Plus: Benjamin Netanyahu gives Donald Trump a golden pager, Hewlett Packard Enterprise blames Russian government hackers for a breach, and more.

As Elon Musk and his so-called Department of Government Efficiency rampage through United States federal institutions, WIRED reported extensively this week on DOGE’s members, activity, and digital access to some of the US government's most delicate and critical software systems. One DOGE technologist, 19-year-old high school graduate Edward Coristine, established at least five different companies in the past four years—including Tesla.Sexy LLC—and briefly worked at a network monitoring company that has hired convicted hackers. Experts question whether Coristine, who has gone by the name “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

Meanwhile, DOGE’s apparent dismantling of USAID coupled with the US State Department's funding freeze have dramatically disrupted efforts to help people escape forced labor camps in Southeast Asia run by criminal scammers.

Outside of US government news, WIRED conducted an investigation into more than 300 cyberattacks in the past five years against US K–12 schools and found that victim schools sometimes withhold critical information about the scale and scope of the breaches from impacted students and parents. In slightly better news, data from the cryptocurrency tracing firm Chainalysis shows that ransomware payments fell precipitously in the second half of 2024. Experts fear, though, that the brief reprieve could be short-lived and may not be easy for defenders to sustain.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**UK Home Secretary Orders Apple Enable Access to Encrypted iCloud Backups**

The Washington Post reported on Friday that Apple has received a secret order from the UK office of the Home Secretary mandating the company to provide a way to access any user data protected by the company’s Advanced Data Protection for iCloud. The feature, which debuted at the end of 2022, is designed with end-to-end encryption so only users themselves, not Apple, have access to their data. As a result, complying with the UK demand would require Apple to break the feature by building a backdoor into it. Sources told the Post that rather than install a backdoor, Apple is likely to withdraw support for Advanced Data Protection for iCloud in the UK. “Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States,” the Post noted.

The order was issued under the UK’s broad 2016 Investigatory Powers Act. UK law enforcement agencies, not to mention cops in the US and other countries, have championed encryption backdoors for years, and lawmakers have tried at various times to mandate backdoors. The Home Office told the Post in a statement, “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.” An Apple spokesperson declined to comment to the Post.

**Israel’s Netanyahu Gave Trump a Golden Pager During Washington Meeting**

Israeli prime minister Benjamin Netanyahu gave President Donald Trump a golden pager when the two met in Washington on Tuesday. The gift references a September attack in Lebanon against the militant group Hezbollah in which booby-trapped pagers (and walkie-talkies) detonated in coordinated explosions around the country. The operation killed at least 42 people, including some civilians, and injured at least 4,000 civilians, according to Lebanese officials. The attack has been widely attributed to Israel, but the country has neither confirmed nor denied its involvement. At the meeting Trump apparently gave Netanyahu a signed photograph of the two of them, which he signed, “To Bibi, a great leader!”

**Hewlett Packard Enterprise Says Russian Government Hackers Stole Some Users’ Sensitive Data**

Hewlett Packard Enterprise has been notifying dozens of users that their personal information was stolen during a 2023 breach. The company is attributing the attack to Russian state-backed hackers. The stolen data included Social Security numbers, driver’s license information, and credit card numbers. The incident began as a system intrusion in May 2023 into HPE’s email mailboxes and Microsoft SharePoint systems. HPE publicly disclosed the incident in January 2024.

**PowerSchool Data Breach Impacted Students Outside the US, Including 16,000 in the UK**

The edtech giant PowerSchool says that at least 16,000 students in the United Kingdom had their data stolen as part of a massive December data breach that may have affected 62 million students and 9.5 million teachers, most of them in the US and Canada. Attackers used compromised credentials to infiltrate the company’s customer support portal and then access user data.

PowerSchool spokesperson Beth Keebler confirmed to TechCrunch in a statement that students at four UK schools were affected totaling “approximately 16,000 students.” It is not clear if this is the total number of UK victims. The compromised data includes students’ dates of birth, contact information, some medical data, and “other related information.”

UK Secret Order Demands That Apple Give Access to Users’ Encrypted Data

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk.…

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk. The issue originates from developers using publicly available ASP.NET machine keys in their configurations; keys that hackers are now exploiting to execute ViewState code injection attacks.

A recent attack in December 2024 used this vulnerability to deliver Godzilla, a dangerous post-exploitation framework capable of executing commands, injecting shellcode, and maintaining persistent access to compromised servers. Microsoft warns that over 3,000 publicly disclosed machine keys could be weaponized for similar attacks.

****Why This Matters****

ASP.NET machine keys are meant to protect web applications by encrypting and validating ViewState data, ensuring that attackers cannot tamper with it. However, some developers have mistakenly copied these keys from online resources, unknowingly allowing hackers to generate and inject malicious ViewState data into their servers.

Once a hacker has access to the right machine key, they can craft a malicious payload and send it to a vulnerable website. The server, trusting the key, decrypts and executes the attacker’s code—leading to full remote code execution.

****What Happened in December 2024?****

An unidentified hacker took advantage of a publicly known ASP.NET machine key to deploy Godzilla, a post-exploitation tool that provides remote access to compromised servers. The attack began with injection, where the attacker sent a malicious ViewState payload using a leaked machine key.

Once received, the server decrypted and executed the code, unknowingly running the attacker’s instructions. This led to Godzilla deployment, where the payload triggered the execution of _assembly.dll_, loading the framework and allowing further exploitation.

Injection chain shows ViewState code leading to Godzilla. (Via Microsoft)

****Microsoft’s Response****

According to Microsoft’s **blog post**, the company has removed machine key samples from public documentation to discourage bad security practices. The company has also issued new detection alerts via Microsoft Defender for Endpoint to flag any usage of publicly disclosed machine keys.

If your system is compromised, simply rotating the machine keys may not be enough. Microsoft advises a full forensic investigation, as attackers may have installed backdoors or additional malware.

**Tim Mackey**, Head of Software Supply Chain Risk Strategy at Black Duck commented on the new development stating, _“_This misconfiguration allows attacks by using ViewState payloads encrypted with publicly available keys, often from demo code. Developers should replace sample keys, but some copy them without understanding the risk. Hardcoded keys in production signal poor configuration. Checking against Microsoft’s public key list helps, but DevOps teams should also use tools to detect and remove hardcoded secrets.”

****Protecting Yourself****

To protect your web servers from attacks, start by replacing any publicly available machine keys if they were copied from online sources. Next, rotate and secure your keys by generating new ones and applying them consistently across all servers in your web farm.

Additionally, encrypting machine keys in the web.config file will help prevent exposure. Monitoring for suspicious activity is also essential. Microsoft Defender now detects publicly disclosed ASP.NET machine keys, and enabling attack surface reduction rules can help block web shell attacks.

Upgrading to ASP.NET 4.8 enhances security by incorporating Antimalware Scan Interface (AMSI) support. Finally, conducting a security audit is important. If a machine key has been exposed, assume a breach, investigate thoroughly, and check for unauthorized access.

ASP.NET Vulnerability Lets Hackers Hijack Servers, Inject Malicious Code

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

Title: ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account  
Advisory ID: ZSL-2025-5914  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS, Privilege Escalation  
Risk: (5/5)  
Release Date: 07.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[07.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_bd1.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch

**Changelog**

\[07.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account

CISA and the FDA are warning that Contec CMS8000 and Epsimed MN-120 patient monitors are open to meddling and data theft; Claroty Team82 flagged the vulnerability as an avoidable insecure design issue.

Source: BMumin Mutlu via Alamy Stock Photo

Last week, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the US Food and Drug Administration (FDA), raised an alert for Contec CMS8000 and Epsimed MN-120 healthcare monitors, warning they potentially put patients at risk once connected to the Internet, due to a malicious, hidden backdoor embedded into the devices. But security researchers say the issue isn't actually intentional malware but, rather, just insecure design.

The devices continuously monitor patient vital signs, such as heart rate, blood oxygen saturation, temperature, respiration rate, and more. CISA and the FDA reported findings for three cybersecurity risks in the gear thanks to the "backdoor": an unauthorized user could remotely control a monitor and cause it to function in an unintended manner; attackers could compromise the device and pivot to a network; and an attacker could exfiltrate the data that the monitor collects. 

From a patient health perspective, if an attacker were able to manipulate the information the monitor gives patients, that could prevent them from realizing that there's something wrong. Though they reported no known cybersecurity incidents, deaths, or injuries related to the findings, the FDA still provided recommendations for patients and caregivers: talking to healthcare providers about evaluating their patient monitoring device and following certain steps if it does rely on an Internet connection.

Related:The Cyber Savanna: A Rigged Race You Can't Win, but Must Run Anyway

The FDA also tasked healthcare providers with checking their patients' Contec CMS8000 or Epsimed MN-120 patient monitors to determine if they have been functioning unusually.

**Patient Monitor Cyber Bug: Not Malicious, Just Problematic**

After learning of the alerts, Claroty's Team82 investigated the firmware and reached a different conclusion from CISA and the FDA: It is likely not a hidden backdoor that makes these devices a liability to patients and their medical information, but rather an insecure design that creates a vulnerability open for exploit by threat actors.

The researchers pointed out that the vendors, and any resellers interested in relabeling and selling the monitor publicly, list the IP address on the instruction manuals.

"The CONTEC operator manual specifically mentions this 'hard-coded' IP address as the central management system (CMS) IP address that organizations should use, so it is not hidden functionally as stated by CISA," wrote the Team82 researchers. "This nuance is important because it demonstrates a lack of malicious intent and therefore changes the prioritization of remediation activities."

Related:How Are Modern Fraud Groups Using GenAI and Deepfakes?

The vulnerability still poses real-world consequences, but Noam Moshe, a Team82 researcher, notes that a threat actor would first require knowledge of the device's architecture and protocols. 

"To gain code execution, first the device needs to be put on a system-upgrade process," says Moshe. "From our research, this requires physical access to the device."

After that though, the hardcoded nature of the IP address opens the door to easier exploitation.

"To exploit this vulnerability, an attacker would need to serve devices with malicious binaries on the hardcoded public IP address, giving them code execution on the device," Moshe says. "In the case of the device trying to send personally identifiable information (PII) or personal health information (PHI) to the hardcoded IP address, using the HL7 protocol, this could occur if a certain feature of the device would be enabled."

**Healthcare Devices: Monitoring the Threat**

Perhaps exploitation of this particular vulnerability doesn't seem all that likely, but medical devices have been a point of cyber contention for years.

All the way back in 2011 for instance, Jay Radcliffe took to the Black Hat USA stage to show the audience how insulin pumps like the one he wore could be hacked, in a presentation entitled "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System."

Related:Backline Tackles Enterprise Security Backlogs With AI

And as healthcare institutions are ravaged by ransomware attacks compromising their resources and putting patient lives at risk, many medical devices still haven't caught up when it comes to bolstering cybersecurity guardrails. Specifically, many of them are aging and running legacy software that hasn't been updated in years, offering plenty of holes for attackers.

However, agencies like the FDA are pushing companies to make strides, such as in 2023 when it began to reject medical devices that don't comply with recent cybersecurity regulation.

But there is still a long way to go: In 2024, researchers cited healthcare and the Internet of Medical Things (IoMT) as the riskiest device sector, even it did have the biggest decline overall in the number of risky devices deployed.

As for the patient monitor, Team82 researchers recommend that healthcare organizations take steps to protect patients, such blocking all access to the subnet from their internal network, and blocking devices attempting to upgrade firmware from a WAN server or potentially send PII.

"Hospitals should implement vulnerability detection and patching processes," Moshe says, "alongside network segmentation, driven by high-quality passive visibility that will ensure the most secure network layout."

Agencies Sound Alarm on Patient Monitors With Hardcoded Backdoor

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

Thursday, February 6, 2025 14:03

> “Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past

In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes.  

As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years. 

When taking a closer look at the known exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), I observed that the numbers remained relatively stable, with 186 in 2024 compared to 187 in 2023. However, there was a noteworthy 36% increase for the critical vulnerabilities scored (9-10).  

There is more to uncover from this data, and the analysis is still ongoing.  

It was also time to “stack” the data of our Quarterly Incident Response Reports. The standout aspects are the initial access vectors to me. "Exploiting Public Facing Applications" and "Valid Accounts" were dominant, outperforming other methods. This serves as a timely reminder to implement (proper) MFA and other identity and access control solutions as well as patch regularly and replace end-of-life assets. 

Reflecting on CVEs, patching, initial access vectors and also lateral movement, it's important to remember that the "free" support for Windows 10 will end on October 14, 2025.  

Mark.your.calendars. Please. And plan accordingly to ensure your systems remain secure.  

**The one big thing**

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

**Why do I care?**

Observium and WhatsUp Gold can be categorized as Network Monitoring Systems (NMS). A NMS as such holds a lot of valuable information such as Network Topology, Device Inventory, Log Files, Configuration Data and more, making them an attractive for the bad guys. 

**So now what?**

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, make sure your installation is up to date. 

**Top security headlines of the week**

The Cybersecurity and Infrastructure Security Agency analyzed a patient monitor used by the Healthcare and Public Health sector and discovered an embedded backdoor. (CISA) 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. (Hacker News) 

Nearly 100 journalists and other members of civil society using WhatsApp were targeted by a “zero-click” attack (Guardian) 

DeepSeek AI tools impersonated by infostealer malware on PyPI (Bleeping Computer) 

**Can't get enough Talos?**

*   Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 
*   New TorNet backdoor seen in widespread campaign 

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.   

S4x25 (February 10-12, 2025)  
Tampa, FL

RSA (April 28-May 1, 2025)  
San Francisco, CA

TIPS 2025 (May 14-15, 2025)  
Arlington, VA

**Most prevalent malware files from the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

MD5: a5e26a50bf48f2426b15b38e5894b189 

VirusTotal: https://www.virustotal.com/gui/file/744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 

Claimed Product: N/A 

Detection Name: Win.Dropper.Generic::1201

Changing the tide: Reflections on threat data from 2024

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Ferret Malware Added to 'Contagious Interview' Campaign

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users…

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users into installation.

A new version of North Korean malware called ‘FlexibleFerret’ is making rounds, specifically targeting macOS devices and developers. This malware, linked to the ‘Contagious Interview’ campaign, uses tricky methods to infect systems, even disguising itself as legitimate software.

****The ‘Contagious Interview’ Trick****

The campaign begins with a **social engineering tactic**. Hackers lure their targets, often job seekers, into downloading malware through fake job interview processes. They send a link that appears to require a software update, like a fake virtual meeting application.

It is worth noting that the ‘Ferret’ malware family was originally discovered in September 2024 targeting Blockchain professionals with fake video conferencing and job scams. The latest variant, ‘FlexibleFerret,’ was discovered by SentinelLabs, and shows that hackers constantly change their methods to avoid detection.

Interestingly, Apple recently strengthened its XProtect security tool to deal with threats like “Ferret,” and other macOS malware. However, despite new security protocols, according to SentinelLabs’ **blog post** shared with Hackread.com, FlexibleFerret remained undetected, at least initially.

****How FlexibleFerret Works****

‘FlexibleFerret’ uses a dropper, which is essentially a package that installs the malware onto the system. This particular dropper contains several components, including fake applications and scripts.

After installation, the malware begins executing several malicious actions. It places and runs hidden components in the computer’s temporary folders, ensuring its presence remains unnoticed. At the same time, it creates a **fake Zoom application** that secretly connects to a suspicious domain.

To further trick victims, it displays a fake error message, making it seem like the installation failed while actually continuing to install itself in the background. Once embedded, it establishes persistence, allowing it to automatically run even after the system is restarted.

****A Signed Threat Against Job Seekers and Developers****

Unlike some older versions, ‘FlexibleFerret’ was initially signed with a valid Apple Developer signature. This helped it bypass some security checks, making it appear more legitimate. Security experts used this signature to discover even more related malware samples. That certificate has since been revoked, but a trail of other signed files has turned up.

The hackers behind ‘FlexibleFerret’ aren’t just focusing on job seekers anymore. They’re also targeting developers directly, using **fake bug reports or comments** on websites like GitHub to trick them into downloading the malware.

A threat actor tricking users into installing FlexibleFerret malware (Via SentinelLabs)

****Links to ChromeUpdate Malware****

FlexibleFerret includes a binary labeled “Mac-Installer.InstallerAlert,” which strongly matches code previously spotted in “**ChromeUpdate**,” an older piece of malware involved in these job interview lures. While Apple’s updated rules catch ChromeUpdate, they currently overlook this newer malware, indicating that attackers have changed minor elements to sneak past protections.

> _“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.”_
> 
>   
> SentinelLabs

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **KnowBe4 Tricked into Hiring a North Korean Hacker as IT Pro**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
6.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
7.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

N. Korean ‘FlexibleFerret’ Malware Hits macOS with Fake Zoom, Job Scams

Social engineering methods are being put to the test to distribute malware.

During the past several months there have been numerous malware campaigns that use a technique something referred to as “ClickFix”. It often consists of a fake CAPTCHA or similar traffic validation page where visitors are instructed to paste and execute code in order to proceed.

We have started to see ClickFix attacks more and more via malicious Google ads as well. This is in contrast to typical phishing pages where victims download a so-called installer that contains malware.

In a recent malvertising campaign targeting the Notion brand, we observed these two techniques used at play. It’s quite possible the threat actors were collecting metrics to determine which one of the two gave them the most conversions via malware installs.

This blog post details this campaign that ultimately delivered the DarkGate malware loader.

**Overview**

**Web traffic view**

**Delivery #1: PowerShell code via “ClickFix”****Malicious ad and social engineering**

Threat actors created a Google ad for the popular utility application Notion. The first time we clicked on the ad, we were redirected to a site showing a “Verify you are human” page, also known as Cloudflare Turnstile. Except this was not the real Cloudflare, and merely a social engineering trick.

The HTML source code was obfuscated to only show gibberish interlaced with Russian comments, which we later determined was Rot13, a letter substitution cipher. This was likely used to hide the offending code from prying eyes and network rules:

After checking the box to verify we are human, we see new instructions, “Verification steps”, that involve pressing a number of key combinations. _Windows + R_ launches the run dialog while _Ctrl + V_ will paste whatever is in the clipboard. Supposedly this code is part of the verification process, but instead when pressing Enter, the victim will run a malicious command:

**PowerShell and payload**

The code copied into the clipboard is actually a command line that runs PowerShell:

The Base64 encoded string retrieves the following code from _hxxps\[:\]//s2notion\[.\]com/in.php?action=1_:

This downloads a binary from _hxxps\[:\]//s2notion\[.\]com/in.php?action=2_. and runs its. That file contains an AutoIt script that launches from:

"c:\\temp\\test\\Autoit3.exe" c:\\temp\\test\\script.a3x

The following DarkGate configuration was extracted from it:

{'DarkGate': {'C2': \[\['155.138.149.77'\]\], 'unknown\_8': \['No'\], 'name': \['DarkGate'\], 'unknown\_12': \['R0ijS0qCVITtS0e6xeZ'\], 'unknown\_13': \['6'\], 'unknown\_14': \['Yes'\], 'port': \['80'\], 'startup\_persistence': \['Yes'\], 'unknown\_32': \['No'\], 'check\_display': \['Yes'\], 'check\_disk': \['No'\], 'min\_disk\_size': \['100'\], 'check\_ram': \['No'\], 'min\_ram\_size': \['4096'\], 'check\_xeon': \['No'\], 'unknown\_21': \['No'\], 'unknown\_23': \['Yes'\], 'unknown\_31': \['No'\], 'unknown\_24': \['N-traff'\], 'campaign\_id': \['user1'\], 'unknown\_26': \['No'\], 'xor\_key': \['sDcGdADE'\], 'unknown\_28': \['No'\], 'unknown\_29': \['2'\], 'unknown\_35': \['No'\], 'tabla': \['a2THNyA\]7u6Kiv$8k.F\*ZrO"do1wL9P0 3}eCGDY{XVzctg,&EhJfsx=n)mpQUqljIW5SRMb4B(\['\]}}

**Delivery #2: signed executable****Malicious ad and decoy site**

We saw this scenario after revisiting the malicious ad for a second time. Notice how the URL path is now including “/download/”.

This is the more traditional approach to malvertising for software downloads that we’ve seen for a while now. Victims download an executable after being tricked with a lookalike site. The file was found hosted on Github under the user profile _herawtisabela1992_:

This fake Notion installer was digitally signed (now revoked) by KDL CENTRAL LIMITED. Similar to the other binary mentioned in the first delivery technique, this one also extracts an AutoIt payload, with the same DarkGate configuration.

It’s interesting to note that the same GitHub user account previously distributed a backdoor called Warmcookie (aka Badspace) from:

raw\[.\]\]githubusercontent\[.\]com/herawtisabela1992/check/refs/heads/main/920836164\_x64.exe

**Conclusion**

We were not surprised to see the ClickFix social engineering attack here, but what made this campaign interesting what that it alternated between ClickFix and the typical file download.

It’s quite likely someone is tracking stats and comparing numbers to see which of the two delivery methods yields the most successful installs. If we had to put our money on it, we would bet that ClickFix is ahead. The file download technique remains effective, especially if the payload is digitally signed, but it could be relegated to second place in the near future.

Malwarebytes detects both payloads as Trojan.Dropper and Backdoor.DarkGate.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising infrastructure

notionbox\[.\]org  
s2notion\[.\]com

Payloads

6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea  
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db

 ClickFix vs. traditional download in new DarkGate campaign 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.
The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA

Tag

#backdoor