A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

Source: Daniel Chetroni via Alamy Stock Photo

Researchers have demonstrated how to recreate a neural network using the electromagnetic (EM) signals emanating from the chip it runs on.

The method, called "TPUXtract," comes courtesy of North Carolina State University's Department of Electrical and Computer Engineering. Using many thousands of dollars worth of equipment and a novel technique called "online template-building," a team of four managed to infer the hyperparameters of a convolutional neural network (CNN) — the settings that define its structure and behavior — running on a Google Edge Tensor Processing Unit (TPU), with 99.91% accuracy.

Practically, TPUXtract enables a cyberattacker with no prior information to essentially steal an artificial intelligence (AI) model: They can recreate a model in its entirety and save the actual data it was trained on, for purposes of intellectual property (IP) theft or follow-on cyberattacks.

**How TPUXtract Works to Recreate AI Models**

The study was conducted on a Google Coral Dev Board, a single-board computer for machine learning (ML) on smaller devices: think edge, Internet of Things (IoT), medical equipment, automotive systems, etc. In particular, researchers paid attention to the board's Edge Tensor Processing Unit (TPU), the application-specific integrated circuit (ASIC) at the heart of the device that allows it to efficiently run complex ML tasks.

Any electronic device like this, as a byproduct of its operations, will emit EM radiation, the nature of which will be influenced by the computations it performs. Knowing this, the researchers conducted their experiments by placing an EM probe on top of the TPU — removing any obstructions like cooling fans — and centering it on the part of the chip emanating the strongest EM signals. Then they fed the machine input data and recorded the signals it leaked.

To begin to make sense of those signals, they first identified that before any data gets processed, a neural network quantizes — compresses — its input data. Only when the data is in a format suitable for the TPU does the EM signal from the chip shoot up, indicating that computations have begun.

At this point, the researchers could begin mapping the EM signature of the model. But trying to estimate all of the dozens or hundreds of compressed layers that comprise the network at the same time would have been effectively impossible.

Every layer in a neural network will have some combination of characteristics: It will perform a certain type of computation, have a certain number of nodes, etc. Importantly, "the property of the first layer affects the 'signature,' or the side-channel pattern of the second layer," notes Ashley Kurian, one of the researchers. Thus, trying to understand anything about the second, 10th, or 100th layer becomes increasingly impossible, as it rests on all of the properties of what came before it.

"So if there are 'N' layers, and there are 'K' numbers of combinations \[of hyperparameters\] for each layer, then computing cost would have been N raised to K," she explains. The researchers studied neural networks with 28 to 242 layers (N) and estimated that K — the total number of possible configurations for any given layer — equaled 5,528.

Instead of having to commit infinite computing power to the problem, they figured they could isolate and analyze each layer in turn.

To recreate each layer of a neural network, the researchers built "templates" — thousands of simulated combinations of hyperparameters, and read the signals they gave off when processing data. Then they compared those results to the signals emitted by the model they were trying to approximate. The closest simulation would be considered correct. Then, they applied the same process to the next layer.

"Within a day, we could completely recreate a neural network that took weeks or months of computation by the developers," Kurian reports.

**Stolen AIs Lead to IP, Cybercrime Risk to Companies**

Pulling off TPUXtract isn't trivial. Besides a wealth of technical know-how, the process also demands a variety of expensive and niche equipment.

The NCSU researchers used a Riscure EM probe station with a motorized XYZ table to scan the chip's surface, and a high sensitivity electromagnetic probe for capturing its weak radio signals. A Picoscope 6000E oscilloscope recorded the traces, Riscure's icWaves field-programmable gate array (FPGA) device aligned them in real-time, and the icWaves transceiver used bandpass filters and AM/FM demodulation to translate and filter out irrelevant signals.

As tricky and costly as it may be for an individual hacker, Kurian says, "It can be a competing company who wants to do this, \[and they could\] in a matter of a few days. For example, a competitor wants to develop \[a copy of\] ChatGPT without doing all of the work. This is something that they can do to save a lot of money."

Intellectual property theft, though, is just one potential reason anyone might want to steal an AI model. Malicious adversaries might also benefit from observing the knobs and dials controlling a popular AI model, so they can probe them for cybersecurity vulnerabilities.

And for the especially ambitious, the researchers also cited four studies that focused on stealing regular neural network parameters. Theoretically, those methods in combination with TPUXtract could be used to recreate the entirety of any AI model — parameters and hyperparameters in all.

To combat these risks, the researchers suggested that AI developers could introduce noise into the AI inference process using dummy operations, or running random operations concurrently, or confuse analysis by randomizing the sequence of layers during processing.

"During the training process," says Kurian, "developers will have to insert these layers, and the model should be trained to know that these noisy layers need not be considered."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

With 'TPUXtract,' Attackers Can Steal Orgs' AI Models

Law enforcement across mainland China have been using EagleMsgSpy surveillance tool to collect mobile device data since at least 2017, new research shows.

Source: Vicky Barlow via Alamy Stock Photo

NEWS BRIEF

A surveillance tool named EagleMeSpy, developed by a Chinese software company for legal use by the country's public security bureaus, has been scraping the most sensitive data from targeted Android devices since at least 2017.

Researchers at Lookout warn that the EagleMeSpy spyware has been under constant development, and while at the moment they have only seen evidence of an Android version, analysis of the tool's infrastructure indicates a potential Apple iOS version is out there somewhere as well.

Unlike other commercial spyware products, EagleMeSpy requires physical access to the targeted device to deploy the tool, the Lookout team found. The researchers reported they found no evidence of the spyware in Google Play or any other app stores, leading them to conclude Chinese law enforcement officials are the only ones initiating the surveillance software infection.

"An installer component, which would presumably be operated by law enforcement officers who gained access to the unlocked device, is responsible for delivering a headless surveillance module that remains on the device and collects extensive sensitive data," the Lookout report read.

Once installed, EagleMsgSpy gathers everything it can, including chat and text messages, screen and audio recordings, call logs, contacts, location data, and network activity, Lookout said. Additional evidence shows the vendor behind the spyware has multiple clients.

"Lookout researchers have observed an evolution in the sophistication of the use of obfuscation and storage of encrypted keys over time," the report warned. "This indicates that this surveillanceware is an actively maintained product whose creators make continuous efforts to protect it from discovery and analysis."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese Cops Caught Using Android Spyware to Track Mobile Devices

In Operation PowerOFF, global authorities aim to deter individuals from engaging in malicious cyber acts.

Source: M4OS Photos via Alamy Stock Photo

NEWS BRIEF

Law enforcement agencies around the world have seized 27 of the most popular Web platforms used to launch distributed denial-of-service (DDoS) attacks.

The international operation, which remains ongoing, is known as PowerOFF and was coordinated by Europol, involving 15 countries. The operation targeted various levels of operatives in the groups engaged in the cybercriminal activities, including three administrators who were arrested in France and Germany. It also identified 300 other cybercriminals.

Three of the so-called "booter" and "stresser" websites that were taken down as part of Operation PowerOFF include zdstresser.net, orbitalstress.net, and starkstresser.net.

"While these platforms are often marketed as legitimate tools for stress-testing, they are frequently misused to facilitate malicious attacks," said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. "By dismantling these services and identifying more than 300 customers, law enforcement agencies aim to disrupt the entire ecosystem addressing both the supply of these tools and the demand from those who use them for illegal activities."

The holiday season in particular has in the past been a peak period for hackers to carry out DDoS attacks, ultimately leading to financial loss, reputational damage for retailers, and operational disruption.

Law enforcement agencies launched an online ad campaign using Google search ads and YouTube to deter individuals from engaging in criminal activities like DDoS, highlighting the consequences of such attacks. Law enforcement also plans to conduct knock-and-talks, and use warning letters and emails.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Europol Cracks Down on Holiday DDoS Attacks

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

In the wake of a widespread telecommunications breach at the hands of China, a US senator is proposing legislation aimed at enforcing cybersecurity standards across the communications industry — but it's unclear how efficacious they could be.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC2286) recently overtook Volt Typhoon as China's threat actor du jour, thanks to a year-plus campaign of cyber espionage against at least eight telcos, including AT&T, Verizon, and T-Mobile. Its winnings were remarkable: Not only did the group manage to steal extensive metadata on calls and text messages between ordinary Americans, but they also reportedly accessed and even recorded calls involving high-ranking government officials. Reports from the same time highlighted breaches of both the Trump and Harris campaigns and the Biden administration. They're also active globally.

In the wake of that national security failure, Sen. Ron Wyden (D-Ore.) on Dec. 10 released draft legislation aimed at securing US phone networks. The "Secure American Communications Act" would require the Federal Communications Commission (FCC) to issue new cybersecurity rules for telcos and enforce those that have already been applied based on older legislation.

Related:Lessons From the Largest Software Supply Chain Incidents

"Sen. Wyden deserves credit for putting critical infrastructure security in the spotlight," says Madison Horn, former congressional candidate for Oklahoma's 5th district. She suggests, however, that the proposal is less revolutionary than rhetorical. "His push for stronger cybersecurity standards is important, but let's be clear — most of what he's calling for already exists."

**Has the FCC Been Negligent in Enforcing Telco Security?**

In a press release, Wyden's staff framed his bill not as a major change to the telecommunications industry, but a wake-up call — "to fix \[the FCC's\] own failure to fully implement telecom security requirements already required by federal law."

At issue is Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which:

Requires a carrier to ensure that any interception of communications or \[call-identifying information\] access effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of a carrier officer or employee acting in accordance with Federal Communications Commission (FCC) regulations.

Wyden's camp argues that this proposition, formulated without specific regard for cyber systems, "required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement," adding that "in the years since, the FCC has never fully implemented this provision."

Related:Google Launches Open Source Patch Validation Tool

FCC Chairwoman Jessica Rosenworcel agreed, in a draft Declaratory Ruling shared with her fellow commissioners last week. And besides affirming that interpretation of Section 105, Rosenworcel floated a proposal requiring communications services providers (CSPs) to submit annual reports, "attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks." Unlike the newly drafted bill in the Senate, this ruling would take effect immediately if it were adopted.

**What Wyden's Telco Security Bill Misses**

The Secure American Communications Act, similarly, proposes that CSPs conduct, document, and report annual vulnerability testing, and engage with independent auditors for annual assessments of FCC cybersecurity compliance. Above all, the bill proposes that the FCC enforce the spirit of Section 105 by implementing cybersecurity requirements aimed at blocking unauthorized access to these networks.

Related:Large-Scale Incidents & the Art of Vulnerability Prioritization

Are these the steps necessary to prevent the next Salt Typhoon-style attack against American communications?

In Horn's view, "The problem isn’t a lack of rules. Telcos are required to follow FCC rules, NIST standards, and ISO 27001 protocols. They conduct annual cybersecurity certifications, report breaches to multiple agencies — with CISA being a prime example — and manage supply chain risks. The efforts to secure supply chains, especially after Huawei’s impact, have already led to significant regulatory action."

Instead of a lack of rules and regulations, she argues, "It's largely a resources and scaling problem. We’re talking about a US telecommunications network that spans 800,000 miles of fiber-optic cables and 113,000 miles of long-haul fiber routes, not to mention undersea cables and satellite links. Every mile of that network introduces new endpoints and attack surfaces. The real challenge is ensuring the frameworks we already have can be implemented faster, more effectively, and at this monumental scale."

Bulky legacy systems ill-equipped to adapt to new cybersecurity guidelines, insufficient funding for cybersecurity projects, and an insufficient pool of cybersecurity talent nationwide aren't problems that can be fixed with any wave of a pen, either.

"Our adversaries are operating at the speed of war, while we’re moving at the speed of paperwork," she laments. "Attacks like Salt Typhoon don’t succeed because our policies failed — they succeed because our capacity to act didn’t keep pace with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat

****SUMMARY****

*   **Global Dismantling of DDoS Platforms**: Law enforcement from 15 countries shut down 27 websites offering DDoS attack services as part of Operation PowerOFF.

*   **Arrests and Identifications**: Europol coordinated the arrest of three site administrators in France and Germany and identified over 300 users for further action.

*   **Offline Platforms**: Popular DDoS services like zdstresser.net, orbitalstress.net, and starkstresser.net are now offline, displaying seizure notices.

*   **Holiday Season Spike**: The takedown coincides with a rise in DDoS attacks, often targeting gaming platforms and driven by financial, ideological, or extortion motives.

*   **Prevention and Outreach**: Operation PowerOFF combines takedowns with education and deterrence, including online ads and direct warnings to discourage illegal activities.

Law enforcement agencies from 15 countries have dismantled and seized 27 websites used to sell Distributed Denial-of-Service (DDoS) attack services. The takedown was part of the ongoing **Operation PowerOFF**, an initiative to shut down cybercrime and platforms facilitating it.

These websites, commonly referred to as ‘booter’ and ‘stresser’ sites, were popular among cybercriminals and hacktivists. By flooding targets with illegal traffic, these platforms enabled attackers to disrupt services, causing financial losses, reputational damage, and outages for their victims.

****Arrests!****

Coordinated by Europol; the operation targeted everyone involved in this criminal activity, from the administrators running these sites to the users hiring their services. Three administrators were arrested in France and Germany, and over 300 users were identified for further action.

As of now, 27 malicious service providers, including zdstresser.net, orbitalstress.net, and starkstresser.net, have been taken offline and display seizure notices to visitors.

The homepage of the seized sites (Credit: Hackread.com)

This takedown comes at a time when DDoS attacks, especially against gaming platforms, spike during the holiday season. Motivations for these attacks depend on several factors, including financial gain and extortion to ideological reasons, as seen with groups like Russian Killnet and Anonymous Sudan.

****Not Just Takedowns: A Broader Plan of Action****

According to Europol’s press release, Operation PowerOFF isn’t just about shutting down websites. It also aims to prevent future attacks through a combination of education and deterrence.

Europol, working with its international partners, has launched an online ad campaign targeting potential offenders. These ads, appearing on Google search results and YouTube, highlight the consequences of DDoS attacks and aim to dissuade individuals from engaging in this illegal activity.

In addition to online outreach, law enforcement agencies are using more traditional methods like warning letters and “knock-and-talks” to reach out to users of these illegal services.

In a comment to Hackread.com, Derek Manky, Chief Security Strategist at Fortinet, emphasizes the need for continued collaboration: “Turning the tide against cybercrime requires a global effort. Public-private partnerships are essential to disrupt large-scale cybercrime operations and create a safer online environment for everyone.”

1.  **Russian Ransomware Laundering Networks** **Disrupted**
2.  **Criminal Encrypted Messaging Platform MATRIX Taken Down**
3.  **Interpol Arrests 5,500 Cybercriminals, Recovers $400 Million**
4.  **INTERPOL Arrests 41, Takes Down 22,000 IPs and 59 Servers**
5.  **Phishers Impersonating Police Arrested in Multi-Million Euro Scam**

Authorities Shut Down 27 DDoS-for-Hire Platforms, Arrest 3 Admins

BforeAI has discovered a surge in phishing attacks targeting the Dubai Police, a government-run entity. Learn how cybercriminals are exploiting the Dubai Police name to steal personal information and money.

****SUMMARY:****

*   **Researchers found a rise in phishing attacks in the UAE impersonating Dubai Police via SMS.**

*   **Attackers use fake domains with typosquatting and suspicious extensions like “.xyz” and “.top.”**

*   **Many domains originate from Singapore servers linked to prior malicious activity.**

*   **The scams aim to steal financial data and exploit fear using emergency numbers like 999.**

*   **Residents should verify websites, avoid unknown contacts, and check for “HTTPS” to stay safe.**

Cybersecurity researchers at BforeAI have identified a rise in phishing attacks targeting residents of the United Arab Emirates (**UAE**) by impersonating the Dubai Police. The attacks are primarily relayed via SMS texts and redirect users to malicious domains.

The researchers analyzed 268 domains from September 17 to November 22 to identify patterns and trends. Most domains originated from Singapore servers and have a history of malicious activity, including spam, phishing, and botnets. Around 50% of these domains were registered by Gname, and the rest by NameSilo, and Dominet.

One such SMS with a malicious link (Via BforeAI)

Further probing revealed that over two dozen domains have expired, with some registered as recently as November. Two registrants, from India and Dubai, have suspicious names suggesting legitimate company origins. Threat actors, however, have managed to keep their identities anonymous, revealed BeforeAI’s **advisory** shared exclusively with Hackread.com ahead of its publishing.

This update follows **last month’s revelations** that 99% of UAE’s .ae domains are vulnerable to phishing and spoofing attacks due to insufficient DMARC implementation.

****What’s going on****

The attackers are deploying a multi-sided approach to deceive victims. This includes registering numerous domains in fast succession, often with sequential numbering, hinting at the use of automated tools, and using **Typosquatting**. This means they are creating misspelled variations of “Dubai Police” (e.g., “dubaiploce”) to trick unsuspecting recipients into clicking on illegitimate links.

Furthermore, attackers are adding terms like “police,” “gov,” “portal,” and “online” to the domain names to appear official and trustworthy.

Beyond the “.com” domain, the attackers are heavily utilizing less-regulated extensions like “.top,” “.xyz,” and “.click,” which provide them with more anonymity. Interestingly, a significant portion of the domains were registered using Tencent servers in Singapore, previously linked to malicious activities.

****Who are the Targets?****

These fraudulent campaigns seem to have two main targets- stealing financial information from individuals who believe they’re interacting with a legitimate government entity and exploiting fear by incorporating emergency numbers like 999 (UAE emergency services) to target those worried about supposed fines or seeking genuine assistance from Dubai Police.

Researchers observed a quick turnaround time for these phishing campaigns.  Many domains expire within weeks, suggesting the attackers launch frequent, short-lived operations to evade detection.

To avoid falling victim to such scams, UAE residents should verify official websites, be cautious of unfamiliar contacts, and be wary of websites lacking the “HTTPS” protocol, broken links, or unprofessional design.

1.  **Stolen UAE InvestBank Data Sold on Dark Web**
2.  **Anonymous Sudan Hits UAE’s Flydubai with DDoS Attack**
3.  **US Gov Agencies Impersonated in DocuSign Phishing Scams**
4.  **In UAE Supporting Qatar on the Internet is Now a Cybercrime**
5.  **Google takes on sites with ties to hack-for-hire groups in UAE**

Scammers Exploit Fake Domains in Dubai Police Phishing Scams

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

**References**

*   golang/crypto@b4f1988
*   https://go.dev/cl/635315
*   https://go.dev/issue/70779
*   https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
*   https://pkg.go.dev/vuln/GO-2024-3321

GHSA-v778-237x-gjrc: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto

SUMMARY Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from…

****SUMMARY****

*   A sophisticated phishing campaign is targeting employees of 30+ companies across 12 industries worldwide.

*   Over 200 malicious links have been distributed, designed to steal user login credentials.

*   Attackers use trusted domains, dynamic company branding, and document platform impersonation to evade detection and trick users.

*   Stolen credentials are sent to attackers in real time via C2 servers or Telegram bots.

*   Organizations are urged to implement multi-factor authentication, train employees, and use advanced email filtering systems to protect against such attacks.

Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions.

So far, the campaign has successfully distributed over 200 malicious links designed to steal login credentials. The industries targeted in this phishing operation include the following:

*   Energy
*   Fashion
*   Finance
*   Aerospace
*   Manufacturing
*   Telecommunications
*   Government sectors

Countries and industries targeted in the campaign (Via Group-IB)

What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. In particular, the attackers are using three main techniques to bypass email security:

*   Trusted Domain Abuse
*   Dynamic Company Branding
*   Document Platform Impersonation

In the trusted domain abuse tactic, attackers embed malicious URLs within legitimate services like Adobe.com and Google AMP, making it harder for security tools to detect. In document platform impersonation, fake DocuSign and Adobe notifications are used to lure users into clicking links for what seem to be important documents.

Meanwhile, with dynamic company branding, phishing pages cleverly display the victim’s company logo and branding by pulling them directly from legitimate websites. It’s important to note that DocuSign has long been a target for cybercriminals to deliver malicious documents. While the platform works diligently to combat scammers, the abuse of its API has become a significant challenge in recent years.

Last month, a report revealed a staggering 98% increase in DocuSign phishing scams, including impersonation attempts and aggressive phishing attacks targeting the United States government.

In the ongoing attack, much like the previous campaign, users who click the malicious links are directed to convincing login pages that are pre-filled with their email addresses. Once credentials are entered, the data is sent to the attackers through either Command-and-Control (C2) servers or Telegram bots, giving them real-time access to the stolen information.

“The Telegram bot’s history log revealed that the collected credentials were not limited to a single company. Instead, they spanned a wide range of business email addresses belonging to various brands and countries, all impacted by an ongoing email phishing campaign,” Group-IB wrote in a blog post shared with Hackread.com heard of its publishing on Wednesday.

****Protecting Against Email-Based Attacks****

This campaign is ongoing therefore, companies need to watch out for what comes to their inbox. To stay protected, organizations should:

*   Enable multi-factor authentication for an added layer of security.
*   Train employees to verify unexpected document requests before taking action.
*   Implement advanced email filtering systems to detect and block threats.
*   Regularly monitor accounts for unauthorized access to quickly identify and address breaches.

1.  **EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA**
2.  **99% of UAE’s .ae Domains Exposed to Phishing and Spoofing**
3.  **Black Basta Uses MS Teams, Email Bombing to Spread Malware**
4.  **Hackers Hit Job Seekers with AppLite Trojan with Fake Job Emails**
5.  **Phishers Impersonating Police Arrested in Multi-Million Euro Scam**

Global Ongoing Phishing Campaign Targets Employees Across 12 Industries

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Source: GK Images via Alamy Stock Photo

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

**Two-Part Attack Sequence**

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

**Cyberattacker Attribution & AWS Response**

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

**How to Secure the Cloud IT Footprint**

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

SUMMARY Zimperium’s zLabs has shared its latest research with Hackread.com, ahead of its publishing on December 10. According…

****SUMMARY****

*   **AppLite Trojan:** A new, stealthy banking trojan targeting Android devices, capable of stealing banking credentials, crypto wallets, and sensitive data.

*   **Phishing Campaign:** Delivered via fake job offer emails mimicking HR teams from reputable companies, tricking victims into downloading malware.

*   **Advanced Capabilities:** AppLite intercepts SMS, logs keystrokes, captures screenshots, and bypasses two-factor authentication.

*   **Evasion Tactics:** Employs obfuscation, dynamic behavior changes, and command-and-control updates to avoid detection.

*   **Safety Measures:** Avoid suspicious links, download apps only from trusted sources, and keep devices updated with strong security protocols.

Zimperium’s zLabs has shared its latest research with _Hackread.com_, ahead of its publishing on December 10. According to their research, millions of job seekers are unknowingly falling victim to a new wave of mobile-targeted phishing (mishing) campaign. Report author Vishnu Pratapagiri explained that cybercriminals are targeting individuals seeking new opportunities by sending fraudulent emails disguised as job offers from HR teams at well-known companies.

This highly sophisticated mobile phishing campaign involves distributing a new variant of the dangerous Antidot banking trojan. This new strain, dubbed AppLite by Zimperium researchers, targets unsuspecting victims through cleverly crafted job offer emails. 

Further probing reveals that AppLite is a particularly dangerous variant of the Antidot banking trojan. It’s designed to target mobile devices, primarily Android, and can steal sensitive information, including banking credentials and cryptocurrency wallet details.

For your information, in March 2024, Cyble researchers discovered an Android malware strain called “Antidot,” which disguised itself as a fake Google update and distributed through phishing campaigns, including SMSishing. Once installed, it stole sensitive banking information.

The attack begins with a well-crafted phishing email that mimics a job offer from a reputable company sent by the attackers posing as legitimate recruiters or HR representatives from the organization. Victims are tricked into visiting a legitimate job application page and downloading a seemingly harmless application, which acts as a dropper for the actual malware. 

The malicious email (left) – The phishing site used in the attack (Via Zimperium)

“In a subsequent communication, the threat actors direct victims to download a purported CRM Android application. While appearing legitimate, this application functions as a malicious dropper, facilitating the deployment of the primary payload onto the victim’s device,” researchers noted.

When this malicious app is installed, it secretly downloads and installs the AppLite trojan, which then requests extensive permissions, including Accessibility Services to get full control over the device.

AppLite’s capabilities are extensive. It can intercept SMS messages, log keystrokes, capture screenshots, and even control the device’s camera and microphone. It can also intercept two-factor authentication codes and steal sensitive information from banking and cryptocurrency apps.

Attack flow (Via Zimperium)

The malware’s developers have implemented several techniques to evade detection. It uses obfuscation techniques to hide its malicious code and can modify its behaviour to adapt to different security measures. Additionally, it leverages a command-and-control server to receive updates and instructions from the attackers.

To stay safe, it is crucial to stay cautious when downloading apps, especially from unknown sources. Be wary of unsolicited emails and messages, and avoid clicking on suspicious links or downloading attachments. Keep your device’s operating system and security software up-to-date, and enable strong password protection and two-factor authentication.

Tag

#google