The marketing of illegal drugs on open platforms is “gaining prominence,” authorities note, while the number of drug transactions on the darkweb has decreased in recent years.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

For every illegal drug, there is a combination of emojis that dealers and consumers use to evade detection on social media and messaging platforms. Snowflakes, snowfall, and snowmen symbolize cocaine. Love hearts, lightning bolts, and pill capsules mean MDMA, or “molly.” Brown hearts and dragons represent heroin. Grapes and baby bottles are the calling cards for codeine-containing cough syrup, aka “lean.” The humble maple leaf, meanwhile, is the universal symbol for all drugs.

The proliferation of open drug dealing on Instagram, Snapchat, and X—as well as on encrypted messaging platforms Telegram and WhatsApp—has transformed the fabric of illegal substance procurement, gradually making it more convenient, and arguably safer, for consumers, who can receive packages in the mail without meeting people on street corners or going through the rigmarole of the dark web. There is no reliable way to gauge drug trafficking on social media, but the European Union Drugs Agency acknowledged in its latest report on the drivers of European drug sales that purchases brokered through such platforms “appear to be gaining in prominence.”

Initial studies into drug sales on social media began to be published in 2012. Over the next decade, piecemeal studies began to reveal a notable portion of drug sales were being mediated by social platforms. In 2021, it was estimated some 20 percent of drug purchases in Ireland were being arranged through social media. In the US in 2018 and Spain in 2019, a tenth of young people who used drugs appear to have connected with dealers through the internet, with the large majority doing so through social media, according to one small study.

Some dealers these days are even brazen enough to boost their posts and pay for sponsored advertising. “Mushrooms and marijuana used to be hard to get and now they’re being marketed to me in beautiful packaging on Instagram,” says one 34-year-old in Austin, Texas that WIRED spoke to. Dealers ran hundreds of paid advertisements on Meta platforms in 2024 to sell illegal opioids and what appeared to be cocaine and ecstasy pills, according to a report this year by the Tech Transparency Project, and federal prosecutors are investigating Meta over the issue.

“You’re seeing a more sophisticated commoditization of the available marketplaces,” says Adam Winstock, a British consultant psychiatrist and addiction medicine specialist who is also the founder of the Global Drug Survey. The current drug-using younger generation are entirely used to getting everything online, he adds, reflecting the increasing integration of social media in people’s lives. “It’s convenient, \[and\] there’s less chance of violence.”

There are heightened concerns over the presence of super-strength opioids like fentanyl in drugs. But despite some contaminated pills having lethal effects on those who purchased them on the internet, Winstock says that drugs purchased through online networks are subject to “potentially better quality control”—with Telegram channels devoted to discussing the quality of drugs purveyed by certain dealers, and Amazon-style feedback sections within some vendors’ stores. “The question is where in the food chain that they’re cut,” Winstock says.

The menus provided by dealers through messaging apps and on social media are often lengthy and diverse, featuring prized varieties advertised for their purity and sold at significantly lower costs than equivalents available on the streets of London and New York. However, there’s been no formal evaluation of online and street drug sales that can attest to the relative purity and safety of what’s sold in either place—and illegal drugs always come with a safety risk, regardless of where they are bought from.

Even while traditional drug transactions continue to dominate, the apparent rise in sales of drugs through social media has coincided with a steep increase in the average value of transactions on the dark web, amid a fall in the overall number of transactions, according to the UN Office on Drugs and Crime’s 2024 World Drug Report. To the UNODC, this suggests “an increase in wholesale activities” on the dark web—though this could also reflect consumers who buy smaller quantities shifting from the darknet to the clearnet and encrypted messaging apps.

“End users seem to be buying their drugs on the dark web to a lesser extent than in previous years,” the UNODC said in its 2023 report. “Qualitative information provided by people who use social media suggests that the use of such media for drug purchasing purposes has been increasing, especially at the retail level.”

The shifting market trends also bring troubling developments. New and potentially more vulnerable population segments can be reached by exploitative drug dealers as they begin to sell on social platforms and the number of drug consumers in the US and around the world grows. The US Drug Enforcement Administration has warned that because dealers are “no longer confined to street corners and the dark web,” social media users’ posts and inboxes can be peppered by dealers seeking to purvey these addictive and, when misused, harmful drugs. “Social media extends the reach of the Sinaloa and Jalisco cartels directly into drug users’ phones, with potentially fatal consequences,” the DEA said in its 2024 national drug threat assessment report, bemoaning that dealers are more difficult to apprehend online than the streets.

Social media companies are under growing pressure to eradicate drug dealing on their platforms, says Ashly Fuller, a PhD candidate at University College London researching the sale and advertisement of illegal drugs to young people on social media. Data released by social media companies shows that millions of pieces of drug-related content are already taken down every year. (Facebook and Instagram took action against 9.3 million pieces of drug-related content last year, while Snapchat says it did so in 241,227 cases in the second half of 2023.) But these companies’ actions are sometimes indiscriminate. The accounts of organizations promoting drug harm reduction and social media personalities who post content about drugs and psychedelics, but who do not sell them, are being caught in the crossfire of efforts to get a grip on the issue.

A study by Fuller last year indicates that as many as 13 percent social media posts may advertise illegal drugs—underlining the scale of the issue Meta, X, TikTok, and Snapchat have on their hands. Drug sale advertisements could even be increasing in prevalence, according to a forthcoming study by Fuller which was shared with WIRED. She surveyed 1,100 13- to 18-year-olds and found that 60 percent of young people have seen drug-related content on social media (mostly for cannabis and psychedelics, which have been legalized or decriminalized in a few parts of the world). “They’re common enough that young people stumble upon them on TikTok and Instagram.”

In response, social media companies’ algorithms to detect drug-selling behavior are getting smarter and are aggregating images and emojis, Fuller says. “There is an understanding that seeing these ads on social media is correlated to a decreased risk perception, and young people are led to think the drugs are safer.” Of the teenagers she sampled, 10 percent reported purchasing drugs via social media. “Those exposed to drug ads were 17 times more likely to purchase drugs on social media compared to those who had not seen such ads,” she adds.

But according to Meta, no more than 1 in 2,000 views on Facebook is of content that violates its restricted goods policy. Between July and September 2024, Meta says that 96 percent of drug sales content that violated its terms was removed before a user reported it. TikTok, meanwhile, removed 99.5 percent of content violating its policy on alcohol, tobacco, and drugs before it was reported, according to its Community Guidelines Enforcement Report for the second quarter of 2024.

Meta, SnapChat, and TikTok declined to offer an on-the-record statement. X did not respond to requests for comment. A Telegram spokesperson said: “Telegram actively combats misuse of the platform, including for the sale of illicit substances. Moderators, empowered with custom AI and machine learning tools, remove millions of pieces of harmful content each day to keep the platform safe.”

The world’s first internet-facilitated sale, in the early 1970s and on the internet precursor Arpanet, was for an undetermined amount of cannabis. The agreement was between students. Today, strangers may contact you on social media offering drugs to buy. For as many people who believe this is something of a utopian development, you can be sure many more view it as dystopian—especially if the dealers are in fact scammers or selling dodgy goods.

“We were wondering if you will be interested in having a trip with our products,” one Instagram account messaged me recently. On X, meanwhile, posts related to psychedelics are regularly infiltrated by bots directing traffic to dealers. “Virtually all psychedelic post\[s\] are followed by bots selling microdoses,” leading psychedelics researcher Matthew Johnson posted on X in December. “All my blocking & spam reporting seems futile.” An account recently replied to one of my posts, linking to the profile of their apparent boss: “He’s got all Psyche meds & acids.”

Some dealers lurking on social media are even more shady. The drug information organization Pill Report has told of people wiring cash to dealers and getting duped, with nothing sent to them. When one such person interviewed by WIRED sent money for cannabis through a cash transfer app but received nothing in the mail, he reported the account. “It became a threatening match and they sent photos of thugs with guns saying they were going to come for me,” he says.

In a VICE documentary on drug sales on social media, it took the host just 5 minutes to connect with a dealer in London. “Anyone can sell nowadays,” another dealer told the journalist. “You see little kids, 12-year-olds and everything, setting up accounts. It’s easy, isn’t it? You can sit at home, make an account, and make money. Who doesn’t want to do that?” As part of a separate research project, a 15-year-old was able to locate an account selling Xanax tablets in mere seconds on Instagram.

Telegram’s drug markets remain somewhat complicated to access for the average person, but are still far easier to access than those on the darknet. “The problem with darknet markets is that you need to install Tor, get a PGP, and have cryptocurrencies,” says Francois Lamy, an associate professor at Mahidol University in Thailand who researches the sociology of drug use. “It’s a little bit more difficult to navigate. With Telegram, you type a few keywords, and there you go. You can find everything.”

When the Telegram founder Pavel Durov was arrested outside of Paris, France, in August, prosecutors cited the scale of drug trafficking on the platform as part of the justification. The next month, a new Telegram user policy was introduced to “discourage criminals” and hand over the data of users who are accused of illegal behavior on the platform by authorities with search warrants. “While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk,” Durov said in a statement at the time.

But experts warn that any increased enforcement on Telegram will simply cause dealers to go elsewhere, disrupting a market that has largely established itself as a safer source of drugs. “If one supply avenue is closed by enforcement, another is soon found to replace it,” says Steve Rolles, senior policy analyst at the Transform Drug Policy Foundation, a UK-based NGO. “Enforcement has, somewhat ironically, actually accelerated these innovations—driving the evolution of ever more sophisticated sales models. The only way such markets can be defeated in the longer term is to replace them through legal regulation.”

Drug Dealers Have Moved Onto Social Media

Task scams are a new type of scams where victims are slowly tricked into paying to get paid for repetitive simple tasks

An unfamiliar type of scam has surged against everyday people, with a year-over-year increase of some 400%, putting job seekers at risk of losing their time and money.

The emerging threat is delivered in “task scams” or “gamified job scams.” While these scams were virtually non-existent in 2020, the FTC reported 5,000 cases in 2023 and a whopping 20,000 cases in the first half of 2024.

In these scams, online criminals prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually organized in sets of 40 tasks that will take the victim to a “next level” once they are completed.

Sometimes the victim will get a so-called double task that earns a bigger commission. The trick is that the scammers will make the victim think they are earning money to raise trust in the system. The money can be fake and only displayed in the system, but some victims report actually receiving small sums.

But at some point, the scammers will tell the victims, they have to make a deposit to get the next set of tasks or get your earnings out of the app. So, victims are likely to make that deposit, or all their work will have been for naught.

Scammers use cryptocurrency like USDT (a digital stable-coin with a value tied to the value of the US dollar) to make their payments.

Task scams typically begin with unsolicited text messages or messages via platforms like WhatsApp, Telegram, or other messaging apps. These messages often come from unknown numbers or profiles that may appear professional to gain trust. Reportedly, these scams like to impersonate legitimate companies such as Deloitte, Amazon, McKinsey and Company, and Airbnb.

Scammers count on the urge that victims do not want to “cut their losses” and will try to pull victims in even deeper, sometimes inviting them into groups where newcomers can learn and hear success stories from (fake) experienced workers.

**How to avoid task scams**

Once you know the red flags, it is easier to shy away from task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps.
*   Never pay to get paid.
*   Verify the legitimacy of the employer through official channels.
*   Don’t trust anyone who offer to pay for something illegal such as rating or liking things online.

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov.

 Task scams surge by 400%, but what are they? 

Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

Your main business is healthcare, so your excuse when you get hacked is that you didn’t have the budget to secure your network. Am I right?

So, in order to prevent a ransomware gang from infiltrating your network, you could just give them what they want—all your data.

The seemingly preferred method to accomplish this is to leave the information unprotected and unencrypted in an exposed Amazon S3 bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

Security researcher Jeremiah Fowler is always looking for exposed cloud storage. And recently he found one that contained over 4.8 million documents with a total size of 2.2 TB.

He soon found out that it belonged to a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care, called Care1. Care1 Canada provides software tools that “take patient care to the next level.”

The information Jeremiah found included eye exam results, which detailed patient PII, doctor’s comments, and images of the exam results. The database also contained lists of patients which included their home addresses, Personal Health Numbers (PHN), and details regarding their health.

In the Canadian healthcare system, a Personal Health Number (PHN) is a unique lifetime identifier that is used to share a patient’s health information among healthcare providers.

This type of healthcare information can be used in phishing attacks, identity theft, and can cause health privacy issues. Ransomware gangs know this is highly coveted, which is why ThreatDown numbers regularly show that 5 to 6% of ransomware attacks are targeting the healthcare industry.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 4.8 million healthcare records left freely accessible 

Learn how blockchain and smart contracts improve cybersecurity factors in online transactions, remove the element of fraud, and…

Learn how blockchain and smart contracts improve cybersecurity factors in online transactions, remove the element of fraud, and promote trust with automation and transparency.

In this connected age, where data breaches and online fraud are rising concerns, blockchain technology and smart contracts have become powerful solutions for secure transactions. Their ability to provide transparency, remove middlemen, and enable fraud-resistant mechanisms has made them a key part of today’s financial systems and more.

****How Blockchain Builds a Secure Foundation****

Blockchain is best known as the technology behind cryptocurrencies like Bitcoin and Ethereum, but its uses go well beyond digital currencies. It works as a decentralized ledger, recording transactions across multiple points in a network, which makes it incredibly secure and nearly impossible for cybercriminals to tamper with or hack.

When it comes to digital payments, this decentralization is key. Traditional payment systems rely on central authorities, which are vulnerable to malware attacks, breaches and fraud.

Blockchain, on the other hand, distributes the transaction record across a network, reducing the risk of a single point of failure. The stability of blockchain also means that once a transaction is recorded, it cannot be changed, adding another layer of trust and accountability.

****The Role of Smart Contracts****

Smart contracts take blockchain’s security a step further. These self-executing agreements operate based on established criteria rules written into code. Once the conditions are met, the contract automatically executes, removing the need for intermediaries.

For example, imagine buying a digital service. A smart contract can be programmed to release payment only when the service is delivered and verified. This reduces the risk of fraud and disputes, as the terms are enforced automatically.

Another benefit is efficiency. By automating processes, smart contracts not only save time but also reduce costs associated with manual verification and third-party oversight. This makes them especially appealing for industries like supply chain management, insurance, and real estate, where trust and speed are paramount.

However, security vulnerabilities have also affected smart contracts, which need to be addressed by skilled blockchain developers or specialized auditing teams. According to Onchainpay, a European secure cryptocurrency payment gateway, smart contract vulnerabilities are one single major factor that continues to pose security risks within the blockchain infrastructure.

A recent systematic literature review identified 101 distinct vulnerabilities in Ethereum smart contracts, categorized into ten groups. In particular, in the first quarter of 2024 alone, exploits targeting these vulnerabilities resulted in nearly $45 million in losses across 16 incidents, averaging $2.8 million per exploit.

****Real-World Applications****

Nevertheless, despite ups and downs, Blockchain and smart contracts are already being used to secure payments and transactions globally. As noticed by Halborn, Microsoft, JPMorgan Chase, Walmart, IBM and Amazon are just some major examples.

In international payments, they enable faster and more transparent transfers without the hefty fees associated with traditional banking. In e-commerce, smart contracts can automate escrow services, protecting both buyers and sellers.

Even outside of payments, blockchain is enhancing security. From safeguarding healthcare records to verifying the authenticity of luxury goods, its applications are vast.

****What This Means for Businesses****

As cybersecurity threats grow, businesses opting for blockchain and smart contracts gain a competitive advantage in security and efficiency. For consumers, this means safer and more reliable transactions.

While the technology isn’t without challenges, such as regulatory hurdles and technical complexity, its benefits are clear. Businesses looking to adopt secure payment systems should consider solutions that leverage blockchain and smart contracts to protect their data and enhance trust in their transactions.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **5 Platforms for Identifying Smart Contract Vulnerabilities**
3.  **Growing Importance of Secure Crypto Payment Gateways**
4.  **Best Crypto Marketing Agencies for Web3 Security Brands**
5.  **Why Hosting firms have started accepting crypto payments**
6.  **Top 5 Platforms for Identifying Smart Contract Vulnerabilities**

The Role of Blockchain and Smart Contracts in Securing Digital Transactions

Open source Prometheus servers and exporters are leaking plaintext passwords and tokens, along with API addresses of internal locations.

Statue of PrometheusSource: luminous via Alamy Stock Photo

Reseachers have discovered hundreds of thousands of servers running Prometheus open source monitoring software on the open Web are exposing passwords, tokens, and opportunities for denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, "It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information."

Apparently, a whole lot of users either aren't aware of the ways in which Prometheus is exposed by default, or don't realize the value of the data that's exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed "exporters," which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for "repojacking" and DoS attacks.

**What Prometheus Exposes**

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

"We think that it's only statistics — it's only information about the health of the system. That's the problem," says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

"We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden," Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company's subdomains, and Docker registries and images.

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There's the '/debug/pprof' endpoint, for example, which helps users profile remote hosts, and is enabled by default by most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

"The result was conclusive: We ended up stopping virtual machines each time we ran our script," Morag reports. To drive home the significance of such an attack scenario, he jokes, "I read somewhere that Kubernetes clusters run in fighter jets. I don't think that they are exposed to the Internet, but \[it goes to show\] we run Kubernetes in lots of places today."

**Repojacking Opportunities in Prometheus**

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking can occur whenever a developer changes or deletes their account on GitHub and doesn't perform a namespace retirement. Simply, an attacker registers the developer's old username, then plants malware under the same title as the developer's old, legitimate projects. Then any projects that reference this repository but aren't updated with the correct redirect link can end up ingesting the malicious copycat.

Prometheus' official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. "It's not that difficult," he says. "But if you're doing it for millions of open source projects, that's where the problem starts. If you use an automated \[scanning tool\], you could be safe."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

336K Prometheus Instances Exposed to DoS, 'Repojacking'

Researchers at Cavero have created a correlating numbers mechanism, adding a layer of privacy that even threat actors can't gain enough information to breach.

Source: ArtemisDiana via Alamy Stock Photo

A future that uses quantum computing is not far off — but not quite here either. When it does arrive, it will ultimately render the methods we use to encrypt information useless. And while some organizations and businesses may be slow to act, bad actors are already preparing, stealing large amounts of encrypted data and putting it on hold until a later date, when quantum capabilities become available and allow them to decrypt it.

These attacks are known as harvest now, decrypt later (HNDL) attacks — and they pose a serious threat in the future, should bad actors gain access to quantum computers and find the means to actually use them.

"What we need is a new way for us to be able to encrypt data which protects that data now and in the future as well," says Frey Wilson, co-founder and CTO at Cavero Quantum.

**The Cavero Method**

Cavero has created a cryptographic system that uses symmetric keys in two different ways, one using computation complexity and the other using an information theoretical method. The latter typically uses physical resources, but Wilson notes that Cavero achieves it by using the properties of random numbers.

"If you can create two correlated data sets and ensure that any third data set is correlated \[but\] not in the same way as the initial two, then from the correlated data, you can use essentially low entropy sections of that data to be able to generate a key mutually," says Wilson, ahead of a Black Hat Europe 2024 briefing on the approach.

Related:Library of Congress Offers AI Legal Guidance to Researchers

These keys aren't passkeys, though the intention is on the same track, Wilson stresses. Passkeys fall under the category of asymmetric keys, a cryptographic method of encrypting and decrypting data. The risk with this, however, is that passkeys are limited within their own ecosystems, such as Apple or Amazon, unable to cross-correlate with other ecosystems.

"Because this key is sent from a central server initially, there's a moment that the key is in transit to get to a device," says James Trenholme, CEO of Cavero Quantum. "It has the potential to be hacked or viewed by a third party."

Cavero aims to solve this problem by providing a solution that doesn't share any information publicly. Keys are mutually generated for each party using the correlating numbers mechanism, so that even if a threat actor is watching the exchange in the middle, they are unable to gather enough information to calculate or intercept the key, Trenholme adds.

**The Past & Future of Cryptography Keys**

Wilson says the solution, which uses smaller key sizes and is deployable on any device regardless of the size, is unique in its approach.

Related:'White FAANG' Data Export Attack: A Gold Mine for PII Threats

"That appeal to history is absolutely something that we hear regularly," says Wilson of their solution, which is nearly 12 years in the making. "This is based off a body of work that has existed here that we’ve taken, and we've expanded on. It just so happens that we've taken it in a direction that's been slightly different to other people."

Wilson plans to go into detail on that at Black Hat Europe, noting that "it's a new way of looking at the methodology that sits underneath it."

Going forward, the pair would like to see Cavero's keys used as the cornerstone in many, if not all, types of communications. And while its natural for a CEO to say this about their company's product, it seems as though Cavero's keys are in the best interest of communications processes in the name of privacy and security.

Some industries will benefit from Cavero's technology sooner than others, like those that manage high-value data or have a long-term data source.

"We'd like to see it used in every kind of communication, whether it be a voice call, a message, a data transfer, logging applications, the list goes on," says Trenholme, including telecommunications, defense, financial services, identity frameworks, and more.

Related:'Bootkitty' First Bootloader to Take Aim at Linux

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Symmetrical Cryptography Pioneer Targets the Post-Quantum Era

A critical security flaw in Dell Power Manager has been discovered that could allow attackers to compromise your systems and execute arbitrary code.

****SUMMARY:****

*   **Critical Vulnerability Alert:** Dell Power Manager versions before 3.17 have a high-severity access control flaw (CVE-2024-49600) allowing attackers to gain elevated privileges.

*   **Exploitation Risk:** Attackers with local access can execute arbitrary code, bypass security measures, and compromise system confidentiality, integrity, and availability.

*   **Software Update:** Dell has released Power Manager version 3.17 to address this vulnerability; users should update immediately as no workaround is available.

*   **Vulnerability Discovery:** The flaw was identified and responsibly disclosed by TsungShu Chiu from CHT Security.

*   **Dell’s Recent Breaches:** Dell faced multiple data breaches in September 2024, exposing sensitive information of employees and projects, further emphasizing the need for robust security measures.

Dell has issued a critical security alert (DSA-2024-439) regarding an Improper Access Control vulnerability discovered in its Power Manager software. This vulnerability, identified as CVE-2024-49600, could potentially allow attackers to execute malicious code and gain elevated privileges on affected systems. The vulnerability affects versions of Dell Power Manager released before 3.17.

For your information, Dell Power Manager is a software widely used to manage power settings on Dell systems. This application extends system battery life and provides customizable battery maintenance settings. It also alerts users about power adapter, battery, docking, and USB Type-C device incompatibility.

The vulnerability occurs from improper access control within the software, making it exploitable by low-privileged users with local access. Attackers can bypass security measures, execute arbitrary code, and gain unauthorized access to sensitive system functions. The severity of this vulnerability is rated as high, with a CVSS Base Score of 7.8.

If exploited, it could lead to significant security risks to compromised systems, jeopardizing their confidentiality, integrity, and availability. Execution of arbitrary code can lead to malware installation, data theft, or system compromise, and gaining higher-level system privileges would enable unauthorized actors to perform actions that were otherwise restricted. 

Dell has released an updated version of Power Manager (version 3.17) that addresses the vulnerability. Users are strongly advised to update their software immediately to protect their systems as no workaround is currently available.

“Dell Technologies highly recommends applying this important update as soon as possible. The update contains critical bug fixes and changes to improve functionality, reliability, and stability of your Dell system,” the advisory read.

TsungShu Chiu from CHT Security identified this vulnerability and responsibly disclosed it to Dell Technologies, which in turn acknowledged and appreciated Chiu’s efforts. 

Dell has been in the news for all the wrong reasons lately. Hackread.com recently reported a series of Dell data breaches involving the exposure of sensitive information. Between 19 and 24 September 2024, a hacker, known as “grep,” was revealed to have breached Dell thrice (once with fellow hacker “Chucky”) stealing confidential data related to Jira files, database tables, and schema migrations, totalling 3.5 GB of uncompressed data, data for 10,863 employees, and approximately 500 MB of sensitive data, including project documents and Multi-Factor Authentication (MFA) data.

1.  **Dell resets all customer passwords after security breach**
2.  **Critical Vulnerabilities Found in Pre-Installed Dell Software**
3.  **8 Million Employee Records from Amazon, HP, Others Leaked**
4.  **30M Dell devices at risk by BIOSConnect code execution bugs**
5.  **Flashpoint Uncovers 100,000+ Hidden Flaws, Including Zero-Days**

Dell Urges Immediate Update to Fix Critical Power Manager Vulnerability

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

Several recent schemes were uncovered involving poker players at casinos allegedly using miniature cameras, concealed in personal electronics, to spot cards. Should players everywhere be concerned?

Matt Berkey was becoming suspicious.

Berkey, a 42-year-old poker pro known for his presence in some of the highest-stakes cash games in Las Vegas, was playing in a well-known casino poker room over the summer. One player in the game who wasn’t particularly familiar to Berkey and other regulars at the table, but who was believed to be an amateur based on his play style, was displaying some strange behavior.

For one, the player was wearing earbuds—typically a no-no in these kinds of semi-private games where many players have existing friendships.

“Nobody has headphones on during our games,” Berkey says. “The player in question had headphones in, so that’s already a bit off.”

The player’s style of play also raised some alarms.

Texas Hold’em, the game being played, features two individual cards dealt to each player, plus five community cards dealt in stages to the center of the table. Players combine their own cards with the community cards to make the best possible five-card poker hand. There are four rounds of betting: One before any communal cards are dealt, one after the first three communal cards are spread at once (the part of the game known as “the flop”), one after the fourth communal card (“the turn”), and one more after the fifth and final communal card (“the river”).

Berkey noticed that, despite presenting as an amateur who was clearly the least skilled player at the table, the suspicious player never seemed to lose on the river. When he was in a hand that reached that point, he always either folded or showed the winning hand—one of the first red flags seasoned poker players have come to recognize in suspected cheating situations. As the thinking goes, cheaters with knowledge of their opponents’ cards prefer to wait until all communal cards are dealt before making large bets, allowing them to do so with perfect information about who holds the best hand, which often isn’t certain until that final card.

“Playing all rivers perfectly over an eight-hour sample—that’s an anomaly that isn’t really statistically possible, especially from a recreational player,” Berkey says. “When you start to see things that don’t add up, like the least skilled player in the game never showing down a losing hand, that kind of begins to trigger your suspicions.”

The player also had his phone and earbuds case arranged around him, with the case on the felt and his phone on the rail that runs along the table’s edge. While occasional phone usage at poker tables is normal, that kind of arrangement is unusual and is even something many casinos have guarded against for years. Berkey began to wonder if this game was falling victim to a new cheating scheme that word had been spreading about in high-stakes circles for months: Hidden cameras placed at felt level, capturing the faces of cards as they’re dealt and transmitting that intel to an accomplice, who then relays it back to the player at the table through an earpiece.

Berkey also noticed that the player always seemed to sit in the seats directly to the left of the casino’s dealer, even across multiple days and playing sessions. That furthered suspicions, as the rumored cheating method required a player to be in these seats to maximize camera visibility.

Berkey says he quietly alerted other regulars of his suspicions, and the game eventually broke down, but not before the player had made enormous profits. “Not just for his skill level but for the stakes he was playing,” Berkey says. “He was up hundreds of thousands of dollars playing a $10,000 buy-in game.”

Berkey says he and the other regulars in the game flagged the incident to casino staff, but they are unsure what, if any, action was taken. Security for the casino declined to comment on this incident.

Several other such incidents involving the same suspected cheating method have been rumored in various locations over the past 18 months, including one other instance WIRED verified independently. (Specific casinos where these incidents are alleged are not being named in this story to protect the safety of players who confirmed the incidents occurred.) This form of cheating is now a known concern to high-stakes poker players everywhere.

But each of these rumored incidents has lacked a “smoking gun”—proof of the measures, methods, and equipment the cheaters were using to see the cards being dealt. That is, until recently. A breaking case in France has provided revealing new evidence, fueling concerns that this cheating method is rampant around the globe and may be more advanced than anyone had assumed.

What kinds of modern technology can facilitate such a scheme? Should poker players at all levels, not just high-stakes pros, be worried about scofflaws attempting it in games they play, and what can be done to prevent it?

The recent scandal sounds like a rejected _Ocean’s_ movie script.

Following tips of suspicious behavior at a major casino in Enghien-les-Bains, French police with the Central Racing and Gaming Service (SCCJ) launched an elaborate in-person and video surveillance operation around two suspected players at both blackjack and Ultimate Texas Hold’em poker (a type of poker played against the casino rather than against fellow players). Though they were initially in the dark about the method being used, investigators soon noticed a pattern.

“They were putting \[something\] beside the \[dealing\] shoe,” Stéphane Piallat, commissioner of SCCJ, alleges to WIRED, referring to the tabletop container a dealer pulls from to draw new cards. “But it was quite difficult to understand why.”

Both players were arrested inside the French casino in late July after weeks of surveillance, with police recovering a variety of items from both their person and their hotel rooms (including ID cards from casinos around Europe that suggested a prolonged scheme). The technology seized by law enforcement amazed even a seasoned gambling fraud officer like Piallat, both for its ingenuity and its relative simplicity.

The players had allegedly modified existing smartphone cameras with simple mirrors, allowing them to capture footage on a phone’s camera sensor laterally, while the phone was in a flat position. Sitting in the seat nearest to the dealer’s shoe, they placed these devices either on the felt (concealed in some situations by a hat or another piece of clothing) or within pockets of their own clothing (with tiny holes cut out to afford the camera a view of the cards). Police say they used these devices to capture card faces as they were dealt from the shoe—a stunning realization given that casino shoes are quite literally designed to prevent card exposure by allowing the dealer to slide new cards directly onto the felt. Clearly, some exposure was still being captured.

“It’s quite incredible,” Piallat says. “They didn’t need to mark cards … Those cards were normal cards.”

Police also recovered basic communication devices that transmitted these feeds to an outside accomplice, believed to be sitting in the casino parking lot. (As of WIRED’s interview with French police, this accomplice remains at large.) The accomplice is thought to have relayed information about which cards the dealer was holding back to their partner at the table, but not through a standard earbud.

“This device is so small that you can’t take it off with your fingers,” Piallat says of the hearing device recovered by police. “You need a magnet to pull it off, otherwise you can’t do it. It looks like a typical James Bond movie device.”

Due to the ongoing nature of the investigation, police declined to provide any pictures or further details about the specific items used to facilitate this scheme. A simple look at available technology, though, offers a number of cheap, simple candidates, including several that don’t require pairing with a phone or any other large device.

“The same kind of modules that are used in your iPhone or your DSLR, you can just buy them,” says John Coles, the director of technology for the VR company Rezzil, who has also spent years working in camera and broadcast technology.

The alleged cheaters in France used simple techniques to conceal their cameras, like hiding the devices in their clothing, but much more robust options exist on the open market. A device that looks like a battery charger may not cause alarm if it was spotted sitting on a poker or blackjack table, at least in casinos where devices are generally allowed (some have stopped allowing any devices on tables); one can find a 4K, Wi-Fi capable “hidden camera powerbank” on Amazon. (It’s marketed as a “nanny camera” for surveilling your child’s babysitter, naturally.) Even smaller options exist, like a “spy camera pen” or a pinhole camera that could easily be inserted into various items. And that’s just a fraction of the true marketplace, says Coles: “If that’s what you know about publicly, the stuff that exists behind closed doors is like 10 times what you’re aware of.”

“You could probably build that into a lighter,” Coles says of a typical tiny camera rig. “There are lighters and pens that have modules integrated that still work as those items so they’re less conspicuous.”

For bad actors at traditional poker tables that feature “pitch”-style dealing instead of a more secure casino shoe, the video quality demands are even lower. Card faces are visible for exponentially longer when pitched from a dealer’s hand situated a foot or so above the card table.

The transmission element of the scheme is similarly attainable using today’s technology. You can buy a “mini spy earpiece” from Amazon that receives signals from an inductive coil for just $18. An entire industry of earpieces appears to exist for exam cheating purposes, from tiny Bluetooth earpieces that connect to a phone to setups contained within glasses and pens. It’s easy to imagine these methods converted for use in cheating at the card table, especially when aided by basic video-calling technology and access to the Wi-Fi networks offered at most casinos. In fact, while police say the suspects in France allegedly used separate devices for capture and transmission, Coles believes it would be simple enough to handle the entire operation with a single device.

“I think it’s kind of surprising that a lot of these things don’t happen sooner, to be perfectly honest,” Coles says, noting that many of these cameras, earpieces, and transmitters have existed for a decade or more.

“You could do it with a very cheap investment,” Piallat says. “You won’t need a lot of money.”

Clearly, these schemes are out there and available. So should poker players everywhere be concerned?

Mini-camera cheating is now an open secret in the poker community, from its references in forums to an entire August episode from Berkey’s _Only Friends_ podcast that covered the alleged methods in detail. And if casinos and law enforcement weren’t aware of it much earlier, they certainly are now; Piallat confirmed to WIRED that his unit dispersed information about the case around the globe through Interpol networks.

What can casinos, players, and law enforcement do about it, though?

The first step is simple vigilance, something all these parties are well-versed in. Policing of suspicious players happens at casino level. WIRED independently confirmed a separate alleged incident at a different casino in June that included an individual reportedly earning seven-figure profits before disappearing. The alleged cheater in this case hasn’t been seen since, and Berkey wonders if he was banned from this and possibly other casinos.

“It would seem as though the Vegas casinos have acted,” Berkey says.

Those are retroactive measures, though; what about stopping this cheating as or before it happens?

Some Vegas casinos, per multiple sources, have begun banning phones from being set down at felt level on tables. Many casinos have long had policies prohibiting phone use during hands, and some have even banned phones entirely in prior years, and now these efforts are growing more widespread. However, with the knowledge that today’s miniature cameras can be built into lighters, pens, and other non-phone devices, is that enough of a safety measure? A true “no items on the table whatsoever” rule feels more prudent, but will casinos view that as too invasive toward their clientele? Then there’s a whole separate conversation about placing devices on the rail, which is where players rest their elbows and which sits slightly higher than the felt itself.

“There will be guys who want to watch the game at the table and have their phone propped up,” Berkey says. “That should just be fine. It’s a fine line; it’s a gray line.”

Berkey even suggested some sort of hybrid arrangement where phones or other devices are allowed so long as they sit behind chips or some other item that blocks their view of the felt. These solutions, though, also fail to account for rings or other jewelry that may contain a concealed camera.

The device removal tactic would have run into another big snag when the arrests in France took place: One of the suspects had nothing on the table at all. He allegedly concealed a camera in his clothing. If that scheme worked to capture card faces out of a dealer’s shoe, it would definitely work for the traditional dealer-pitch style used in Vegas.

The better long-term solution, one Berkey and others in the poker world support, involves retraining the dealers—a process that’s already begun.

The European Poker Tour has introduced a new form of dealer pitch known as slide dealing, where the deck remains on the table and the dealer slides each top card off individually to greatly minimize or eliminate any exposure. EPT tournament director Toby Stone directly cited issues of camera cheating as the impetus behind this change, which took effect within the past couple of months.

Casinos could take it even further; some have been cracking down for years. The Star casinos in Australia, for instance, have long used a modified version of a blackjack shoe meant for a single poker deck, which sits at the center of the table and allows cards to slide out from within it. This ostensibly makes it much harder to capture cards than from the traditional blackjack shoe placed at the very side of the table, closer to potential cameras. Anecdotally, these contraptions also seem to limit or eliminate other common risks like bottom-dealing or cards flipping over while being dealt.

While it might take time to retrain the world’s legion of poker dealers to mitigate these schemes, that could be the eventual outcome here.

“I’ve spoken to a few of the \[casino\] higher-ups, and it seems they’re all open to the idea of retraining dealers,” Berkey says.

Maybe even that eventual move wouldn’t completely eliminate mini camera cheating. As the suspects in France allegedly showed us, today’s video technology is truly amazing. Would you ever have guessed a mini camera could accurately capture which cards are being dealt during the split second they’re exposed as they’re pulled from a blackjack shoe?

Anyone putting their money down at a casino, particularly higher up the stakes spectrum, should at least be aware of the risk of bad actors—particularly in a game like poker, where your opponents are other patrons rather than the casino itself. Whether to combat this or any other potential scheme, a dose of diligence goes a long way.

“As long as there’s a fair game to be offered, there will be people who will try to corrupt it,” Berkey says. “The best we can do is continually work hard to keep the game as fair as possible.”

Poker Cheaters Allegedly Use Tiny Hidden Cameras to Spot Dealt Cards

Summary Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In…

**Summary**

*   **Large-Scale Hacking Operation Uncovered**: Researchers link ShinyHunters and Nemesis to an operation exploiting millions of websites to steal over 2 terabytes of sensitive data.

*   **Sophisticated Tools and Tactics**: Hackers used Python, PHP, AWS IP ranges, and tools like ffuf, httpx, and Shodan to automate and expand their exploitation across regions.

*   **Collaborative Mitigation Efforts**: Researchers worked with the AWS Fraud Team to notify affected users, implement mitigation measures, and identify individuals involved in selling stolen data on Telegram.

*   **Critical Discovery in Misconfigured S3 Bucket**: An open S3 bucket used by the hackers exposed their stolen data, tools, and even potential identities, offering a unique glimpse into their operations.

*   **Call for Stronger Cybersecurity Practices**: The incident shows the need for proper configurations to protect cloud environments and prevent such large-scale breaches.

Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In this operation, hackers exploited vulnerabilities in millions of websites and took advantage of misconfiguration to access sensitive information including customer data, infrastructure credentials, and proprietary source code.

According to Noam Rotem and Ran Locar, two independent researchers who conducted this research, these attacks were carried out from a French-speaking country. It is worth noting that one of the ShinyHunters members Le Français Sébastien Raoult (aka Sezyo Kaizen), a France national, was arrested in Morocco back in July 2022. In January 2024, he was sentenced in the US to three years in prison. However, after spending less than a year, the hacker returned to France just last week.

****Tools and Tricks****

In their report for vpnMentor, researchers explained that the hackers were able to extract critical keys and secrets, which provided them with access to valuable data including application databases. The operation utilised several scripting languages, including Python and PHP, alongside specialized tools like ffuf and httpx, to automate the exploitation process.

Furthermore, the hackers used publicly available AWS IP address ranges to search millions of targets. They also used Shodan, a search engine for internet-connected devices, to perform reverse lookups and identify domain names associated with the discovered IPs. This method especially expanded their reach, allowing them to find and exploit numerous endpoints across different regions.

Researchers then collaborated with the AWS Fraud Team to implement mitigation measures and notify affected customers. The investigation also identified the names and contact information of some individuals behind the incident, assisting in further actions against the culprits who are selling their stolen data in dedicated Telegram channels for hundreds of Euros per breach.

The breach led to the theft of over 2 terabytes of data, including AWS customer keys and secrets that allowed access to various AWS services, as well as database and Git credentials, exposing source code and sensitive databases. SMTP and SMS credentials were also stolen, enabling attackers to send phishing emails and spam messages.

Moreover, cryptocurrency wallets and trading platform credentials were compromised, granting access to digital assets and trading accounts, alongside social media and email accounts, jeopardizing personal and business communications.

****Link to ShinyHunters and Nemesis Groups****

Investigations traced the infrastructure of this operation back to the ShinyHunters and Nemesis hacking groups because the tools and scripts used by the attackers held similarities to those previously associated with ShinyHunters, a group known for breaches at major companies like Ticketmaster, AT&T, Mashable and many more. The group also owned and administrated the notorious cybercrime and data breach forum Breach Forums for a while.

Additionally, the now-seized Nemesis Blackmarket was identified as a marketplace where the stolen credentials and access keys were being sold, often fetching hundreds of Euros per breach on platforms like Telegram.

Attack Flaw (Via: vpnMentor)

****Hackers Exposed Their AWS Bucket While Hunting Exposed Databases****

One critical discovery was an open Amazon S3 bucket used by the attackers to store harvested data. This bucket acted as a shared storage space, mistakenly left unsecured by its owner, facilitating the easy collection and distribution of stolen information.

> _“The discovery provided a glimpse into the operations of a large-scale web-scanning operation, the code used by the attackers, and even the potential identities of the people behind it. Data harvested from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by its owner. The S3 bucket was being used as a “shared drive” between the attack group members, based on the source code of the tools used by them. These tools are documented in French and signed by “Sezyo Kaizen”._
> 
> Researchers

Jim Routh, Chief Trust Officer at Saviynt, emphasized the scale and technical prowess of these criminal groups stating, “ShinyHunters and Nemesis represent highly organized cybercriminal syndicates operating on a large scale for profit. They exploit vulnerabilities in cloud services, often taking advantage of enterprises that may not fully understand the complexities and security controls of cloud environments. The range of targeted information, from credentials and cryptocurrency wallets to source code and cloud account secrets, shows their broad and opportunistic approach.”

Routh also highlighted the irony that the attackers themselves made a critical mistake by leaving an AWS S3 bucket open, which ultimately led to the detection of their activities.

Nevertheless, this incident shows why proper configuration and implementing cybersecurity practices are important to protect your online infrastructure. It will be interesting to see if the details shared by researchers with authorities lead to arrests or further revelations about the individuals involved in the hacking spree.

1.  **ShinyHunters Leak 33M Twilio Authy Phone Numbers**
2.  **Canada Arrests Hacker Linked to Snowflake Data Breaches**
3.  **ShinyHunters’ Santander Bank Breach: 30M User Data for Sale**
4.  **ALBeast: Misconfiguration Flaw Exposes 15k AWS Load Balancers**
5.  **Hacker in $3 Billion SSN Leak Reveals Himself as Brazilian Citizen**

Tag

#amazon