of film America does not produce anymore. Its taut action scenes hearken back to _Heat_, _To Live and Die in L.A._, _The French Connection_, and Sidney Lumet’s police corruption canon (_Serpico_, _Prince of the City_, _Q&A_); the droning soundtrack does not overwhelm viewers; and Adam Arkapaw’s washed-out cinematography encapsulates both the grandeur and the intimidating solitude of the interior Pacific Northwest. The dialog is sparing, direct, and—in spite of Mathews’ grandiose promises of a renewed whites-only bastion in the Pacific Northwest—remarkably free of proselytizing.

For a movie shot in such wide-open landscapes, _The Order_ is tinged through with claustrophobia, a testament to the tension rife throughout Baylin’s writing and Kurzel’s meticulous direction. Like Al Pacino and Robert DeNiro in Michael Mann’s _Heat_, Hoult and Law only come face to face with each other a few times before their penultimate confrontation. However, Kurzel had both actors follow each other for a day and compile dossiers on their opposite number to develop a granular sense of how a manhunt actually functions.

“I wanted them to ask themselves, what does that feel like having a relationship with someone you’re trying to take down? You’re living with a phantom, in a way,” Kurzel says.

Law, whose slow-burn performance is unlike any prior role from his four decades on stage and screen, says the similarities between Husk and Mathews as two opposites of the same coin are at the core of _The Order_’s dramatic tension.

“They’re more alike than they’d ever admit—both are driven, charismatic, and know exactly how to manipulate those around them to achieve their goals,” he says. “Nicholas and I really leaned into that symmetry during our scenes together. It’s almost like they’re looking into a dark mirror—each recognizing qualities in the other that they either admire or fear. That underlying connection adds layers to their conflict, making it not just a clash of ideologies but also a deeply personal battle. It was fascinating to explore that tension with Nicholas.”

Mathews’ brief campaign of armed insurgency and domestic terrorism has continued to inspire generations of extremists in the United States and beyond, from McVeigh and the neo-Nazi bankrollers of the Aryan Republican Army to the killers of Germany’s National Socialist Underground, all the way through to contemporary groups like Atomwaffen Division, the Base and the Terrorgram Collective. The latter group, which federal law enforcement believes to be a “bold-letter, category one” domestic terrorism threat, circulates voluminous propaganda booklets that meld the ethos of _The Turner Diaries_ with Ted Kaczynski’s anti-industrial-civilization ethos and neo-Nazi occultism.

Terrorgram’s materials, which include viable bomb-making instructions, camouflage and tactical guides, and instructions on how to disable critical infrastructure like electrical substations, water treatment plants and dams, have radicalized at least one so-called “saint,” or mass shooter, and are alleged to have been connected to a series of power grid attacks in North Carolina as well as several active federal prosecutions.

“William Pierce doesn’t build bombs,” Mark Potok of the Southern Poverty Law Center, told Rolling Stone a quarter of a century ago. “He builds bombers.” In many ways, the Terrorgram Collective fulfills the same role now, and its publications have become the modern-day version of the _Turner Diaries_. Disseminated worldwide through the moderation-free wilderness of Telegram, the group’s message of hate and violence is now circulating independently of any organized group or ideology for disaffected, unbalanced “lone wolves” to latch onto as justification for future atrocities.

While _The Order_ remains firmly rooted in the past save for one passing reference to the 1995 Oklahoma City bombing in a title card, during production there was no escaping the drumbeat of resurgent far-right militancy in the United States. Kurzel, the director, recalls watching news coverage of the January 6 insurrection and remarking on the gallows erected outside the Capitol building—a drawing of which features in the book and the exposition scene with law. “_The Turner Diaries_ started to become more visible in a present-day setting in a way I was kind of shocked by,” he says, speaking to WIRED from his Tasmania residence. Indeed, following January 6, Amazon removed _The Turner Diaries_ from its online inventory.

Hoult’s bravura portrayal of an ice-cool, controlled yet menacing Mathews through the Order’s campaign of armed robbery, counterfeiting, murder, and armed confrontation with the FBI is one of the film’s dual anchors. Aside from a striking physical resemblance to the Silent Brotherhood’s founder, Hoult closely studied his subject, aping Mathews’ mannerisms and movements from old documentary footage, studying texts that radicalized his subject, lifting weights, and cutting alcohol from his diet.

“Mathews was someone who thought and planned so in advance of what his ultimate goal was, I think he always kept in sight. That’s something Justin and I spoke about, that he wouldn’t lose his head on trivial things or things that would potentially harm his cause. In his mind, he’d already, in some ways, planned his destiny,” Hoult tells WIRED.

By choosing to play Mathews with reserve instead of bombast, as more of a watcher who carefully observes his surroundings and other people to better understand how to turn situations to his advantage, Hoult aimed to show audiences how someone with the charisma of his villain could attract followers and build a movement.

“I think that shows how they penetrate communities and societies in a different way, and perhaps people in the future might be less susceptible to people who behave like him,” he says.

As with any artistic project that focuses on extremism and mass violence, _The Order_’s production team walked a fine line between showing Mathews’ magnetism and the murderous project at the heart of his ideology and actions.

“I think you need to understand the pull of a figure like this,” says Kurzel, whose prior films _Snowtown_ and _Nitram_ depicted, respectively, youthful serial killers and Australia’s worst mass shooting, the 1996 Port Arthur massacre. “Mathews is definitely someone who understands their reach and how to communicate and gather people. There’s gonna be a certain kind of charisma about that.”

Haas, one of the film’s producers, echoed Kurzel's remarks about art pushing the boundaries of acceptability. “It felt like part of the movie was to show the appeal of Bob. He was someone who had charisma, and that tied to these really toxic ideas is really dangerous,” Haas says, praising the “unrelenting realism” the cast brought to their performances.

Ultimately, the hope of slipping an unsparing portrayal of domestic extremism—produced outside of the Hollywood studio system—into the December award season is to reintroduce a discussion of radicalization to American society. “If you don’t learn from history, you’re doomed to repeat it—how a guy that, in the way Nick depicted him, could live down anybody’s street,” says Haas. “There are lots of people right now who are hurting and struggling and looking for answers.”

_Updated: 12/6/2024 4:01 pm EST: This story was updated to clarify which character reads out six steps given in_ The Turner Diaries.

The Real Story of “The Order”

The "Census of Free and Open Source Software" report, which identifies the most critical software projects, sees more cloud infrastructure and Python software designated as critical software components.

Source: Photon Photo via Shutterstock

Open source components aimed at connecting applications to cloud resources and those written in Python have jumped up the list of critical packages, according to the latest rankings of the open source software ecosystem — a reordering that underscores the projects that need to be well-funded to improve the security of the software ecosystem.

The data-collection effort — known as the "Census of Free and Open Source Software" — classifies the open source projects into eight top 500 lists, depending on their ecosystem, whether version information is included, and whether direct and indirect dependencies are taken into account. The latest survey of software, known as Census III, found that packages for Python software and those meant to connect developers with specific cloud services — such as a toolkit for Amazon's Elastic Computing Cloud (EC2) or the API for connecting Go programs to Google Cloud — have become much more popular and, thus, critical to software development.

While cloud-native and hybrid development are by no means new, cloud providers have created an increasing number of software development kits (SDKs) for developers. Their widespread use has boosted those tools in the rankings of critical software, says David Wheeler, director of open source supply chain security for the Linux Foundation, which collaborates with Harvard Business School to produce the census.

"Cloud providers offer a lot of specialized services, but the early uses of cloud were a lot of lift-and-shift moves," he says. "Increasingly, we're seeing people write software specifically intended to be run on a cloud, \[and there is a\] rising level of these kinds of packages — it's something that is dramatically increasing."

The third "Census of Free and Open Source Software" report comes more than two years after the official publication of Census II in March 2022 — an initial version of that report was released in 2020 — and nine years after the original census report. The data-collection exercises aim to identify the most critical open source software so that the public and private sectors can effectively invest in the projects as a path to improve software security. Each software package is scored using data from software supply chain firms FOSSA, Snyk, Sonatype, and the Black Duck Cybersecurity Research Center.

The resilience of the software supply chain has become a major concern of the software industry and national governments. The Biden administration, for example, released a National Cybersecurity Strategy that firmly emphasized finding ways to improve the security of software and the open source ecosystem on which most applications rely.

**Critical Connections to the Cloud**

The Amazon Web Services (AWS) software development kit for Python, known as Boto3, rose to fifth place on the list of critical software on the "Non-npm, Direct, Version Agnostic Packages" list. The library was not ranked in the previous Census II. A similar package — aws-sdk — rose to the seventh spot on the JavaScript-ecosystem "npm, Direct, Version Agnostic Packages" list, from 307th in the previous census.

Other cloud-focused packages saw similar jumps: The software development kit to connect Go programs to Google Cloud ranked eighth, while the AWS kit for .NET rose to number 30. Neither were ranked in the previous census.

Because the Node Package Manager (npm) ecosystem sees a significant volume of JavaScript downloads — 4.5 trillion in 2024, compared to 530 billion for Python, according to Sonatype — the data overwhelms measurements of popularity. As a result, the census breaks out npm downloads from those for other software ecosystems.

The data underscores the criticality of open source software to the infrastructure underpinning cloud services, says Brian Fox, CTO and co-founder of Sonatype, a software supply chain management firm.

"Open source across the board just continues to see 'hockey stick' growth year after year, which is shocking — we're starting to see really, really big numbers," he says. "That's the reason why they're doing the census, because it is so important to be shining a light on these things."

**Perils of Python 2 Boost Compatibility Library**

Replacing or patching outdated software has become a central focus of efforts to eliminate vulnerabilities from software. Over the past decade, for example, Python developers have only slowly moved to use Python 3, which was originally introduced in 2006. Last year, 1% of Python developers used Python 2 as their primary programming language, down from 13% in 2019, according to data from JetBrains' annual "Developer Ecosystem" report.

As a result, a project designed to allow compatibility between software written in Python 2 and code in Python 3 — the "Six" project — has become a critical software component, according to Census III. Typically, Python versions are supported for five years. Python 3.11 — currently used by 27% of developers as their primary programming language, making it the most popular version at present — will reach its end of life in October 2027. The final version of Python 2 — version 2.7 — passed its end of life in January 2020.

The data does not address how often developers encounter — and interact with — components written in Python 2. The overwhelming shift to Python 3 is driving the use of Six, as developers need to use older code with programs written in the latest version of Python. In addition, certain groups of developers — such as 29% of data scientists and 19% of Web developers — continue to use some Python 2 code, according to data from JetBrains, a maker of development tools.

"If you look at the raw numbers, Python 3 is far more common, but in various specific domains Python 2 is still widely, widely used, which is why Six is showing up more," the Linux Foundation's Wheeler says. "I would argue it's why we're finally able to get so many more Python 3 users is because the bridge to move from 2 to 3 is easier."

While Census III is available to download from the Linux Foundation, companies should be automating their package management and regularly testing and updating their software, says Sonatype's Fox. The real lesson from the census is not which packages should be given the most attention, but which projects need additional funds and paid maintainers.

"The sustainability of the \[open source ecosystem\] is something that should be top of mind," he says. "We're dependent more and more on largely an aging and unpaid workforce for maintaining critical software — those two things together don't end well."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Security Priorities Get a Reshuffle

Companies today constantly look for ways to improve their work with customers and perform better overall. The transition…

Companies today constantly look for ways to improve their work with customers and perform better overall. The transition to a more digital approach has become important for businesses that want to stay ahead in the market. A big part of this change is using customer relationship management (CRM) systems. Salesforce is one of the top choices for CRMs because it offers a wide range of features that can be adapted to different industries. This article will explore how using Salesforce can help drive digital transformation in organizations.

****Understanding Digital Transformation****

Digital transformation involves integrating technology into various aspects of business operations to change how companies function and fundamentally provide value to customers. It encompasses a culture shift that requires organizations to question traditional approaches, test new technologies, and adjust to evolving market trends.

According to Skydog Ops, a Salesforce integration company, Salesforce hosts more than 150,000 customers worldwide including Apple, Amazon Web Service and Walmart Inc, showcasing productivity and enhanced customer satisfaction.

****The Significance of CRM Systems****

Customer Relationship Management (CRM) systems play a critical role in driving transformation initiatives by enabling businesses to manage interactions with current and prospective customers more efficiently. These tools assist companies in gathering and analyzing customer data to improve decision-making and tailor experiences. Through the use of CRM systems, businesses can optimize their operations, automate tasks, and cultivate meaningful connections with customers.

****Salesforce: A Leader in CRM Solutions****

Salesforce has emerged as a leader in the CRM industry with its range of cloud-based solutions designed for sales support, customer service, and other business needs. Among the platform’s functionalities are wide applications that help businesses organize customer information, analyze interactions, and gather valuable insights. These tools are customized to fit an organization’s goals during its digital transformation efforts.

****Enhancing Customer Experience****

One of the primary goals of digital transformation is to enhance the customer experience, and Salesforce aids in achieving this by enabling companies to offer personalized and seamless interactions across various platforms. Leveraging real-time customer data allows businesses to customize their marketing strategies, delivering relevant content and promotions. Furthermore, with Salesforce’s automation features, organizations can provide timely responses to customer queries, improving satisfaction and fostering customer loyalty.

**Streamlining Business Processes**

Integrating Salesforce into business operations can greatly improve efficiency by automating routine tasks and enabling employees to focus on strategic priorities instead of manual work such as data entry, reporting, or workflow management. This shift toward automation helps minimize errors and boosts productivity across the organization. These improvements align with the goals of digital transformation, which seek to enhance both efficiency and effectiveness.

****Data-Driven Decision Making****

In today’s digital age, data is a valuable asset, and Salesforce equips businesses with the tools to unlock its full potential. By utilizing the in-depth analytics and reporting tools provided by Salesforce, businesses can gain insights into customer behaviour, discover sales patterns, and identify market opportunities. This data-driven approach allows companies to make informed decisions, refine strategies, and highlight areas for improvement—ultimately leading to enhanced agility and adaptability in response to evolving market dynamics.

****Fostering Collaboration and Innovation****

Salesforce’s use of cloud technology promotes collaboration by improving communication between departments and sparking creativity through shared access to information and ideas across the organization. The ability to work together seamlessly helps foster innovation and drives organizational growth.

****Scalability and Flexibility****

As companies grow and evolve, their requirements change. Salesforce’s scalability allows businesses to adapt their CRM system to meet the demands of growth and shifting circumstances. The platform’s versatility enables organizations to integrate new functionalities and applications, tailoring the system to meet their specific needs. This flexibility ensures that Salesforce remains a valuable tool throughout the entire transformation process.

****Overcoming Implementation Challenges****

Implementing Salesforce comes with its own set of challenges that organizations must address. Proper planning and execution are essential to avoid setbacks. To ensure a smooth rollout, it’s important to evaluate business requirements, set clear goals, and provide adequate training for employees. Working with professionals or consultants can also make the process more efficient, allowing businesses to fully leverage the benefits of Salesforce.

****Conclusion****

The use of Salesforce is crucial in leading the digital evolution of businesses across various sectors. Its wide range of features, flexibility, and focus on customer satisfaction make it an effective tool for improving productivity, promoting creativity, and gaining a competitive advantage. By adopting Salesforce, organizations can unlock the full benefits of digital transformation and position themselves for long-term success in an increasingly digital world.

1.  A Look at the 4 Main Functionalities of NetSuite
2.  The Role of Artificial Intelligence in Lead Generation
3.  How to Find Success with the Salesforce Admin Exam
4.  Types of SaaS Applications: Categories and Examples
5.  Effective, and powerful tools for identifying site visitors

The Role of Salesforce Implementation in Digital Transformation

Consumers are getting caught in a web of scams facilitated by online ads often originating from the same perpetrators.

Of all the different kinds of malicious search ads we track, those related to customer service are by far the most common. Brands such as PayPal, eBay, Apple or Netflix are among the most coveted ones as they tend to drive a lot of online searches.

Tech support scammers are leveraging Google ads to lure victims in, getting them on the phone and finally fleecing them. While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report.

We’ve identified specific advertiser accounts that make up the bulk of fraudulent ads we have reported to Google this past year. What’s interesting is that the scammers keep reusing the same accounts over time. For instance, one advertiser had over 30 reported incidents in the past 3 months.

While it would be foolish to assume fraudsters would stop scamming altogether if those accounts were terminated, it also exposes something problematic with our reporting, and to a greater extent with how Google’s policies apply to repeat offenders.

**Search for help, find a scam**

Search engines, and Google’s in particular, are our gateway to the web. Yet, that door sometimes opens up to unsavory places thanks to sponsored search results, AKA ads.

Take this search for ‘_paypal help_‘ which displays an ad as the first result, followed by the official website. While the organic result looks more trustworthy, it does appear under. We should also note that sometimes it shows way below the fold, as documented in our recent blog “_Printer problems? Beware the bogus help_“.

Not only is the ad malicious, it is also linking to a fraudulent page hosted on Google Sites, Google’s free platform to build websites. The scammers created it with PayPal’s logo to make it look legitimate, with — quite literally — a simple call to action.

Somewhere far in Asia, someone in a call centre is waiting to welcome the next victim by starting with “_Hi, welcome to PayPal support, my name is John, how can I help you?_“

We have found and reported many of such fraudulent ads to Google over the past year. At some point, we realized that the same advertiser accounts kept coming up, begging the question: why would an account with multiple incidents not get blocked permanently?

In the screenshot below, you can see the same advertiser ID associated with over 30 incidents in a period of around 3 months.

In fact, these are only the malicious ads we were able to find, using our own tools. For example, not in the list of targeted brands in our tracking for this account is Amazon. Looking at this advertiser via Google’s Ads Transparency Center, we see a fraudulent ad we had missed reporting:

We reported 2 other advertiser accounts with very similar behavior, and perhaps not just a coincidence is that they all belonged to profiles registered and verified by Google from Vietnam.

**Taking down scammers**

Going after scammers is a relentless job that both private individuals, companies and government agencies perform day in and day out. It can be frustrating having to repeat the same thing over and over while the offenders have the upper hand.

Having said that, it is possible to make long lasting change by looking at incidents from a macro level. Rather than chasing one-offs, data shows us that criminals tend to reuse the same techniques, and in this case, the same accounts.

It’s unclear why Google has not taken definitive action on the advertiser profiles we have reported. However, we have escalated this issue and hope to see some changes as a result.

_The banner image for this blog post contains a typo. It was made using Google’s Gemini AI and despite several requests, it kept getting the spelling wrong._

**We don’t just report on threats—we block them**

Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today.

 Repeat offenders drive bulk of tech support scams via Google Ads 

A massive data leak linked to the MOVEit vulnerability has exposed millions of employee records from major companies. Learn about the impact of this leak, the role of the "data vigilante" Nam3L3ss.

****SUMMARY****

*   **MOVEit Flaw and Data Leak**: Data stolen during the MOVEit hack spree is still creating issues for companies.

*   **Nam3L3ss and the Leaks:** A self-proclaimed “data vigilante” named Nam3L3ss has leaked over 760,000 employee records from 27 major companies, including Bank of America, and Nokia + Jll.com’s database containing 12 million rows taking the total number to 13.12 million.

*   **Leaked Data Content:** Leaked data includes sensitive and non-sensitive information such as names, emails, phone numbers, addresses, and company location coordinates.

*   **Cl0p Ransomware Link:** Originally, the data was stolen by the Cl0p ransomware gang after exploiting the MOVEit flaw, while Nam3L3ss is cleaning and leaking the data.

A self-proclaimed “Data Vigilante” named Nam3L3ss has once again caused widespread concern by leaking millions of employee records online, highlighting the fallout from the major security vulnerability in file transfer software called MOVEit.

As seen by Hackread.com, Nam3L3ss has released the information of over 760,000 employees of major organizations on a popular hacking forum ‘BreachForums’ on Monday morning. The leak additionally includes the Jones Lang LaSalle Incorporated (JLL.com) database, containing over 12 million data rows, bringing the total number of leaked records to 13.12 million.

Nam3L3ss on Breach Forums leaking the Bank of America employee data (Source: Hackread.com)

****The MOVEit Mess****

The MOVEit vulnerability was identified in Progress Software’s file transfer tool in 2023 allowing threat actors unauthorized access to sensitive data. Hackers affiliated with the Cl0p ransomware gang exploited this vulnerability and stole information from thousands of companies, impacting an estimated 2,800 organizations and nearly 100 million individuals. They even created clear web websites to leak the stolen data in July 2024.

****Nam3L3ss Leaks Millions****

In November 2024, as reported by Hackread.com, Nam3L3ss emerged on the scene, leaking what they claim is data obtained from the MOVEit breach. These leaks targeted industry giants like Amazon, 3M, HP, and Delta, raising serious concerns about the security practices employed by these corporations. At that time, Nam3L3ss leaked over 7.9 million records from 27 companies.

Hackread.com analyzed the leaked data and found it contained a mix of sensitive and non-sensitive information, including names, email addresses, phone numbers, office and residential addresses, and even company location coordinates. This information could be used by malicious actors for social engineering attacks, identity theft, or targeted phishing scams.

Just weeks after the initial leaks from Nam3L3ss, another batch of employee data surfaced online on Monday. This new data dump contained records from companies like Bank of America, Koch Industries, Nokia, and Morgan Stanley, and appears to be linked to the same MOVEit vulnerability.

Here’s the full list of companies involved in this leak:

*   audible.com – 3,790
*   b-f.com – 1,302
*   xerox.com – 42,735
*   univision.net – 5,954
*   saic.com – 26,917
*   nokia.com – 94,252
*   meijer.com – 7,422
*   cna.com – 6,680
*   cm3.com.au – 6,153
*   ciena.com – 10,820
*   bwater.com – 2,161
*   kochinc.com – 237,486
*   medibank.com.au – 5,201
*   morganstanley.com – 32,860
*   bankofamerica.com – 288,296
*   joneslanglasalle.com aka jll.com – 12,352,524

*   Total: 13,124,553

While Nam3L3ss claims to be a vigilante bringing attention to security flaws, their motives remain unclear. Regardless of their intentions, these leaks expose the significant impact of the MOVEit vulnerability and the risks posed by stolen employee data.

If you’re an employee of one of the affected companies, stay alert for phishing attempts. These could come through email, text messages (smishing), or even phone calls (vishing), as scammers might use this leaked data to target you.

1.  **Hacker Leaks Thousands of Microsoft and Nokia Employee Details**
2.  **Hackers Calling Employees to Steal VPN Credentials from US Firms**
3.  **Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets**
4.  **Hacker Leaks Data of 33K Accenture Employees in 3rd-Party Breach**
5.  **Indian Ex-Employee Jailed for Wiping 180 Virtual Servers in Singapore**

Data Vigilante Leaks 772K Employee Records from Top Firms and 12.3M-Row Database

This paper provides an in-depth technical explanation, illustration, and verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64 that pertain to Warbird deficiencies, content key sniffer operation, magic XOR keys discovery, white-box crypto attack, and complete client identity compromise attacks.

Microsoft Warbird and PMP Security Research

Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.

Source: Design Pics Inc Alamy Stock Photo

Researchers are warning that an otherwise positive European data regulation has introduced massive risks to individuals and the companies they work for.

Ever since the passage of the General Data Protection Regulation (GDPR), Internet users in Europe — and in many places around the world following suit — have been able to download the entirety of the data that websites save about them. Besides the obvious benefits to privacy and transparency, the idea was portability: Anyone could take the data one site possessed about them and transfer it to another.

In a new blog post, CyberArk highlights a theoretical yet severe cost to this new right to data portability. Before the rule, everyone's most sensitive data was protected behind brick walls at ultrasecure data centers. Now that users can retrieve that data via a cloud-based mechanism, hackers can access their accounts and steal it all. Considering the extent of the data that websites collect about us today, the possibilities for malfeasance are endless.

"It's my legal right, and it's perfectly fine that I'm capable \[of seeing\] what information is being kept about me," says Lior Yakim, threat researcher at CyberArk Labs, who dubs the attack "White FAANG," since the vulnerable data could be exported from services provided by major tech companies like Facebook, Amazon, Apple, Netflix, and Google (FAANG).

Related:'Bootkitty' First Bootloader to Take Aim at Linux

However, he warns, "Because it's so easy to get all of that highly intrusive information — together with the fact that people use the same devices for corporate and personal purposes — there's a major risk."

**The Data Sites Have on You**

Companies hoard gobs of sensitive information, especially the largest technology companies most central to our online lives. They possess everything from our most sensitive personally identifying information (PII) to the long histories of our online activity. But even the most jaded Internet users might be surprised just how deep this hole goes.

Meta, for example, records not only your documented Facebook activity, but also plenty of undocumented data, like what posts you viewed, and exactly how long you viewed them.

Google, likewise, saves not only your entire search history, but even searches you typed but didn't ultimately execute.

GDPR's well-intentioned data portability regulations forced companies to make all of this information exportable at the click of a button, in a machine-readable format. And what's stopping a hacker in possession of your account from doing just that? "The most common protection is, indeed, multifactor authentication (MFA). But as we know, MFA can be bypassed," Yakim notes.

Related:China's Cyber Offensives Built in Lockstep With Private Firms, Academia

**The Risks to Individuals and Corporations**

With export data, there is no limit to what an attacker can do. They can use your Google search history to blackmail you, your GPS data from Meta to find where you live, and your Apple calendar history to know where you've been and where you'll be, to say nothing of the endless possibilities for cyberattacks.

Beyond all that, there's the risk to employers. Individual accounts can house all kinds of data that pertains to, or can otherwise be used to attack the companies they work for.

Again, the scenarios are limitless. With an Apple export, for example, a hacker could take the MAC address associated with an employee's unpatched AirPods, spoof a Bluetooth connection, exploit CVE-2024-27867 to gain access to them, then listen in on corporate meetings. Or, Yakim suggests, they can leverage information like the operating system version of the employee's mobile phone. "If I know, for example, that the mobile device of the employee is not up to date, I can search for specific, known vulnerabilities in order to target this employee," he says.

And there are far simpler, more present dangers than that. CyberArk surveyed 14,000 employees, finding that around 63% use personal accounts on their work computers, and 80% access work applications from their personal computers. Thanks to this comingling, work passwords tend to end up stored in far less secure personal accounts, from which they can be exported. This was how Cisco got breached in 2022, and Okta in 2023, a case that affected every one of its customers as well.

Related:VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

To prevent that from happening, employees need to draw a clear line in the sand between their business and pleasure online. "Personal accounts are less secure than corporate accounts," Yakim says. "That's the message that we're trying to deliver here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#amazon