Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being **Kiberphant0m**, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from **AT&T** and **Verizon**. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

One of several selfies on the Facebook page of Cameron Wagenius.

**Cameron John Wagenius** was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native **Alicia Roen** — filled in the gaps.

Roen said that prior to her son’s arrest he’d acknowledged being associated with **Connor Riley Moucka**, a.k.a. “**Judische**,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service **Snowflake**.

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.

On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea.

Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.

“I never was aware he was into hacking,” Roen said. “It was definitely a shock to me when we found this stuff out.”

Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.

“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”

Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community **BreachForums** what they claimed were the AT&T call logs for **President-elect** **Donald J. Trump** and for **Vice President Kamala Harris**.

“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”

Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.

On that same day, Kiberphant0m posted what they claimed was the “data schema” from the **U.S. National Security Agency**.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.

Several profile photos visible on the Facebook page of Cameron Wagenius.

November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.

**Allison Nixon,** chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.

“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She said the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals — especially those who are actually living in the United States.

“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.

“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”

The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.

U.S. Army Soldier Arrested in AT&T, Verizon Extortions

SUMMARY: VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence…

****SUMMARY:****

*   **Vulnerability**: CVE-2024-12856 impacts Four-Faith routers (models F3x24 and F3x36), allowing remote code execution.

*   **Exploit Path**: Attackers use the /apply.cgi endpoint to exploit the adj_time_year parameter.

*   **Risk**: Over 15,000 devices with default credentials are at high risk.

*   **Impact**: Exploits enable malware installation, data theft, and network disruption.

*   **Fix**: Update firmware, change default credentials, and use Suricata rules for detection.

VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence of active exploitation in the wild. This, as per the company, is a post-authentication flaw vulnerability that allows attackers to remotely execute commands on vulnerable devices by exploiting a weakness in the router’s system time adjustment functionality.

“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. Censys finds approximately 15,000 internet-facing devices,” VulnCheck researcher Jacob Baines wrote in the blog post shared with Hackread.com.

As per the investigation from the VulnCheck Initial Access team, the attack specifically targets the /apply.cgi endpoint, which allows for system configuration changes. By manipulating the adj\_time\_year parameter (responsible for modifying the router’s system time) within a POST request, attackers can inject malicious commands.

This bypasses authentication as the attack leverages the router’s default credentials. However, this vulnerability should not be confused with CVE-2019-12168 even though both flow through the same apply.cgi endpoint, Baines noted.

In addition, VulnCheck observed exploitation attempts originating from the IP address 178.215.23891. The firmware version’s default credentials could potentially escalate the vulnerability into an unauthenticated and remote OS command execution issue if not altered.

Furthermore, another research blog published in November 2024 also documented the exploitation of this vulnerability, with the observed User-Agent matching the User-Agent VulnCheck observed, although with a different payload, corroborating VulnCheck’s findings.

Successful exploitation allows attackers to execute remote code on a router, install malware, steal sensitive data, disrupt network operations, and use the router as a launch point for further attacks.

To mitigate this threat, VulnCheck has provided a Suricata rule to detect exploitation attempts on the network. This rule monitors HTTP traffic, specifically looking for POST requests to /apply.cgi with the adjust\_sys\_time parameter and suspicious patterns in the adj\_time\_year field.

VulnCheck has also responsibly disclosed this vulnerability to Four-Faith and its customers. Users are advised to contact Four-Faith directly for information on patches, affected models, and firmware versions.

Routers, responsible for directing internet traffic, are often overlooked in security measures, making them easy targets for cybercriminals. The prevalence of default passwords and outdated firmware creates a significant security risk, as they often contain unpatched vulnerabilities. 

Recently, Censys uncovered 14 critical vulnerabilities in DrayTek Vigor routers, including a buffer overflow and OS command injection flaw. Now the discovery of vulnerability in Four-Faith routers further shows the need for improved security measures to protect routers and their users.

1.  **New Botnets Exploit Old D-Link Router for DDoS Attacks**
2.  **Condi DDoS Botnet Targets Vulnerable TP-Link AX21 Routers**
3.  **FBI: Hackers Target Ubiquiti Routers for Data, Botnet Creation**
4.  **ASUS, NordVPN Partner to Integrate VPN Service into Routers**
5.  **6,000 Asus Routers Hacked in 72 Hours by** **TheMoon Malware**

Critical Flaw Exposes Four-Faith Routers to Remote Exploitation

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions,…

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions, use secure downloads, and trust verified tools to enjoy safe, uninterrupted gameplay.

The holiday season is a time of joy for gamers, with more free time to play, exciting events, and in-game promotions. However, this festive period comes with higher risks of cyberattacks than any other period of the year.

Studies by Wowvendor, a company dealing in WoW services, indicate that hackers increase their activity by 50% during the holidays and especially prey on gamers via malware and phishing. This article will detail these risks and give some useful advice on how to enjoy gaming without compromising your account security.

****The Rise of Cyber Threats During Holidays****

The gaming community gets busy during the holidays. Unfortunately, cybercriminals find this an attractive target. The key reasons for increased risks are as follows:

*   **Increased player traffic** – A large consumer base of online gaming creates, in turn, more opportunities for hackers to exploit vulnerabilities.
*   **Attractive holiday promotions** – Many players get tricked into fake giveaways and deals, without knowing it compromises their data security.
*   **Malware in pirated games** – Most of the time, hackers put harmful software inside cracked versions of popular titles.

For instance, cybersecurity companies have informed that the number of phishing emails with “in-game rewards notifications” and “discount offers” have spiked around the times of past holiday seasons. These examples of threats put the importance of vigilance during peak gaming hours deeper into focus.

****Common Cyber Threats to Gamers****

Cyber threats range from gaming cyber attacks and data security incidents to DDoS attacks. This will likely impact some players more and possibly their performance during peak gaming periods. Understanding these dangers can help players stay protected:

****Fake add-ons, mods and Phishing schemes** **

Hacks through counterfeit mods are common in games such as World of Warcraft. Hackers distribute these infected mods using counterfeit mods and give the malware the chance to steal login credentials or infect the device they’re playing on. Additionally, fraudulent links and websites trick people into providing personal information or downloading malicious software.

****DDoS attacks** **

The gaming industry is seeing a lot of DDoS attacks (distributed denial of service attacks), wherein hacker group gets a network of infected devices (botnet) that perform a network DDoS attack to inundate a game server or a group of players with a massive amount of traffic. This overload disrupts the server or network connection and has broken the game so that normal users can’t even get in.

These attacks send many requests and place a heavy load onto the server. Hackers aim at certain players’ IP addresses and try to degrade their connection, or that of the player behind it, to give themselves an in-game advantage. This type of targeted interference disrupts competitive gameplay and can negatively impact a game’s experience for the player.

Additionally, the number of ransomware attacks against gaming accounts has risen as well. They involve locking players out of their accounts and asking for payment to access them. When you are faced with unfamiliar software or links, it’s best to stay awake and alert to risks.

****Best Practices for Secure Gaming****

A large number of cyber attacks on gamers can stem from unauthorized downloads, according to leading cyber security firm Kaspersky. To enjoy your games safely during the holidays, follow these cybersecurity tips:

*   **Download software from official sources** — Do not download games or updates from untrusted websites — they can hide malware.
*   **Use two-factor authentication (2FA)** — It simply gives you extra protection for your gaming accounts.
*   **Verify promotional offers** — Don’t accept offers that are simply too good even to be true. There are always official channels for you to confirm their legitimacy.
*   **Avoid cracked games** — First and foremost pirated games are illegal, and they’re dangerous for security reasons too.

Working with your use of strong, unique passwords across all your accounts, these measures can go a long way toward mitigating your risk of being victimized in this way.

****The Role of Gaming Companies****

Leading gaming companies have stepped up their efforts to combat cyber threats. Their initiatives include:

*   **Enhanced security systems** – AI detecting and blocking unusual activity on gaming networks.
*   **Regular updates and patches** – Time and time again, developers release updates to patch vulnerabilities, and protect players with updates.
*   **Player education** – Many platforms offer users a way of recognizing and preventing scammers.

For instance, World of Warcraft’s creators, Blizzard Entertainment, is constantly monitoring its ecosystem for threats and expelling them while at the same time urging players to use solutions, for example, 2FA. Machine learning has been introduced into other companies, such as Valve and Riot Games, in an attempt to detect possible hacking through in-game behaviours.

****Advanced Cybersecurity Tools for Gamers****

Gamers now have access to cutting-edge cybersecurity solutions tailored to safeguard their online experience:

*   **Gaming-optimized VPNs** – VPN services will make sure that you have safe, encrypted connections while reducing latency and optimizing the routing of the server. It shields against DDoS attacks and keeps the gameplay smooth.
*   **Anti-phishing extensions** – Google Safe Browsing and Microsoft Defender SmartScreen are tools that actively block malicious sites and alert players that a phishing page is attempting to lure them into a trick.
*   **Behavioural analytics and anti-cheat systems** – Dedicated platforms use machine learning to analyze login patterns and in-game behaviour, detecting anomalies like hacking or unauthorized access.
*   **DDoS mitigation services** – Distribution denial-of-service attacks that cause gaming servers to stop working are identified and neutralized by Cloudflare, Akamai Prolexic, and other companies that protect gaming servers so that gamers can continue enjoying online sessions uninterrupted.

With these state-of-the-art tools, gamers will be protected from changing threats, which will protect gaming for the holidays and beyond.

****Stay on the Safe Side****

The holiday season is a wonderful opportunity to connect with your favourite games and communities. While cyber threats do increase during this period, staying informed and adopting secure practices can protect your gaming experience. From using official platforms to enabling two-factor authentication, every step you take helps reduce risks.

Gaming companies are also playing their part by providing services and insights that enhance player safety. By working together and staying alert, gamers can fully embrace the holiday spirit, free from cybersecurity concerns.

1.  What is Blockchain Gaming and its Play-to-Earn Model?
2.  Exploring Data Privacy and Security in B2B Gaming Data
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  Winos4.0 Malware Targeting Windows via Fake Gaming Apps
5.  Gcore Thwarts 500 Million PPS DDoS Attack on Gaming Company

Secure Gaming During the Holidays

Mirai and Keksec botnet variants are exploiting critical vulnerabilities in D-Link routers. Learn about the impact, affected devices, and how to protect yourself from these attacks.

****In This Article, You Will Read About:****

*   **Increased Botnet Activity**: Surge in the activity of new “FICORA” and “CAPSAICIN” botnets, variants of Mirai and Kaiten.

*   **Exploited Vulnerabilities**: Attackers exploit known D-Link router vulnerabilities (e.g., CVE-2015-2051, CVE-2024-33112) to execute malicious commands.

*   **Botnet Capabilities**: Both botnets use shell scripts, target Linux systems, kill malware processes, and conduct DDoS attacks.

*   **Global Impact**: FICORA targeted multiple countries, while CAPSAICIN focused on East Asia, which had intense activity for over two days.

*   **Mitigation Measures**: Regular firmware updates and robust network monitoring are recommended to prevent exploitation.

FortiGuard Labs has observed a surge in the activity of two botnets, “FICORA” and “CAPSAICIN,” in October and November 2024. In its blog post, shared exclusively with Hackread.com, FortiGuard Labs’ Threat Research team explained that these botnets are variants of the well-known Mirai and Kaiten botnets and can execute malicious commands.

Further probing revealed that the distribution of these botnets involves exploiting D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the Home Network Administration Protocol (HNAP) interface. 

These vulnerabilities include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. These CVEs represent specific instances of vulnerabilities within D-Link routers that attackers have exploited. They often involve flaws in how HNAP handles user input and authentication. Attackers use the HNAP interface to deliver the malware, and this weakness was first exposed almost a decade ago.

The affected platforms include D-Link DIR-645 Wired/Wireless Router Rev. Ax, D-Link DIR-806 devices, and D-Link GO-RT-AC750 GORTAC750\_revA\_v101b03 and GO-RT-AC750\_revB\_FWv200b02. According to FortiGuard Labs IPS telemetry, the botnets have a high severity level and are spread through older attacks.

The FICORA botnet is malicious software that targets multiple Linux architectures and encodes its configuration using the ChaCha20 encryption algorithm. Furthermore, its functionalities also include a brute force attack feature, embedding a shell script with hexadecimal ASCII characters to identify and kill other malware processes, and DDoS attack functionalities using protocols like UDP, TCP, and DNS.

This botnet, according to to FortiGuard Labs Threat Research team’s blog post, downloads a shell script named ‘multi’ that uses various methods including wget, ftpget, curl, and tftp to download the actual malware.

Downloader script “multi” using the “curl” command (Via FortiGuard Labs)

The FICORA botnet attack, which targeted many countries worldwide, was triggered by attackers from Netherlands servers. On the other hand, the CAPSAICIN attack, unlike FICORA, was only intensely active over two days between October 21 and 22, 2024, and targeted East Asian countries. 

However, like FICORA it also exhibits diverse functionalities, including downloading a shell script called ‘bins.sh’, targeting multiple Linux architectures, killing known botnet processes, establishing a connection with its C2 server, sending victim host information, and offering DDoS attack functions.

Although the vulnerabilities exploited in this attack have been known for almost a decade, these attacks are still prevalent, which is concerning. Nevertheless, to reduce the risk of D-Link devices being compromised by botnets, it is recommended to regularly update firmware and maintain comprehensive network monitoring.

“FortiGuard Labs discovered that “FICORA” and “CAPSAICIN” spread through this weakness. Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring,” FortiGuard Lab’s researcher Vincent Li concluded.

1.  **Mirai-Inspired Gorilla Botnet Hits 0.3m Targets in 100 Countries**
2.  **OracleIV DDoS Botnet Malware Hits Docker Engine API Instances**
3.  **Androxgh0st Botnet Hits IoT Devices, Exploiting 27 Vulnerabilities**
4.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
5.  **Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks**

FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks

From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.

In 2024, we at Dark Reading covered a variety of attacks, exploits, and, of course, vulnerabilities across the board. Here, we recount 10 emerging threats organizations should be prepared for — as detailed by Dr. Jason Clark in "10 Emerging Vulnerabilities Every Enterprise Should Know," a Dark Reading webinar — as they continuously rise and develop in 2025.

**Zero-Day Exploits**

Zero-days and their increase in volume across the cybersecurity landscape is a particularly concerning trend, as there is no patch for these bugs when they're discovered. Attackers are also able to exploit systems using these vulnerabilities undetected, as safeguards have not been put in place by organizations or enterprises yet.

High-profile zero-day vulnerabilities include Log4Shell, tracked as CVE-2021-44228, a critical RCE bug within Log4j's Java Naming and Directory Interface (JNDI). By exploiting the vulnerability, attackers were able to easily take control of vulnerable systems, a considerable threat as Log4j is used in nearly every Java application.

Other vulnerabilities include PrintNightmare and Proxyshell, both remote execution flaws that were exploited quickly and widely, according to Clark.

"The rise in zero-day exploits is partly driven by just more sophisticated threat actors," Clark said in the Dark Reading webinar. "This can include things like nation-states and also using them in targeted attacks."

Chad Graham, cyber incident response team (CIRT) manager at Critical Start, however, believes that advancements with AI will change the landscape in 2025.

"Both attackers and defenders will rely on AI-driven tools to automate the search for hidden software flaws," Graham says. "This shift will likely result in a more dynamic cybersecurity landscape, where continuous innovation and adaptation become the norm."

**Supply Chain Attacks**

Supply chain attacks remain an active threat and tend toward the severe as their impact cascades on to multiple parties: customers, suppliers, and other third parties. Attackers exploit a trusted resource and ultimately gain access to not just one organization, but multiple. These kinds of threats remain concerning as organizations depend more and more on outsourcing services.

The best known example is the SolarWinds breach, which impacted the SolarWinds Orion system, at the hands of a group known as Nobelium. More than 30,000 organizations — including state and federal agencies — used the Orion network management system, resulting in the backdoor malware compromising thousands of data, network, and systems.

Tracked as CVE-2020-10148 with a CVSS score of 9.8, the authentication bypass bug allowed an unauthenticated attacker to execute API commands. The attackers in question were advanced persistent threat (APT) actors who infiltrated into the SolarWinds’ supply chain to insert a backdoor.

"The complexity of modern supply chains makes it challenging to secure all the dependencies," Clark said in the webinar. "This underscores the need for rigorous third-party risk management."

In the year ahead, Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, believes that there will be a sharpened focus on supply chains and third-party risk management.

"The CrowdStrike incident wasn't just a wake-up call — it was a stark reminder that in our interconnected ecosystem, one weak link can trigger a catastrophic chain reaction," Simberkoff says.

**Remote Work Infrastructure Exploits**

Since 2020 and the COVID-19 pandemic, organizations have leaned into remote and hybrid work offerings, increasing the risk of cybersecurity threats and becoming a significant concern. Attackers focus on vulnerabilities that allow users to engage in remote work such as VPNs, remote desktop protocols (RDPs), and phishing attacks through platforms such as Zoom and Microsoft Teams.

There have been several notable incidents in which VPNs and RDPs were leveraged, allowing threat actors to gain access to enterprise systems and networks. In addition, remote workers are often operating from less secure environments, causing an uptick in phishing attacks as the threat actors try to take advantage of these blind spots.

"The shift to remote work has expanded the overall attack surface, Clark said in the webinar. "Remote workers often need more security controls than those that are working \[onsite\], which can lead to significant vulnerabilities."

Recent examples of vulnerabilities remote and hybrid work vulnerabilities include CVE-2024-38199, a remote code execution vulnerability (RCE) in the Windows or Line Printer Deamon (LPD) Service, and CVE-2024-21433, a Windows Print Spooler elevation of privilege vulnerability.

"Remote work infrastructure will continue to be a prime target for cybercriminals in 2025, with an increase in sophisticated attacks on cloud services, VPNs, and collaboration tools," says Stephen Kowski, field CTO at SlashNext Email Security+. "We'll likely see more AI-powered threats designed to bypass traditional security measures, exploiting vulnerabilities in interconnected devices and home networks."

**Exploitation of AI and Machine Learning Systems**

With the rise of AI and its increasing use amid the public, comes widespread risk of exploitation from attackers. Clark noted of adversarial attacks, data poisoning, and model inversion attacks that are at the forefront of emerging threats for AI and machine learning (ML) systems in particular. 

The nature of some ML systems requires feeding a system information for the best results, the system becoming more familiar with the user over time. When attacks target these systems, it can lead to unauthorized access to sensitive data stored and processed within these tools, as well as incorrect predictions or biased decisions.

"AI models will be key areas of exploitation in 2025," says Rom Carmel, co-founder and CEO at Apono. "As AI and machine learning become integral to identity verification systems, attackers will find ways to poison AI models or bypass them."

AI can also simply be manipulated for malicious ends, as seen when an AI deepfake robocall was created to impersonate US President Joe Biden to encourage individuals not to vote in the New Hampshire's Democratic primary, an event that could have had severe consequences on the US electoral process.

"The threat landscape is evolving with the rapid adoption of AI and ML," Clark said in the webinar. "Attackers increasingly focus on these systems to undermine their reliability and exploit vulnerability."

**Cloud Misconfigurations**

As organizations continue to shift their operations to the cloud, it will continue to emerge as a space for threat actors to thrive, often due to the cloud simply not being set up correctly.

Common examples of threats that circulate within the cloud are publicly accessible S3 buckets, misconfigured security groups in AWS, and exposed databases.

"Cloud misconfigurations can have severe impacts related to data breaches, unauthorized access to critical systems, financial loss, and reputational damage," Clark said. He added that the complexity of these environments is going to increase leading to more frequent configuration errors.

In the past, Amazon and Microsoft cloud environments have exposed customer data, such as viewing habits, names, email addresses, email content, and phone numbers. The leaks aren't due to vulnerabilities but misconfigurations ranging from insecure read-and-write permissions to inaccurate access lists and misconfigured policies.

"To successfully prevent cloud breaches in 2025, companies need to focus on three key areas: visibility, access control, and continuous monitoring," says Jason Soroko, senior fellow at Sectigo. "Cloud environments are dynamic, so your security needs to be dynamic too."

**IoT Device Vulnerabilities**

IoT devices are allowing for emerging threats to thrive, being easy targets for threat actors to exploit, whether it be due to weak default passwords, lack of encryption, or insecure firmware.

Common attacks that IoT devices face are data theft, network breaches, and distributed denial-of-service (DDoS) attacks. A recent example emerged in the Common Unix Printing System (CUPS) for managing printers and print jobs. The series of vulnerabilities, tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 could allow bad actors to stage DDoS attacks within seconds for less than 1 cent while using an available cloud platform.

"Just the sheer volume of connected devices really exacerbates the threat," Clark noted in the webinar. "Securing these devices becomes really challenging due to their diversity and often limited processing power for adding security features."

And as the use of IoT, OT, and 5G networks continues to rise, organizations will need cyber threat intelligence (CTI) to extend beyond traditional IT environments, says Callie Guenther, senior manager, cyber threat research at Critical Start. "This expansion, which will continue throughout 2025, will add complexity to CTI, requiring more granular insights and specific intelligence data."

**Cryptographic Weaknesses**

According to Clark, cryptographic weaknesses continue to pose a significant threat because these kinds of vulnerabilities undermine the foundation of secure communication and data protection. These weaknesses often manifest in one of two ways: flaws in encryption algorithms, or how the algorithms are implemented.

"The rising threat is kind of compounded by the fact that as computational capability advances, that previously secure crypto standard now becomes increasingly more vulnerable," Clark said in the webinar.

He recommended regularly updating cryptographic libraries, and enforcing strong encryption protocols to avoid exploitation attempts like man-in-the middle attacks, data integrity issues, and the exposed sensitive information.

Just recently, Acros Security discovered a vulnerability, similar to CVE-2024-38030, that enables an attack in which a vulnerable device is coerced into sending NTLM hashes, which is the cryptographic version of a user's password, to a threat actor.

"We have never before required from \[cloud service providers\] such granular and detailed information on the type of encryption in use, but customers (government and non-government customers alike) will require this level of detail to ensure their encryption standards are being met," says Philip George, executive technical strategist at InfoSec Global Federal.

**API Security Gaps**

More organizations are relying on APIs to connect systems; however, these APIs are at risk when they have flaws in the design or the implementation of the APIs. Attackers are able to breach systems through unauthorized access, allowing them to manipulate certain restricted actions.

A notable example of this is the exposure of user data through Facebook’s API, though these flaws are also abundant in other sectors such as healthcare or financial services. 

Gaps in API security ultimately serve as a launchpad, often for data breaches which can lead to the loss of sensitive information, unauthorized transactions, reputational damage, and significant financial loss.

"The threat is escalating as API is becoming more prevalent, increasing the number of potential attack surfaces," Clark said. "To mitigate these risks, it's essential to secure your API endpoints, enforce robust authentication mechanisms, and regularly update and audit API access."

A Docusign API was recently used in a wide-scale phishing campaign due to its "API-friendly environment," which is beneficial for businesses but also provides a way for bad actors to conduct malicious operations. The flaw could ultimately could have led to instances of fraud, though there are ways for users to avoid and detect such API abuse.

In the coming year, the cyber landscape will continue to evolve, API being in the forefront of these changes.

"We anticipate a rise in sophisticated API attacks using automation, artificial intelligence, and advanced evasion techniques to exploit vulnerabilities and bypass traditional security measures," says Eric Schwake, director of cybersecurity strategy at Salt Security. "One significant risk will stem from the exploitation of API misconfigurations, which often occur due to the fast pace of development and deployment. This situation will challenge organizations to adopt a more proactive and comprehensive approach to API security."

**Ransomware Evolution**

"We could do a whole webinar on ransomware," Clark said in the webinar, which raises the question: Can ransomware even be considered an emerging threat? 

The answer is yes, though ransomware attacks have become one of the most disruptive and costly cyberattacks out there largely due to their rapid evolution.

One of the most notable ransomware attacks occurred on Colonial Pipeline, which shut down its entire operations for the first time, leading to fuel shortages and four states on the East Coast declaring a state of emergency. The ransomware attack prompted action from national security and the executive branch and forced a reevaluation of the nation's critical infrastructure security.

Threat actors know they can win big when demanding ransoms from organizations, such as those in the healthcare sector, which will pay these high prices in order to help patients in need.

"As these attacks are becoming more targeted and, frankly, aggressive, it's crucial to start to implement backup strategies that are robust, strengthen your overall incident response plans, and continuously educate your employees on recognizing and avoiding things like phishing attempts that can often serve as an entry point for ransomware," Clark said in the webinar.

Backups may not always be an option, according to Brandon Williams, chief technology officer at Conversant Group.

"Some threat actors have moved to deleting data as part of their normal motions," he says. "If this gains traction in 2025, organizations will not have a method to recover by simply paying a ransom and hoping to get a working decryption tool. The only method of recovery will be backups; however, data shows that backups do not typically survive these breaches."

**5G Network Vulnerabilities**

5G networks are being rapidly deployed, and with them come threat actors' awareness and exploitation of its vulnerabilities. Attackers are increasingly able to target 5G infrastructure with ease, and these open the door for even bigger threats such as large-scale DDoS attacks, unauthorized data access, and disruption of our critical services.

"As we consider the rising threat, the global rollout of 5G brings an increasing number of connected devices," Clark said in the webinar. "The rising number amplifies their attack risk, particularly given their reliance on cloud-native infrastructures."

At Black Hat 2024 in Las Vegas, seven Penn State University researchers detailed how mobile devices are at risk of data theft and denial of service due to 5G technology vulnerabilities. Threat actors use these resources simply by providing someone with an Internet connection, allowing easy access to spying, phishing, and more. 

"Vulnerabilities such as lack of initial broadcast message authentication, spectrum slicing, silent downgrade, and unsecured DNS paging currently affect 5G networks," says Mayuresh Dani, manager, security research, at Qualys Threat Research Unit. "In the year to come, these will continue affecting 5G networks and vulnerabilities in unsecured base stations will multiply snooping attacks."

Emerging Threats &amp; Vulnerabilities to Prepare for in 2025

As organizations on the continent expand their use of digital technologies, they increasingly face many of the same threats that entities in other regions have had to deal with for years.

Source: Golden Dayz via Shutterstock

Rising Internet adoption and digital transformation initiatives are exposing organizations in Africa to a growing range of cyber threats.

One manifestation of the trend is a steady increase in distributed denial-of-service (DDoS) attacks on organizations in a handful of North African countries — which also happen to be the ones with the highest Internet penetration rates in the region.

**Surge in DDoS Activity**

A recent analysis of threat activity data during the first half of 2024 by Netscout showed a 30% increase in DDoS attacks in the Middle East and Africa overall compared with the previous quarter. Countries that experienced the largest growth in DDoS attacks included Algeria, Morocco, Tunisia, and Egypt.

Morocco, which has a 90% Internet penetration rate, reported 61,000 DDoS attacks during the first half of 2024, which was the highest number of DDoS attacks in the region during the period. A plurality of the attacks — 16,461 — targeted wireless telecom producers in the region; more than 6,000 were directed at wired telecom companies; and the rest affected organizations across multiple industry sectors.

Organizations in Egypt, another country in the region with a high Internet penetration rate, collectively experienced some 45,108 DDoS attacks in the first half of the year, with wired telecom carriers being the most frequently targeted entities, followed by wireless carriers and educational institutions. Netscout found some of the highest bandwidth attacks during the time period in Egypt, with the biggest one clocking in at a hefty 332.96 Gbit/s.

Related:China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking

The story with Tunisia, which experienced 4,511 DDoS attacks in the first six months, was similar in terms of victimology: most victims were wired or wireless telecom providers. However, Netscout found threat actors deploying a larger number of DDoS attacks against Tunisian organizations than organizations in other countries. The largest such attack type involved a startling 27 vectors, including Apple Remote Management Service, Connection-less Lightweight Directory Access Protocol (CLDAP) , Constrained Application Protocol (COAP), and Domain Name System (DNS) amplification techniques for significantly increasing the power of an attack.

**Geopolitical Tensions, "Online-Ness" Drive Cyber Activity**

"These attacks can be attributed in part to businesses in countries such as Morocco, Tunisia, Egypt, Libya, and Algeria increasing their online presence over the past year," says Richard Hummel, director of threat intelligence at Netscout. "While digital transformation is generally a cause for celebration, unfortunately, it also means that more devices and services can be disrupted by attacks."

Related:'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

A larger attack surface, however, is not the only reason for the increased DDoS activity in Africa and the Middle East, Hummel says. "Geopolitical tensions in these regions are also fueling a surge in hacktivist activity as real-world political disputes spill over into the digital world," he says. "Unfortunately, hacktivists often target critical infrastructure like government services, utilities, and banks to cause maximum disruption."

And DDoS attacks are by no means the only manifestation of the new threats that organizations in Africa are having to contend with as they broaden their digital footprint.

**Growing Cyber-Espionage, Cybercrime Risks**

The Africa Center for Strategic Studies in a recent report assessed that the increasing spread of IT, communications, and related technologies in the region is rapidly amplifying and altering threats against organizations — and raising national security challenges in the process. The center, which is a US Department of Defense institution, expects that over the next few years organizations in Africa will have to contend with a many of the same cyber threats that entities in other regions of the world have had to contend with for years.

Related:IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

One of them is cyber espionage. "Cyberspace has fundamentally changed the methods and means through which states gather information on one another and their citizens," the Africa Center report noted. "Though the most significant cyberespionage concerns in Africa have centered around China, espionage and surveillance capabilities are rapidly diffusing across the continent."

Attacks on critical infrastructure and financially motived attacks by organized crime are other looming concerns. In the center's assessment, Africa's government networks and networks belonging to the military, banking, and telecom sectors are all vulnerable to disruptive cyberattacks. Exacerbating the concern is the relatively high potential for cyber incidents resulting from negligence and accidents.

Organized crime gangs — the scourge of organizations in the US, Europe, and other parts of the world, present an emerging threat to organizations in Africa, the Center has assessed.  "Growing internet penetration rates in Africa has both led to new kinds of cyber-dependent criminal activities, such as business email compromise or romance scams, as well transformed the financing and market dynamics of more traditional organized crime networks." Supply chain attacks are another major and emerging concern, especially given the high reliance on foreign suppliers among organizations in Africa.

Agnidipta Sarkar, vice president and CISO advisory at ColorToken, says organizations in Africa are going to come under growing pressure to implement defenses against new cyber threats, even as they embark on their digital transformation journey.

"The ability to continue business operations, despite cyberattacks, will encourage investments in the region," he predicts. "Effectively reporting breaches will emerge as a highly sought-after capability for CISOs, especially \[for\] those who can."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DDoS Attacks Surge as Africa Expands Its Digital Footprint

Fintech thrives on innovation, but cybersecurity requires a proactive approach. AI, predictive intelligence, and tailored strategies safeguard against…

Fintech thrives on innovation, but cybersecurity requires a proactive approach. AI, predictive intelligence, and tailored strategies safeguard against risks, ensuring trust, resilience, and growth.

Let’s be honest, there are moments when the fintech industry seems like the Wild West. Risk is rising along with innovation. We’re creating amazing things like smooth mobile payments, blazing-fast cryptocurrency transactions, and AI-powered lending systems. Still, hackers are just as creative and are always using new methods to take advantage of weaknesses.

Furthermore, reactive cybersecurity, which involves rushing to address issues after they arise, is just insufficient in this digital gold rush. Riding a bucking bronco and attempting to herd cats is like that. Even while you may capture a few, most will undoubtedly escape, leaving you pummeled and injured.

“In the fintech world, reactive cybersecurity is like trying to outrun a wildfire with a garden hose,” says Maksym Ishchenko, Founder/CEO of Azerux. “It’s simply not sustainable. Proactive security is about building a firebreak preventing the fire from ever starting in the first place.”

****The High Cost of Playing Catch-Up****

Remember Equifax? The significant data breach in 2017 was an avoidable failure brought on by a known vulnerability that was not fixed, not an unanticipated act of God. The outcome was billions in penalties, legal action, and a permanently damaged reputation.

The list of businesses hampered by reactive security measures is endless and includes Target, Yahoo, and Marriott. The absence of aggressive defences drove these titans to their knees; they were not little players.

These breaches have consequences that go beyond financial ones. It has to do with trust. It’s very hard to get back once that’s gone. Investors pause, customers go away, and regulatory scrutiny increases. This vicious loop has the potential to swiftly derail even the most promising fintech endeavors.

“It’s a fundamental shift in mindset,” says Azerux CEO. “We’re not just talking about technology; we’re talking about building a culture of proactive security. It’s about anticipating problems before they arise, and that requires more than just software.”

****Azerux: Building a Fortress, Not Patching Holes****

Azerux gets it. By offering complete, individualized cybersecurity solutions designed to prevent, not just respond to, cybersecurity threats, they specialize in building that stronghold. Their emphasis on preventing DDoS attacks is especially important for finance since a single, well-planned assault has the potential to knock down a whole business.

How do they do it? It’s not a magic bullet, but a multi-layered strategy:

*   **Predictive threat intelligence**: Azerux uses sophisticated threat intelligence to foresee assaults rather than passively waiting for them to occur. Imagine having a spy network that continuously scans the digital underworld to spot new dangers and weaknesses before they ever propagate.

*   **AI-powered threat detection**: Forget clunky, outdated antivirus software. Azerux uses artificial intelligence (AI) to evaluate vast volumes of data in real-time, spotting suspicious patterns and minute irregularities that conventional systems often miss. This makes it possible to identify and react to even the most complex threats quickly. It’s similar to having a highly skilled security guard who can identify problems before they become serious crises.

*   **Multi-layered DDoS mitigation**: Azerux doesn’t rely on a single solution to protect against DDoS attacks. To successfully neutralize assaults of any size, they use a layered defense that combines application-level security, sophisticated filtering algorithms, and automated response systems. Massive volumes of harmful traffic may be absorbed by them, protecting genuine users in the process. It is very difficult for attackers to get past the defenses, much like having many overlapping security checkpoints.

*   **Customized security architectures**: Azerux recognizes that one size doesn’t fit all. They provide a custom-fit security solution that tackles vulnerabilities particular to their operations by customizing their solutions to each client’s demands and risk profile. It’s comparable to creating a custom suit of armor, offering optimal defense where it’s most required.

*   **Expert support & training**: Azerux offers more than simply technology; they also provide knowledge. Working directly with customers, their team of seasoned cybersecurity experts offers continuing assistance, instruction, and direction to guarantee that security procedures are successfully put into place and kept up to date. 

****Beyond the Technology: A Culture of Proactive Security****

Azerux’s strategy focuses on creating a culture of security rather than simply technology. This includes thorough training for staff members on optimal security procedures and phishing awareness, which helps lower the possibility of human error, a startlingly frequent source of breaches.

“Proactive cyber security is a marathon, not a sprint,” adds Ishchenko. “It requires constant vigilance, adaptation, and a commitment to continuous improvement.”

Reactive security is a risk you cannot afford in the high-stakes, fast-paced world of fintech. The cost of a single major breach, financial losses, reputational damage, legal battles; far outweighs the investment in a proactive approach. One sturdy castle at a time, businesses like Azerux are constructing the financial security of the future.

1.  **Fortifying FinTech: Building Resilient APIs for Security**
2.  **Biggest Crypto Scam Tactics in 2024 and How to Avoid Them**
3.  **Navigating the Complex World of Capital Markets with Technology**
4.  **Digital Transformation in the Financial Industry: The Role of Fintech**
5.  **Role of Blockchain, Smart Contracts in Securing Digital Transactions**

The Fintech Wild West: Why Preventive Cybersecurity Is Essential for Survival

Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale.

Source: Skorzewiak via Alamy Stock Photo

It's been more than a year since the conflict between Hamas and Israel began, and the cyber battle between the two entities rages on, involving a variety of perpetrators and using playbooks of other global conflicts.

Here are some of the top developments over the duration of this cyberwar and what we can expect to see in 2025.

**Beginning Stages**

Soon after Hamas launched its strikes against Israel, more than a dozen threat groups declared their intent to begin cyberattacks against Palestine, Israel, and their respective supporters. Some of these groups include Killnet, Anonymous Sudan, Team insane, Mysterious Team Bangladesh, and Indian Cyber Force.

In the initial days, the first cyberattack victims were the Jerusalem Post at the hands of Anonymous Sudan, and the Tel Aviv Sourasky Medical Center, which was attacked by Sylhet Gang, ultimately leading to operational disruption.

As the cyberattacks continued, Krypton network offered to sell its distributed denial-of-service (DDoS) capabilities to hacktivists interested in targeting Israeli organizations. But attacks flew from the other side as well when ThreatSec reportedly attacked AlfaNet, a Palestinian Internet service provider, causing the company's servers to shut down and gaining control of more than 5,000 servers in Gaza in the process.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Then, in its first post on X, Predatory Sparrow, a pro-Israeli hacktivist group, reappeared on the scene. 

The group said to its followers, "You think this is scary? We're back. We hope you're following the events in Gaza" — and included a link to a report on the US sending fighter planes and warships to support Israel.

**Cyberwar on a Global Scale**

Roughly a month after the conflict began, FBI Director Christopher Wray warned that the war in the Middle East raised the threat of cyberattacks against the US, citing an increase in attacks on US military bases overseas, anticipating both physical and cyberattacks.

The FBI once more issued warnings, this time regarding cybercriminals masquerading as fundraisers and charities, reaching out to individuals via email, social media, phone calls, and crowdfunding websites, all to convince victims that their cryptocurrency funds would go to Israeli or Palestinian victims. A Netcraft report traced $1.6 million of crypto to these fake accounts, a grand show of their influence.

By the end of 2023, Israeli company CyTaka hired a network of cyber hackers from around the world to counter anti-Israel online activity, while cyberattackers known as Gaza Cybergang used a variation of the Pierogi++ backdoor malware against both Palestinian and Israeli targets.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**A Year in Review**

This past year began with Turkish hacktivists projecting political, violent messages about the conflict between Israel and Gaza at a highly frequented movie theater in Tel Aviv. 

In July, an Israeli army chief reported thwarting some 3 billion cyberattacks since the conflict began. Cyberattacks against the Israeli Defense Forces (IDF) included targeting operation systems necessary for the military's functioning, though details were not provided on the nature of the attacks.

Then in October, security firm ESET reported a "security incident" affecting its partner company in Israel. It cited a malicious email campaign that was blocked and ultimately denied any true compromise over its systems. 

Just last month, "Wirte," an advanced persistent threat (APT) supporting Hamas and its agenda, was reported to be conducting espionage against governments in the Middle East and wiper attacks against Israel. The APT uses phishing attacks containing documents, legitimate resources, and malware, sometimes using the IronWind loader, which employs a multistage infection chain to drop its malicious payload.

**Next on the Horizon**

Observers and industry experts expect more of the same in 2025. The conflict has intensified cyber threats, with state-sponsored actors and hacktivist groups continuing to exploit global tensions.

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

"We can expect an escalation in sophisticated phishing campaigns, disinformation efforts, and attacks on critical infrastructure," said Stephen Kowski, field CTO at SlashNext Email Security+, in an emailed statement to Dark Reading. "Organizations should prioritize real-time threat intelligence and advanced AI-powered detection systems to stay ahead of evolving tactics."

In addition, he recommended that organizations prepare themselves with robust employee training and implement multilayered security measures to mitigate against future attacks.

"\[This\] will be crucial in defending against the anticipated surge in social engineering and targeted malware attacks," Kowski added.

John Bambenek, president of Bambenek Consulting, offered a different take. "At this point, with the loses endured by Hamas, they are more focused on survival and have significantly reduced capabilities even in the cyber realm," Bambenek said in an emailed statement to Dark Reading.

In 2025, he believes attention should be focused on Iran, a country that has been a major power player in this conflict.

"If recent reports are true and Israel is considering military strikes in the short term against Iran, that likely could easily escalate into a 'weapons-free' mindset with cyberattacks," he said. "Recent research by Team82 indicates the Iranian government has already decided to field test and preplace capability to launch ICS/OT attacks broadly, should such an escalation occur and those attacks likely will include the US and Europe."

Middle East Cyberwar Rages On, With No End in Sight

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Welcome to the party, pal!

Cybercriminals are using advanced techniques to target executives with mobile-specific phishing attacks.

****KEY SUMMARY POINTS****

*   **Targeted Attacks:** Sophisticated spear phishing campaigns are increasingly targeting corporate executives via mobile devices, using social engineering tactics.

*   **Exploitation of Trust:** Attackers mimic legitimate services like DocuSign and Google, leveraging urgency and credibility to deceive victims.

*   **Advanced Techniques:** Campaigns use CAPTCHAs, mobile-specific fake login pages, and compromised domains to bypass detection mechanisms.

*   **Infrastructure Abuse:** Attackers utilize platforms like Cloudflare for SSL encryption and DDoS protection, complicating detection efforts.

*   **Proactive Defense:** Regular employee training, advanced mobile device management (MDM) solutions, and automated incident response platforms are critical to mitigating these threats.

Mobile devices have become a prime target for sophisticated phishing attacks, particularly those aimed at corporate executives. These targeted attacks, known as spear phishing, leverage social engineering tactics to steal valuable credentials and gain access to sensitive information.

The Phishing and Data Analytics Team at Zimperium uncovered a recent spear phishing campaign targeting executives. The attack involves using a mimicked legitimate DocuSign document requiring immediate review, a common tactic that exploits urgency and authority.

Spear phishing is a popular attack vector against corporate executives, compromising high-value credentials that grant access to sensitive data and systems. The attack begins with a seemingly innocent link disguised as a DocuSign document. The link used a legitimate domain (clickmethryvcom) to mask its origin, and once clicked initiates a series of redirects. First, it redirects to a compromised university website, leveraging its credibility to bypass detection. 

Screenshot of the DocuSign phishing email and the university’s landing page (Via Zimperium)

Researchers noted that attackers have used CAPTCHAs to prevent automated detection and implemented mobile-specific targeting. Moreover, if the link is accessed via a mobile device, the attack presents a fake Google sign-in page to steal credentials whereas desktops are redirected to legitimate Google sites. Another observation is that the phishing site (diitalwaveru) and its SSL certificate were created just days before the attack, highlighting the attackers’ focus on rapid deployment.

Further probing as per Zimperium’s blog post, revealed that the attackers had utilized Cloudflare’s infrastructure for DDoS protection, SSL encryption, and fast content delivery, making it harder to detect. And, in addition to email-based attacks, the campaign also used PDF documents containing embedded phishing URLs. These PDFs mimicked legitimate DocuSign workflows, bypassing traditional URL scanning and exploiting trust in business documents.

The incident highlights the evolving nature of mobile phishing attacks, with attackers investing heavily in infrastructure to bypass security controls, targeting mobile devices often overlooked in security strategies, and exploiting compromised domains for credibility. 

Therefore, it has become essential to conduct regular security awareness training programs to educate employees about the latest phishing tactics and best practices for identifying and avoiding such attacks. Organizations must also deploy advanced Mobile Device Management (MDM) solutions to enforce security policies, such as password complexity, screen lock timeouts, and remote wipe capabilities.

Mika Aalto, Co-Founder and CEO at Hoxhunt weighed in on the situation emphasizing the importance of proactive training for employees and management to identify and report phishing attacks, as technical tools alone may not catch all threats.

_“_The most important thing that companies can do is to shift left and equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing (mishing) attack. We can hope that technical filters and endpoint detection and response technologies quickly develop to be able to pick up these highly obfuscated, native code-based Malware attacks and pinpoint irregular signals and traffic,_“_ said Mika.

_“_Ultimately, it comes down to people. Attackers will launch a complex attack with what might just be a simple phishing message. It’s up to people to be able to listen to that little voice in their head that is telling them that something is wrong and report suspicious messages as a matter of habit. From there, you want to have a platform that will automatically categorize and escalate their reports to the SOC for accelerated response,_“_ he explained.

1.  99% of UAE’s .ae Domains Exposed to Phishing and Spoofing
2.  Scammers Exploit Fake Domains in Dubai Police Phishing Scams
3.  Ongoing Phishing Attack Targets Employees Across 12 Industries
4.  Rockstar 2FA Phishing-as-a-Service Kit Hits Microsoft 365 Accounts
5.  Xiū gǒu Phishing Kit Hits UK, US, Japan, Australia Across Key Sectors

Tag

#ddos