The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

Itzik Alvas, Co-Founder & CEO, Entro Security

January 22, 2025

3 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise. 

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triages on 4,893 systems, and then reimage and reboot every machine in its global network.

As the year progressed, NHI breaches gained momentum.

In June, the New York Times made its own news when 270GB of its internal data and applications in 5,000 repositories were stolen from GitHub and published on the Web. 

How? The breach was executed using NHI when an exposed GitHub Personal Access Token, a machine-to-machine secret, allowed unauthorized access to the company's code repositories. The "All the News That's Fit to Print" outlet downplayed the story. Cybersecurity experts did not agree, however, arguing that source-code leaks can have wide-ranging implications.

**High-Profile Breach Disclosures**

The year ended with a spate of high-profile breach disclosures attributed to NHI during the fourth quarter. 

Thousands of online stores running Adobe Commerce (formerly Magento) software were hacked and infected with digital payment skimmers. The NHI attack used stolen cryptographic keys to generate an application programming interface (API) authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process.

AWS and Microsoft Azure machine-to-machine authentication keys found in Android and iOS apps used by millions were compromised, exposing user data and source code to security breaches. Exposing this type of credential can easily lead to unauthorized access to storage buckets and databases with sensitive user data. Apart from this, attackers could use them to manipulate or steal data.

Schneider Electric confirmed its development platform was breached after a hacker used exposed Jira credentials to steal data. The hacker gloated that the breach compromised critical data, including projects, issues and plug-ins, along with over 400,000 rows of user data, totaling more than 40GB of compressed data,

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw enabled threat actors to remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

A new sophisticated phishing tool targeting GitHub users was also revealed in the fourth quarter. It posed a significant threat to developers and organizations worldwide. Here's how this relates to NHIs: Bots used a compromised secret and set of permissions associated with that credential as the ingredients to make the API calls and create comments using a script.

The comments themselves convinced developers to use insecure scripts as validated solutions.

These scripts, in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors, who gained access to "unclassified documents" after compromising the agency's networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well. 

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.

**About the Author**

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.

Will 2025 See a Rise of NHI Attacks?

The advanced persistent threat (APT) group is likely India-based and targeting individuals with connections to the country's intelligence community.

Source: SROOLOVE via Shutterstock

Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.

The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but do not work as advertised. Instead, once installed on a system they prompt the user to turn on the device's accessibility feature and grant access to several easily misused permissions. The apps then shut down and proceed to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently spotted the new DONOT campaign.

**Intelligence Gathering and Beyond**

"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.

Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal basically allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.

When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into clicking on the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services to use the app. The victim is then directed to the accessibility settings page from which the app accesses several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.

Researchers at Cyfirma also found the apps to access several other permissions such as those that allow the threat actor to delete and read both incoming and outgoing text messages. They also can access the Android device's internal storage to extract its exact location and monitor its movement on a real-time basis.

Significantly, Cyfirma found the malicious apps using push notifications to try and get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.

**A Persistent South Asian Threat**

DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.

Others, such as ESET have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.

DONOT Team is one of several APT groups believed to be operating out of India that is engaged in a range of malicious activities, including online extortion scams, hacktivism, and increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader growth in all kinds of cybercrime in South Asia in recent years.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DONOT Group Deploys Malicious Android Apps in India

Two separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide.

Source: Aleksey Funtap via Alamy Stock Photo

Separate spinoffs of the infamous Mirai botnet are responsible for a fresh wave of distributed denial-of-service (DDoS) attacks globally. One is exploiting specific vulnerabilities in Internet of Things (IoT) devices to establish "expansive" botnet networks, while the other has been targeting organizations in North America, Europe, and Asia with DDoS attacks since the end of 2024, researchers have found.

An ongoing operation within Mirai dubbed "Murdoc\_Botnet" (which began in July and has more than 1,300 active IPs) is targeting Avtech cameras and Huawei HG532 routers, researchers from Qualys revealed in a report posted today.

The researchers uncovered more than 100 distinct sets of servers associated with the Murdoc botnet, "each tasked with deciphering its activities and establishing communication with one of the compromised IPs implicated in this ongoing campaign," Qualys lead security researcher Shilpesh Trivedi wrote in the post.

Meanwhile, a botnet that comprises malware variants derived from both Mirai and Bashlite is exploiting security flaws and weak credentials in IoT devices in DDoS attacks spanning the globe, according to separate research from Trend Micro. "The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host," the researchers said.

Related:Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

The two campaigns demonstrate the ongoing impact of Mirai, a botnet that has spawned myriad variants since its source code was leaked in 2016 and which remains a significant security threat 10+ years after first appearing on the cyberattack scene.

**Murdoc Botnet Exploits Specific Flaws**

The Murdoc botnet delivering Mirai malware uses existing exploits, including CVE-2024-7029 and CVE-2017-17215, to download next-stage payloads. The former is an Avtech camera flaw that allows for commands to be injected over the network and executed without authentication, while the latter is a remote code execution (RCE) flaw found in Huawei routers.

Most of the IP addresses associated with the Murdoc botnet campaign are found in Malaysia, followed by Thailand, Mexico, and Indonesia.

Qualys researchers discovered more than 500 samples containing ELF files and shell script files associated with the Murdoc botnet. Each shell script "is loaded onto devices such as IP cameras, Network devices, and IoT devices, and, in turn, the C2 server loads the new variant of Mirai botnet, i.e., Murdoc\_Botnet, into the devices," Trivedi wrote in the post.

**An Expansive DDoS Campaign Targets US**

Related:DONOT Group Deploys Malicious Android Apps in India

Meanwhile, researchers at Trend Micro initially detected "large-scale" DDoS botnet attacks against Japanese organizations, including major corporations and banks, starting at the end of 2024, but then tracked the activity to a larger global campaign. Organizations in the US were most affected by the attacks, followed by companies in Bahrain, Poland, and Spain, among various other countries.

The primary devices targeted in the attacks have been wireless routers and IP cameras from well-known brands, including TP-Link and Zyxel routers, and Hikvision IP cameras. As with the Murdoc botnet activity, cyberattackers here targeted flaws in the devices to compromise them, but they also used weak passwords to gain access.

In terms of attack vector, the researchers found two different types of DDoS attacks related to the activity, they said. One type overloads the network by sending a large number of packets, while the other exhausts server resources by establishing a large number of sessions.

"In addition, we observed two or more commands used in combination, making it possible that both network overload attacks and server resource exhaustion attacks occur simultaneously," according to the post.

**How to Defend Against DDoS Cyberattacks**

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

With Mirai variants continuing to spawn new botnets for mounting new and widespread DDoS attacks, it's important that organizations can identify and protect their networks from floods of unwanted traffic, the researchers said.

Qualys researchers recommended that organizations regularly monitor the suspicious processes, events, and network traffic spawned by the execution of any untrusted binary/scripts, as well as exercise caution in executing shell scripts from unknown and untrusted sources.

Meanwhile, Trend Micro analysts recommended different mitigation efforts for the two types of DDoS attacks that they observed. For attacks that flood the network with packets, the researchers recommended organizations use a firewall or router to block specific IP addresses or protocols and restrict traffic; collaborate with communication service providers to filter DDoS traffic at the backbone or edge of the network; and strengthen router hardware to increase the number of packets that can be processed.

For attacks that exhaust resources by establishing a large number of sessions, Trend Micro recommended that organizations limit the number of requests that can be sent by a specific IP address within a certain period of time; use third-party services to separate attack traffic and process clean traffic; and perform real-time monitoring and block IP addresses with a high number of connections, among other mitigations and preventions.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Botnet Spinoffs Unleash Global Wave of DDoS Attacks

The Threat actor known as DoNot Team has been linked to a new Android malware as part of highly targeted cyber attacks.
The artifacts in question, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity company Cyfirma. The apps in question have been found to incorporate identical functions, barring minor modifications to the

DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft.

The group, which Microsoft tracks by the name “Star Blizzard,” is also referred to as Coldriver by other researchers. Last year, the group created impersonation accounts where members posed as experts in a field that their targets might be interested in—or that was somehow affiliated with the target. Once a relationship had been established, the target would receive a phishing link or a document that contained a phishing link.

But over time, that tactic became widely known, and part of the cybercriminals’ infrastructure was taken down. Now, it seems the group has changed tactics and is sending QR codes instead of malicious links to the targets that they have established an initial relationship with.

These QR codes do not take the target to a malicious website, nor will they join them to the promised WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs,” as is claimed in one of the cybercriminal lures.

In reality, the link in the QR code is intentionally broken. The idea is that the target will respond with a remark about the broken link. When that happens the cybercriminals send out a shortened URL to a website that displays another QR code.

_Screenshot courtesy of Microsoft_

> “I apologize for the inconvenience with the QR code. Kindly try this alternative link: US-Ukraine NGOs Group  
> It should work without any issues.

By scanning this QR code and following the instructions on the website they confirm the addition of an extra device to the WhatsApp account of the target. With that access the group can read the messages in their WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

**How to stay safe**

These spear phishing campaigns are highly targeted and you’ll probably never see an invite to this group. But cybercriminals tend to copy ideas that work, so you may see them in another form.

There are a few simple rules that will help you avoid this kind of phishing.

*   Always hover over links before clicking them.
*   When you find a shortened URL, think about the possible reason for shortening. Was there a real need to do this or is it just meant to hide the destination?
*   When still in doubt, unshorten the URL.
*   When following instructions on a website, scrutinize whether the prompts on your device actually match the expected ones. WhatsApp will double-check whether you want to add a device to the account.
*   Double-check whether the sender is who they claim to be through another method of contact.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp spear phishing campaign uses QR codes to add device 

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.

Residents across the United States are being inundated with text messages purporting to come from toll road operators like **E-ZPass**, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.

Last week, the **Massachusetts Department of Transportation** (MassDOT) warned residents to be on the lookout for a new SMS phishing or “smishing” scam targeting users of **EZDriveMA**, MassDOT’s all electronic tolling program. Those who fall for the scam are asked to provide payment card data, and eventually will be asked to supply a one-time password sent via SMS or a mobile authentication app.

Reports of similar SMS phishing attacks against customers of other U.S. state-run toll facilities surfaced around the same time as the MassDOT alert. People in Florida reported receiving SMS phishing that spoofed **Sunpass**, Florida’s prepaid toll program.

This phishing module for spoofing MassDOT’s EZDrive toll system was offered on Jan. 10, 2025 by a China-based SMS phishing service called “Lighthouse.”

In Texas, residents said they received text messages about unpaid tolls with the **North Texas Toll Authority**. Similar reports came from readers in California, Colorado, Connecticut, Minnesota, and Washington. This is by no means a comprehensive list.

A new module from the Lighthouse SMS phishing kit released Jan. 14 targets customers of the North Texas Toll Authority (NTTA).

In each case, the emergence of these SMS phishing attacks coincided with the release of new phishing kit capabilities that closely mimic these toll operator websites as they appear on mobile devices. Notably, none of the phishing pages will even load unless the website detects that the visitor is coming from a mobile device.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill said the volume of SMS phishing attacks spoofing toll road operators skyrocketed after the New Year, when at least one Chinese cybercriminal group known for selling sophisticated SMS phishing kits began offering new phishing pages designed to spoof toll operators in various U.S. states.

According to Merrill, multiple China-based cybercriminals are selling distinct SMS-based phishing kits that each have hundreds or thousands of customers. The ultimate goal of these kits, he said, is to phish enough information from victims that their payment cards can be added to mobile wallets and used to buy goods at physical stores, online, or to launder money through shell companies.

A component of the Chinese SMS phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.

Merrill said the different purveyors of these SMS phishing tools traditionally have impersonated shipping companies, customs authorities, and even governments with tax refund lures and visa or immigration renewal scams targeting people who may be living abroad or new to a country.

“What we’re seeing with these tolls scams is just a continuation of the Chinese smishing groups rotating from package redelivery schemes to toll road scams,” Merrill said. “Every one of us by now is sick and tired of receiving these package smishing attacks, so now it’s a new twist on an existing scam.”

In October 2023, KrebsOnSecurity wrote about a massive uptick in SMS phishing scams targeting **U.S. Postal Service** customers. That story revealed the surge was tied to innovations introduced by “**Chenlun**,” a mainland China-based proprietor of a popular phishing kit and service. At the time, Chenlun had just introduced new phishing pages made to impersonate postal services in the United States and at least a dozen other countries.

SMS phishing kits are hardly new, but Merrill said Chinese smishing groups recently have introduced innovations in deliverability, by more seamlessly integrating their spam messages with Apple’s **iMessage** technology, and with RCS, the equivalent “rich text” messaging capability built into **Android** devices.

“While traditional smishing kits relied heavily on SMS for delivery, nowadays the actors make heavy use of iMessage and RCS because telecom operators can’t filter them and they likely have a higher success rate with these delivery channels,” he said.

It remains unclear how the phishers have selected their targets, or from where their data may be sourced. A notice from MassDOT cautions that “the targeted phone numbers seem to be chosen at random and are not uniquely associated with an account or usage of toll roads.”

Indeed, one reader shared on Mastodon yesterday that they’d received one of these SMS phishing attacks spoofing a local toll operator, when they didn’t even own a vehicle.

Targeted or not, these phishing websites are dangerous because they are operated dynamically in real-time by criminals. If you receive one of these messages, just ignore it or delete it, but please do not visit the phishing site. The FBI asks that before you bin the missives, consider filing a complaint with the agency’s Internet Crime Complaint Center (IC3), including the phone number where the text originated, and the website listed within the text.

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection…

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection (SIP). Learn how this vulnerability can be exploited and how to protect your devices from this threat.

A recently discovered macOS vulnerability tracked as CVE-2024-44243, has raised alarms for jeopardizing the security of Apple devices. This vulnerability, uncovered by Microsoft Threat Intelligence, allows attackers to circumvent Apple’s robust System Integrity Protection (SIP) mechanism.

****How Does It Work?****

The flaw is found in the Storage Kit daemon, allowing local attackers with root privileges to exploit low-complexity attacks. According to Microsoft’s technical blog, shared with Hackread.com, CVE-2024-44243 exploits a weakness in the macOS storage management system. By leveraging the “storagekitd” daemon, attackers can potentially load third-party kernel extensions, bypassing the strict controls imposed by SIP.  

****What are the Implications?****

System Integrity Protection (SIP) is a crucial cybersecurity measure for macOS systems, protecting against malware and attackers. Bypassing it can significantly compromise the system’s security, Microsoft noted. Such as, attackers can install malicious software at the kernel level, and gain deep access to the system and data.

Moreover, malicious software can establish a persistent presence on the system, making it difficult to remove and potentially enabling future attacks. Also, attackers could bypass TCC (Transparency, Consent, and Control), Apple’s privacy framework, allowing unauthorized access to user data and sensitive information.  The vulnerability creates a wider attack surface, enabling attackers to exploit other vulnerabilities and escalate their privileges.

****Mitigating the Threat****

Apple has released security updates to address CVE-2024-44243. All macOS users must update their systems to the latest version to patch this vulnerability.

Microsoft’s responsible disclosure to Apple and their joint efforts to address this threat highlights the importance of shared knowledge and coordinated action in safeguarding user security. 

While we focus on patching vulnerabilities to protect ourselves from cyberattacks, it is important to remember that social engineering scams remain a prevalent threat. 

A recent campaign discovered by Group-IB targeted Apple iOS and Android users with fake trading apps. These apps were designed to steal from unsuspecting cryptocurrency investors. Therefore, staying informed about the latest threats, practicing safe online habits, and keeping software updated, are essential to minimize cybersecurity risks.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) commented on this stating, _“_This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls._“_ 

“Security teams should ensure macOS systems are patched with the latest updates, closely monitor for unusual disk management or privileged process behaviour, and implement endpoint detection tools that watch for unsigned kernel extensions,“ Jason explained. _“_Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat._“_

Microsoft Discovers macOS Flaw CVE-2024-44243, Bypassing SIP

An insurance company is accused of unlawfully collecting, using, and selling location data from millions of people's cell phones.

Insurance company Allstate and its subsidiary Arity unlawfully collected, used, and sold data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps, according to Texas Attorney General Ken Paxton.

Attorney General Paxton says the companies didn’t give consumers notice or get their consent, which violates Texas’ new Data Privacy and Security Act.

Arity would pay app developers to incorporate software that tracks consumers’ driving data in their apps. When consumers installed these apps they unwittingly downloaded that software, which allowed Arity to monitor the consumer’s location and movement in real-time.

Using this method, the company collected trillions of miles worth of location data from over 45 million people across the US, and used the data to create the “world’s largest driving behavior database.”

Allstate then used the covertly obtained data to justify raising insurance rates, according to Attorney General Paxton. Allstate is accused of not just using the data for its own business, but also for selling it on to third parties, including other car insurance carriers.

Location and movement data is valuable for insurance companies when they are preparing a quote. By having insight in the driver’s behavior, they can offer a rate that covers the risk better.

Car manufacturers are known to be selling similar data on to insurance companies. Last year, Attorney General Paxton sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies, also without their knowledge or consent.

Privacy violation aside, these companies don’t always keep the data safe. Just last week we spoke about a breach at data broker Gravy Analytics, which is said to have led to the loss of millions of people’s sensitive location data.

Back to the Allstate case, the Texas Data Privacy and Security Act (TDPSA) requires clear notice and informed consent regarding how a company will use Texans’ sensitive data. That is something which Allstate allegedly failed to do.

In the press release, Paxton states:

> “Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software. The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

**Protect your location data**

Sometimes apps ask permission to use your location data and you find yourself wondering, why does this app need to know where my phone is?

This is one possible reason.

Whenever you are asked to share your location data with an app and there’s no clear reason why you might need to, deny the app that permission.

If you have to share your location—for example, when using a map app—choose the “Allow only while using the app” option, so that it will be unable to continuously track your location and movement.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Insurance company accused of using secret software to illegally collect and sell location data on millions of Americans 

Data WIRED collected during the 2024 Democratic National Convention strongly suggests the use of a cell-site simulator, a controversial spy device that intercepts sensitive data from every phone in its range.

A device capable of intercepting phone signals was likely deployed during the 2024 Democratic National Convention (DNC) in Chicago, WIRED has learned, raising critical questions about who authorized its use and for what purpose.

The device, known as a cell-site simulator, was identified by the Electronic Frontier Foundation (EFF), a digital rights advocacy organization, after analyzing wireless signal data collected by WIRED during the August event.

Cell-site simulators mimic cell towers to intercept communications, indiscriminately collecting sensitive data such as call metadata, location information, and app traffic from all phones within their range. Their use has drawn widespread criticism from privacy advocates and activists, who argue that such technology can be exploited to covertly monitor protesters and suppress dissent.

The DNC convened amid widespread protests over Israel’s assault on Gaza. While credentialed influencers attended exclusive yacht parties and VIP events, thousands of demonstrators faced a heavy law enforcement presence, including officers from the US Capitol Police, the Secret Service, Homeland Security Investigations, local sheriff’s offices, and Chicago police.

Concerns over potential surveillance prompted WIRED to conduct a first-of-its-kind wireless survey to investigate whether cell-site simulators were being deployed. Reporters, equipped with two rooted Android phones and Wi-Fi hot spots running detection software, used Rayhunter—a tool developed by the EFF to detect data anomalies associated with these devices. WIRED’s reporters monitored signals at protests and event locations across Chicago, collecting extensive data during the political convention.

Initial tests conducted during the DNC revealed no conclusive evidence of cell-site simulator activity. However, months later, EFF technologists reanalyzed the raw data using improved detection methods. According to Cooper Quintin, a senior technologist at the EFF, the Rayhunter tool stores all interactions between devices and cell towers, allowing for deeper analysis as detection techniques evolve.

A breakthrough came when EFF technologists applied a new heuristic to examine situations where cell towers requested IMSI (international mobile subscriber identity) numbers from devices. According to the EFF’s analysis, on August 18—the day before the convention officially began—a device carried by WIRED reporters en route a hotel housing Democratic delegates from states in the US Midwest abruptly switched to a new tower. That tower asked for the device’s IMSI and then immediately disconnected—a sequence consistent with the operation of a cell-site simulator.

“This is extremely suspicious behavior that normal towers do not exhibit,” Quintin says. He notes that the EFF typically observed similar patterns only during simulated and controlled attacks. “This is not 100 percent incontrovertible truth, but it’s strong evidence suggesting a cell-site simulator was deployed. We don’t know who was responsible—it could have been the US government, foreign actors, or another entity.”

Under Illinois law, law enforcement agencies must obtain a warrant to deploy cell-site simulators. Similarly, federal agents—including those from the Department of Homeland Security—are required to secure warrants unless an immediate national security threat exists. However, a 2023 DHS Inspector General report found that both the Secret Service and Homeland Security Investigations did not always comply with these requirements.

The Chicago Police Department tells WIRED it did not deploy a cell-site simulator during the DNC, while the Secret Service tells WIRED in a statement that, “as a matter of practice,” it does not discuss the “means and methods” of its operations for “National Special Security Events.”

Other components of DHS as well as the DNC have not responded to requests for comment.

Quintin notes that the EFF detected similar anomalous behavior in a previous test conducted in Washington, DC’s Embassy Row, an area known for its high concentration of embassies and diplomatic offices. It wouldn’t be the first time that cell-site simulators were found in the nation's capitol. In 2019, the FBI accused Israel’s government of deploying a cell-site simulator near the White House—a claim Israel denied.

While the possible deployment of a cell-site simulator at the DNC has raised more questions than answers, for privacy and civil liberties advocates the implications are troubling nonetheless.

Nate Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, says, “It would be a big deal if the digital artifacts you found were in fact due to the presence of a cell-site simulator deployed to identify people at a protest.” However, Wessler adds, “it is also entirely possible that law enforcement was using a cell-site simulator in the area for a lawful purpose.”

For Wessler, the lack of clarity around their use is itself a cause for concern. “The ambiguity is really chilling,” he says. “The uncertainty around their use undermines people’s ability to express themselves.”

Tag

#android