In what's being called a "major cybersecurity incident," Beijing-backed adversaries broke into cyber vendor BeyondTrust to access the US Department of the Treasury workstations and steal unclassified data, according to a letter sent to lawmakers.

Source: trekandshoot via Alamy Stock Photo

UPDATE: This story was updated on Dec. 30 to include a statement from a BeyondTrust spokesperson.

The US Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.

Because an advanced persistent threat (APT) group is suspected to be behind the hack, it is being treated as a "major cybersecurity incident," the disclosure letter from the Treasury Department said. The letter was sent to the chairman and ranking member of the Senate committee that oversees the agency.

Adversaries broke into the Treasury Department through third-party cybersecurity vendor BeyondTrust and "...gained access to a remote key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users," the letter explained. "With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."

BeyondTrust has more than 20,000 customers across more than 100 countries who use its privileged remote access tools, according to its website, which also states that the company is used among 75% of Fortune 100 organizations. The company has not responded to Dark Reading's request for comment.

BeyondTrust told the Treasury Department about the issue on Dec. 8; the department, along with the Cybersecurity and Infrastructure Security Agency and the FBI, is investigating the compromise, according to the letter.

A BeyondTrust advisory said the company was alerted on Dec. 5 to a compromised API key, which was immediately revoked. Impacted customers have already been notified, and the company is working with them on remediation, according to a statement from a BeyondTrust spokesperson.

"BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product," the statement said. "No other BeyondTrust products were involved."

**'Epic' Chinese Hack of US Treasury**

The revelation that Beijing was able to strike right at the heart of America's federal capitalist system itself comes as the federal government continues to grapple with the sprawling and coordinated Chinese-backed cyberattacks against telecommunications companies in the US. Once inside, hackers from groups including Salt Typhoon accessed call data and text messages of an unknown number of Americans. So far Chinese hacking groups have been discovered inside at least nine different telecom networks in the US.

While investigations into the US Treasury breach are ongoing, these brazen Chinese acts of cyber espionage are almost to certain to require dicey diplomatic maneuvering. That could prove to be difficult to pull off during the murky transition period from the Biden administration to the incoming Trump administration.

"Beijing's routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively since there's lack of transparency and accountability/coordination," said Lawrence Pingree, vice president of Dispersive, in a statement provided to Dark Reading.

It's still unclear whether the Chinese hackers were able to crack the application's secrets or a cryptographic key, he added.

"Secrets and cryptographic key management are critical elements of managing software API access and thus if deficient in some way, or a compromise occurs via a developer's endpoint, the breach of those secrets and authentication keys can create these types of epic breaches," Pingree said.

The breach also shows that cybersecurity vendors remain a favorite target of sophisticated state threat actors, according to former NSA cyber expert Evan Dornbush, who provided a statement in reaction to the breach.

"The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust," Dornbush said. "This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese State Hackers Breach US Treasury Department

IN THIS ARTICLE: Hackers have released what they claim to be the second batch of data stolen in…

****IN THIS ARTICLE:****

*   **Hackers’ Claims:** IntelBroker released a second batch of extracted Cisco data, amounting to 4.84 GB, from the October 2024 breach, claiming it is part of a 4.5 TB trove.

*   **Leaked Data Contents:** The data includes sensitive files such as software artifacts, network configurations, testing logs, cloud server images, and cryptographic signatures, exposing intellectual property and operational insights.

*   **Misconfigured Resource Exploitation:** The data originated from a misconfigured, public-facing DevHub resource left exposed without password protection, allowing hackers to download it.

*   **Cisco’s Response:** Cisco acknowledged the incident, stated public access was disabled, and confirmed no servers were breached or sensitive data compromised, though hackers contest this claim.

*   **IntelBroker’s Track Record:** The hacker, known for breaching Apple, AMD, Europol, and others, highlights ongoing exploitation of misconfigured systems, a persistent issue in cybersecurity.

Hackers have released what they claim to be the second batch of data stolen in the alleged Cisco data incident from October 2024. According to **IntelBroker**, the hacker behind the breach, the latest leak, published on Christmas Eve on Breach Forums, contains 4.84 GB of data, part of an allegedly stolen 4.5 TB.

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

As seen by Hackread.com, the leaked data includes a trove of sensitive files, such as proprietary software development artifacts like Java binaries, source code, and application archives; network-related files including Cisco XRv9K virtual router images and configurations; testing logs and scripts; operational data such as Zero Touch Provisioning (ZTP) logs and packages; cloud server disk images; and cryptographic signatures for payment SDKs like Weixin Pay.

Additionally, the leak contains configuration files, internal project archives, and other miscellaneous documents, potentially exposing intellectual property, network configurations, and operational insights.

File tree shared by IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Background****

Notably, the leaked data originates from a misconfigured, public-facing DevHub resource that Cisco reportedly left exposed without password protection or security authentication, enabling the hackers to download the entire dataset **in October 2024.**

IntelBroker who accessed the misconfigured server claims they managed to extract 4.5TB of information. The first part of the data leak, which included 2.9 GB of files, was **published on December 17, 2024**.

****Cisco’s Response****

Cisco **acknowledged** (PDF) the October 2024 incident and stated that public access was disabled. The company also confirmed that none of its servers were breached and no sensitive data was compromised. However, the hackers claim otherwise, particularly regarding the extracted data.

Regarding the latest leak, Cisco noted on its incident response page that it is aware of the claims made by IntelBroker, asserting that the data published this time also stems from the October 14, 2024, incident.

> _“On Wednesday, December 25, 2024, at 17:07 EST, the threat actor IntelBroker posted on X about releasing more data. At 17:40 EST, IntelBroker released 4.45 GB of data for free on BreachForums. We have analyzed the post data, and it aligns with the known data set from October 14, 2024.”_  
> 
> Cisco

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

1.  **IntelBroker Claim Access to Nokia Internal Data, Selling for $20K**
2.  **Europol Hacked: IntelBroker Claims Major Law Enforcement Breach**
3.  **IntelBroker Space-Eyes Breach, Targeting US National Security Data**
4.  **IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access**
5.  **AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info**

Hackers Release Second Batch of Stolen Cisco Data

As organizations on the continent expand their use of digital technologies, they increasingly face many of the same threats that entities in other regions have had to deal with for years.

Source: Golden Dayz via Shutterstock

Rising Internet adoption and digital transformation initiatives are exposing organizations in Africa to a growing range of cyber threats.

One manifestation of the trend is a steady increase in distributed denial-of-service (DDoS) attacks on organizations in a handful of North African countries — which also happen to be the ones with the highest Internet penetration rates in the region.

**Surge in DDoS Activity**

A recent analysis of threat activity data during the first half of 2024 by Netscout showed a 30% increase in DDoS attacks in the Middle East and Africa overall compared with the previous quarter. Countries that experienced the largest growth in DDoS attacks included Algeria, Morocco, Tunisia, and Egypt.

Morocco, which has a 90% Internet penetration rate, reported 61,000 DDoS attacks during the first half of 2024, which was the highest number of DDoS attacks in the region during the period. A plurality of the attacks — 16,461 — targeted wireless telecom producers in the region; more than 6,000 were directed at wired telecom companies; and the rest affected organizations across multiple industry sectors.

Organizations in Egypt, another country in the region with a high Internet penetration rate, collectively experienced some 45,108 DDoS attacks in the first half of the year, with wired telecom carriers being the most frequently targeted entities, followed by wireless carriers and educational institutions. Netscout found some of the highest bandwidth attacks during the time period in Egypt, with the biggest one clocking in at a hefty 332.96 Gbit/s.

Related:China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

The story with Tunisia, which experienced 4,511 DDoS attacks in the first six months, was similar in terms of victimology: most victims were wired or wireless telecom providers. However, Netscout found threat actors deploying a larger number of DDoS attacks against Tunisian organizations than organizations in other countries. The largest such attack type involved a startling 27 vectors, including Apple Remote Management Service, Connection-less Lightweight Directory Access Protocol (CLDAP) , Constrained Application Protocol (COAP), and Domain Name System (DNS) amplification techniques for significantly increasing the power of an attack.

**Geopolitical Tensions, "Online-Ness" Drive Cyber Activity**

"These attacks can be attributed in part to businesses in countries such as Morocco, Tunisia, Egypt, Libya, and Algeria increasing their online presence over the past year," says Richard Hummel, director of threat intelligence at Netscout. "While digital transformation is generally a cause for celebration, unfortunately, it also means that more devices and services can be disrupted by attacks."

Related:'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

A larger attack surface, however, is not the only reason for the increased DDoS activity in Africa and the Middle East, Hummel says. "Geopolitical tensions in these regions are also fueling a surge in hacktivist activity as real-world political disputes spill over into the digital world," he says. "Unfortunately, hacktivists often target critical infrastructure like government services, utilities, and banks to cause maximum disruption."

And DDoS attacks are by no means the only manifestation of the new threats that organizations in Africa are having to contend with as they broaden their digital footprint.

**Growing Cyber-Espionage, Cybercrime Risks**

The Africa Center for Strategic Studies in a recent report assessed that the increasing spread of IT, communications, and related technologies in the region is rapidly amplifying and altering threats against organizations — and raising national security challenges in the process. The center, which is a US Department of Defense institution, expects that over the next few years organizations in Africa will have to contend with a many of the same cyber threats that entities in other regions of the world have had to contend with for years.

Related:IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

One of them is cyber espionage. "Cyberspace has fundamentally changed the methods and means through which states gather information on one another and their citizens," the Africa Center report noted. "Though the most significant cyberespionage concerns in Africa have centered around China, espionage and surveillance capabilities are rapidly diffusing across the continent."

Attacks on critical infrastructure and financially motived attacks by organized crime are other looming concerns. In the center's assessment, Africa's government networks and networks belonging to the military, banking, and telecom sectors are all vulnerable to disruptive cyberattacks. Exacerbating the concern is the relatively high potential for cyber incidents resulting from negligence and accidents.

Organized crime gangs — the scourge of organizations in the US, Europe, and other parts of the world, present an emerging threat to organizations in Africa, the Center has assessed.  "Growing internet penetration rates in Africa has both led to new kinds of cyber-dependent criminal activities, such as business email compromise or romance scams, as well transformed the financing and market dynamics of more traditional organized crime networks." Supply chain attacks are another major and emerging concern, especially given the high reliance on foreign suppliers among organizations in Africa.

Agnidipta Sarkar, vice president and CISO advisory at ColorToken, says organizations in Africa are going to come under growing pressure to implement defenses against new cyber threats, even as they embark on their digital transformation journey.

"The ability to continue business operations, despite cyberattacks, will encourage investments in the region," he predicts. "Effectively reporting breaches will emerge as a highly sought-after capability for CISOs, especially \[for\] those who can."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DDoS Attacks Surge as Africa Expands Its Digital Footprint

A US court ruled against NSO Group, an Israeli spyware maker, finding them liable for hacking WhatsApp users. The ruling has major implications for the surveillance technology industry."

****SUMMARY****

*   **NSO Group Held Accountable:** A U.S. court ruled against NSO Group for hacking WhatsApp accounts, violating U.S. law and its terms of service.

*   **Pegasus Spyware Abuse:** NSO exploited a WhatsApp flaw to install Pegasus spyware on 1,400 devices, targeting activists, journalists, and officials.

*   **WhatsApp Lawsuit Victory:** WhatsApp sued NSO in 2019 after discovering the spyware attack, marking a major win for privacy rights.

*   **Court Rejects NSO’s Defense:** The court dismissed NSO’s claims of immunity, holding it liable despite its stated anti-terrorism purpose.

*   **Spyware Industry Implications:** The ruling sets a precedent for accountability, boosting privacy advocacy efforts against invasive technologies.

The Israeli spyware company NSO Group has been held liable for compromising the accounts of hundreds of WhatsApp users, marking a significant legal victory for Meta Platforms.

****The Ruling****

In a landmark ruling, U.S. District Judge Phyllis Hamilton found the NSO Group responsible for hacking and breaching the world’s leading messaging app WhatsApp’s terms of service, compromising the accounts of hundreds of its users. 

According to court documents (PDF), the NSO Group exploited a vulnerability in the messaging app to install its powerful Pegasus spyware on at least 1,400 devices. This spyware, known for its ability to infiltrate phones and extract sensitive data, was allegedly used to target journalists, human rights activists, political dissidents, and government officials, raising serious concerns about privacy and human rights.

****Background Details****

For your information, WhatsApp filed the lawsuit in 2019, accusing NSO Group of accessing its servers without authorization to deploy Pegasus. It was reported by Hackread.com that the NSO Group was suspected of exploiting a new “MMS Fingerprint” attack on WhatsApp, exposing device information without user interaction. 

Hackread.com also reported earlier this year that WhatsApp discovered the vulnerability in May 2019, which let attackers install Pegasus spyware on users’ devices. The flaw was then used to target government officials and activists globally. WhatsApp sued NSO Group for the exploitation 

The Israeli firm, which claims its technology is used to combat terrorism and crime, argued that its actions were justified and that it should be shielded from liability. However, the court rejected these arguments, finding that it was responsible for the breach and that its actions violated US law.

This ruling has major implications for the spyware industry, which operates in a legal gray area. It establishes a precedent that companies like NSO Group can be held accountable for the misuse of their technology, even if they claim to be providing services to legitimate government agencies. The decision is also a major victory for privacy advocates, who have long warned about the dangers of invasive surveillance technologies.

WhatsApp hailed the ruling as a “huge win for privacy,” emphasizing that it would continue to work to protect user communications from such attacks. 

“We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions,” Will Cathcart, the head of WhatsApp stated.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Apple loses lawsuit against cyber security startup Corellium**
3.  **Amazon Files Lawsuits Against Fraudsters Over Fake Reviews**
4.  **YouTube MP3 Converter Site Shut Down After Labels Win Lawsuit**
5.  **Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data**

WhatsApp Wins Lawsuit Against Israeli Spyware Maker NSO Group

Explore how Ethereum revolutionizes industries with smart contracts, DeFi, NFTs, gaming, DAOs, and sustainability, shaping the future of…

Explore how Ethereum revolutionizes industries with smart contracts, DeFi, NFTs, gaming, DAOs, and sustainability, shaping the future of business innovation and blockchain technology.

Vitalik Buterin developed Ethereum in 2014 after taking inspiration from Bitcoin. However, he envisioned an open-source blockchain through which users could access smart contracts and trade cryptocurrency by excluding third parties. The reasons were clear: traditional financial companies risk compromising users’ data and exposing them to cybersecurity threats, which are less likely to occur on the blockchain, where users can maintain anonymity. Decentralization ensures robust maintenance through a network of global nodes and validators.

Since the blockchain offered developers many perspectives and tools, cryptocurrency has also become popular, reaching second place after Bitcoin. Now, you can buy Ethereum with a debit card or credit through Google Pay or Apple Pay, making it highly accessible globally.  Hence, one can say Ethereum’s future is bright, especially since the blockchain might become an innovative solution to modern problems. Here’s how. 

****Ethereum will promote the DeFi market** **

Decentralized Finance (DeFi) is expected to be the future of the financial industry, as it will merge features of decentralization, transparency and immutability into financial service companies like banks. This will be possible as security protocols, software, and hardware advancements will replace our current outdated systems. The financial sector of the future will ensure high accessibility to all communities, low fees for interest rates and autonomy due to decentralization. 

DeFi will be helpful for: 

*   Liquidity pools;
*   Prediction markets;
*   Non-fungible tokens;
*   Decentralized exchanges;

Developing DeFi apps might seem time-consuming at the moment. Moreover, we’re currently navigating uncertainty in regulations for crypto and blockchain, as well as in security measures, so it might take some time until DeFi apps can be safely used worldwide. 

****Ethereum will ensure access to smart contracts** **

Smart contracts are what made Ethereum so demanded by companies. They automatically seal contracts when the parties involved accomplish the predetermined instructions. Therefore, smart contracts could save companies a lot of time and money by employing automation, so there’s no need for third parties to be involved. 

Smart contracts can be useful in DeFi, for example, as they can allow fast and easy landing and borrowing. They can also help the supply chain management sector by automating the process of verifying product origin and tracing their history. Due to their benefits of interoperability and scalability, smart contracts can be applied to real estate, healthcare, and every other type of business. 

****Ethereum will innovate gaming** **

The gaming industry is one of the most successful ones, being one of the few sectors that flourished during the pandemic and continued growing after. Some of the most recent innovations in gaming include cloud gaming, AI-based development, and Virtual Reality, so it’s constantly changing to meet customer demands and expectations. 

Luckily, the Ethereum blockchain has already hopped on the trends, which is why blockchain P2E (play-to-earn) games are now widespread. Axie Infinity, the Sandbox, and Decentraland have already amassed millions of plays worldwide, allowing gamers to earn crypto while playing fun games. Most of these games are already based on the Ethereum blockchain as the network offers developers plenty of tools and mediums, so we expect it to innovate the gaming industry further. 

****Ethereum will enhance governance through DAOs****

In centralized networks, governance is based on a single central entity that makes all the critical decisions and manages businesses. While this system can be efficient because it ensures security and compliance, it can make it difficult for networks to scale and expose organizations to resistance to change. 

That’s why many are excited about working through DAOs (decentralized autonomous organizations) on Ethereum. Decisions here are made by multiple individuals, so participants are empowered to contribute to the group’s well-being. At the same time, participants’ votes are visible on the public blockchain, encouraging users to work together in building a safe space for investors and developers. 

****Ethereum can navigate business sustainability** **

Business sustainability is the latest industry trend, as companies must keep up with customer demand for green and ethical products. However, there are various challenges along the way, especially when it comes to holding companies accountable for their impact on nature. 

That’s where the Ethereum blockchain could help bring more transparency into the business area by tracking how much energy a business consumes and the carbon emissions resulting from various manufacturing or waste management actions. Ethereum is already equipped with such technology that can help assess external information through blockchain oracles. This technology would allow smart contracts to receive and send information on energy reports from the weather, for example. 

****Ethereum will power up non-fungible tokens** **

NFTs have been trending for a while as they offer investors new opportunities to expand their portfolios in a fun way. At the same time, the underlying technology allows for tokenizing real-world assets, from parcels of land to vehicles. 

The Ethereum blockchain allowed NFTs to grow and flourish, as artists had all the tools necessary to create and share them with communities. But in the future, we expect the blockchain to make it convenient for anyone to mint and trade NFTs, as the number of users that use NFTs is expected to grow to 11.64m by 2025, according to Statista. 

****Ethereum can ensure self-sovereign identity** **

Centralized systems expose users to cybersecurity vulnerabilities, leading to identity theft and unauthorized access. Luckily, with Ethereum blockchains, users will be able to store data on the network and choose who they’re sharing it with. 

This is called self-sovereign identity (SSI), which uses blockchain technology to make data more private and offer users control over their personal information. However, this would require them to use multiple identity platforms and keep track of their data alone. 

****Is Ethereum the perfect tool for future business innovation?** **

The Ethereum blockchain is an advanced network through which developers can learn to create NFTs, dApps, DAOs, and much more. The infrastructure uses smart contracts to deploy anything on the blockchain. Therefore, we expect Ethereum to become the driving force of future decentralization and efficiency. Users on the blockchain can promote DeFi, benefit from DAO governance, and make businesses more sustainable, which will ensure empowerment and high accessibility at the same time. 

1.  Could Bitcoin Be The Future Of DeFi?
2.  Is the Blockchain Secure? Yes, and Here’s Why
3.  Accepting Ethereum (ETH) for Businesses, An Overview
4.  Exploring the Phenomenal Rise of Ethereum as a Digital Asset
5.  Ethereum’s Layer 2 Solutions Could Outrun the Main Blockchain

_Editor’s Note: The information provided in this article is for informational purposes only and should not be considered financial advice. Please conduct your own research and consult a professional advisor before making any financial decisions, including buying or investing in cryptocurrency._

Why Ethereum Will Be a Key Platform for Businesses in the Future

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

Source: ZUMA Press, Inc. via Alamy Stock Photo

A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn't as simple as downloading a patch.

Struts 2 is an open source framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its agedness is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch. 

"The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline," explains Chris Wysopal, chief security evangelist at Veracode. "As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness."

Wysopal assesses, "It is likely that we will see the exploitation of this vulnerability for weeks, as organizations find and fix all instances of Struts 2 usage."

Related:Delinea Joins CVE Numbering Authority Program

**RCE Bug in Apache Struts 2**

This same time last year, nearly to the day, a Struts 2 vulnerability with a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers' ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is CVE-2023-50164 regen. It, too, lies in Struts 2's File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest déjà vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading "a one-liner script that is supposed to return 'Apache Struts.' Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository," he wrote.

Related:Does Desktop AI Come With a Side of Risk?

Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn't quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn't backward compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

"It's not a simple version bump," warns Saeed Abbasi, manager of vulnerability research at Qualys. "It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plug-in chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing."

**The Potential Scope of Impact for CVE-2024-53677**

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.

Related:Citizen Development Moves Too Fast for Its Own Good

In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits; even its newsletter had thousands of subscribers. Today, Wysopal says, "It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity."

"Its 'kingdom' is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize," he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys "observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge."

To his view, "The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

Source: CPA Media Pte Ltd via Alamy Stock Photo

Unknown hackers are targeting individuals associated with Thailand's government, using a new and unwieldy backdoor dubbed "Yokai," potentially named after a type of ghost found in the video game Phasmophobia, or after spirits in Japanese folklore.

Researchers from Netskope recently came across two shortcut (LNK) files disguised as .pdf and .docx files, unsubtly named as if they pertained to official US government business with Thailand. The attack chain tied to these fake documents cleverly used legitimate Windows binaries to deliver the previously unknown backdoor, which appears to be a hastily developed program designed to run shell commands. It carries a risk of unintended system crashes, the researchers noted.

**Ghost in the Machine: US-Themed Lures in Phishing Attack**

From Thai, the lure documents translate to "United States Department of Justice.pdf" and “Urgently, United States authorities ask for international cooperation in criminal matters.docx." Specifically, they made reference to Woravit "Kim" Mektrakarn, a former factory owner in California tied to the disappearance and suspected murder of an employee in 1996. Mektrakarn was never apprehended and is believed to have fled to Bangkok.

"The lures also suggest they are addressed to the Thai police," notes Nikhil Hegde, senior engineer for Netskope. "Considering the capabilities of the backdoor, we can speculate that the attacker's motive was to get access to the systems of the Thai police."

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

Like any other phishing attack, opening either of these documents would cause a victim to download malware. But the path from A to B wasn't so jejune as that might suggest.

**Abusing Legitimate Windows Utilities**

To begin their attack chain, the attackers made use of "esentutl," a legitimate Windows command line tool used to manage Extensible Storage Engine (ESE) databases. Specifically, they abused its ability to access and write to alternate data streams (ADS).

In Windows' New Technology File System (NTFS), files commonly contain more than just their primary content — their main "stream." An image or text document, for example, will also come packed with metadata — even hidden data — which won't be visible in the normal listing of the file, because it is not so pertinent to users. An unscrutinized channel for appending hidden data to a seemingly harmless file, however, is a luxury to a cyberattacker.

"ADS is often used by attackers to conceal malicious payloads within seemingly benign files," Hegde explains. "When data is hidden in an ADS, it does not alter the visible size or properties of the primary file. This allows attackers to evade basic file scanners that only inspect the primary stream of a file."

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Opening the shortcut files associated with this campaign would trigger a hidden process, during which Esentutl would be used to pull decoy government documents, and a malicious dropper, from two alternate data streams. The dropper would carry with it a legitimate copy of the iTop Data Recovery tool, used as a gateway for sideloading the Yokai backdoor.

**Inside the Yokai Backdoor Malware**

Upon entering a new system, Yokai checks in with its command-and-control (C2) base, arranges an encrypted channel for communication, then waits for its orders. It can run any ordinary shell commands in order to steal data, download additional malware, etc.

“There are some sophisticated elements in Yokai," Hegde says. For example, "Its C2 communications, when decrypted, are very structured." In other ways, though, it proves rough around the edges.

If run using administrator privileges, Yokai creates a second copy of itself, and its copy creates a third copy, ad infinitum. On the other hand, to prevent itself from running multiple times on the same machine, it checks for the presence of a mutex file — if the file exists, it terminates itself, and if it doesn't, it creates it. This check occurs after the self-replication step, however, only after the malware has begun spawning out of control. "This leads to repetitive, rapid duplicate executions that immediately terminate upon finding the mutex. This behavior would be clearly visible to an EDR, diminishing the stealth aspect of the backdoor," Hegde says.

Related:China's Elite Cyber Corps Hone Skills on Virtual Battlefields

Even a regular user might notice the strange effects to their machine. "The rapid spawning creates a noticeable slowdown. If the system is already under heavy load, process creation and execution might already be slower due to resource contention, further exacerbating the system's performance issues," he says.

In all, Hegde adds, "This juxtaposition of sophistication and amateurism stands out the most to me, almost as if two different individuals were involved in its development. Given the version strings found in the backdoor and its variants, it is likely still being continuously developed."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Thai Police Systems Under Fire From 'Yokai' Backdoor

Yet another day, yet another data leak tied to Cisco!

****SUMMARY:****

*   **Partial Data Leak**: Hackers leaked 2.9GB of Cisco’s data on _Breach Forums_ on December 16, 2024.

*   **Exposed Records**: The leaked data is part of a 4.5TB dataset that was allegedly left unprotected by Cisco in October 2024.

*   **Previous Incident**: IntelBroker previously claimed responsibility for accessing the exposed data and attempted to sell it, including sensitive information from companies like Verizon, AT&T, and Microsoft.

*   **Cisco’s Response**: Cisco previously denied any compromise of core systems, attributing the issue to a misconfigured public-facing DevHub resource.

*   **Proof of Legitimacy**: IntelBroker released this partial leak to demonstrate the validity of their claims and attract buyers for the remaining data.

**RIBridges Breach**: Hackers infiltrated Rhode Island’s health and benefits system, demanding ransom and threatening to leak sensitive data.

On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download.

****Important Background****

The leaked data is part of the 4.5TB content that hackers claim was left exposed by Cisco without any password protection or security authentication, allowing them to download the entire dataset in October 2024.

Hackread.com exclusively reported on the incident on October 14, 2024, when IntelBroker attempted to sell the data, which allegedly included source codes, confidential documents, and credentials belonging to global firms like Verizon, AT&T, Microsoft, and others.

At the time, Cisco did not respond to Hackread.com but denied any compromise of their core systems, attributing the incident to a misconfigured public-facing DevHub resource. However, IntelBroker maintained they had access until October 18 and provided evidence to Hackread.com showing they exploited an exposed token for JFrog, a software supply chain platform, to access the exposed content.

****What’s in the Leaked Data?****

This time, IntelBroker has leaked a portion of the data in an attempt to prove its legitimacy to potential buyers. “Hopefully, this proves the legitimacy of the breach to others wanting to buy the full version,” the hacker stated.

The 2.9GB leak reportedly contains the following:

*   **Cisco ISE (Identity Services Engine)**: A security policy platform that provides secure network access control and identity management.

*   **Cisco SASE (Secure Access Service Edge)**: A cloud-delivered solution that combines networking and security functions for secure access from anywhere.

*   **Cisco Webex**: A collaboration platform offering video conferencing, messaging, and calling solutions for teams and businesses.

*   **Cisco Umbrella**: A cloud-based DNS security solution that protects users from threats by securing internet access and blocking malicious domains.

*   **Cisco IOS XE & XR**: Network operating systems used in Cisco routers and switches, enabling advanced networking, automation, and programmability.

*   **Cisco C9800-SW-iosxe-wlc.16.11.01**: A software-based Wireless LAN Controller (WLC) image that manages and controls wireless networks running on Cisco Catalyst 9800 Series platforms.

Here’s a screenshot from Breach Forums showing what the hackers have leaked and the claims they are making:

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

While Cisco has yet to respond to this latest development, IntelBroker’s actions also show how such incidents can escalate into extortion attempts. Whether the remaining 4.5TB dataset will be sold, leaked, or resolved remains to be seen, but it’s a reminder for organizations to maintain their security practices and protect sensitive data.

1.  IntelBroker Claim Access to Nokia Internal Data, Selling for $20K
2.  Europol Hacked: IntelBroker Claims Major Law Enforcement Breach
3.  IntelBroker Space-Eyes Breach, Targeting US National Security Data
4.  IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access
5.  AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info

Hackers Leak Partial Cisco Data from 4.5TB of Exposed Records

Artificial intelligence capabilities are coming to a desktop near you — with Microsoft 365 Copilot, Google Gemini with Project Jarvis, and Apple Intelligence all arriving (or having arrived). But what are the risks?

Source: 'Who is Danny' via Shutterstock

Artificial intelligence has come to the desktop.

Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis.

The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called "agentic" capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey.

The broad range of capabilities offered by desktop AI systems, combined with the lack of rigorous information security at many businesses, poses a significant risk, says Jim Alkove, CEO of Oleria, an identity and access management platform for cloud services.

"It's the combinatorics here that actually should make everyone concerned," he says. "These categorical risks exist in the larger \[native language\] model-based technology, and when you combine them with the sort of runtime security risks that we've been dealing with — and information access and auditability risks — it ends up having a multiplicative effect on risk."

Related:Citizen Development Moves Too Fast for Its Own Good

Desktop AI will likely take off in 2025. Companies are already looking to rapidly adopt Microsoft 365 Copilot and other desktop AI technologies, but only 16% have pushed past initial pilot projects to roll out the technology to all workers, according to Gartner's "The State of Microsoft 365 Copilot: Survey Results." The overwhelming majority (60%) are still evaluating the technology in a pilot project, while a fifth of businesses haven't even reached that far and are still in the planning stage.

Most workers are looking forward to having a desktop AI system to assist them with daily tasks. Some 90% of respondents believe their users would fight to retain access to their AI assistant, and 89% agree that the technology has improved productivity, according to Gartner.

**Bringing Security to the AI Assistant**

Unfortunately, the technologies are black boxes in terms of their architecture and protections, and that means they lack trust. With a human personal assistant, companies can do background checks, limit their access to certain technologies, and audit their work — measures that have no analogous control with desktop AI systems at present, says Oleria's Alkove.

Related:Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn

AI assistants — whether they are on the desktop, on a mobile device, or in the cloud — will have far more access to information than they need, he says.

"If you think about how ill-equipped modern technology is to deal with the fact that my assistant should be able to do a certain set of electronic tasks on my behalf, but nothing else," Alkove says. "You can grant your assistant access to email and your calendar, but you cannot restrict your assistant from seeing certain emails and certain calendar events. They can see everything."

This ability to delegate tasks needs to become part of the security fabric of AI assistants, he says.

**Cyber-Risk: Social Engineering Both Users & AI**

Without such security design and controls, attacks will likely follow.

Earlier this year, a prompt injection attack scenario highlighted the risks to businesses. Security researcher Johann Rehberger found that an indirect prompt injection attack through email, a Word document, or a website could trick Microsoft 365 Copilot into taking on the role of a scammer, extracting personal information, and leaking it to an attacker. Rehberger initially notified Microsoft of the issue in January and provided the company with information throughout the year. It's unknown whether Microsoft has a comprehensive fix for the issue.

Related:Generative AI Security Tools Go Open Source

The ability to access the capabilities of an operating system or device will make desktop AI assistants another target for fraudsters who have been trying to get a user to take actions. Instead, they will now focus on getting an LLM to take actions, says Ben Kilger, CEO of Zenity, an AI agent security firm.

"An LLM gives them the ability to do things on your behalf without any specific consent or control," he says. "So many of these prompt injection attacks are trying to social engineer the system — trying to go around other controls that you have in your network without having to socially engineer a human."

**Visibility Into AI's Black Box**

Most companies lack visibility into and control of the security of AI technology in general. To adequately vet the technology, companies need to be able to examine what the AI system is doing, how employees are interacting with the technology, and what actions are being delegated to the AI, Kilger says.

"These are all things that the organization needs to control, not the agentic platform," he says. "You need to break it down and to actually look deeper into how those platforms actually being utilized, and how do people build and interact with those platforms."

The first step to evaluating the risk of Microsoft 365 Copilot, Google's purported Project Jarvis, Apple Intelligence, and other technologies is to gain this visibility and have the controls in place to limit an AI assistant's access on a granular level, says Oleria's Alkove.

Rather than a big bucket of data that a desktop AI system can always access, companies need to be able to control access by the eventual recipient of the data, their role, and the sensitivity of the information, he says.

"How do you grant access to portions of your information and portions of the actions that you would normally take as an individual, to that agent, and also only for a period of time?" Alkove asks. "You might only want the agent to take an action once, or you may only want them to do it for 24 hours, and so making sure that you have those kind of controls today is critical."

Microsoft, for its part, acknowledges the data-governance challenges, but argues that they are not new, just made more apparent due to AI’s arrival.

"AI is simply the latest call to action for enterprises to take proactive management of controls their unique, respective policies, industry compliance regulations, and risk tolerance should inform – such as determining which employee identities should have access to different types of files, workspaces, and other resources," a company spokesperson said in a statement.

The company pointed to its Microsoft Purview portal as a way that organizations can continuously manage identities, permission, and other controls. Using the portal, IT admins can help secure data for AI apps and proactively monitor AI use though a single management location, the company said. Google declined to comment about its forthcoming AI agent.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#apple