This week on the Lock and Code podcast, we speak with San Francisco City Attorney David Chiu about his team's fight against deepfake porn.

_This week on the Lock and Code podcast…_

On August 15, the city of San Francisco launched an entirely new fight against the world of deepfake porn—it sued the websites that make the abusive material so easy to create.

“Deepfakes,” as they’re often called, are fake images and videos that utilize artificial intelligence to swap the face of one person onto the body of another. The technology went viral in the late 2010s, as independent film editors would swap the actors of one film for another—replacing, say, Michael J. Fox in Back to the Future with Tom Holland.

But very soon into the technology’s debut, it began being used to create pornographic images of actresses, celebrities, and, more recently, everyday high schoolers and college students. Similar to the threat of “revenge porn,” in which abusive exes extort their past partners with the potential release of sexually explicit photos and videos, “deepfake porn” is sometimes used to tarnish someone’s reputation or to embarrass them amongst friends and family.

But deepfake porn is slightly different from the traditional understanding of “revenge porn” in that it can be created without any real relationship to the victim. Entire groups of strangers can take the image of one person and put it onto the body of a sex worker, or an adult film star, or another person who was filmed having sex or posing nude.

  
The technology to create deepfake porn is more accessible than ever, and it’s led to a global crisis for teenage girls.

In October of 2023, a reported group of more than 30 girls at a high school in New Jersey had their likenesses used by classmates to make sexually explicit and pornographic deepfakes. In March of this year, two teenage boys were arrested in Miami, Florida for allegedly creating deepfake nudes of male and female classmates who were between the ages of 12 and 13. And at the start of September, this month, the BBC reported that police in South Korea were investigating deepfake pornography rings at two major universities.

While individual schools and local police departments in the United States are tackling deepfake porn harassment as it arises—with suspensions, expulsions, and arrests—the process is slow and reactive.

Which is partly why San Francisco City Attorney David Chiu and his team took aim at not the individuals who create and spread deepfake porn, but at the websites that make it so easy to do so.

Today, on the Lock and Code podcast with host David Ruiz, we speak with San Francisco City Attorney David Chiu about his team’s lawsuit against 16 deepfake porn websites, the city’s history in protecting Californians, and the severity of abuse that these websites offer as a paid service.

> “At least one of these websites specifically promotes the non-consensual nature of this. I’ll just quote: ‘Imagine wasting time taking her out on dates when you can just use website X to get her nudes.’”
> 
> David Chiu, San Francisco City Attorney

Tune in today for the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 San Francisco’s fight against deepfake porn, with City Attorney David Chiu (Lock and Code S05E20) 

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

**Taskhub 3.0.3 Insecure Settings**

Posted Sep 20, 2024

Authored by indoushka

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7505071b9896db1b7f4f5cd911d9d07b06247bd94dbf46777a4481d4b83f1ddd

Download | Favorite | View

**Taskhub 3.0.3 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v3.0.3 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,862)
*   Arbitrary (17,077)
*   BBS (2,859)
*   Bypass (1,923)
*   CGI (1,047)
*   Code Execution (7,902)
*   Conference (692)
*   Cracker (845)
*   CSRF (3,427)
*   DoS (25,263)
*   Encryption (2,395)
*   Exploit (54,266)
*   File Inclusion (4,274)
*   File Upload (1,017)
*   Firewall (822)
*   Info Disclosure (2,916)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,281)
*   Local (14,850)
*   Magazine (587)
*   Overflow (13,223)
*   Perl (1,435)
*   PHP (5,271)
*   Proof of Concept (2,411)
*   Protocol (3,749)
*   Python (1,660)
*   Remote (31,888)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (642)
*   Scanner (1,658)
*   Security Tool (8,048)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,725)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,092)
*   Web (10,138)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,301)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,114)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,124)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (389)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,237)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,845)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,852)
*   UNIX (9,456)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Taskhub 3.0.3 Insecure Settings

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.
Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.

Google-owned Mandiant is tracking the activity cluster under the moniker **UNC1860**, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively.

"A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that \[...\] supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East," the company said.

The group first came to light in July 2022 in connection with destructive cyber attacks targeting Albania with a ransomware strain called ROADSWEEP, the CHIMNEYSWEEP backdoor, and a ZEROCLEAR wiper variant (aka Cl Wiper), with subsequent intrusions in Albania and Israel leveraging new wipers dubbed No-Justice and BiBi (aka BABYWIPER).

Mandiant described UNC1860 as a "formidable threat actor" that maintains an arsenal of passive backdoors that are designed to obtain footholds into victim networks and set up long-term access without attracting attention.

Among the tools includes two GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN, which are said to provide other MOIS-associated threat actors with remote access to victim environments using remote desktop protocol (RDP).

Specifically, these controllers are designed to provide third-party operators an interface that offers instructions on the ways custom payloads could be deployed and post-exploitation activities such as internal scanning could be carried out within the target network.

Mandiant said it identified overlaps between UNC1860 and APT34 (aka Hazel Sandstorm, Helix Kitten, and OilRig) in that organizations compromised by the latter in 2019 and 2020 were previously infiltrated by UNC1860, and vice versa. Furthermore, both the clusters have been observed pivoting to Iraq-based targets, as recently highlighted by Check Point.

The attack chains involve leveraging initial access gained by opportunistic exploitation of vulnerable internet-facing servers to drop web shells and droppers like STAYSHANTE and SASHEYAWAY, with the latter leading to the execution of implants, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, that are embedded within it.

"VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604," the researchers said, adding that it controls STAYSHANTE, along with a backdoor referred to as BASEWALK.

"The framework provides post-exploitation capabilities including \[...\] controlling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and executing commands and uploading/downloading files.

TEMPLEPLAY (internally named Client Http), for its part, serves as the .NET-based controller for TEMPLEDOOR. It supports backdoor instructions for executing commands via cmd.exe, upload/download files from and to the infected host, and proxy connection to a target server.

It's believed that the adversary has in its possession a diverse collection of passive tools and main-stage backdoors that align with its initial access, lateral movement, and information gathering goals.

Some of the other tools of note documented by Mandiant are listed below -

*   OATBOAT, a loader that loads and executes shellcode payloads
*   TOFUDRV, a malicious Windows driver that overlaps with WINTAPIX
*   TOFULOAD, a passive implant that employs undocumented Input/Output Control (IOCTL) commands for communication
*   TEMPLEDROP, a repurposed version of an Iranian antivirus software Windows file system filter driver named Sheed AV that's used to protect the files it deploys from modification
*   TEMPLELOCK, a .NET defense evasion utility that's capable of killing the Windows Event Log service
*   TUNNELBOI, a network controller capable of establishing a connection with a remote host and managing RDP connections

"As tensions continue to ebb and flow in the Middle East, we believe this actor's adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift," researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik said.

The development comes as the U.S. government revealed Iranian threat actors' ongoing attempts to influence and undermine the upcoming U.S. elections by stealing non-public material from former President Donald Trump's campaign.

"Iranian malicious cyber actors in late June and early July sent unsolicited emails to individuals then associated with President Biden's campaign that contained an excerpt taken from stolen, non-public material from former President Trump's campaign as text in the emails," the government said.

"There is currently no information indicating those recipients replied. Furthermore, Iranian malicious cyber actors have continued their efforts since June to send stolen, non-public material associated with former President Trump's campaign to U.S. media organizations."

Iran's ramping up of its cyber operations against its perceived rivals also comes at a time when the country has become increasingly active in the Middle East region.

Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (aka Fox Kitten) has carried out ransomware attacks by clandestinely partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) groups.

Censys' analysis of the hacking group's attack infrastructure has since uncovered other, currently active hosts that are likely part of it based on commonalities based on geolocation, Autonomous System Numbers (ASNs), and identical patterns of ports and digital certificates.

"Despite attempts at obfuscation, diversion, and randomness, humans still must instantiate, operate, and decommission digital infrastructure," Censys' Matt Lembright said.

"Those humans, even if they rely upon technology to create randomization, almost always will follow some sort of pattern whether it be similar Autonomous Systems, geolocations, hosting providers, software, port distributions or certificate characteristics."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

PRESS RELEASE

SAN FRANCISCO, Calif., September 16, 2024 – c/side, a cybersecurity company with tools for monitoring, optimizing, and securing vulnerable browser-side third-party scripts, today announced $6 million in seed funding. The round is led by Uncork Capital, with participation from Mantis VC, Scribble Ventures, Roar Ventures, and PrimeSet. c/side’s total funding is now $7.7 million, following a pre-seed round announced earlier this year. Scribble and Roar also participated in the pre-seed, along with strategic angel investors.

  
As headlines have continued to show since the infamous British Airways breach, the third-party code scripts that businesses add into their websites are often poorly monitored and undersecured. While these scripts are necessary for critical site functions such as analytics, chatbots, and error handling, the scripts change frequently without a business’ knowledge—posing significant risks. Malicious actors exploit vulnerabilities within the scripts to redirect website visitors, steal sensitive information, or manipulate website content. As a result of increased security awareness on the infrastructure and open source supply chain, malicious actors increasingly seek to weaponize the browser as the place of execution—yet most sites have nothing in place to monitor client-side behavior.

  
With an advanced proxy service and an AI-driven detection engine, c/side offers a comprehensive toolkit to identify and neutralize malicious scripts in real-time. The innovative solution not only bolsters website security, but also significantly enhances website performance. Beyond safeguarding organizations from cyberattacks, c/side’s technology also simplifies compliance with stringent industry regulations like PCI DSS 4.0, making it a critical and particularly timely tool for businesses accepting digital payments via their sites.

  
“Even in the few short months since we launched, major browser supply chain attacks like polyfill\[.\]io and regulatory breach incidents like the one at Kaiser Permanente have underscored just how significant and rapidly-escalating this attack vector has become,” said Simon Wijckmans, CEO and founder, c/side. “Security and IT teams cannot take a ‘set it and forget it’ approach to the third-party web scripts that run through their organization’s website. We understand what’s required to ensure ongoing visibility and protection, and offer an end-to-end solution that’s simple to deploy. We’re thrilled to bring on new investors with our seed funding, and look forward to our next stage.”

  
“c/side is addressing client-side app security, one of the most challenging threats to digital organizations and a problem that has been largely overlooked until now,” said Andy McLoughlin, Managing Partner at Uncork Capital. “Their AI-driven solution not only identifies these threats but acts swiftly to neutralize them, ensuring robust client-side web security. We’re thrilled to lead this round and support the c/side team as they develop solutions to protect businesses from costly and damaging browser-executed attacks."

  
“We’re impressed by c/side’s AI-driven approach and its potential to revolutionize client-side security at scale,” said Alex Pall, General Partner, Mantis VC. “This team has the expertise and vision to make a significant and lasting impact across the cybersecurity landscape, making web security more accessible to all. Whether you’re an early-stage grinding entrepreneur or a large established brand, c/side will grow to have your back. Simon and the team will make things rock!”

  
The seed funding will enable c/side to accelerate the development of its flagship product, the powerful proxy solution for securing third-party web scripts. The company will also deepen its vulnerability detection engine’s capabilities and grow its team to support customer service, sales, partnership, and marketing functions.

  
c/side’s free tier is now fully operational and available — anyone can sign up and begin securing their site in minutes. Business, Enterprise, and Partner tiers are in development; those interested can contact c/side here. 

  
About c/side  
c/side is a forward-thinking cybersecurity startup focused on browser-side detection and protection. Led by industry expert Simon Wijckmans, c/side is pioneering technologies to shield against sophisticated cyber threats, ensuring unparalleled security standards for users across the web.

c/side Lands $6M to Combat Rising Browser Supply Chain Attacks

This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Talk of election security is good, but we still need more money to solve the problem

What happened to KnowBe4 also has happened to many other organizations, and it's still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.

Source: DD Images via Shutterstock

A postmortem on the accidental hiring of a North Korean threat actor at a security firm reveals a sophisticated, industrial-like network of fake IT workers carefully groomed to fool US companies into giving them employment for the financial gain of the North Korean government.

In July, security awareness training firm KnowBe4 was transparent in revealing how a software engineer the company hired turned out to be a North Korean threat actor who immediately began loading malware onto his company-issued workstation.

Though administrators managed to detect and shut down the malicious operation before any harm was done, the incident served as a wake-up call about the sophistication of a North Korean state-sponsored program that sends operatives posing as credible IT workers out into the workforce.

Within weeks of the company's public revelation, KnowBe4 heard from more than a dozen other organizations that had similar stories of either hiring or being solicited for work by North Korean actors, the company revealed in a white paper (PDF) released this week.

Companies from the size of Fortune 500 organizations to small businesses with only 12 employees accidentally hired North Korean fake employees, with organizations with largely remote workforces being at the highest risk.

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"It turns out that the North Korean fake employee problem is a complex, industrial, scaled nation-state operation, and it is likely that thousands of organizations around the world have or are now involved in accidentally hiring North Korean fake employees," Roger Grimes, KnowBe4 data-driven defense evangelist, wrote in the report.

**Anatomy of a State-Sponsored Fake Employee Program**

The fact that the fake worker scheme is much more widespread than initially believed and that the people taking part in them are "exceptionally skilled" are the greatest lessons learned from KnowBe4's experience, Erich Kron, security awareness advocate at KnowBe4, tells Dark Reading.

"The ability to pass background checks, combined with the willingness and ability to interview on several Zoom calls is indicative of just how polished their program is," he says. "They seem to have processes in place that work exceptionally well on organizations both large and small."

The program takes advantage of a cultural shift in employment among US organizations over the past several years that has made companies more susceptible to placing workers with malicious intent in legitimate positions, Kron says.

This shift is a combination of organizations embracing the remote-work model, and the modern interest in hiring people from around the globe based on their knowledge and abilities rather than geographical location, he says.

Related:FBI Leads Takedown of Chinese Botnet Impacting 200K Devices

"This is extremely challenging when many of the best candidates and people knowledgeable with cutting-edge technology are not US-born and may have strong accents that may have been a barrier to hiring in the past," Kron says. "Multicultural workforces are not only common in the modern business world but are critical if organizations wish to hire the top talent in their fields."

**A Look Behind the Curtain**

KnowBe4 learned much about how the various aspects of the North Korean program operate in the wake of the company's own incident. The company discovered that the chief goal of this program is financial gain, though operatives also to a lesser extent engage in cyber espionage and even corporate sabotage activities, once joining an organization.

Overall, there are four parts that are integral to making the fake employee scheme work: North Korean-based program leaders; North Korean employees and managers based in other countries; non-Korean scheme assisters that are usually based in the country where the job is located; and infrastructure to assist with accepting payments, generating fake identities or stealing real identities, creating fake employee websites and projects, giving references, money laundering, document forgery services, and other supporting activities.

Related:Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

The employees are often skilled IT workers and developers trained at North Korean universities, and are usually located in foreign countries, such as China, in shared living spaces and workspaces. They usually work in busy call-center-like spaces; in fact, organizations that interviewed or hired these fake employees often noted the noisy background, Grimes observed.

KnowBe4 described the employees ensnared in the program as themselves unfortunate victims of a type of human trafficking. They receive very little of the earned revenue, with most of it benefiting the North Korean government. Moreover, close family members stay back in North Korea "to be used as personal leverage to force the employee to toil long hours for very little wages," Grimes wrote.

**How to Spot a North Korean Fake Employee**

KnowBe4 offered substantial guidance for organizations during the hiring process to help them spot a North Korean threat actor before taking that person on board, as well offered after-hiring advice in case an operative makes it onto an IT team.

Some characteristics and behaviors in a candidate to look out for include the person being of Asian decent who is not highly skilled in English, though he or she claims to have always lived in the US. The person will be using a fake identity, a fake ID credential, and a fake work history that will all fail an secondary verification.

The candidate also will supply personal websites, profiles, or GitHub sites that seem overly basic, "often saying something and nothing at the same time, or you can find very similar sites and profiles," Grimes wrote. These sites and profiles also will have been posted only very recently and will have no Internet presence outside of the properties supplied by the candidate.

After hiring, organizations may detect unnecessary logins by the employee on the remote device provided by the company, from an IP address that doesn't match the claimed geographical location, or other unusual behavior. Employees also may work hours inconsistent with the time zone where they claim to be located.

Because the motivation for the threat actors is financial, another red flag after hiring is a request to be paid in unusual or strange payment schemes, including the demand for virtual currency.

**Protecting Your Organization**

If an organization suspects a person is a threat actor during the hiring process, it should be reported immediately to senior management for support in vetting the person's legitimacy. KnowBe4 also advised that organizations "threat model" their hiring process and make updates to mitigate the risk of hiring fake employees, such as sharing the warning signs for these actors with those in the direct hiring process.

Indeed, "reviewing hiring processes and reworking them around lessons learned from the experience has been critical" to KnowBe4's incident recovery, and "well worth the investment" to ensure the scenario doesn't repeat itself, Kron says.

If a company does suspect that one of its employees is a North Korean actor, KnowBe4 advised that any device supplied to the person by the company is immediately locked down to the bare minimum access, and monitored for unusual activity, malware, log modifications, or unexpected language changes. The company also should take further steps to monitor employee activity and, of course, remove the person from the job if suspicions prove true.

In retrospect, KnowBe4 has learned that even though it already had a strong security culture with many controls in place that allowed the company to mitigate the situation quickly, "there is always room for improvement," Kron says.

"Having been through this has allowed us to become even more secure than we were previously," he says, "and by sharing the lessons we learned, we hope it will help others."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm's North Korean Hacker Hire Not an Isolated Incident

Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.

Source: Rafa Press via Shutterstock

One-thousand instances of enterprise knowledge bases (KBs) hosted by ServiceNow were found to be exposing sensitive corporate data over the past year, despite improvements in data protection that the company put in place last year to avoid such security issues.

Based on security research conducted by software-as-a-service (SaaS) security firm AppOmni, nearly 45% of total enterprise instances of ServiceNow KBs leak sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems.

AppOmni chief of SaaS security research Aaron Costello in an analysis published on Sept. 17 attributed the security holes to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning," he wrote.

In fact, in many of the cases, organizations with more than one instance of ServiceNow had consistently misconfigured KB access controls across each one, the researchers found.

ServiceNow is a cloud-based IT service management platform. Last year, the company introduced security updates to its platform to prevent unauthenticated users from getting access to data, including default enhancements to access control lists (ACLs). However, the improvements didn't seem to have a great impact on its KBs, a "treasure trove of sensitive internal data" not meant to be seen by those outside of the organization, Costello noted.

**Why Leaks Despite Security Improvements?**

AppOmni revealed its findings to ServiceNow, which worked with its customers to evaluate the instances of customer data leaks and "appropriately configure the accessibility of KB articles," ServiceNow CISO Ben De Bont said in a statement published with AppOmni's analysis.

"We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products," De Bont said. He thanked Costello and AppOmni not only for identifying the security gap, but also delaying publication of their findings until ServiceNow could coordinate mitigations with customers.

As mentioned, ServiceNow made two key changes to its data protections last year in an effort to improve the security of data hosted on its platform. One was to add properties to prevent select widgets from granting unauthenticated users access to data unless explicitly set to do so, while the second was a new feature called Security Attributes, which is applied to most ACLs by default. It includes specific verifications to ensure unauthenticated users are not allowed access to data.

These updates did not protect data in KBs for two reasons, Costello noted. One is that public widgets that can be used to access the content of KB articles did not receive the update, he wrote. The second reason is that the majority of KBs are secured using a feature called User Criteria as opposed to ACLs, "rendering the addition of the 'UserIsAuthenticated' Security Attribute redundant since it is an ACL-exclusive feature," Costello noted.

Though this may explain the issues found with ServiceNow's KB exposure, it doesn't necessarily explain why organizations in general struggle to lock down KBs. What Costello found in his research is that most enterprise instances — or 60% of the cases he examined — retain an insecure KB security property to "allow public access by default," Costello said.

Moreover, many administrators are unaware that there are various criteria that grant access to unauthenticated users in KB configurations, allowing "external users to slip through the cracks and be granted access," Costello wrote.

**How to Mitigate KB Data Exposure**

Indeed, ServiceNow isn't the only hosting provider to have issues with data leakage from KBs, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Microsoft, too, experienced a similar issue with leaking client data, "including complete memory dumps, exposed in help desk-type data," he says.

However, pointing fingers at SaaS providers when security issues like KB data leaks arise isn't going to help combat the problem, and organizations also need to take responsibility for the security of their own KBs.

"The reality is that we are all learning how to best secure our data in this world of hyper-connectivity and always online accessible content," he says. "Instead of blaming the vendor, let's use this additional instance of the type of problem to examine our own policies and processes."

Costello suggested ways organizations can do that, including running regular diagnostics on KB access controls to keep security configurations updated, and using business rules to deny unauthenticated access to KB content by default.

They also should be aware of the relevant security properties of KBs, which act as important security guardrails affecting how access control is dictated when both internal and external users attempt to access data, he said.

Keeping in contact with ServiceNow (as well as other SaaS providers that are responsible for hosting sensitive corporate data), and ensuring security updates and efforts are up-to-date can help prevent data exposure, Costello added.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Thousands of ServiceNow KB Instances Expose Sensitive Corporate Data

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).

The sophisticated botnet, dubbed **Raptor Train** by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.

"Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in a 81-page report shared with The Hacker News.

The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following -

*   Tier 1: Compromised SOHO/IoT devices
*   Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
*   Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The way it works is, that bot tasks are initiated from Tier 3 "Sparrow" management nodes, which are then routed through the appropriate Tier 2 C2 servers, and subsequently sent to the bots themselves in Tier 1, which makes up a huge chunk of the botnet.

Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.

A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor's ability to reinfect the devices at will.

"In most cases, the operators did not build in a persistence mechanism that survives through a reboot," Lumen noted.

"The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an 'inherent' persistence."

The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.

Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.

These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.

At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which are distinguished by the root domains used and the devices targeted -

*   Crossbill (from May 2020 to April 2022) - use of the C2 root domain k3121.com and associated subdomains
*   Finch (from July 2022 to June 2023) - use of the C2 root domain b2047.com and associated C2 subdomains
*   Canary (from May 2023 to August 2023) - use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
*   Oriole (from June 2023 to September 2024) - use of the C2 root domain w8510.com and associated C2 subdomains

The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.

The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.

"In fact, the w8510.com C2 domain for \[the Oriole\] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings," Lumen said.

"By at least August 7, 2024, it was also included in Cloudflare Radar's top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection."

No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.

What's more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.

The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.

"This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time," Lumen said.

"This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#cisco