Yet another spinoff of the infamous DDoS botnet is exploiting a known vulnerability in active attacks, while its threat actors are promoting it on Telegram for other attackers to use as well, in a DDoS-as-a-service model.

Source: Kirill Ivanov via Alamy Stock Photo

Yet another Mirai botnet variant is making the rounds, this time offering distributed denial-of-service (DDoS) as-a-service by exploiting flaws in Mitel SIP phones. It also features a unique capability to communicate with attacker command-and-control (C2).

Researchers at the Akamai Security Intelligence and Response Team (SIRT) identified the variant of the infamous botnet, dubbed Aquabot, that actively exploits CVE-2024-41710, a command-injection vulnerability that affects various Mitel models that are used in corporate environments, they revealed in a blog post published Jan. 29. The vulnerability relies on an input sanitization flaw, and exploitation can lead to root access of the device, SIRT researchers Kyle Lefton and Larry Cashdollar wrote in the post.

The variant is the third version of Aquabot (Akamai calls it Aquabotv3) to appear on the scene; the first version was built off the Mirai framework with the ultimate goal of DDoS, discovered in November 2023, and it was first reported by Antiy Labs. The second version of the bot "tacked on concealment and persistence mechanisms, such as preventing device shutdown and restart" that remain present in v3, the researchers wrote.

The new variant is distinct from the previous versions for a couple of reasons, the researchers said. One is a unique feature appearing first in Aquabotv3: a function named "report\_kill" that reports back to the C2 when a kill signal is caught on the infected device. So far, however, researchers have not seen any response to the function from the attacker C2.

Related:Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

Another notable aspect of v3 of Aquabot is that the threat actors behind it have been advertising the botnet as DDoS as-a-service through platforms such as Telegram. The bot is advertised under several different names — including Cursinq Firewall, The Eye Services, and The Eye Botnet — offering Layer 4 and Layer 7 DDoS, the researchers noted.

**Active Exploitation of Mitel Phone Security Flaw**

Akamai SIRT detected exploit attempts targeting CVE-2024-41710 through its global network of honeypots in early January using a payload almost identical to a proof-of-concept (PoC) developed and released on GitHub in mid-August by Packetlabs' researcher Kyle Burns.

Burns discovered that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, with multiple endpoints vulnerable to the flaw. His PoC demonstrated that an attacker could smuggle in entries otherwise blocked by the application's sanitization checks by sending a specially crafted HTTP POST request.

Related:Super Bowl LIX Could Be a Magnet for Cyberattacks

The exploitation activity that Akamai SIRT observed delivered a payload that attempts to fetch and execute a shell script called :bin.sh, which will in turn fetch and execute Mirai malware on the target system, the researchers wrote. The malware has support for a variety of different architectures, including x86 and ARM.

"Based on our analysis of the malware samples, we determined that this is a version of the Aquabot Mirai variant," specifically the latest evolution of the malware, Aquabotv3, the researchers wrote in the post.

In addition to being used in DDoS attacks, threat actors also are hawking Aquabot for DDoS-as-a-service, though they are trying to disguise the activity as "purely testing" for DDoS mitigation. However, the same domain featured in the ad promoting testing is actively spreading Mirai malware, the researchers noted.

"Threat actors will claim it's just a \[proof of concept\] or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram," they wrote in the post.

**Mirai Botnet Remains Key Conduit for DDoS**

As the majority of botnets responsible for DDoS attacks are based on Mirai, "they predominantly target Internet of Things (IoT) devices, which makes spreading the malware relatively easy to do," the researchers noted in the post. Indeed, a recent wave of global DDoS attacks were attributed to Mirai botnet spinoffs, demonstrating that attackers aiming to leverage Mirai show no signs of slowing down.

Related:Apple Patches Actively Exploited Zero-Day Vulnerability

That's likely because "the \[return on investment\] of Mirai for an aspiring botnet author is high," because it's not only one of the most successful botnet families in the world, it's also one of the more simple ones to modify, the researchers noted.

Moreover, many IoT devices often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers, making them low-hanging fruit for Mirai and its variants, the researchers wrote.

No matter what an attacker's intentions are, the researchers recommended that organizations take action to secure IoT devices through discovery or changing default credentials to protect against DDoS threats.

"Many of these botnets rely on common password libraries for authentication," they wrote in the post. "Find out where your known IoT devices are, and check for rogue ones, too. Check the login credentials and change them if they are default or easy to guess."

Akamai SIRT also included a list of indicators of compromise (IoCs) as well as Snort and Yara rules in the post to aid defenders.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Variant 'Aquabot' Exploits Mitel Device Flaws

A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome.
The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the

New SLAP & FLOP Attacks Expose Apple M-Series Chips to Speculative Execution Exploits

Apple has released a host of security updates for iOS, iPadOS, Mac, Apple Watch, and Apple TV. Update as soon as you can.

Apple has released a host of security updates across many devices, including for a zero-day bug which is being actively exploited in iOS.

Apple said:

> “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.”

Devices affected are those that run:

*   iPhone XS and later
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
*   macOS Sequoia
*   Apple Watch Series 6 and later
*   All models of Apple TV HD and Apple TV 4K

If you use any of these then you should install updates as soon as you can. To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

**Technical details about the zero-day**

The zero-day vulnerability patched in this update is tracked as CVE-2025-24085. It is described as a use after free (UAF) issue in Apple’s Core Media framework that would allow an attacker to elevate privileges.

The Core Media framework handles multimedia applications like photos, videos, and real-time communication applications. UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, successful exploitation could provide a malicious app with privileges on the affected device that it shouldn’t have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple users: Update your devices now to patch zero-day vulnerability 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild.
The vulnerability, tracked as CVE-2025-24085, has been described as a use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges.
"Apple is

Apple Patches Actively Exploited Zero-Day Affecting iPhones, Macs, and More

The Apple iOS 18.3 update fixes 28 other vulnerabilities identified by the tech company, though there is little information on them.

Source: Shahid Jamil via Alamy Stock Photo

NEWS BRIEF

In its latest security update for users, Apple has released a patch for a zero-day vulnerability tracked as CVE-2025-24085 (no CVSS score assigned yet).

The vulnerability, not yet added to the National Vulnerability Database (NVD), can be found in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. As a privileged escalation security flaw, it is located in Apple's Core Media framework. The bug is being actively exploited in the wild.

The Core Media framework, according to Apple, is "the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms." It allows users to process media samples as well as manage queues of media data.

This patch comes in the form of iOS 18.3, which fixes 28 other vulnerabilities as well. Apple has yet to divulge many details about any of the issues that have been patched by this update, likely to prevent attackers from exploiting them before users can apply the necessary fix.

Impacted devices from this bug include:

*   Apple Watch Series 6 and later
    

*   Apple TV HD and Apple TV 4K (all models)
    
*   iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
    

Though the tech giant has disclosed that "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2," it has not published any details of the attacks nor attributed its discovery to a researcher.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Patches Actively Exploited Zero-Day Vulnerability

One of the largest data breaches in history was apparently twice as impactful as previously thought, with PII belonging to hundreds of millions of people sitting in the hands of cybercriminals.

Source: Pavel Kapish via Alamy Stock Photo

New evidence suggests that more than half of the US population was touched by the ransomware attack(s) against UnitedHealth subsidiary Change Healthcare.

One of the largest data breaches ever recorded struck Change Healthcare last year. Change's technology services reach hundreds of vendors and laboratories, thousands of hospitals, tens of thousands of pharmacies, and hundreds of thousands of physicians and dentists, including "nearly all government and commercial payers," according to company documentation. These services necessarily sweep up loads of patients' personally identifying information (PII), which ended up in the hands of multiple ransomware actors.

Later last year, it was reported that the incident affected around 100 million Americans. Now, UnitedHealth has updated that number to approximately 190 million. A company spokesperson confirmed this in an emailed statement to Dark Reading, adding, "the vast majority of those people have already been provided individual or substitute notice."

**Change's Changing Cyberattack Story**

Last February, in concert, pharmacies around the US experienced significant delays to prescription orders. Behind it all was Change Healthcare, which processes billions of transactions every year, representing trillions of dollars worth of medical claims.

Related:Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges

The company first stated that it had suffered a nation-state cyber intrusion. In fact, it was a regular old ransomware attack (for which it would later pay a whopping $22 million ransom). And this wasn't the only crucial detail it got wrong.

In June, Change Healthcare finally sent out notices of data compromise, revealing that affected customers totaled around 100 million. On Friday, however, UnitedHealth Group publicly adjusted that figure to include 90 million more.

In its updated online notice of data breach, the company admitted that hackers may have obtained a variety of personally identifying information (PII) about patients and guarantors, including their first and last names, dates of birth, phone numbers, home addresses, and email addresses. Social security numbers, it noted, were only lost in "rare instances," and in an email to Dark Reading, a spokesperson claimed that Change Healthcare "has not seen electronic medical record databases appear in the data during the analysis."

The spokesperson also emphasized that "Change Healthcare is not aware of any misuse of individuals' information as a result of this incident."

However, Paul Bischoff, consumer privacy advocate at Comparitech, warns that "every press release I ever see about a data release says 'there's no evidence that your information has been abused or misused in any way.' But, obviously, they're not really looking for that for those instances of abuse, and they would never know if it actually happened. And the people that it happens to can't attribute the identity theft that they're suffering back to the data breach that caused it."

Related:For $50, Cyberattackers Can Use GhostGPT to Write Malicious Code

**When Data Breach Disclosures Go Wrong**

The Securities and Exchange Commission (SEC) data breach disclosure rules require that publicly traded companies disclose "material" cybersecurity incidents within four days of becoming alerted to them. The same rule applies to material updates to breach disclosures, such as when an attack is found to have affected nearly twice as many victims as once thought.

Despite these rules, companies have managed to take extensive time in investigating and addressing critical aspects of their breaches. For instance, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Bischoff hesitates, though, before suggesting that what's needed is even stricter regulation. "It's a complicated subject, because it gets to a point where you put such a burden on companies. Companies are also victims in these situations, so I don't want to penalize them for reporting things incorrectly," he says.

Related:The Case for Proactive, Scalable Data Protection

At the same time, he adds, "What we see a lot is that these companies take way too long to finish their investigations and notify victims. Sometimes it's up to a year or more before we're notified that people's data is out there on the Dark Web, being used for who knows what. And that's after they're most likely to get hit with identity fraud, and other sorts of fraud, because cybercriminals want that information when it's as fresh as possible. That's when it's most valuable. So I think we do need more strict standards about the timeliness of these notifications."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Change Healthcare Breach Impact Doubles to 190M People

Amid ongoing fears over TikTok, Chinese generative AI platform DeepSeek says it’s sending heaps of US user data straight to its home country, potentially setting the stage for greater scrutiny.

The United States’ recent regulatory action against the Chinese-owned social video platform TikTok prompted mass migration to another Chinese app, the social platform “Rednote.” Now, a generative artificial intelligence platform from the Chinese developer DeepSeek is exploding in popularity, posing a potential threat to US AI dominance and offering the latest evidence that moratoriums like the TikTok ban will not stop Americans from using Chinese-owned digital services.

DeepSeek, an AI research lab created by a prominent Chinese hedge fund, recently gained popularity after releasing its latest open source generative AI model that easily competes with top US platforms like those developed by OpenAI. However, to help avoid US sanctions on hardware and software, DeepSeek created some clever workarounds when building its models. On Monday, DeepSeek’s creators limited new sign-ups after claiming the app had been overrun with a “large-scale malicious attack.”

While DeepSeek has several AI models, some of which can be downloaded and run locally on your laptop, the majority of people will likely access the service through its iOS or Android apps or its web chat interface. Like with other generative AI models, you can ask it questions and get answers; it can search the web; or it can alternatively use a reasoning model to elaborate on answers.

DeepSeek, which does not appear to have established a communications department or press contact yet, did not return a request for comment from WIRED about its user data protections and the extent to which it prioritizes data privacy initiatives.

As people clamor to test out the AI platform, though, the demand brings into focus how the Chinese startup collects user data and sends it home. Users have already reported several examples of DeepSeek censoring content that is critical of China or its policies. The AI setup appears to collect a lot of information—including all your chat messages—and send it back to China. In many ways, it’s likely sending more data back to China than TikTok has in recent years, since the social media company moved to US cloud hosting to try to deflect US security concerns

“It shouldn’t take a panic over Chinese AI to remind people that most companies in the business set the terms for how they use your private data” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. “And that when you use their services, you’re doing work for them, not the other way around.”

**What DeepSeek Collects About You**

To be clear, DeepSeek is sending your data to China. The English-language DeepSeek privacy policy, which lays out how the company handles user data, is unequivocal: “We store the information we collect in secure servers located in the People's Republic of China.”

In other words, all the conversations and questions you send to DeepSeek, along with the answers that it generates, are being sent to China or can be. DeepSeek’s privacy policies also outline the information it collects about you, which falls into three sweeping categories: information that you share with DeepSeek, information that it automatically collects, and information that it can get from other sources.

The first of these areas includes “user input,” a broad category likely to cover your chats with DeepSeek via its app or website. “We may collect your text or audio input, prompt, uploaded files, feedback, chat history, or other content that you provide to our model and Services,” the privacy policy states. Within DeepSeek’s settings, it is possible to delete your chat history. On mobile, go to the left-hand navigation bar, tap your account name at the bottom of the menu to open settings, and then click “Delete all chats.”

This collection is similar to that of other generative AI platforms that take in user prompts to answer questions. OpenAI’s ChatGPT, for example, has been criticized for its data collection although the company has increased the ways data can be deleted over time. Regardless of these types of protections, privacy advocates emphasize that you should not disclose any sensitive or personal information to AI chat bots.

“I would not input personal or private data in any such an AI assistant,” says Lukasz Olejnik, independent researcher and consultant, affiliated with King's College London Institute for AI. Olejnik notes, though, that if you install models like DeepSeek’s locally and run them on your computer, you can interact with them privately without your data going to the company that made them. Additionally, AI search company Perplexity says it has added DeepSeek to its platforms but claims it is hosting the model in US and EU data centers.

Other personal information that goes to DeepSeek includes data that you use to set up your account, including your email address, phone number, date of birth, username, and more. Likewise, if you get in touch with the company, you’ll be sharing information with it.

Bart Willemsen, a VP analyst focusing on international privacy at Gartner, says that, generally, the construction and operations of generative AI models is not transparent to consumers and other groups. People don’t know exactly how they work or the exact data they have been built upon. For individuals, DeepSeek is largely free, although it has costs for developers using its APIs. “So what do we pay with? What do we usually pay with: data, knowledge, content, information,” Willemsen says.

As with all digital platforms—from websites to apps—there can also be a large amount of data that is collected automatically and silently when you use the services. DeepSeek says it will collect information about what device you are using, your operating system, IP address, and information such as crash reports. It can also record your “keystroke patterns or rhythms,” a type of data more widely collected in software built for character-based languages. Additionally, if you purchase DeepSeek’s premium services, the platform will collect that information. It also uses cookies and other tracking technology to “measure and analyze how you use our services.”

A WIRED review of the DeepSeek website's underlying activity shows the company also appears to send data to Baidu Tongji, Chinese tech giant Baidu's popular web analytics tool, as well as Volces, a Chinese cloud infrastructure firm. In a social media post, Sean O'Brien, founder of Yale Law School's Privacy Lab, said that DeepSeek is also sending “basic” network data and “device profile” to TikTok owner ByteDance “and its intermediaries.

The final category of information DeepSeek reserves the right to collect is data from other sources. If you create a DeepSeek account using Google or Apple sign-on, for instance, it will receive some information from those companies. Advertisers also share information with DeepSeek, its policies say, and this can include “mobile identifiers for advertising, hashed email addresses and phone numbers, and cookie identifiers, which we use to help match you and your actions outside of the service.”

**How DeepSeek Uses Information**

Huge volumes of data may flow to China from DeepSeek’s international user base, but the company still has power over how it uses the information. DeepSeek’s privacy policy says the company will use data in many typical ways, including keeping its service running, enforcing its terms and conditions, and making improvements.

Crucially, though, the company’s privacy policy suggests that it may harness user prompts in developing new models. The company will “review, improve, and develop the service, including by monitoring interactions and usage across your devices, analyzing how people are using it, and by training and improving our technology,” its policies say.

DeepSeek’s privacy policy also says the company will also use information to “comply with \[its\] legal obligations”—a blanket clause many companies include in their policies. DeepSeek’s privacy policy says data can be accessed by its “corporate group,” and it will share information with law enforcement agencies, public authorities, and more when it is required to do so.

While all companies have legal obligations, those based in China do have notable responsibilities. Over the past decade, Chinese officials have passed a series of cybersecurity and privacy laws meant to allow state officials to demand data from tech companies. One 2017 law, for instance, says that organizations and citizens should “cooperate with national intelligence efforts.”

These laws, alongside growing trade tensions between the US and China and other geopolitical factors, fueled security fears about TikTok. The app could harvest huge amounts of data and send it back to China, those in favor of the TikTok ban argued, and the app could also be used to push Chinese propaganda. (TikTok has denied sending US user data to China’s government.) Meanwhile, several DeepSeek users have already pointed out that the platform does not provide answers for questions about the 1989 Tiananmen Square massacre, and it answers some questions in ways that sound like propaganda.

Willemsen says that, compared to users on a social media platform like TikTok, people messaging with a generative AI system are more actively engaged and the content can feel more personal. In short, any influence could be larger. “Risks of subliminal content alteration, conversation direction steering, in active engagement ought by that logic to lead to more concern, not less,” he says, “especially given how the inner workings of the model are widely unknown, its thresholds, borders, controls, censorship rules, and intent/personae largely left unscrutinized, and it being already so popular in its infancy stage.”

Olejnik, of King's College London, says that while the TikTok ban was a specific situation, US law makers or those in other countries could act again on a similar premise. “We can’t rule out that 2025 will bring an expansion: direct action against AI firms,” Olejnik says. “Of course, data collection may again be named as the reason.”

_Updated 5:27 pm EST, January 27, 2025: Added additional details about the DeepSeek website's activity._

_Updated 10:05 am EST, January 29, 2025: Added additional details about DeepSeek's network activity._

DeepSeek’s Popular AI App Is Explicitly Sending US Data to China

DeepSeek, a new China-backed AI platform, faces a cyberattack disrupting new user registrations. Learn about its rapid growth,…

DeepSeek, a new China-backed AI platform, faces a cyberattack disrupting new user registrations. Learn about its rapid growth, challenges, and the importance of cybersecurity.

DeepSeek, a rising star in the world of artificial intelligence, has confirmed it is facing a large-scale cyberattack that has disrupted its services. The company released a statement on its website, informing users:

_“_Due to large-scale malicious attacks on DeepSeek’s services, registration may be busy. Please wait and try again. Registered users can log in normally. Thank you for your understanding and support._“_

Screenshot: Hackread.com

**What is DeepSeek?**

DeepSeek, a Chinese AI startup, has quickly gained prominence as an AI assistant designed to rival established names like **OpenAI’s ChatGPT**. The platform has been lauded for its intuitive features and user-friendly design, which have captured the attention of millions worldwide.

In just days, it climbed to the top spot in the free application section of Apple’s App Store in the United States, overtaking ChatGPT. This rapid surge in popularity has placed DeepSeek squarely in the spotlight, making it a tempting target for cybercriminals.

**The Attack and Its Impact**

The large-scale attack has primarily impacted new user registrations, leaving prospective users unable to join the platform. Current users, however, can still log in and use the service without interruption. Despite the disruption, DeepSeek remains optimistic, thanking users for their patience and support as they work to resolve the situation.

**Cybersecurity Expert’s Perspective**

Commenting on the incident, Jake Moore, Global Cyber Security Advisor at ESET, highlighted the risks associated with DeepSeek’s rapid rise: _“_DeepSeek has certainly been in the limelight in recent days, which can act as a huge honeypot for cybercriminals. This is typical for any new platform which contentiously dominates the media for multiple reasons and can attract multiple groups of threat actors looking for any potential vulnerability to exploit._“_

_“_Irrespective of who is behind DeepSeek and its values, such attacks act as a reminder to bolster existing defences and to expect the unexpected; especially when attention grows quickly,” Jake told Hackread.com.

**Growing Pains of Rapid Success**

The cyberattack shows the challenges faced by platforms experiencing rapid growth. As new platforms gain popularity, they often become targets for threat actors seeking to exploit vulnerabilities. This incident is a wake-up call for DeepSeek, highlighting the importance of strong cybersecurity measures, especially as its user base grows so rapidly.

This story is developing. Stay Tuned!

1.  **Sora and ChatGPT Currently Down Worldwide**
2.  **GhostGPT: Malicious AI Chatbot Fueling Cybercrime**
3.  **Cyberattack on American Water Shuts Down Customer Portal**

DeepSeek Faces Large-scale Cyberattack, Halts New User Registrations

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

Source: Sean Hawkey via Alamy Stock Photo

Two Americans, two North Koreans, and a Mexican man have been indicted for their roles in an IT worker scam.

According to the Department of Justice (DoJ), Pak Jin-Song, Jin Sung-Il, and other North Korean co-conspirators secured IT jobs with at least 64 different American companies. They managed it using fake identities facilitated by Pedro Ernesto Alonso De Los Reyes, a Mexican citizen living in Sweden, and carried out their jobs with the help of laptop farms maintained by US citizens Emanuel Ashtor and Erick Ntekereze Prince.

The ruse lasted from April 2018 to last August. For a sense of how lucrative it was, the DoJ noted that earnings from just 10 of the 64 affected companies yielded the scammers $866,255.

**Breakdown of a North Korean IT Scam**

The IT worker scam, now tried and true, developed as a workaround for trade and economic sanctions imposed by the US on the Democratic People's Republic of Korea (DPRK). North Koreans under the employ of sanctioned DPRK government ministries, under assumed identities and relocated in places like China and Russia, apply for remote jobs in America's lucrative tech industry. They perform their jobs adequately enough, but funnel their earnings back to their shriveled government. And some portion of that money, inevitably, ends up funding its notorious nuclear and missile development programs.

Related:CISOs Are Gaining C-Suite Swagger, but Has It Come With a Cost?

But getting a high-paying tech job is no simple, overnight process. To facilitate these scams, by trick or by trade, North Korea recruits Americans and other foreign nationals to help them implement the plan. In this case, the help came from a few central individuals.

In some cases, Alonso lent the hungry job seekers his identity, which they presented as their own in job applications and interview processes. In other cases, the North Koreans stole real US citizens' government identification documents, then superimposed their own headshots on them. In other cases, they solicited help with forgeries from the Web.

After securing sometimes six-figure gigs, the North Korean workers would have company laptops delivered to Ashtor or Prince. By a certain point, the Americans were running full-on laptop farms from their homes in North Carolina. To enable North Koreans in China to work from laptops on the US East Coast, they covertly downloaded and installed remote access software onto these corporate devices. And to conceal where the salaries were actually going, they used their own registered companies to invoice employers. Payments would then be laundered through Chinese bank accounts.

Related:War Game Pits China Against Taiwan in All-Out Cyberwar

Ashtor and Prince were arrested in North Carolina, and Alonso in the Netherlands. All five men are now charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. The two named North Koreans have earned a bonus charge of conspiracy to violate the International Emergency Economic Powers Act. Convictions could entail prison sentences of up to 20 years.

**Are Recent Arrests Having an Impact on Cybercrime?**

Last March, the DoJ launched its DPRK RevGen: Domestic Enabler Initiative, focused on shutting down the laptop farms crucial to facilitating North Korean IT worker scams. In the time since, authorities have made notable arrests and seizures on four separate occasions.

"They've been warned about this for two years, and we're finally just now starting to see the United States government starting to form a defensive policy, \[with\] routine arrests and sanctions," says Roger Grimes, data-driven defense evangelist at KnowBe4, a company that accidentally hired a North Korean employee last year.

Grimes hasn't yet observed any noticeable decline in these scams since the DoJ initiative began. In fact, he reports, KnowBe4 has received applications from fake IT workers even since its first, widely publicized incident. Any Americans joined up with Kim might consider, though, that besides the threat of arrest, the gig isn't always as lucrative as it seems.

Related:84% of Healthcare Organizations Spotted a Cyberattack in the Late Year

"A lot of them have been cheated," Grimes notes. While cases have varied widely, he claims, "Many \[Americans have been\] promised a lot more, and either only got paid partially, or some of them didn't get paid at all. So they were really cheated."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Tag

#apple