All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

Source: sofiacorte via Shutterstock

It turns out that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS) for managing printers and print jobs.

The vulnerabilities apparently also enable adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less of than 1 cent, using any modern cloud platform.

**Large Number of Potential DDoS Attack Systems**

Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.

"Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario," researchers at Akamai said this week after discovering the new attack vector.

CUPS is an Internet Printing Protocol (IPP)-based open source printing system for Unix-like operating systems, including Linux and macOS. It provides a standard way for computers to manage printers and print jobs.

Independent security researcher Simone Margaritelli last week disclosed a serious flaw in CUPS that could allow an attacker to remotely execute malicious commands by manipulating URLs using a combination of four different vulnerabilities. The vulnerabilities are CVE-2024-47176 in "cups-browsed," a component for simplifying printer discovery and management in a network; CVE-2024-47076 in the "libcupsfilters" software library; CVE-2024-47175 in the "libppd" library; and CVE-2024-47177 in the "cups-filters" package.

Margaritelli described the vulnerabilities as affecting most GNU/Linux distributions, some BSDs, Oracle Solaris, potentially Google Chrome OS and Chromium, and other operating systems. "The short version of this exploit is that certain configurations of cups-browsed as well as associated CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system" and potentially gain control of it, open source and software bill of materials management vendor Fossa said in an analysis.

**All It Takes is a Single Packet**

Margaritelli's research focused on how attackers could leverage the vulnerabilities to take control of CUPS hosts. What Akamai discovered is that a threat actor could also use them for DDoS attacks. "The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added," Akamai said. "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target." Akamai found that all it takes for someone to launch an attack is to send a single maliciously crafted packet to a vulnerable CUPS service with Internet connectivity.

Kyle Lefton, security researcher at Akamai, says that while the previously reported RCE exploit is more dangerous, the DDoS vulnerability is much easier for a threat actor to exploit. "It is likely that organizations may start seeing attacks leveraging this vulnerability, which causes issues for not just the targets of these DDoS attacks, but those running the vulnerable CUPS servers as well," he says. "The key takeaway here is to stress the importance of patching outdated CUPS systems, or applying other mitigation techniques, such as removing CUPS if deemed unnecessary, or applying firewall rules for UDP port 631 and keeping them from accessing the public Internet."

Akamai researchers discovered a total of 198,000 vulnerable CUPS hosts that are Internet accessible. Of those, 34%, or more than 58,000, are vulnerable to corralling for DDoS attacks. Akamai found that a threat actor could get these systems to start spewing out attack traffic by using a simple script to send a single malicious UDP packet to a vulnerable CUPS host. They found they could substantially amplify attack traffic volumes by padding — or adding extra and often irrelevant characters or data — to the URL payload.

Larry Cashdollar, principal security researcher at Akamai, says the vulnerability of a CUPS host to the DDoS attack really depends on its configuration. "It's possible that network administrators might have additional firewalls in place to block outbound traffic from the printers or that system administrators have done their hardening of the printer servers," on the other vulnerable hosts, Cashdollar says.

**Strain on Server Hardware**

Troublingly, although organizations running vulnerable CUPS systems may not be the target of DDoS attacks, the attacks themselves can put strain on the server hardware, Lefton adds. "We confirmed that some of these CUPS systems complete TLS handshakes to HTTPS protected websites, which creates further strain on server hardware and resource consumption overhead due to the handshake and encryption/decryption processing."

DDoS attacks, though well understood, continue to present a challenge for many organizations. Though many companies have implemented robust measures for protecting against DDoS attacks and mitigating fallout, the number of these attacks have only increased. Recent numbers from Cloudflare showed a 20% year-over-year increase in DDoS attacks; the company said it mitigated 8.5 million DDoS attacks just in the first six months of this year. Cloudflare attributed the trend at least partly to more threat actors gaining access to capabilities that once were available only to nation-state actors, thanks to the rise in generative AI (GenAI) tools and autopilot systems for writing attack code better and faster.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai,…

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai, can be exploited for additional malicious purposes, including RCE and DDoS attacks against the Common Unix Printing System (CUPS).

Hackread.com recently **reported** a critical Linux vulnerability, discovered by cybersecurity researcher Simone Margaritelli (aka **evilsocket**), which could allow attackers to gain complete control of GNU/Linux systems, potentially allowing Linux Remote code execution. This decade-old flaw affects all GNU/Linux systems and has a severity score of 9.9 out of 10, indicating immense potential for damage if exploited. 

As per the latest updates, new findings from Cloud computing giant, Akamai, and cybersecurity firm, Uptycs, highlight an even more immediate concern: exploiting the issue for devastating DDoS attacks and carrying out remote code execution (RCE) in Linux.

****Uptycs Research****

Uptycs threat research team **identified** vulnerabilities in CUPS (Common UNIX Printing System), which can be exploited to install malicious printers and execute unauthenticated remote code execution attacks. CUPS is a widely used open-source printing system for Linux and Unix-like operating systems, allowing users to share printers on a network and manage printing jobs. 

The vulnerability resides in the cups-browsed daemon, a component that searches for available network printers. An attacker can exploit this flaw by sending a malicious packet to a vulnerable CUPS service. This packet tricks the service into fetching a non-existent printer description file from a target server specified by the attacker.

According to researchers, attackers can create a malicious PPD file and send it to a vulnerable CUPS server, requiring the cups-browsed daemon to be enabled, UDP port 631 open, and the victim to print to the malicious printer.

****Akamai Research****

Researchers at Akamai SIRT (Security Incident Response Team) also discovered a flaw that allows attackers to exploit vulnerable CUPS servers and turn them into unwitting amplifiers for distributed- denial-of-service (DDoS) attacks, allowing attackers to exploit vulnerable servers and turn them into unwitting DDoS hosts.

According to the company’s **blog post** published on October 01, 2024, the attack involves misinterpreting a UDP packet, downloading malicious data, and establishing multiple TCP connections to a target system, potentially causing an outage. 

****The Scope of the Problem:****

*   Akamai identified over 198,000 internet-connected devices running CUPS.
*   Roughly 34% (over 58,000) of these devices were vulnerable to the attack.
*   Outdated CUPS versions (released as far back as 2007) were the most susceptible.
*   Testing revealed potential amplification factors of up to 600x, significantly increasing attack power.

The issues discussed in these reports are directly related to the Linux vulnerability discovered by Margaritelli because his identified vulnerability involves a remote code execution exploit chain that targets the Common Unix Printing System (CUPS).

This exploit chain leverages several vulnerabilities, including **CVE-2024-47175** (libppd), **CVE-2024-47176** (cups-browsed), **CVE-2024-47177** (cups-filters), and **CVE-2024-47076** (libcupsfilters).

To stay protected, install the latest version of CUPS and ensure all system components, such as libcupsfilters, libppd, and cups-filters, are updated. Disable or configure cups-browsed daemon, if printing isn’t essential, or restrict access to it to trusted devices. Strengthen network security with firewalls, intrusion detection systems, and IPS, and regularly review and update security policies.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**
5.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**

Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

AFP news agency suffers a cyberattack disrupting its content delivery systems. News coverage continues as experts investigate, with…

AFP news agency suffers a cyberattack disrupting its content delivery systems. News coverage continues as experts investigate, with AFP urging partners to secure credentials and mitigate risks.

Agence France-Presse (AFP), one of the world’s leading news agencies, suffered a cyberattack that disrupted parts of its news delivery infrastructure. The attack, which took place on September 27, impacted AFP’s ability to distribute content to some of its clients. However, the agency assures that its core news reporting remains uninterrupted.

****The Cyberattack and Immediate Response****

The attack specifically targeted AFP’s IT systems, affecting some of the key delivery mechanisms that the agency uses to transmit content to its clients, including content delivery networks (CDNs) and file transfer services. Although the exact type of attack and the threat actors behind it remain unidentified, AFP said it has taken quick actions to restore full services.

According to AFP’s press release, French cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) was called in to aid in mitigating the impacts and securing the systems.

AFP’s technical teams have also identified that FTP credentials used by some clients to receive content might have been compromised during the incident. To address this, AFP has issued a cautionary alert to its partners, advising them to change their FTP passwords and ensure their reception systems are fully secure.

****Global News Coverage Remains Unaffected****

Despite the disruptions, AFP has made it clear that its editorial teams are operating without interruptions. The agency’s newsroom continues to report global events in multiple languages, including French, English, Arabic, and Spanish, ensuring the flow of news is not compromised. The incident specifically targets backend operations used for distribution rather than production, meaning AFP’s ability to gather and report news has not been impacted.

At this time, no group has claimed responsibility for the attack. However, France has experienced a series of high-profile cyberattacks throughout 2024, targeting healthcare providers to government services. This latest attack on AFP adds to a growing list of concerns regarding the online safety of French critical infrastructure, particularly in sensitive sectors like media.

1.  **FOX News Exposed 13 Million Sensitive Records Online**
2.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
3.  **France’s largest newspaper exposed 8TB of data, 7.4B records**
4.  **France Weather Forecast Website Hacked By Anti-War Hackers**
5.  **Hackers Leak 221K User Data in Tech in Asia News Outlet Breach**

AFP News Agency’s Content Delivery Systems Hit by Cyberattack

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.
This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.
The attacks

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.

This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.

The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH.

Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab.

On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan\[.\]live") that, in turn, checks if it's running as the root user and tools like curl and wget are installed before downloading the XMRig miner.

Like other cryptojacking campaigns, it makes use of the libprocesshider rootkit to hide the malicious miner process from the user when running process enumerating tools like top and ps.

The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread\_docker\_local.sh, and spread\_ssh.sh – from the same server for lateral movement to Docker, Kubernetes, and SSH endpoints on the network.

Spread\_docker\_local.sh "uses masscan and zgrab to scan the same LAN ranges \[...\] for nodes with ports 2375, 2376, 2377, 4244, and 4243 open," the researchers said. "These ports are associated with either Docker Engine or Docker Swarm."

"For any IPs discovered with the target ports open, the malware attempts to spawn a new container with the name alpine. This container is based on an image named upspin, hosted on Docker Hub by the user nmlmweb3."

The upspin image is designed to execute the aforementioned init.sh script, thus allowing the group's malware to propagate in a worm-like fashion to other Docker hosts.

What's more, the Docker image tag that's used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, thereby allowing the threat actors to easily recover from potential takedowns by simply changing the file contents to point to a different container image.

The third shell script, spread\_ssh.sh, is capable of compromising SSH servers, as well as adding an SSH key and a new user named ftp that enables the threat actors to remotely connect to the hosts and maintain persistent access.

It also searches for various credential files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba in hard-coded file paths within the GitHub Codespaces environment (i.e., the "/home/codespace/" directory), and if found, uploads them to the C2 server.

In the final stage, both the Kubernetes and SSH lateral movement payloads execute another shell script called setup\_mr.sh that retrieves and launches the cryptocurrency miner.

Datadog said it also discovered three other scripts hosted on the C2 server -

*   ar.sh, a variant of init.sh that modifies iptables rules and clears logs and cron jobs to evade detection
*   TDGINIT.sh, which downloads scanning tools and drops a malicious container on each identified Docker host
*   pdflushs.sh, which installs a persistent backdoor by appending a threat-actor-controlled SSH key to the /root/.ssh/authorized\_keys file

TDGINIT.sh is also notable for its manipulation of Docker Swarm by forcing the host to leave any existing Swarm it may be part of and add it to a new Swarm under the attacker's control.

"This allows the threat actor to expand their control over multiple Docker instances in a coordinated fashion, effectively turning compromised systems into a botnet for further exploitation," the researchers said.

It's currently not clear who is behind the attack campaign, although the tactics, techniques, and procedures exhibited overlap with those of a known threat group known as TeamTNT.

"This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale," Datadog said.

"The campaign relies on Docker API endpoints being exposed to the Internet without authentication. The malware's ability to propagate rapidly means that even if the chances of initial access are relatively slim, the rewards are high enough to keep cloud-focused malware groups motivated enough to continue conducting these attacks."

The development comes as Elastic Security Labs shed light on a sophisticated Linux malware campaign targeting vulnerable Apache servers to establish persistence via GSocket and deploy malware families such as Kaiji and RUDEDEVIL (aka Lucifer) that facilitate distributed denial-of-service (DDoS) and cryptocurrency mining, respectively.

"The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels," researchers Remco Sprooten and Ruben Groenewoud said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

Hacktivism-related DDoS attacks have risen 70% in the region, most often targeting the public sector, while stolen data and access offers dominate the Dark Web.

Source: Bernhard Klar via Alamy Stock Photo

Cyberattackers and hacktivists are increasingly targeting the United Arab Emirates, the Kingdom of Saudi Arabia, and other nations in the Gulf Cooperative Council (GCC) region. The region is likely a favored target because it's a hub for commerce and trade, full of rich economies; and because of regional nations' stance on certain geopolitical issues.

That's according to 18 months of Dark Web data compiled by Moscow-based threat research firm Positive Technologies. The report stated that the first half of the year, the number of distributed denial-of-service (DDoS) attacks in the region rose 70%, compared with the same period in the previous year.

Hacktivists use forums as both a way to call like-minded hackers to action and to publish evidence of their success against specific targets, says Anastasiya Chursina, a threat analyst with Positive Technologies.

"We believe that this trend may continue and the number of attacks carried out by hacktivists will go up," she says. "At the same time, the level of other attacks will increase, which will entail an increase in the number of risks and negative consequences for companies in the region."

Both Saudi Arabia and the UAE topped the chart of targeted nations in a March analysis of two years of attacks in the region. The UAE alone faces an average of 50,000 cyberattacks every day, the head of cybersecurity for the UAE government said earlier this year, while the country also has a rapidly growing attack surface.

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

More attacks are also being publicly disclosed: In July, pro-Palestinian hacktivist group BlackMeta targeted a bank in the United Arab Emirates with a DoS campaign that lasted more than 100 hours over six days. And in April, Saudi Arabia was added to the list of organizations targeted by the suspected China-linked group Solar Spider.

**More Cyber Threat Actors Coming Online?**

The increase of DoS attacks — rather than Web defacements or system breaches — may indicate an influx of new threat actors. The attackers' tactics of choice depend upon their skills and knowledge, and DDoS attacks can be accomplished by novice hackers, says Positive Technologies' Chursina.

"The main goal of hacktivists is to draw public attention to certain political, social, and religious issues," she says. "DDoS attacks are the most popular, as they do not require high professional knowledge and resources, and they can be performed by any novice hacker."

Positive Technologies' trove of forum posts and text messages totals 277 million items from 380 Telegram channels and Dark Web forums. For its GCC report, the company focused on six major nations in the region: the UAE, Saudi Arabia, Bahrain, Oman, Qatar, and Kuwait.

Related:Phishing Espionage Attack Targets US-Taiwan Defense Conference

Nearly two-thirds of discussions between GCC cyberthreat actors focus on the UAE and Saudi Arabia. Source: Positive Technologies

Stolen data and illicit access accounted for the topic of more than half (54%) of the posts, with the vast majority of of users selling or buying access. These posts focused on five sectors: trade, services, manufacturing, IT, and government agencies.

About 12% of the posts included a call to action for hacktivism or evidence of a successful hacktivist attack, according to the report. About 9% of hacktivist posts also advertised free credentials for use in attacks.

"Access giveaways represent a new trend for the region that first appeared in H2 2023," the report stated. "Most access giveaways (70%) contained the credentials of government agency employees."

**Cyber Domain Favored for Attacks, Espionage**

Cyberattacks have become the preferred battlefield for many groups — both nation-state and dissent organizations — in the region. The stakes are rapidly escalating as well, from Iran's increasing pace of cyber espionage to Israel's cyber-physical attacks using compromised supply chains to the compromise of naval information systems in the region.

With the UAE and Saudi Arabia increasingly invested in digitization, AI development, and shifting to a knowledge-based economy, organizations in the two nations — and the Middle East at large — need to focus on strengthening their cybersecurity posture, Positive Technologies says.

Related:As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

"Dark Web forums are full of offers and services tailored to this region," the company's report stated. "The abundance of posts related to the sale of access, often low-cost, makes it easier for attackers to gain initial access to a company and carry out an attack without wasting time looking for new entry points into the infrastructure. Access giveaways are a new trend on the part of haсktivists allowing low-grade hackers to carry out attacks and raise public awareness about social and political issues."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

UAE, Saudi Arabia Become Plum Cyberattack Targets

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw…

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw has been patched, but it highlights the growing threat of cyberattacks on connected cars.

A severe security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only a license plate. Security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by exploiting the Kia dealership infrastructure,

The attack involved attackers remotely registering for a fake account and generating access tokens. These tokens would then be used in conjunction with another HTTP request to a dealer APIGW (API Gateway) endpoint and the vehicle’s VIN (vehicle identification number) to obtain the owner’s name, phone number, and email address, potentially adding themselves as an “invisible” second user on the car without the owner’s knowledge.

Researchers discovered that a victim’s vehicle could be accessed by executing four HTTP requests and internet-to-vehicle commands. These commands include generating a dealer token, fetching the victim’s email and phone number, modifying the owner’s previous access using a leaked email address and VIN, and adding an attacker as the primary owner of the vehicle. The victim would not receive any notification about modifications to their access permissions. Here’s a quick explanation of which functionalities are vulnerable:

*   **Remote Lock/Unlock: They could lock or unlock the doors.**
*   **Geolocate Vehicle: Hackers could pinpoint the car’s location.**
*   **Remote Start/Stop: They could start or turn off the engine remotely.**
*   **Remote Horn/Light: They could activate the car’s horn and lights.**
*   **Remote Camera: In some cases, they could even access the car’s cameras.**

A hypothetical attack scenario could allow a bad actor to enter a Kia vehicle’s license plate, retrieve the victim’s information, and execute commands after 30 seconds. The vulnerability allows hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering occupants. It impacted a wide range of Kia vehicles, including models manufactured after 2013. This means that a significant number of cars were potentially at risk.

Kia addressed these issues in August 2024 following a responsible disclosure in July 2024. While no evidence of exploitation in the wild exists, researchers warn that car manufacturers could introduce similar vulnerabilities to Meta, allowing someone to take over a vehicle’s information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.

This is not the first time a team involving ethical hackers like Sam Curry has compromised the security of internet-connected cars for good. In December 2022, hackers used application vulnerabilities to hack Honda and Nissa vehicles just by knowing their VIN.

Commenting on this, Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said, “This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation. The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”

Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? This wasn’t just about controlling a car—it exposed personal data, too. In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers.”

“Automakers must take cybersecurity as seriously as crash safety. Cars aren’t just machines anymore—they are smart devices loaded with data that needs protection. Regular software updates, stronger encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
3.  Globally Used Points.com Loyalty System Hacked for Good
4.  Tesla cars can be remotely hacked using drone, WIFI dongle
5.  Internet Connected Car Hacked and DDoSed via Smartphone

Hackers Could Remotely Control Kia Cars by Exploiting License Plates

MoneyGram faces a cyberattack that has caused global service disruptions for five days. Customers are unable to send…

MoneyGram faces a cyberattack that has caused global service disruptions for five days. Customers are unable to send or receive payments, as the company works to restore systems and investigate the issue.

MoneyGram, a global leader in money transfer services, has been experiencing widespread service disruptions following a cyberattack that impacted its systems on September 21, 2024. The company has confirmed that its network connectivity and key systems were taken offline to address the security breach.

While it is unclear whether the incident was a DDoS attack or ransomware, the prolonged outage has left many users unable to send or receive payments globally, leading to frustration among customers who depend on the service for their financial transactions.

At the time of writing this article, the MoneyGram website was down and showing this message (Screenshot credit: Hackread.com)

****Timeline of the Outage****

As seen by Hackread.com, the issue first came to light late on September 21, 2024, when MoneyGram acknowledged the network outage in a tweet. In its first tweet, the company announced the following incident:

> _“MoneyGram is experiencing a network outage impacting connectivity to a number of our systems. We are working diligently to better understand the nature and scope of the issue. We recognize the importance and urgency of this matter to our customers.”_
> 
> MoneyGram – 11:19 PM · Sep 21, 2024

At this stage, the extent of the problem was unclear, and customers were left in the dark about when services would resume. It wasn’t until September 23, two days later, that MoneyGram confirmed a cybersecurity incident was behind the outage.

> _“MoneyGram recently identified a cybersecurity issue affecting certain of our systems. Upon detection, we immediately launched an investigation and took protective steps to address it, including proactively taking systems offline which impacted network connectivity. We are working with leading external cybersecurity experts and coordinating with law enforcement.”_
> 
> MoneyGram – 2:06 PM · Sep 23, 2024

The company further explained that they had taken these preventive measures to protect their systems but acknowledged the inconvenience to their customers and partners.

****Customer Frustrations Grow****

By September 24, some key transactional systems were slowly being restored, but users were still facing major disruptions. Many reported being unable to send or receive payments, while others complained of pending transactions being stuck. At 3:38 PM, MoneyGram provided an update, stating:

> _“We continue to make progress in successfully restoring some of our key transactional systems. Our dedicated team is actively working around the clock on resuming normal business operations. Once all systems are fully operational, transactions that are currently pending will be made available to customers.”_
> 
> MoneyGram – 3:38 PM · Sep 24, 2024

Despite the ongoing work, many users expressed their frustration on social media, highlighting how the outage had affected their ability to access funds or complete urgent financial transactions.

****Partial Service Restoration Begins****

By September 25, more services were coming back online, but the company was still working to restore all of its systems fully. MoneyGram reported that many of its agent partners were back online and could send and receive money, providing some relief to customers with stuck payments.

> _“We continue to make progress and are resuming additional services. Many of our agent partners are now available for sending and receiving money, including fulfilling pending transactions. We are continuing to work diligently to resume our remaining services, including http://moneygram.com.”_
> 
> MoneyGram – 9:28 AM · Sep 25, 2024

Although progress was being made, some customers were still unable to use MoneyGram’s website and online services, further fueling frustration among users who rely on the platform for cross-border payments and remittances.

MoneyGram on Twitter (Screenshot credit: Hackread.com)

****Customer Impact and Response****

The outage, which is still ongoing, has left many users questioning MoneyGram’s ability to secure their financial transactions and data at this moment. The delay in service restoration, especially for time-sensitive transactions, has caused considerable inconvenience, particularly for individuals and businesses who rely on MoneyGram for international money transfers.

While MoneyGram has reassured customers that they are working with cybersecurity experts and law enforcement, the prolonged disruption and uncertainty have raised concerns about the company’s preparedness and ability to respond to cyberattacks.

****We will keep you posted****

MoneyGram has committed to keeping customers informed through social media updates, but as of now, the full extent of the data compromise remains unclear. Therefore, users are advised to monitor MoneyGram’s updates for further information about when full services will be restored and when pending transactions will be processed.

Meanwhile, Hackread.com is closely monitoring dark web leak sites associated with prominent ransomware gangs for any claims related to the MoneyGram cyberattack, in case it is confirmed to be a ransomware attack. Stay tuned.

1.  US Microchip Giant Hit by Cyberattack, Disrupting Operations
2.  AT&T Outage Disrupts Service for Millions of Users Across US
3.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals
4.  Disruptions at 70% of Iran’s Gas Stations Blamed on Cyberattack
5.  Android Money Transfer XHelper App was a Money Laundering Network

MoneyGram Cyberattack: Global Service Disruptions Enter Day 5

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising…

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising 260,000 compromised IoT devices. This operation neutralized a major cyber threat to U.S. infrastructure.

In a major blow to state-sponsored cyber malicious activity, the FBI, in cooperation with other U.S. government agencies, has successfully dismantled a massive botnet linked to Chinese government-backed hackers.

Known as **Flax Typhoon or Raptor Train**, the botnet comprised around 260,000 compromised Internet of Things (IoT) devices globally. The network was reportedly designed to steal sensitive information and disrupt critical services in the U.S. and other nations.

The compromised devices included a widespread network of IoT hardware such as cameras, routers, storage units, and video recorders. According to the joint advisory issued by the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA), the operation not only removed malware from these devices but also severed their links to the larger botnet, making the network powerless.

The takedown came just seven months after, **in February 2024**, the agency dismantled the KV Botnet, which was used by Volt Typhoon, another Chinese state-sponsored threat actor group.

**Scope of the Botnet**

The FBI operation reveals the global reach of the botnet. The United States accounted for nearly half of the compromised devices, reflecting the strategic focus on U.S. infrastructure. Other nations, including Vietnam, Germany, and Canada, also faced significant exposure, showing the worldwide threat posed by the botnet.

Country

Node Count

Percentage

United States

126,000

47.9%

Vietnam

21,100

8.0%

Germany

18,900

7.2%

Romania

9,600

3.7%

Hong Kong

9,400

3.6%

Canada

9,200

3.5%

South Africa

9,000

3.4%

United Kingdom

8,500

3.2%

India

5,800

2.2%

France

5,600

2.1%

Bangladesh

4,100

1.6%

Italy

4,000

1.5%

Lithuania

3,300

1.3%

Albania

2,800

1.1%

Netherlands

2,700

1.0%

China

2,600

1.0%

Australia

2,400

0.9%

Poland

2,100

0.8%

Spain

2,000

0.8%

The table shows Botnet Devices per Country

**Global Reach and Architecture**

The botnet’s impact extended across multiple continents, with North America being the most affected region. Europe and Asia also experienced significant infection rates, while Africa and Oceania had smaller shares. This geographical spread shows the **global vulnerability of IoT devices** and the strategic use of botnets in cyber warfare.

Continent

Node Count

Percentage

North America

135,300

51.3%

Europe

65,600

24.9%

Asia

50,400

19.1%

Africa

9,200

3.5%

Oceania

2,400

0.9%

South America

800

0.3%

The table shows Botnet Devices per Continent

The operation also exposed the types of processors used by the infected devices. The majority were based on the x86 architecture, followed by MIPS and ARM systems, highlighting how a wide array of devices, often lacking sufficient security protocols, can be easily hijacked and integrated into malicious networks.

The full list of vulnerabilities exploited by the botnet, Indicators of Compromise (IoC), and compromised vendors is **available here** (PDF).

**Implications for Global Cybersecurity**

The successful dismantling of the botnet not only neutralizes a major threat to U.S. infrastructure but also sends a strong message to other nation-state actors. Additionally, as IoT devices become an integral part of our daily lives, they will increasingly become lucrative targets for cybercriminals. To protect your IoT devices, follow these simple yet vital guidelines:

*   **Change Default Passwords**: Always update default usernames and passwords on IoT devices to strong, unique credentials.
*   **Regularly Update Firmware**: Ensure your IoT devices are running the latest firmware to patch any security vulnerabilities.
*   **Disable Unnecessary Features**: Turn off features or services you don’t need, such as remote access, to reduce potential entry points for attackers.
*   **Use a Separate Network**: Set up a dedicated network for IoT devices to isolate them from more sensitive devices like computers and smartphones.
*   **Enable Encryption**: If available, activate encryption settings to protect data transmitted by your IoT devices from being intercepted.

1.  **Mozi Botnet Takedown: Who Killed the IoT Zombie Botnet?**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**

FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).

The sophisticated botnet, dubbed **Raptor Train** by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.

"Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in a 81-page report shared with The Hacker News.

The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following -

*   Tier 1: Compromised SOHO/IoT devices
*   Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
*   Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The way it works is, that bot tasks are initiated from Tier 3 "Sparrow" management nodes, which are then routed through the appropriate Tier 2 C2 servers, and subsequently sent to the bots themselves in Tier 1, which makes up a huge chunk of the botnet.

Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.

A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor's ability to reinfect the devices at will.

"In most cases, the operators did not build in a persistence mechanism that survives through a reboot," Lumen noted.

"The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an 'inherent' persistence."

The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.

Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.

These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.

At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which are distinguished by the root domains used and the devices targeted -

*   Crossbill (from May 2020 to April 2022) - use of the C2 root domain k3121.com and associated subdomains
*   Finch (from July 2022 to June 2023) - use of the C2 root domain b2047.com and associated C2 subdomains
*   Canary (from May 2023 to August 2023) - use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
*   Oriole (from June 2023 to September 2024) - use of the C2 root domain w8510.com and associated C2 subdomains

The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.

The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.

"In fact, the w8510.com C2 domain for \[the Oriole\] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings," Lumen said.

"By at least August 7, 2024, it was also included in Cloudflare Radar's top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection."

No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.

What's more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.

The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.

"This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time," Lumen said.

"This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos