Romance-baiting losses were up 40% last year, as more and more pig-butchering efforts crop up in the wild.

Source: dpa picture alliance via Alamy Stock Photo

NEWS BRIEF

In what appears to be the more sinister side of romance, the amount of money individuals lost in 2024 to love-baiting scams, known to some as pig butchering, increased 40%.

That's according to ChainAnalysis, which said the scams, in which fraudsters approach their victims on dating apps or sites, groom them, and convince them to give them money or invest in a supposed "business venture," are growing in number, too. The number of people losing money this way increased by 210% year-over-year in 2024, probably because more scams are circulating. The operations are increasingly run out of compounds in Southeast Asia with staffers who are being held against their will.

One piece of good news though: The average loss per person declined 55% year-over-year.

"The combination of lower payment amounts and increased deposits could indicate a change in strategy for pig-butchering scams," said the researchers. "Scammers could be spending less time priming targets, and therefore, receiving smaller payments in exchange for targeting more victims."

Overall, with romance baiting comprising a third of total crypto fraud revenue in 2024, signs — or cupid arrows — point to romance scams becoming even bigger this coming year. Users of dating apps should be wary of connections made online, and should avoid sending money, cryptocurrency, wire transfers, or prepaid gift cards to anyone they don't know personally.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Warning: Tunnel of Love Leads to Scams

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-8355-xj3p-hv6q: Apache Ignite: Possible RCE when deserializing incoming messages by the server node

The threat actors behind the RansomHub ransomware-as-a-service (RaaS) scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their post-compromise strategy.
"RansomHub has targeted over 600 organizations globally, spanning sectors

RansomHub Becomes 2024’s Top Ransomware Group, Hitting 600+ Organizations Globally

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-vhxf-7vqr-mrjg: DOMPurify allows Cross-site Scripting (XSS)

CyberArk announces the Zilla deal on the same day leading identity service provider SailPoint returns to the public markets.

Source: Artemis Diana via Alamy Stock Photo

CyberArk has acquired Boston-based startup Zilla as part of its plans to add identity governance and administration (IGA) capabilities to its privilege access management (PAM) platform. The $165 million deal announced Thursday has already closed.

Zella is a small IAG provider that was led by Aveksa founder and CEO Deepak Taneja. CyberArk said it had $5 million in annual recurring revenue last year, 40 employees, and 125 customers. During CyberArk's earnings call with investors, CEO Matt Cohen touted Zilla's "modern" IGA platform.

"In stark contrast to legacy IGA systems, Zilla's modern IGA SaaS \[software-as-a-service\] platform was built from scratch to address today's digital environments characterized by an explosion of staff applications, decentralized management, and identity-based security threats," Cohen said. "Leveraging AI-driven role management, Zilla automates the processes of identity, compliance, and provisioning, making governance easy, intuitive, and all-inclusive for the modern enterprise."

Cohen noted that customers can deploy Zilla five times faster than traditional IGA offerings, resulting in 60% fewer service tickets.

"Legacy IGA are often slow to deploy, difficult to integrate, have limited integration with modern systems, and are reliant on manual processes," Cohen said.

Because CyberArk is integrating Zilla into its platform, Cohen said that in addition to managing entitlements, provisioning, and compliance, the same tool will grant access and provide controls.

"That integrated nature then creates a much more secure footprint across these modern environments," he said.

CyberArk, whose annual revenues topped $1 billion for the first time last year, has aggressively expanded its PAM and identity and access management (IAM) portfolio. Last year, CyberArk acquired nonhuman identity provider Venafi for $1.6 billion.

**Identity and Access Governance Is Vital**

CyberArk's announcement came on the same day that SailPoint returned to the public markets, two years after Thoma Bravo purchased it for $6.9 billion and took it private. Thoma Bravo spun out 60 million shares (roughly 12% of the company, to raise an estimated $1.38 billion in the first major tech IPO of 2025. SailPoint, the largest IGA provider, estimated in its prospectus recurring revenues of $875 million in the fiscal year that ended Jan. 31, a 41% increase over the prior year. Although the company hasn't been profitable, SailPoint reported net loss improved to $235.7 million in the first nine months of 2024, a 23.5% improvement over the previous year.

Just as CyberArk is expanding its IGA offerings, SailPoint has been moving into CyberArk's space with its 2023 acquisition of PAM provider Osirium. In December, SailPoint acquired Imprivata's IGA unit for $10.7 million, plus up to $7.4 million in earnouts.

Alex Bovee, CEO of ConductorOne, another IGA startup that offers an SaaS-based offering to compete with SailPoint and Zilla, says IGA has become an increasingly vital component of cybersecurity posture.

"I think the bull view on this is that every single security company is recognizing that identity and identity governance are critical parts of the stack, and that's why CyberArk made this investment," Bovee said. "CyberArk is traditionally a privileged access management solution, but the future is these converged identity platforms."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CyberArk Makes Identity Security Play With Zilla Acquisition

Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place.

Source: Backyard Productions via Alamy Stock Photo

Elon Musk and his band of programmers have been granted access to data from US government systems to aid their stated efforts to slash the size of government, leaving cybersecurity experts deeply concerned over how all of this sensitive data is being secured.

So far, Musk and his Department of Government Efficiency (DOGE) have accessed the computer systems of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), which holds sensitive data on millions of federal workers — including, notably, security clearances — and has subsequently blocked key government officials from further accessing those personnel systems, according to a bombshell from Reuters.

The DOGE team reportedly also sent only partially redacted names of CIA personnel through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Moving forward, there are more plans to use AI to run the government. Reportedly, DOGE is also creating its own chatbot to run the federal government's General Services Administration, called GSAi.

Related:How Public & Private Sectors Can Better Align Cyber Defense

DOGE has not yet replied to a request for comment from Dark Reading, but this reporter did ask cybersecurity experts for their thoughts on the unraveling of cybersecurity protections around federal government data. The comments below were gathered from cybersecurity law and policy expert Stewart Baker; Evan Dornbush, former NSA cybersecurity expert; and Willy Leichter, chief marketing officer with AppSOC.

**Question 1: Do the activities of DOGE cause you concern regarding the cybersecurity of the data they are accessing?**

Stewart Baker: Of course DOGE's rapid-fire smartest-guy-in-the-room approach to government reform raises security risks, especially if DOGE is coding changes into government systems. The rule for software design is "fast, secure, and cheap — pick any two." Elon Musk has achieved enormous success in business by eliminating procedures and organizations and parts that the experts said were essential.

He's running Twitter/X with one-fifth the employees it had before he took over. He has dramatically simplified rocket design, enabling faster manufacturing and turnaround. So it's no surprise he'd want to challenge and ignore a lot of government rules, including those that protect information security. But the security rules protect against active adversaries. Taking shortcuts that seem sensible to smart guys in a hurry could lead to serious problems down the road, and it may take us a while to realize the damage. 

Related:President Trump to Nominate Former RNC Official as National Cyber Director

Musk's impatience is understandable, though. I'm sure that there are employees using the security rules to slow him down or thwart him entirely. It's important that DOGE take security seriously, but also that its critics be very specific about the security risks they see, rather than using cybersecurity as an all-purpose tool for delay.

Evan Dornbush: It's quite reasonable for people to be concerned, even alarmed, at how DOGE is currently operating. For any organization, the process of securing data is often developed over years, taking in myriad perspectives to ensure confidential data is minimally accessible, and that logging can recreate a picture of accessed data, or data in transit, when required.

Willy Leichter: The actions of DOGE, in just its first couple of weeks, is the largest, deliberate trampling of government security protocols in cyber history. The arrogance, deliberate ignorance, malevolence, and sheer stupidity of this gang of untrained and unaccountable hackers roaming sensitive government networks is staggering. If this type of activity happened in the private sector, with this level of highly sensitive and regulated information, we would be talking about massive fines and personal criminal liability for all the actors involved.

Related:Content Credentials Technology Verifies Image, Video Authenticity

This could not be happening at a more precarious time for government cybersecurity. China and other countries have been ramping up attacks, already targeting many of the same networks, stealing data and planting the tools to cripple our critical infrastructure. Putting this data in inexperienced and reckless hands, while dismantling defense systems, demoralizing our most experienced experts, disbanding public-private advisory groups, and defunding critical cyber initiatives will inevitably have disastrous consequences. The only questions are whether this will cost us billions versus trillions in losses, and whether it will take years versus decades to recover.

**Question 2: What has DOGE done specifically that causes you concern?**

Baker: Sending the names of CIA employees in unclassified channels is very risky, even if the names are only first name, final initial. Given all the other sources of information about individuals, reconstructing full names is something a hostile foreign service would seek to do, so they'll be trying to intercept the list of names. My question is why DOGE thinks that's a risk worth taking? Will the list of names do DOGE any good? I assume the request was tied to possible layoffs at the CIA, but did DOGE really need the names to decide who to lay off? If not, this was an unnecessary risk and irresponsible.

Dornbush: Lack of transparency. Right now, it seems like questions are being asked to DOGE about how it is securing the data it accessed from government sites. It is unclear if anyone from DOGE is even replying. Minimizing risk of unauthorized access requires whole teams of specialists, augmented by purpose-built hardware and software. Even if it is ultimately determined that DOGE does have authorization to access this data, \[if\] it has physically removed the data from these hardened and professionally monitored networks, how is DOGE ensuring the data is responsibly protected from its own compromise or disclosure? How is it able to certify that the data is destroyed once it is no longer required?

Leichter: The DOGE team has disregarded nearly every foundational security principle taught in the first week of a cybersecurity course — assuming they ever took one.

These include forcing entry to restricted and classified systems without proper authorization. Officials doing their sworn duty to prevent this were put on administrative leave. DOGE members were also given excessive access to sensitive systems that went far beyond what was necessary for their advisory roles. Also, DOGE personnel with controversial backgrounds, blatant lack of qualifications, and obvious conflicts of interest went through no legitimate vetting by qualified government agencies.

Displaying a disregard for security protocols, DOGE operatives bypassed standard security measures, accessing systems without authorization and ignoring protocols meant to protect sensitive data, \[and were provided\] unauthorized access to personal data of federal employees and US citizens, which violates multiple privacy laws, even if the data is not leaked.

**Question 3: What do you think needs to happen to secure the data in DOGE custody?**

Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. Judicial rulings that try to protect the data by denying DOGE access should be lifted.

Dornbush: DOGE securing the data is an impossibility. DOGE is newly formed. The data it is looking at sat behind years of accumulated people, products, and policy that specialize only in the security of that data set. Removing the data from these sites evaporates that progress, and ironically, is extremely inefficient and wasteful. If you want to see this data, fine. Work from the office.

Leichter: It's probably impossible to undo this type of damage. The data needs to be destroyed, all inappropriate access revoked, and the highly trained government custodians need to be allowed to return to work and do their jobs. All of this seems highly unlikely, as the administration is deliberately disabling as much of the federal government as possible and replacing highly trained experts with incompetent political hires.

**Question 4: What are you paying attention to most regarding DOGE and its information security strategy?**

Baker:  I'm still waiting to hear what DOGE's infosec strategy and commitments are.

Dornbush: What DOGE is purportedly doing is important and has merit. I'd love to know what the infosec strategy is. Right now, it seems like sharing the security steps they are taking with the public is not a priority.

Leichter: If DOGE has a strategy, it has kept it secret. Any legitimate government agency would have a well-documented strategy, public input, and defined objectives that align with larger goals. The only discernable strategy of DOGE and the administration is to dismantle as much of the government as quickly as possible, purging experience, which they seem to view as a liability.

The only question is how quickly judicial intervention can kick in and whether it will be ignored. The one thing that might influence this administration is widespread public condemnation after the next major security incident, which is probably lurking right around the corner. That’s a terrible security strategy.

Would you like to weigh in on any of the above four questions? If so, please send a note to \[email protected\] to be included in a follow-up story with reader reactions.

Roundtable: Is DOGE Flouting Cybersecurity for US Data?

With investment in cybersecurity capabilities and proactive measures to address emerging challenges, we can work together to navigate the complexities of combating cybercrime.

Chris Henderson, Senior Director of Threat Operations, Huntress

February 13, 2025

5 Min Read

Source: wsf AL via Alamy Stock Photo

COMMENTARY

Cybercrime isn't just an inconvenience — it's a serious threat capable of disrupting essential infrastructure, endangering public safety, and shaking the foundations of our financial systems and economy.

We've all seen the headlines in recent years — from a cyberattack on an energy pipeline that disrupted the fuel supply across parts of the US to a large-scale ransomware attack on a health insurance provider that led to a massive leak of personal data. Uncovering and combating cybercrime remains a complex challenge for many reasons, but chief among them is the disconnect in data collection, sharing, and collaboration between the public and private sectors.

Critical infrastructure, essential utilities like power and water, local municipalities and services (think 911 and EMS), small and midsize businesses, and healthcare — not one of these is off-limits to cybercriminals. And as threat actors become more aggressive, our defenses must keep up.

**Plenty of Red Tape, but No Clear Defenses**

The US government has a duty to take the lead in defending the nation against cybercrime. But while there's been some progress over the past few decades toward stronger national leadership on cybersecurity, the truth is that there's been a lot of added red tape with no clear responsible party.

Over the past 25 years, organizations like the FBI's Internet Crime Complaint Center (IC3), the National Cyber Investigative Joint Task Force (NCIJTF), and the Cybersecurity and Infrastructure Security Agency (CISA) have been created. They're producing valuable alerts and educational resources on growing cyber threats. That's all great, except for one thing. Despite decades of progress on building federal alignment around cybersecurity as a key priority, there's still no clear voice leading the charge. Meanwhile, cybercriminals are staying one step ahead, moving faster and more strategically than the agencies tasked with safeguarding citizens' cybersecurity.

That brings us to March 2024, when the Foundation for Defense of Democracies (FDD) released a report calling for the creation of a stand-alone military Cyber Force. This team would run Pentagon cyber-defense efforts from within the Department of the Army and help set the stage for a more unified defense strategy over the next five to 10 years. The report is rooted in feedback from over 70 active and retired military cyber experts who all seem to agree on one thing: Cybercrime poses a serious and growing threat to national security, and it's time to do something about it.

**Closing the Gap**

At the highest levels of government, the US has made a strong push to identify, address, and communicate emerging and critical cyber threats. And now, it's on both the public and private sectors to bridge the gap and work together. But the big question we've yet to fully address is whether there's sufficient collaboration between the public and private sectors and if our response times are suffering because of it.

Take March 2021, for example. Microsoft flagged that a hacking group exploited multiple zero-day vulnerabilities targeting Microsoft Exchange Server software. A month later, the Justice Department stepped in with a court-authorized effort to disrupt ongoing exploitation. And the patches? Those finally rolled out another month later, after cybercriminals had plenty of time to exploit the vulnerabilities and infiltrate organizations.

Fast forward to the ConnectWise ScreenConnect vulnerability that surfaced last year. This time, the private sector was ahead of the game, with guidance and fixes hitting the headlines quickly. But, when it came to government action, CISA issued its advisory days after the vulnerability was announced.

Progress has definitely been made over the past two decades — there's no denying that. But there's still room to tighten the partnership between public and private sectors regarding cybersecurity. So, how do we achieve that?

**Building Future Defenses That Command Respect**

To build stronger defenses for the future, we need to respond to these kinds of incidents in minutes and hours — not days, weeks, or months. There has to be a faster, simpler way for leaders from both the public and private sectors to connect, share insights, and issue clear instructions for vulnerabilities, patches, and more.

I've pinpointed five key areas that, in my opinion, need serious attention to improve collaboration between public and private sectors:

1.  Insights: If we unify data collection, analysis, and sharing, we can give policymakers and practitioners a clearer picture of cybercrime — its scope, its patterns, and where to hit back with precision.
    
2.  Data: Taking that one step further and sharing more data between agencies and the private sector would make a tangible difference in how prepared organizations and municipalities are for known and emerging vulnerabilities.
    
3.  Policy and legislation: Here's a practical one — streamline classification processes. Using a common language for cybercrimes would cut down on miscommunication and confusion.
    
4.  Collaboration: Create task forces between government and industry that scale to the highest levels of government and the gravest threats, responding in a coordinated, powerful way.
    
5.  Hacking back: There are pros and cons to this option, but I'd like to see the federal government explore how to build skills to hack the hackers, and somewhat importantly, what the rules of engagement would be for companies and local governments. The notion has been introduced to the government, but to date, no laws have been passed yet to push it forward.
    

The fight against cybercrime is constantly evolving, and keeping up will take all of us working together and thinking creatively. Recent initiatives prove that when we harness technology, coordinate effectively, and build stronger public-private partnerships, we can significantly bolster our defenses, reducing the impact of cybercrime on individuals and institutions. It's no easy task — staying ahead requires vigilance, adaptability, and a willingness to tackle uncharted challenges. But together, through collaboration and determination, we can tackle cybercrime challenges head-on, creating a safer and more secure future for everyone.

**About the Author**

Senior Director of Threat Operations, Huntress

Chris Henderson runs Threat Operations and Internal Security at Huntress. He has been securing MSPs and their clients for more than 10 years through various roles in software quality assurance, business intelligence, and information security.

How Public &amp; Private Sectors Can Better Align Cyber Defense

Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.

Source: KB Photodesign via Shutterstock

NEWS BRIEF

A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.

According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.

The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim's network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.

"The attacker then said administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.

Symantec researchers noted that prior intrusions using the tool set were against the foreign ministry of a Southeastern European country, the government of another, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. Each of these attacks occurred between last July and January, and all were espionage-related, with no ransomware component.

"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," said the researchers in a posting this week.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the United Kingdom, and key sectors since 2021.

A hacking group with links to Russian intelligence has been silently compromising computer networks worldwide, including those in the United States and the United Kingdom, by taking advantage of known security vulnerabilities in widely used software.

This was revealed by Microsoft’s Threat Intelligence team on Wednesday, which has been tracking the activities of a subgroup within “Sandworm,” (aka Seashell Blizzard, UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.), a hacking group tied to Russia’s GRU military intelligence unit. This subgroup, which Microsoft calls the “BadPilot campaign,” has been breaching networks since at least 2021 by exploiting vulnerabilities in internet-facing systems.

The hackers have been targeting a variety of sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, and even government organizations. Initially, their focus was on Ukraine, Europe, and parts of Asia and the Middle East. However, since early 2024, they have expanded their operations to include the U.S. and the U.K.

Their methods involve exploiting publicly known vulnerabilities in software like ConnectWise ScreenConnect, used for remote IT management, and Fortinet FortiClient EMS, a security software. By gaining an initial foothold through these weaknesses, the hackers can then move deeper into the network, steal credentials, and ultimately gain control of valuable systems. Here are the security vulnerabilities that Microsoft found being exploited by the group:

*   OpenFire (CVE-2023-32315)
*   JBOSS (exact CVE is unknown)
*   Microsoft Outlook (CVE-2023-23397)
*   Microsoft Exchange (CVE-2021-34473)
*   Zimbra Collaboration (CVE-2022-41352)
*   JetBrains TeamCity (CVE-2023-42793)
*   Fortinet FortiClient EMS (CVE-2023-48788)
*   Connectwise ScreenConnect (CVE-2024-1709)

Microsoft believes that while some of the targets seem random, these widespread breaches give Russia options to respond to changing strategic goals. Since the start of the war in Ukraine, Russian-aligned hackers have been increasingly targeting international organizations that provide support to Ukraine or are of geopolitical importance. The subgroup is also thought to be connected to destructive cyberattacks in Ukraine since 2023.

Microsoft’s research reveals that this subgroup is not just about gaining access; it’s about maintaining it. Once inside a network, they deploy tools such as remote management software (RMM) and web shells to ensure long-term control.

For instance, by installing legitimate RMM agents like Atera Agent and Splashtop Remote Services, they can mimic authorized activity, making detection more challenging. The group is also known for web shell deployment, credential harvesting and DNS manipulation

Additionally, the use of custom utilities like ShadowLink, a tool that configures compromised systems as hidden services on the Tor network, further complicates efforts to trace their activities.

Seashell Blizzard’s attack chart (Via Microsoft)

****Who Is Sandworm?****

Linked to Russia’s military intelligence agency GRU, specifically Unit 74455, Sandworm is notorious for conducting disruptive cyberattacks. Their history includes incidents like the NotPetya attack in 2017, which caused billions in damages worldwide, and the FoxBlade operation in 2022, targeting Ukraine’s infrastructure.

Industry experts are raising alarms about the implications of these findings. “This discovery is alarming for UK organisations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance and launch attacks,” warns Simon Phillips, CTO of SecureAck.

Even though the subgroup exploits publicly known vulnerabilities, their post-compromise tactics are becoming more advanced. The emergence of BadPilot only makes it harder to detect the activities of these already well-equipped and highly skilled Russian hackers.

That’s why organizations of all sizes must stay alert and aware of this and other cybersecurity threats. Employee training and additional security measures can help prevent breaches, even if they can’t completely stop Seashell Blizzard.

Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK

Scammers are once again using AI to take over Gmail accounts.

In May, 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

> “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly. This is especially because the AI tools that cybercriminals have at their disposal are relatively low cost: In one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based phishing attacks which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users some of these elements all came together. These often start with a call to users, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.

With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft.

When we warn about agentic AI attacks this is the type of campaigns that are examples of what we can expect.

The FBI added a warning about unsolicited emails and text messages which contain a link to a seemingly legitimate website that asks visitors to log in, but the linked websites are fakes especially designed to steal the credentials.

As we have seen in the past these sites can even be designed to steal session cookies. Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system. And if cybercriminals manage to steal the session cookie, they can log in as you, change the password and grab control of your account.

**How to avoid AI Gmail phishing**

*   Never click on links or download files from unexpected emails or messages.
*   Don’t enter personal information on a website unless you are certain it is legitimate.
*   Use a password manager to autofill credentials only on trusted sites.
*   Monitor your accounts for signs of unauthorized access or data leaks.
*   Verify security alerts by visiting your Google Account page directly instead of using links in emails.
*   Use multi-factor authentication (MFA) for all accounts
*   Protect your devices with up-to-date security software (such as Malwarebytes Premium Security), and use text protection and text message filtering on your mobile device.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#auth