A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

In the hit virtual reality game _Gorilla Tag_, you swing your arms to pull your primate character around—clambering through virtual worlds, climbing up trees and, above all, trying to avoid an infectious mob of other gamers. If you’re caught, you join the horde. However, some kids playing the game claim to have found a way to cheat and easily “tag” opponents.

Over the past year, teenagers have produced video tutorials showing how to side-load a virtual private network (VPN) onto Meta’s virtual reality headsets and use the location-changing technology to get ahead in the game. Using a VPN, according to the tutorials, introduces a delay that makes it easier to sneak up and tag other players.

While the workaround is likely to be an annoying but relatively harmless bit of in-game cheating, there’s a catch. The free VPN app that the video tutorials point to, Big Mama VPN, is also selling access to its users’ home internet connections—with buyers essentially piggybacking on the VR headset’s IP address to hide their own online activity.

This technique of rerouting traffic, which is best known as a residential proxy and more commonly happens through phones, has become increasingly popular with cybercriminals who use proxy networks to conduct cyberattacks and use botnets. While the Big Mama VPN works as it is supposed to, the company’s associated proxy services have been heavily touted on cybercrime forums and publicly linked to at least one cyberattack.

Researchers at cybersecurity company Trend Micro first spotted Meta’s VR headsets appearing in its threat intelligence residential proxy data earlier this year, before tracking down that teenagers were using Big Mama to play _Gorilla Tag_. An unpublished analysis that Trend Micro shared with WIRED says its data shows that the VR headsets were the third most popular devices using the Big Mama VPN app, after devices from Samsung and Xiaomi.

“If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” says Stephen Hilt, a senior threat researcher at Trend Micro. Hilt says that while Big Mama VPN may be being used because it is free, doesn’t require users to create an account, and apparently doesn’t have any data limits, security researchers have long warned that using free VPNs can open people up to privacy and security risks.

These risks may be amplified when that app is linked to a residential proxy. Proxies can “allow people with malicious intent to use your internet connection to potentially use it for their attacks, meaning that your device and your home IP address may be involved in a cyberattack against a corporation or a nation state,” Hilt says.

"Gorilla Tag is a place to have fun with your friends and be playful and creative—anything that disturbs that is not cool with us,” a spokesperson for Gorilla Tag creator Another Axiom says, adding they use “anti-cheat mechanisms” to detect suspicious behavior. Meta did not respond to a request for comment about VPNs being side-loaded onto its headsets.

**Proxies Rising**

Big Mama is made up of two parts: There’s the free VPN app, which is available on the Google Play store for Android devices and has been downloaded more than 1 million times. Then there’s the Big Mama Proxy Network, which allows people (among other options) to buy shared access to “real” 4G and home Wi-Fi IP addresses for as little as 40 cents for 24 hours.

Vincent Hinderer, a cyber threat intelligence team manager who has researched the wider residential proxy market at Orange Cyberdefense, says there are various scenarios where residential proxies are used, both for people who are having traffic routed through their devices and also those buying and selling proxy services. “It’s sometimes a gray zone legally and ethically,” Hinderer says.

For proxy networks, Hinderer says, one end of the spectrum is where networks could be used as a way for companies to scrape pricing details from their competitors' websites. Other uses can include ad verification or people scalping sneakers during sales. They may be considered ethically murky but not necessarily illegal.

At the other end of the scale, according to Orange’s research, residential proxy networks have broadly been used for cyber espionage by Russian hackers, in social engineering efforts, as part of DDoS attacks, phishing, botnets, and more. “We have cybercriminals using them knowingly,” Hinderer says of residential proxy networks generally, with Orange Cyberdefense having frequently seen proxy traffic in logs linked to cyberattacks it has investigated. Orange’s research did not specifically look at uses of Big Mama's services.

Some people can consent to having their devices used in proxy networks and be paid for their connections, Hinderer says, while others may be included because they agreed to it in a service’s terms and conditions—something research has long shown people don’t often read or understand.

Big Mama doesn’t make it a secret that people who use its VPN will have other traffic routed through their networks. Within the app it says it “may transport other customer’s traffic through” the device that’s connected to the VPN, while it is also mentioned in the terms of use and on a FAQ page about how the app is free.

The Big Mama Network page advertises its proxies as being available to be used for ad verification, buying online tickets, price comparison, web scraping, SEO, and a host of other use cases. When a user signs up, they’re shown a list of locations proxy devices are located in, their internet service provider, and how much each connection costs.

This marketplace, at the time of writing, lists 21,000 IP addresses for sale in the United Arab Emirates, 4,000 in the US, and tens to hundreds of other IP addresses in a host of other countries. Payments can only be made in cryptocurrency. Its terms of service say the network is only provided for “legal purposes,” and people using it for fraud or other illicit activities will be banned.

Despite this, cybercriminals appear to have taken a keen interest in the service. Trend Micro’s analysis claims Big Mama has been regularly promoted on underground forums where cybercriminals discuss buying tools for malicious purposes. The posts started in 2020. Similarly, Israeli security firm Kela has found more than 1,000 posts relating to the Big Mama proxy network across 40 different forums and Telegram channels.

Kela’s analysis, shared with WIRED, shows accounts called “bigmama\_network” and “bigmama” posted across at least 10 forums, including cybercrime forums such as WWHClub, Exploit, and Carder. The ads list prices, free trials, and the Telegram and other contact details of Big Mama.

It is unclear who made these posts, and Big Mama tells WIRED that it does not advertise.

Posts from these accounts also said, among other things, that “anonymous” bitcoin payments are available. The majority of the posts, Kela’s analysis says, were made by the accounts around 2020 and 2021. Although, an account called “bigmama\_network” has been posting on the clearweb Blackhat World SEO forum until October this year, where it has claimed its Telegram account has been deleted multiple times.

In other posts during the last year, according to the Kela analysis, cybercrime forum users have recommended Big Mama or shared tips about the configurations people should use. In April this year, security company Cisco Talos said it had seen traffic from the Big Mama Proxy, alongside other proxies, being used by attackers trying to brute force their way into a variety of company systems.

**Mixed Messages**

Big Mama has few details about its ownership or leadership on its website. The company’s terms of service say that a business called BigMama SRL is registered in Romania, although a previous version of its website from 2022, and at least one live page now, lists a legal address for BigMama LLC in Wyoming. The US-based business was dissolved in April and is now listed as inactive, according to the Wyoming Secretary of State’s website.

A person using the name Alex A responded to an email from WIRED about how Big Mama operates. In the email, they say that information about free users’ connections being sold to third parties through the Big Mama Network is “duplicated on the app market and in the application itself several times,” and people have to accept the terms of conditions to use the VPN. They say the Big Mama VPN is officially only available from the Google Play Store.

“We do not advertise and have never advertised our services on the forums you have mentioned,” the email says. They say they were not aware of the April findings from Talos about its network being used as part of a cyberattack. “We do block spam, DDOS, SSH as well as local network etc. We log user activity to cooperate with law enforcement agencies,” the email says.

The Alex A persona asked WIRED to send it more details about the adverts on cybercrime forums, details about the Talos findings, and information about teenagers using Big Mama on Oculus devices, saying they would be “happy” to answer further questions. However, they did not respond to any further emails with additional details about the research findings and questions about their security measures, whether they believe someone was impersonating Big Mama to post on cybercrime forums, the identity of Alex A, or who runs the company.

During its analysis, Trend Micro’s Hilt says that the company also found a security vulnerability within the Big Mama VPN, which could have allowed a proxy user to access someone’s local network if exploited. The company says it reported the flaw to Big Mama, which fixed it within a week, a detail Alex A confirmed.

Ultimately, Hilt says, there are potential risks whenever anyone downloads and uses a free VPN. “All free VPNs come with a trade-off of privacy or security concerns,” he says. That applies to people side-loading them onto their VR headsets. “If you’re downloading applications from the internet that aren't from the official stores, there’s always the inherent risk that it isn’t what you think it is. And that comes true even with Oculus devices.”

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong?

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

Source: Anatolii Babii via Alamy Stock Photo

Attackers are spoofing Google Calendar invites in a fast-spreading phishing campaign that can bypass email protections and aims to steal credentials, ultimately to defraud users for financial gain.

The campaign, discovered by researchers at Check Point Software, relies on modified "sender" headings to make emails appear as if they were sent via Google Calendar on behalf of a legitimate entity, such as a trusted brand or individual, they revealed in a blog post published Dec. 17.

Initially, messages included malicious Google Calendar .ics files that would lead to a phishing attack, the threat hunters wrote. However, "after observing that security products could flag malicious Calendar invites," attackers began aligning those files with links to Google Drawings and Google Forms to better disguise their activity.

**Mass-Scale Financial Scamming Is the Goal**

Given that Google Calendar is used by more than 500 million people and is available in 41 different languages, the campaign provides a massive attack surface, so "it is no wonder it has become a target for cybercriminals" seeking to compromise online accounts for financial gain, the team noted.

"After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar, illicit activities," the researchers wrote in the post. Stolen data also can be used to bypass security measures on other victim accounts to lead to further compromise, they added.

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Attackers also are moving fast with the campaign, with researchers observing more than 4,000 emails associated it in a four-week period. In those messages, attackers used references to about 300 brands in their fake invites to make them appear authentic, they wrote.

**What a Google Calendar Phish Looks Like**

A message associated with the campaign looks like a typical invite from Google Calendar in which someone known to or trusted by the individual targeted shares a calendar invite with them. The appearances of the messages vary, with some that really look almost identical to typical Google Calendar notifications, "while others use a custom format," the team wrote.

As noted previously, the emails include a calendar link or file (.ics) that includes a link to Google Forms or Google Drawings in an attempt to bypass email-scanning tools. Once a user takes the bait, they are then asked to click on another link, "which is often disguised as a fake reCAPTCHA or support button," that forwards them to a page "that looks like a cryptocurrency mining landing page or bitcoin support page," according to the post.

Related:Wallarm Releases API Honeypot Report Highlighting API Attack Trends

"These pages are actually intended to perpetrate financial scams," the team wrote. "Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details."

**How to Avoid Becoming a "Google" Phishing Cyber Victim**

Check Point contacted Google about the campaign, which recommended that Google Calendar users enable the "known senders" setting in the app to help defend against this type of phishing. This setting will alert a user when they receive an invitation from someone not in their contact list or someone with whom they have not interacted with from their email address in the past, the company said.

Corporate defenders can used advanced email security solutions that can identify and block phishing attacks that manipulate trusted platforms with the inclusion of attachment scanning, URL reputation checks, and AI-driven anomaly detection, the Check Point team wrote.

Organizations also should monitor the use of third-party Google Apps and use cybersecurity tools that can specifically detect and warn its security teams about suspicious activity on third-party apps.

Related:Texas Tech Fumbles Medical Data in Massive Breach

Finally, two often-cited pieces advice for organizations when recommending phishing defense — the use of multifactor authentication (MFA) across business accounts and employee training on sophisticated phishing tactics — also can work in cases like this to shore up security.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)--Wallarm, the leader in real-time blocking of API attacks, on Dec. 17 unveiled a comprehensive security research report based on data collected from the world's first globally distributed API honeypot network. The findings reveal critical insights into the growing threat landscape for APIs, showcasing their increasing vulnerability to rapid discovery and exploitation.

APIs have surpassed web applications as the primary targets of attackers, underscoring the urgency for businesses to implement robust API security measures. Organizations are plagued by uncontrolled API sprawl and lack of API governance, leading to significant breaches from exposed APIs. Wallarm’s study highlights several alarming trends that demand immediate attention from organizations deploying APIs.

Key Findings from the Report:

*   APIs Are the Prime Target: APIs now attract more attacks than traditional web applications.
    
*   Rapid Discovery: Newly deployed APIs are discovered by attackers in as little as 29 seconds.
    
*   Immediate Exploitation: Unprotected APIs are exploited within one minute of discovery.
    
*   High Velocity Data Theft: Attackers using batched API requests can exfiltrate millions of user records in seconds.
    
*   Targeting Well-Known Products: Recognizable and widely used API products face heightened targeting by attackers.
    

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Wallarm’s globally distributed honeypot, spanning 14 locations, captures data from diverse geographies and providers, revealing critical trends. The honeypot provides targeted responses to API requests across multiple protocols, including REST, XML-RPC, GraphQL, and others. Over half (54%) of observed request types were API-specific, demonstrating that APIs are the preferred vector for attackers. Among these, 40% of requests targeted known vulnerabilities (CVEs). While port 80 emerged as the most commonly discovered entry point, interactions were distributed across many ports, demonstrating that protecting only common ports is insufficient.

“This report sheds light on a rapidly evolving attack surface and represents a groundbreaking effort in API security research,” said Ivan Novikov, CEO and founder at Wallarm. “APIs are the foundation of modern applications, but their widespread deployment and inadequate protection make them an attractive target for attackers. We hope this research helps organizations invest in strong protection for their APIs.”

Wallarm’s full report offers actionable insights and recommendations to safeguard APIs. To access the full research report and learn more about securing your APIs, visit http://www.wallarm.com/resources/api-honeypot-report.

Related:Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Wallarm Releases API Honeypot Report Highlighting API Attack Trends

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

****KEY POINTS****

*   **Rapid Vulnerability Exploitation**: The Androxgh0st botnet has expanded its arsenal, exploiting 27 vulnerabilities across web servers, IoT devices, and various technologies, including Cisco ASA, Atlassian JIRA, and TP-Link routers.

*   **Integration with Mozi Botnet**: The botnet incorporates Mozi payloads, targeting IoT devices and potentially sharing command-and-control infrastructure, signaling increased coordination and sophistication.

*   **Focus on Weak Security Practices**: Androxgh0st employs brute-force attacks, credential stuffing, and exploitation of devices with default or weak passwords to gain administrative access and maintain persistence.

*   **Global and Chinese-Specific Targets**: The botnet exploits vulnerabilities in both global systems and Chinese-specific technologies, with evidence pointing to links to Chinese CTF communities and Mandarin-based phishing tactics.

*   **Urgent Call for Patching**: Researchers recommend immediate patching of all affected systems to mitigate risks, including remote code execution, data breaches, and ransomware attacks.

CloudSEK’s contextual AI digital risk platform Xvigil has uncovered a significant evolution in the Androxgh0st botnet, revealing its exploitation of over 20 vulnerabilities and operational **integration with the Mozi botnet** with expected rise of, at least, 75% more web-application vulnerabilities by mid- 2025.This indicates a significant increase in Androxgh0st’s initial attack vector arsenal from 11 in November 2024 to around 27 within a month.

For your information, CISA **issued** an advisory earlier this year regarding Androxgh0st’s expanding attack surface, including Cisco ASA, Atlassian JIRA, and PHP frameworks, allowing unauthorized access and remote code execution.

CloudSEK’s research highlights Androxgh0st’s expansion beyond its initial focus on web servers, now incorporating IoT-focused Mozi payloads. It is actively exploiting 27 vulnerabilities across various technologies.

These include exploiting a web script injection vulnerability (**CVE-2014-2120**) in Cisco ASA, leveraging a path traversal vulnerability (**CVE-2021-26086**) for remote file reading, exploiting a local file inclusion vulnerability (**CVE-2021-41277**) for arbitrary file downloads, and targeting vulnerabilities in PHPUnit, Laravel, PHP-CGI, TP-Link routers, Netgear devices, and GPON routers.

Numerous other vulnerabilities are exploited now, including those in Sophos Firewall, Oracle EBS, OptiLink ONT1GEW, Spring Cloud Gateway, and various Chinese-specific software. The Sophos Authentication bypass vulnerability leads to Remote Code Execution (RCE) in the firewall’s User Portal and Webadmin web interfaces, allowing an unauthenticated attacker to execute arbitrary code.

This vulnerability is also present in Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload, which can be exploited to gain remote code execution as an Oracle user. OptiLink ONT1GEW GPON 2.1.11\_X101 Build 1127.190306 also allows remote code execution (authenticated). Finally, PHP CGI argument injection issue (**CVE-2024-4577**) is another issue affecting PHP-CGI.

This exploitation enables unauthorized access and remote code execution, posing significant risks to global web servers and IoT networks. Moreover, the botnet’s growing sophistication is evident in its shared infrastructure, persistent backdoor tactics, and the incorporation of Mozi payloads, the **report** read.

The research indicates a significant operational overlap between Androxgh0st and the Mozi botnet, with Androxgh0st deploying Mozi payloads to infect IoT devices and potentially sharing command and control infrastructure, suggesting a high level of coordination or unified control structure.

Further probing revealed that Androxgh0st **employs sophisticated tactics** such as code injection and file appending to maintain persistent access to compromised systems. It targets WordPress installations using brute-force attacks and **credential stuffing** to gain administrative access, and frequently exploits devices with default, weak or easily guessable passwords.

Although definitive attribution is complex, the research suggests links to Chinese CTF communities due to targeting of Chinese-specific technologies and software. This includes the use of the “PWN\_IT” string in injected payloads and command infrastructure, using Mandarin in phishing baits and source code, and potential connections to Chinese Kanxue-hosted CTF events. Successful exploitation can lead to data breaches, theft, system disruption, ransomware attacks, botnet amplification, and espionage and surveillance activities.

Screenshot shoes countries where devices have been most impacted for and the Chinese connection detailed by researchers in their blog (Via CloudSec)

“CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access,” researchers noted.

1.  **Legion: Credential Harvesting Malware Sold on Telegram**
2.  **Malware in Fake Business Proposals Hits YouTube Creators**
3.  **Cisco Urges Immediate Patch for Decade-Old WebVPN Flaw**
4.  **Black Basta Uses MS Teams, Email Bombing to Spread Malware**
5.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw  
    **

Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities

Yet another day, yet another data leak tied to Cisco!

****SUMMARY:****

*   **Partial Data Leak**: Hackers leaked 2.9GB of Cisco’s data on _Breach Forums_ on December 16, 2024.

*   **Exposed Records**: The leaked data is part of a 4.5TB dataset that was allegedly left unprotected by Cisco in October 2024.

*   **Previous Incident**: IntelBroker previously claimed responsibility for accessing the exposed data and attempted to sell it, including sensitive information from companies like Verizon, AT&T, and Microsoft.

*   **Cisco’s Response**: Cisco previously denied any compromise of core systems, attributing the issue to a misconfigured public-facing DevHub resource.

*   **Proof of Legitimacy**: IntelBroker released this partial leak to demonstrate the validity of their claims and attract buyers for the remaining data.

**RIBridges Breach**: Hackers infiltrated Rhode Island’s health and benefits system, demanding ransom and threatening to leak sensitive data.

On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download.

****Important Background****

The leaked data is part of the 4.5TB content that hackers claim was left exposed by Cisco without any password protection or security authentication, allowing them to download the entire dataset in October 2024.

Hackread.com exclusively reported on the incident on October 14, 2024, when IntelBroker attempted to sell the data, which allegedly included source codes, confidential documents, and credentials belonging to global firms like Verizon, AT&T, Microsoft, and others.

At the time, Cisco did not respond to Hackread.com but denied any compromise of their core systems, attributing the incident to a misconfigured public-facing DevHub resource. However, IntelBroker maintained they had access until October 18 and provided evidence to Hackread.com showing they exploited an exposed token for JFrog, a software supply chain platform, to access the exposed content.

****What’s in the Leaked Data?****

This time, IntelBroker has leaked a portion of the data in an attempt to prove its legitimacy to potential buyers. “Hopefully, this proves the legitimacy of the breach to others wanting to buy the full version,” the hacker stated.

The 2.9GB leak reportedly contains the following:

*   **Cisco ISE (Identity Services Engine)**: A security policy platform that provides secure network access control and identity management.

*   **Cisco SASE (Secure Access Service Edge)**: A cloud-delivered solution that combines networking and security functions for secure access from anywhere.

*   **Cisco Webex**: A collaboration platform offering video conferencing, messaging, and calling solutions for teams and businesses.

*   **Cisco Umbrella**: A cloud-based DNS security solution that protects users from threats by securing internet access and blocking malicious domains.

*   **Cisco IOS XE & XR**: Network operating systems used in Cisco routers and switches, enabling advanced networking, automation, and programmability.

*   **Cisco C9800-SW-iosxe-wlc.16.11.01**: A software-based Wireless LAN Controller (WLC) image that manages and controls wireless networks running on Cisco Catalyst 9800 Series platforms.

Here’s a screenshot from Breach Forums showing what the hackers have leaked and the claims they are making:

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

While Cisco has yet to respond to this latest development, IntelBroker’s actions also show how such incidents can escalate into extortion attempts. Whether the remaining 4.5TB dataset will be sold, leaked, or resolved remains to be seen, but it’s a reminder for organizations to maintain their security practices and protect sensitive data.

1.  IntelBroker Claim Access to Nokia Internal Data, Selling for $20K
2.  Europol Hacked: IntelBroker Claims Major Law Enforcement Breach
3.  IntelBroker Space-Eyes Breach, Targeting US National Security Data
4.  IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access
5.  AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info

Hackers Leak Partial Cisco Data from 4.5TB of Exposed Records

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)-- Delinea, a pioneering provider of solutions for securing identities through centralized authorization, today announced it has been authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA).

The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CNAs are organizations responsible for regularly assigning CVE Identifiers (CVE IDs) to vulnerabilities and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Delinea proudly joins a list of partners, including 420+ organizations from 40 countries, to further expand the community-driven CVE Program.

As a CNA, Delinea is authorized to review and assign CVE IDs to newly discovered zero-day vulnerabilities in the company’s software products. This will allow Delinea to directly establish new CVEs, streamline the reporting process, and continue to foster collaboration with the industry as a whole.

“Joining the CVE Program as a CNA reinforces our commitment and dedication to collaborating with the global cybersecurity community to identify and address emerging threats and shape the future of cybersecurity,” said Phil Calvin, Chief Product Officer at Delinea. “As identity security becomes the new frontline in cyber defense, safeguarding identities and governing their interactions is more critical than ever. Delinea’s involvement in this program will ensure our identity security solutions continue to be the most reliable in the market.”

Delinea provides the only identity security platform that enables organizations to seamlessly govern interactions across the modern enterprise through intelligent authorization. It applies context and intelligence throughout the identity lifecycle, eliminating threats while boosting productivity.

**A community-based approach to strengthening cybersecurity**

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders. It is an international, community-based effort to discover vulnerabilities and then assign and publish them to the CVE List, which CNAs build.

Use of CVE Records enables information technology and cybersecurity professionals to ensure they are discussing the same issue and coordinate their efforts to prioritize and address vulnerabilities, resulting in significant time and cost savings.

For more information on Delinea’s responsible disclosure program, visit its Trust Center: https://trust.delinea.com

Delinea Joins CVE Numbering Authority Program

Three vulnerabilities in the service's Apache Airflow integration could have allowed attackers to take shadow administrative control over an enterprise cloud infrastructure, gain access to and exfiltrate data, and deploy malware.

Source: Aleksia via Alamy Stock Photo

Three flaws discovered in the way Microsoft's Azure-based data integration service leverages an open source workflow orchestration platform could have allowed an attacker to achieve administrative control over companies' Azure cloud infrastructures, exposing enterprises to data exfiltration, malware deployment, and unauthorized data access.

Researchers at Palo Alto Networks' Unit 42 discovered the vulnerabilities — two of which were misconfigurations and the third involved weak authentication — in Azure Data Factory's Apache Airflow integration. Data Factory enables users to manage data pipelines when moving information between different sources, while Apache Airflow facilitates the scheduling and orchestration of complex workflows.

While Microsoft classified the flaws as low-severity vulnerabilities, Unit 42 researchers found that exploiting them successfully could allow an attacker to gain persistent access as a shadow administrator over the entire Airflow Azure Kubernetes Service (AKS) cluster, they revealed in a blog post published Dec. 17.

Specifically, the flaws discovered in Data Factory were: a misconfigured Kubernetes role-based access control (RBAC) in Airflow cluster; a misconfigured secret handling of the Azure's internal Geneva service, which is responsible for managing critical logs and metrics; and weak authentication for Geneva.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

The Airflow instance's use of default, unchangeable configurations combined with the cluster admin role's attachment to the Airflow runner "caused a security issue" that could be manipulated "to control the Airflow cluster and related infrastructure," the researchers explained.

If an attacker was able to breach the cluster, they also could manipulate Geneva, allowing attackers "to potentially tamper with log data or access other sensitive Azure resources," Unit 42 AI and security research manager Ofir Balassiano and senior security researcher David Orlovsky wrote in the post.

Overall, the flaws highlight the importance of managing service permissions and monitoring the operations of critical third-party services within a cloud environment to prevent unauthorized access to a cluster.

Unit 42 informed Microsoft Azure of the flaws, which ultimately were resolved by the Microsoft Security Response Center. The researchers did not specify what fixes were made to mitigate the vulnerabilities, and Microsoft did not immediately respond to request for comment.

**How Cyberattackers Gain Initial Administrative Access**

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

An initial exploit scenario lies in an attacker's ability to gain unauthorized write permissions to a directed acyclic graph (DAG) file used by Apache Airflow. DAG files define the workflow structure as Python code; they specify the sequence in which tasks should be executed, the dependencies between tasks, and scheduling rules.

Attackers have two ways to gain access to and tamper with DAG files. They could gain write permissions to the storage account containing DAG files by leveraging a principal account with write permissions; or they could use a shared access signature (SAS) token, which grants temporary and limited access to a DAG file.

In this scenario, once a DAG file is tampered with, "it lies dormant until the DAG files are imported by the victim," the researchers explained.

The second way is to gain access to a Git repository using leaked credentials or a misconfigured repository. Once this occurs, the attacker can create a malicious DAG file or modify an existing one, and the directory containing the malicious DAG file is imported automatically.

In their attack flow, Unit 42 researchers used the Git repository leaked credentials scenario to access a DAG file. "In this case, once the attacker manipulates the compromised DAG file, Airflow executes it, and the attacker gets a reverse shell," they explained in the post.

Related:336K Prometheus Instances Exposed to DoS, 'Repojacking'

The basic exploit workflow, then, involves an attacker first crafting a DAG file that opens a reverse shell to a remote server and runs automatically when imported. The malicious DAG file is then uploaded to a private GitHub repository connected to the Airflow cluster.

"Airflow imports and runs the DAG file automatically from the connected Git repository, opening a reverse shell on an Airflow worker," the researchers explained. "At this point, we gained cluster admin privileges due to a Kubernetes service account that was attached to an Airflow worker."

The attack can then escalate from there to take over a cluster; use the shadow admin access to create shadow workloads for cryptomining or running other malware; exfiltrate data from the enterprise cloud; and exploit Geneva to reach other Azure endpoints for further malicious activity, the researchers wrote.

**Cloud Security Should Extend Beyond the Cluster**

Cloud-based attacks often begin with attackers pouncing on local misconfigurations, and the exploit flow again highlights how an entire cloud environment can be exposed to risk due to flaws exploited within a single node or cluster.

The scenario demonstrates the importance of going beyond merely securing the perimeter of a cloud cluster to a more comprehensive approach to cloud security that takes into consideration what happens if attackers break this boundary, according to Unit 42.

This strategy should include "securing permissions and configurations within the environment itself, and using policy and audit engines to help detect and prevent future incidents both within the cluster and in the cloud," the researchers wrote.

Enterprises also should safeguard sensitive data assets that interact with different services in the cloud to understand which data is being processed with which data service, they added. This will ensure that service dependencies are taken into consideration when securing the cloud.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Azure Data Factory Bugs Expose Cloud Infrastructure

SUMMARY Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified…

****SUMMARY****

*   **Fake PoCs on GitHub**: Cybercriminals used trojanized proof-of-concept (PoC) code on GitHub to deliver malicious payloads to unsuspecting users, including researchers and security professionals.

*   **Credential Theft**: The attackers stole over 390,000 WordPress credentials, AWS access keys, SSH private keys, and other sensitive data from compromised systems.

*   **Stealth Techniques**: The campaign employed methods like backdoored configuration files, malicious PDFs, Python dropper scripts, and hidden npm packages to deploy the malware.

*   **Phishing Campaigns**: The attackers also targeted academics through phishing emails, tricking them into installing malware disguised as a fake kernel upgrade.

*   **Supply Chain Impact**: By leveraging trusted platforms like GitHub and popular tools, the attackers exploited the software supply chain, posing risks to professionals trusting these resources.

Datadog Security Labs’ cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified as MUT-1244, which resulted in the theft of over 390,000 WordPress credentials.

According to Datadog Security Labs’ research, the actor used a trojanized WordPress credentials checker to steal data. SSH private and AWS access keys were also stolen from the compromised systems of hundreds of victims. The attackers’ key targets included red teamers, penetration testers, security researchers, and even other malicious actors.

****Use of Phishing and Trojan****

Researchers observed that MUT-1244 has employed two main methods to gain initial access to victim systems including phishing and trojanized GitHub repositories.

**Phishing Campaign:** The campaign targeted academics, specifically those researching high-performance computing (HPC). The email urged them to install a fake kernel upgrade, leading to the download of malicious code.

**Trojanized GitHub Repositories:** MUT-1244 created numerous fake repositories on GitHub. These repositories disguised themselves as **proof-of-concept (PoC)** codes for known vulnerabilities. However, they contained hidden malicious code that infected victims who downloaded and ran them. 

****Fake PoCs: A New Yet Familiar Weapon****

It is worth noting that the use of fake PoCs has emerged as a new weapon for cybercriminals to target cybersecurity researchers and unsuspecting users. **In June 2023**, scammers were caught impersonating real cybersecurity researchers to spread malware disguised as PoCs on GitHub and X (formerly Twitter).

**In July 2023**, a similar campaign was discovered in which fake GitHub repositories were used to distribute malware posing as PoCs. Interestingly, the stolen identity used in that attack belonged to Shakhriyar Mamedyarov, an Azerbaijani chess grandmaster.

**By September 2023**, another malicious campaign surfaced, utilizing a fake proof-of-concept script to trick researchers into downloading and executing a VenomRAT payload. This attack exploited the WinRAR vulnerability (CVE-2023-40477).

****Techniques used in the trojanized repositories:****

The techniques used in the trojanized repositories included multiple methods to hide and deliver malicious payloads. Some repositories contained legitimate exploits but hid malicious code within lengthy, backdoored configuration files.

In other cases, the malicious code was embedded inside PDF files; once opened, the fake exploit would extract and execute the hidden payload. A few repositories employed Python dropper scripts to decode base64-encoded payloads, write them to disk and execute them.

Additionally, some repositories indirectly infected victims by incorporating malicious npm packages into their code, which then downloaded and executed the attacker’s payload.

The ultimate goal of these attacks was to steal sensitive information from victims, including private SSH keys, **AWS credentials**, and command history.  Moreover, research revealed the malicious code contained hardcoded credentials for Dropbox and file.io services. These credentials allowed the attacker to access and download the stolen data from infected machines.

****390,000 WordPress Credentials****

Another shocking disclosure was the attacker’s ability to access over 390,000 WordPress credentials. Researchers believe these credentials were originally obtained by other malicious actors and subsequently compromised when the attackers used a trojanized tool called “yawpp” to validate them. 

The attack flow and one of the profiles used in the scam (Credit: Datadog Security Labs)

“We assess with high confidence that before these credentials were exfiltrated to Dropbox, they were in the hands of offensive actors, who likely acquired them through illicit means,” Datadog’s **report** read.

Yawpp was advertised as a legitimate WordPress credentials checker, making it a perfect lure for attackers unaware of its malicious nature. Nevertheless, the MUT-1244 campaign shows that cybercriminals are finding new ways to trick users, making it vital for individuals to improve their skills. This is especially true for **employees with cybersecurity training**, as staying alert can help prevent risks to themselves and their organizations.

**Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity commented on the issue stating, _“_Targeting red-teamers and security researchers through fake POCs is a troll technique as old as security research itself, however, as this attack demonstrates, it can also be an effective approach to watering-hole attacks._“_ Casey added, _“_This is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply-chain, and that malicious attackers know this._“_

1.  **Researcher release PoC exploit for 0-day in Chrome**
2.  **Facial DNA provider leaks biometric data via WordPress folder**
3.  **Thousands of WordPress Websites Hacked with Sign1 Malware**
4.  **Lazarus Targets Blockchain Pros with Fake Video Conferencing**
5.  **Hackers Publish PoC of 0-day Vulnerability in Windows on Twitter**

Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys

A thwarted attack demonstrates that threat actors using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

Source: Brian Jackson via Alamy Stock Photo

The DarkGate remote access Trojan (RAT) has a new attack vector: A threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.

The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said.

Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control (C2) server.

**A Multistage Vishing Cyberattack**

The multistage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim's inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.

The caller claimed to be an employee of an external supplier of the victim's company needing assistance, and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

**Another Channel for Spreading DarkGate Malware**

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including other RATs like Remcos.

**How to Protect Against Sophisticated Vishing Attacks**

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands. Training employees on signs of a vishing attack, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.

"Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.

Whitelisting approved remote access tools and blocking any unverified applications as well as integrating multifactor authentication (MFA) on remote access tools also reduce "the risk of malicious tools being used to gain control over internal machines," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft Teams Vishing Spreads DarkGate RAT

Its mid-December, if you’re on-call or working to defend networks, this newsletter is for you. Martin discusses the widening gap between threat and defences as well as the growing problem of home devices being recruited to act as proxy servers for criminals.

Thursday, December 12, 2024 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “_clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us._”

To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.

Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.

If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour to one observer, may be the most obvious course of action to another with a different point of view.

Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar are all part of the solution in defeating cyber attacks.

If we are to move to a world free from cyber insecurity we must close the gap between threat and defense. This will take communication and understanding, both to communicate the threat, but also to understand the constraints that decision makers work under. Yet, we also need to express and recognise the effort and sometimes heroic acts of effort that cyber security teams undertake to keep businesses running and free from breaches.

This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.

**The one big thing **

Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.

Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.

**Why do I care?**

Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.

**So now what?**

Firstly, ensure that patches are applied, and default or easy to guess credentials are changed to avoid becoming part of the problem. Apply zero-trust principles to authenticate users via MFA in the context of the time and date of the access; importantly verify that the connecting device confirms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat see the blog post.

**Top security headlines of the week ****Presidential Elections in Romania hit by Cyber Campaign**

The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.

(BBC News 1 & 2)

**Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement**

The Matrix secure communication systems which offered encrypted messaging for criminals has been taken down by law enforcement authorities with millions of messages secured for investigation. This take down follows similar success against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.

(The Register)

**Wanted Russian Suspected Ransomware Actor Arrested**

Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions cyber criminals located within Russia does have limits.

(SecurityWeek)

**Can’t get enough Talos? **

**Upcoming events where you can find Talos**

Cisco Live EMEA (February 9-14, 2025)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week  ****SHA256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Win.Worm.Bitmin-9847045-0

**SHA256:3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341**

MD5: b6bc3353a164b35f5b815fc1c429eaab

VirusTotal:

https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi

Claimed Product: n/a 

Detection Name: Simple\_Custom\_Detection

**SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**

MD5: 71fea034b422e4a17ebb06022532fdde

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

Typical Filename: VID001.exe

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos

**SHA256:a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: img001.exe

Claimed Product: n/a 

Detection Name: Win.Trojan.Miner-9835871-0

**SHA256:3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   **

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Tag

#cisco