The advanced persistent threat (APT) group is likely India-based and targeting individuals with connections to the country's intelligence community.

Source: SROOLOVE via Shutterstock

Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.

The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but do not work as advertised. Instead, once installed on a system they prompt the user to turn on the device's accessibility feature and grant access to several easily misused permissions. The apps then shut down and proceed to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently spotted the new DONOT campaign.

**Intelligence Gathering and Beyond**

"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.

Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal basically allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.

When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into clicking on the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services to use the app. The victim is then directed to the accessibility settings page from which the app accesses several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.

Researchers at Cyfirma also found the apps to access several other permissions such as those that allow the threat actor to delete and read both incoming and outgoing text messages. They also can access the Android device's internal storage to extract its exact location and monitor its movement on a real-time basis.

Significantly, Cyfirma found the malicious apps using push notifications to try and get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.

**A Persistent South Asian Threat**

DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.

Others, such as ESET have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.

DONOT Team is one of several APT groups believed to be operating out of India that is engaged in a range of malicious activities, including online extortion scams, hacktivism, and increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader growth in all kinds of cybercrime in South Asia in recent years.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DONOT Group Deploys Malicious Android Apps in India

Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing…

Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing weak practices, malware trends, and security gaps.

Cybersecurity researchers at Specops are delivering a global wake-up call over a major password-related issue: over 1 billion **passwords** were stolen by malware in the past year. According to Specops Software’s 2025 Specops Breached Password Report shared with Hackread.com ahead of its publishing on Tuesday, millions of stolen passwords met standard complexity requirements. The report also highlights the prevalence of malware stolen credentials, with over a billion found in the last 12 months.

The Report’s Key Findings:

*   Despite meeting common complexity requirements (length, uppercase, numbers, symbols), 230 million stolen passwords were still compromised.

*   Common weak passwords like “123456” and “admin” continue to plague systems, revealing a significant gap in user awareness and education.

*   Common base terms like “qwerty,” “guest,” and “student” are frequently used as password foundations.

*   **Redline, Vidar, and Raccoon Stealer** emerged as the top three credential-stealing malware, demonstrating the sophistication and persistence of these threats. These sophisticated malware strains actively target and steal credentials from various sources, including web browsers, email clients, and even VPN clients. Check out Hackread.com’s detailed analysis of these malware **here**.

*   The “malware-as-a-service” model, where cybercriminals rent out these tools, has increased the accessibility and availability of these powerful attack vector.

The **report** highlights the ongoing struggle which unsuspecting users and organizations face in addressing weak password practices, with end users still creating short, weak passwords despite knowing the risks.

Via Specops

Users often employ the same or slightly modified passwords across multiple accounts, including work, personal, and online services, which is a risky practice as reusing work passwords on personal devices and less secure platforms significantly increases the potential for compromise. A single breach on a less secure platform can compromise access to sensitive corporate systems, including Active Directory and **VPNs**.

Moreover, **stolen credentials** provide attackers with direct access to valuable data, including personal information, financial records, and corporate secrets. These credentials can be used to launch further attacks, such as phishing campaigns and more sophisticated breaches, enabling attackers to gain deeper access to organizational systems.  

> _“The amount of passwords being stolen by malware should be a concern for organizations. Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware.”_
> 
> Darren James, Senior Product Manager – Specops Software.

Considering these dangerous implications, security experts recommend organizations implement stronger password policies and regularly scan Active Directory for compromised passwords for immediate remediation. Educating users about weak passwords, and staying updated on threats and vulnerabilities to defend against emerging attacks is essential. Lastly, implement Multi-Factor Authentication (MFA) to add an extra layer of security beyond passwords.

1.  **Google Makes Passkeys Default for All Users**
2.  **Why Browser Security Matters More Than You Think**
3.  **Are We on the Brink of Saying Goodbye to Passwords?**
4.  **Pop Culture Passwords Most Likely to Get You Hacked**
5.  **Nissan source code leaked, it used “admin” as username, password**

Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws…

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws in common tunnelling protocols like IPIP, GRE, and 6in4/4in6. Learn how these vulnerabilities can be exploited for malicious attacks and how to protect your devices.

New vulnerabilities in multiple tunnelling protocols (IPIP/IP6IP6, GRE/GRE6, 4in6, 6in4) have been discovered by Top10VPN in collaboration with security researcher Mathy Vanhoef. These vulnerabilities allow attackers to hijack affected internet hosts to perform anonymous attacks and gain unauthorized network access. 

A large-scale internet scan identified 4.2 million open tunnelling hosts. This includes critical infrastructure such as VPN servers, home routers, core internet routers, mobile network gateways, and even content delivery networks (CDNs) operated by major players like Facebook and Tencent. Vulnerable hosts can enable a range of attacks, including new DoS techniques and DNS spoofing. The identified vulnerabilities include CVE-2024-7595, CVE-2025-23018/23019, and CVE-2024-7596.

The most affected countries are China, France, Japan, the U.S., and Brazil. Over 11,000 autonomous systems (AS) have been impacted, with Softbank, Eircom, Telmex, and China Mobile being the most affected.

The vulnerabilities stem from many internet hosts accepting tunneling traffic without verifying the sender’s identity. This lack of authentication allows attackers to exploit these hosts as proxies for malicious activities. 

“These hosts accept unauthenticated tunneling traffic from any source. This means they can be abused as one-way proxies to perform a range of anonymous attacks. Vulnerable hosts can also potentially be abused to gain access to victims’ private networks,” Top10VPN’s researcher and report author Simon Migliano noted.

Specifically, attackers can manipulate these hosts to send traffic on their behalf, concealing their true origin and making it difficult to trace attacks back to them. In some cases, attackers might be able to exploit these vulnerabilities to gain access to private networks connected to the hijacked host.

Tunneling protocols, such as IPIP, GRE, and 6in4/4in6, play a crucial role in modern networking, enabling seamless communication across diverse networks. However, many devices utilizing these protocols lack proper authentication and encryption, leaving them vulnerable to exploitation. 

According to Top10VPN’s report, at least 1,365 vulnerable VPN servers were identified, including consumer VPNs, routers with remote access features, and business VPNs. AoxVPN, a service with over a million users, was among those with vulnerabilities.

Additionally, around 1,200 vulnerable dynamic DNS routers, primarily Synology models offering remote access via VPN Plus Server, were detected. And, 171 company VPN servers were exposed, mainly using the GRE protocol, belonging to businesses and organizations in 33 countries, with the United States, China, and Hong Kong being the most affected. Over 17% of vulnerable devices were Free ISP’s home routers in France, which accepted unauthenticated traffic.

Furthermore, researchers discovered novel attack methods, such as “Ping-pong Amplification” and “Tunneled-Temporal Lensing,” which leverage these vulnerabilities to launch powerful Denial-of-Service (DoS) attacks. These vulnerabilities can also amplify the impact of existing attacks, such as DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, and certain WiFi attacks.

The research highlights the need for enhanced security measures in these protocols to mitigate risks and ensure the reliability of our interconnected world. Proactive measures, including regular security audits, software updates, and increased awareness among system administrators and end-users, are also important for identifying and patching vulnerable devices.

1.  **Millions of websites using CDNs at risk of CPDoS attack**
2.  **DNS Tunneling Used for Stealthy Scans and Email Tracking**
3.  **GoogleUserContent CDN Hosting Images Infected with Malware**
4.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
5.  **Millions of Email Servers Exposed Due to Missing TLS Encryption**

Tunneling Flaws Put VPNs, CDNs and Routers at Risk Globally

New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.

Source: Thomas Bethge via Alamy Stock Photo

Highlights:

*   Consumer survey shows that the most common security issues are phishing attacks, such as text or emails seeking personal information, as well as malware and physical theft. 
    

*   Hands-on device testing shows that Samsung S24 offers the best anti-phishing protection, while the Google Pixel 9 Pro leads in many other areas. 
    

*   The iPhone 16 Pro and other premium Android smartphones from Honor, Xiaomi, and OnePlus lack security features and protections. 
    

COMMENTARY  
New research from Omdia shows that the security capabilities on several of the latest consumer smartphones, including top devices from Apple, Google, and Samsung, fail to detect several types of common phishing attacks.

As part of the fourth-annual Omdia Mobile Device Security Scorecard, Omdia surveyed 1,572 consumers across 13 major countries in the Americas, Asia and Oceania, and Europe, in October 2024. This survey covered the demographics of smartphone users, their security concerns and attitudes, their perception of the most common security threats, and the key smartphone purchasing drivers.

Consumers reported that the most common security issue they encountered was phishing scams and attacks (texts, emails or calls which use false pretenses to try to get the target to give away valuable personal information), with 24% reporting to have experienced phishing. 

Omdia also asked consumers to rate how important various security features were, with anti-phishing having the largest net-importance rating. In fact, over the four years Omdia has conducted its Mobile Device Security Scorecard research, anti-phishing has been rising in importance. This is no surprise, as phishing not only becomes more common, but also as consumers become more familiar with the attacks and the potential for personal information theft or financial loss. 

The next most common security issue was malware and viruses. The third most common was physical theft, such as pickpocketing, mugging or snatching. 

**Mobile Device Security Testing Results**

For each of these security issues, Omdia tested leading premium smartphones to determine availability and effectiveness of security features and capabilities. Google's Pixel 9 Pro and Samsung's Galaxy S24 both scored highly, ahead of Apple's iPhone 16 Pro and other leading Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro.

Despite the importance consumers place on phishing prevention on mobile devices, the anti-phishing features failed to some degree on every device Omdia tested. No device caught all the attempted phishing texts, calls, and emails initiated as part of the testing.  

Several of the devices did catch simulated spam calls: All Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung, which have voice call protection, flagged suspected spam calls before the recipient could answer the call. The iPhone 16 Pro, however, did not have the same protections and did not catch the simulated spam call. 

Text messages with malicious short links were sent from an unknown number and sender ID, but these were not successfully caught by the test devices. Simulated phishing emails were sent from both Gmail and Google's Mail Delivery subsystem, but no device caught the phishing emails from Gmail; the messages were only identified as spam when sent from Google's SMTP. 

Despite not all phishing texts and emails being caught, once malicious links were opened on the devices, those that use Google Safe Browsing protections successfully blocked the link from opening. A warning screen was raised, forcing the user to bypass it to proceed.

Yet not all Android devices performed similarly: Samsung Internet blocked most links except the more sophisticated custom URLs, while the Xiaomi Mii and OnePlus Internet browsers failed to warn the user even when loading known malicious links. 

In previous years' testing, smartphones have been able to detect and successfully block or warn against the attempted phish. However, the difference year-on-year showcases the ever-changing nature of threats.

**Lack of Mobile Security Impacts Consumer Trust**

The lack of effective security protections on mobile devices, particularly against the growing threat of phishing attacks, is eroding consumer trust.

When Omdia asked consumers if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer. 

Despite some manufacturers' efforts to ensure the latest mobile device security protections are in place, Omdia notes that it is difficult to protect against 100% of phishing attempts. This highlights the severity of the issue and potential impact to consumers.

That said, Omdia asserts that smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities on the market) and should have more effective baseline phishing protection in place — such as voice call protection, and all Android devices making use of Google’s Safe Browsing protections. 

Omdia sees the value in the phishing protection features implemented by the leading smartphone vendors, and how this can help to protect consumers — at least in most instances, based on Omdia's latest round of testing.

However, these features need to be paired with awareness activity from manufacturers, as well as the wider industry, to help consumers be vigilant and prepared for the instance when a security threat evades a protection mechanism. Such awareness adds an important additional layer of protection against the rising number of scams targeting consumers through their mobile devices.

**About the Authors**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Senior Analyst, Smartphones, Omdia

Aaron West provides expertise and analysis of the smartphone market, joining Omdia in 2022. His areas of reporting include the active smartphone installed base, eSIM development, mmWave 5G, sustainability, and the foldable smartphone market.

Aaron has a range of research and publishing experience. He graduated with a degree in theoretical physics before moving into consumer product testing, with a focus on sustainability and the environment.

In this role, he was responsible for research project management, including comparative testing of technology products and consumer surveys. He also reported on the energy efficiency and longevity of home appliances, as well as the product lifecycle and obsolescence of smartphones.

Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.

In December 2024, during routine threat hunting activities, Sekoia.io uncovered a new Adversary-in-the-Middle (AiTM) phishing kit specifically targeting Microsoft 365 accounts. This phishing kit, dubbed Sneaky 2FA, has been circulating since at least October 2024, with potential compromises identified through Sekoia.io telemetry.

Further probing revealed that Sneaky 2FA is being offered as a Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log,” which operates through a fully-featured bot on Telegram.

The modus operandi of the entire campaign includes customers receiving access to a licensed and obfuscated source code version, allowing them to independently deploy phishing pages, typically hosted on compromised infrastructure, frequently involving WordPress websites and other domains controlled by the attackers.

Sneaky 2FA’s on Telegram and blurred background images that it uses (Via Sekoia)

In addition, the Sneaky 2FA phishing kit incorporates elements from the W3LL Panel OV6, another AiTM phishing kit previously reported by Group-IB. This connection suggests a possible lineage and development within the cybercriminal infrastructure.

****Characteristics of Sneaky 2FA****

According to Sekoia’s report, the Sneaky 2FA phishing kit employs several techniques to evade detection and enhance its success. It utilizes URL patterns, such as “mysilverfox.commy/00/#victimexamplecom,” to automatically prefill the phishing page with the victim’s email address.

These phishing URLs are generated using 150 alphanumeric characters, followed by the path /index, /verify, and /validate. This pattern offers opportunities for tracking. Most customers deploy the server in a dedicated repository, named /auth/ by default.

To further enhance its stealth, Sneaky 2FA integrates anti-bot and anti-analysis features. Cloudflare Turnstile pages are employed to differentiate human users from bots. These pages often present seemingly benign content before loading the actual challenge. Additionally, the phishing kit incorporates anti-debugging techniques to hinder analysis using web browser developer tools.  

The phishing pages themselves utilize a variety of obfuscation methods, including HTML and JavaScript code obfuscation, the embedding of text as images, and the inclusion of junk data within the HTML code. These techniques aim to make phishing pages more difficult to detect by security tools.

****Sneaky Log’s Operations****

The Sneaky Log service operates through a sophisticated Telegram bot that allows customers to purchase the phishing kit, manage subscriptions, and receive support. The bot offers a user-friendly interface and supports multiple cryptocurrency payment options, including Bitcoin, Ethereum, and Tether.  

Analysis of cryptocurrency transactions revealed potential money laundering activities, with users instructed to pay a 10% premium and subsequent transfers occurring between various addresses.

****Detection and Tracking Opportunities****

Detecting Sneaky 2FA attacks can be achieved by analysing authentication logs for anomalies. The phishing kit utilizes inconsistent User-Agent strings for different stages of the authentication process, which can be identified as “impossible device shifts” and flagged as suspicious activity.  Furthermore, the analysis of phishing page URLs, including patterns and domain registrations, can help track and identify campaigns associated with Sneaky 2FA.

Sneaky 2FA is a growing threat in Microsoft 365 phishing attacks, offering sophisticated features and a user-friendly PhaaS platform. To mitigate risks, organizations must continuously monitor and share threat intelligence apart from improving cybersecurity measures.

Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+ commented on this urging Microsoft 365 to remain alert. _“_This kit’s ‘sneaky’ aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages._“_

_“_The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments,_“_ Stephen warned. _“_Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats._“_

1.  **Malware Bypasses MS Defender, 2FA to Steal $24K in Crypto**
2.  **Rockstar 2FA Phishing-as-a-Service Kit Hits MS 365 Accounts**
3.  **Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page**
4.  **New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users**
5.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security Software**

Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

January 17, 2025 - A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...

January 16, 2025 - Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.

January 16, 2025 - The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.

January 15, 2025 - An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

January 14, 2025 - An insurance company is accused of unlawfully collecting, using, and selling location data from millions of people's cell phones.

 A week in security (January 13 &#8211; January 19) 

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

After an opaque and uncertain saga, TikTok went dark on millions of phones across the United States on Saturday evening around 10:30 pm EST. Google Play and Apple’s App Store both pulled the app late Saturday as well. If it was already installed prior to Saturday evening, the app is still there on your phone, but launching it only reveals a pop-up warning about the ban. As the deadline loomed, TikTok users had been bracing for the change and flooding other platforms, including the Chinese social app Xiaohongshu or “RedNote.” But if you’re not quite ready to give up the latest skin-care hacks, budgeting tips, and pet tortoise influencers, there are some options for circumventing the ban and continuing to use the platform.

“Sorry, TikTok isn’t available right now,” the app alert reads. “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now. We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” Other ByteDance-owned apps, including CapCut and Lemon8, also disappeared from US app stores.

Such a ban has never existed in the US before, so the technical methods being employed to implement it are still evolving, and circumvention techniques may need to change as well. The law driving the situation, the Protecting Americans From Foreign Adversary Controlled Applications Act (PAFACA), doesn’t make it illegal to have TikTok on your phone. And, notably, it also doesn’t say that TikTok itself has to stop the app from working in the US.

Nonetheless, the company said in the days before the law took effect that it planned to make the app inaccessible to US users—a level of cooperation and accommodation that the outgoing Biden White House called a “stunt” on Saturday afternoon. Even if TikTok itself had obligations under the law, the Biden White House had signaled that it did not plan to enforce the ban before Trump took office on Monday.

Rather than putting the pressure on TikTok, PAFACA requires app stores and cloud hosting services to stop doing anything to “distribute, maintain or update” TikTok. That puts the pressure on Apple and Google to stop new users from downloading TikTok, as well as infrastructure providers like Oracle to keep new content or software updates from reaching the app’s users. Over time, TikTok would likely degrade and become unusable.

Officials in India banned TikTok in 2020, and the company also proactively blacked out the app in that case. When Indian users who already had the app installed tried to launch it, a pop-up appeared telling them that they couldn’t access the service.

Devashish Gosain, a network analysis researcher and assistant professor at the Indian Institute of Technology Bombay, says that in India, TikTok users must remove their Indian SIM card from their phone or use an international SIM card and then run a VPN in order to load content in the app.

“Even VPNs do not lead to circumvention” in India, Gosain told WIRED.

In the early hours of the US ban, it was unclear exactly how feasible it would be to get around the restrictions for US accounts. It seemed that TikTok had taken a more extreme approach, turning any US builds of the app dark—blacking out versions of the TikTok app software that had been made to be downloaded and used by US users. It also seemed that US-linked accounts were being blocked regardless of IP address or SIM country information.

Running a VPN alone was certainly not enough to circumvent the ban and get back on TikTok. But seemingly using a non-US TikTok account after removing a SIM (or on a device without a US SIM card/US phone number) worked when combined with a VPN. Similarly, using a VPN with a desktop browser or the Tor Browser was enough to get a non-US TikTok account to load in the US early on Sunday morning, though TikTok’s desktop version has always been much more limited than its mobile app.

“TikTok inspects the source IP of the network packets—if the source IP belongs to India, it drops the packets,” Gosain explains, of the restrictions in India. “Also, the TikTok app fetches the country information embedded in the SIM card, and if the country code is ‘IN,’ it filters the network connection. When we remove the SIM card, the TikTok app fails to identify Indian users from the SIM card, and when we use VPNs, the IP address changes, and it no longer belongs to the Indian IP range. Thus, TikTok again fails to identify that the user is accessing from India. This is how we bypass the filtering.”

Virtual private networks, or VPNs, work by passing your internet traffic through servers that are physically maintained in locations around the world, so you can select an IP address that is tied to a different location than where you physically are. For example, American TikTok users can use VPNs to make it look like they are accessing the internet from outside the US. VPNs also stop your internet service provider (ISPs) from seeing your browsing data, adding an extra potential layer of privacy. When you’re using a VPN, your ISP will simply see connections to the VPN instead of having access to the detailed list of all the websites you’re visiting.

As a result of these capabilities, VPNs are frequently used in attempts to get around digital geolocation restrictions, like those on Netflix or other streaming platforms. They’re also an important, and familiar, tool for circumventing internet censorship programs for people living under authoritarian regimes like those in Russia, China, and Iran.

Using a VPN comes with caveats, though. Some commercial VPNs log people’s browsing history, which essentially just shifts data collection from ISPs to VPN makers. This means that the data isn’t more protected, and that law enforcement could request it from a VPN provider in the same way that they make requests to ISPs. As a result, picking a free VPN is generally not a good idea—with some even selling access to your home internet connections. But some VPNs publish no-logging policies and offer third-party audits and other transparency features in an attempt to show their compliance.

For now, it seems that TikTok’s efforts to block US users are extremely draconian, and even a non-US SIM card or no SIM card plus a VPN may not be a workable path to getting back on the app with a US TikTok account. But the restrictions may only be temporary anyway. In practice, there seems to be little appetite for a permanent ban in the US. And, in spite of originating the idea, President Trump has said in recent days that he doesn’t want the app to be banned.

“My decision on TikTok will be made in the not too distant future, but I must have time to review the situation,” Trump said in a Truth Social post on Friday. “Stay tuned!”

How to Get Around the US TikTok Ban

The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.

Source: Roykas Tenys via Alamy Stock Photo

Now that the US Supreme Court has upheld a ban on the wildly popular video social media platform we know as TikTok, its most influential users have decided to retaliate by moving their game over to REDnote, a competing Chinese social media company, thus creating an entirely new, and arguably worse, situation for the nation's cybersecurity.

The move to the alternate platform is emerging as a pop culture phenomenon. Of TikTok's roughly 170 million monthly users in the US, more than 3 million have already headed over to REDnote. Chart-topping rapper Doechii announced her account, with 2.5 million followers, was headed over to REDnote just days before the Supreme Court ruling. Bunnie XO, wife of country music star Jelly Roll, with 7 million TikTok followers, has already declared her love for Mandarin Trap music after spending time on the app. The term "TikTok refugees," referring to new US users, is trending on REDnote, according to data. Searches for REDnote have spiked 100% over the past three months, and a recent "TikTok refugees" live chat attracted more than 50,000 users across the US and China.

Meanwhile, native Chinese speakers on the app are teaching their new group of US users how to correctly pronounce REDnote's Mandarin name, "Xiaohongshu," which directly translates to "Little Red Book," sharing the same name as Mao Zedong's book of quotations. Chairman Mao founded the People's Republic of China.

And, as US TikTok culture jokes about willingly handing over their data to a Chinese company with impunity as payback for the government's ban of the app, the US national security over TikTok just got even more problematic, according to experts.

**REDnote's Cybersecurity Problems**

ByteDance, the parent company behind TikTok, is headquartered in Singapore, and it has tried to convince the US it is run independent of the Chinese government. REDnote, on the other hand, is based in Shanghai, and it's one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans and throttling propaganda aligned with the Chinese Communist Party (CCP) agenda seemingly much easier. For US users interested in the specific terms of service to use REDNote, they are written in Mandarin, leaving the few who want to drill down on the app's data use to rely on Google Translate or a similar service to decipher the details.

"REDnote appears to be a more dangerous application than TikTok, as its terms of service are in Mandarin and it has not been vetted as extensively as TikTok," Ted Miracco, CEO of Approov, says. "REDnote's servers are primarily located in China, which means that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request. This situation contrasts with TikTok, which has made efforts to store some user data on US servers, offering a modicum of oversight by American authorities."

That said, national security concerns about a Chinese company controlling such a huge communications platform as TikTok in the US were well founded, according to Lawrence Pingree, vice president of Dispersive.

"I think that there are some valid concerns about the involvement of government agencies in espionage and influence operations that are important issues to address," Pingree said. "Things like data sovereignty, isolation networks and access, regular trusted third-party audits, background checks, authentication of remote employees, and, potentially, source code review are all prudent measures to require. Bans need to consider the totality of the situation, and the politics of the time."

And the politics are indeed prickly. Chinese government-backed hackers have been ramping up their espionage activities in recent weeks with compromises of multiple telecommunications networks and a breach of the US Treasury Department systems. Just a day before the Supreme Court's ruling, President Biden issued a sweeping new executive order on cybersecurity, directly calling out the malign activities of the Chinese government against the US.

The chances of a Chinese company like REDnote complying with any of the US's TikTok requirements to operate, like audits and background checks for employees, seem pretty slim in this environment.

**The Cyber Problem With the TikTok Ban**

The ban, which technically goes into effect on Sunday, was narrowly focused on TikTok and simply doesn't go far enough, Approov's Miracco adds.

"As the problem of data misuse continues to escalate, focusing solely on foreign platforms like TikTok without addressing the systemic issues within domestic social media creates an incomplete solution. A comprehensive approach is needed — one that holds all social media companies accountable for their data practices and prioritizes user privacy and security across the board," Miracco insists.

The ongoing larger problem is that legislation and lawmakers continue to lag behind technology, he adds. The ban wasn't able to effectively meet the moment, creating unintended consequences for US national security.

"The slow pace of legislative and legal actions often fails to keep up with the rapid evolution of technology and tactics employed by bad actors," Miracco says. "This gap can leave users unprotected against emerging threats that exploit the chaos surrounding the ban. As users seek alternatives to TikTok, they will inadvertently download less secure or malicious applications, including REDnote."

However, the threat of users migrating to other apps shouldn't be a deterrent to making decisions to improve US cybersecurity posture, argues Willy Leichter, chief marketing officer of AppSOC.

"The ban may inspire targeted attacks against other US-based social media platforms, but those are already happening. As a general rule, you shouldn't let the fear of reprisals stop you from taking proactive security steps," Leichter says. "We need to be prepared for the consequences anyway."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Has the TikTok Ban Already Backfired on US Cybersecurity?

The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.

Source: Marcos Alvarado via Alamy Stock Photo

A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many organizations' hesitancy to fully adopt AI practices.

Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service's LLM data set as source material used to train the next generation of the algorithm. The concern is that the information could be retrieved at a later date via savvy prompts, a vulnerability, or a hack, if proper data security isn't in place for the service.

That's according to researchers at Harmonic, who analyzed thousands of prompts submitted by users into GenAI platforms such as Microsoft, Copilot, OpenAI ChatGPT, Google Gemini, Anthropic's Clause, and Perplexity. In their research, they discovered that though in many cases employee behavior in using these tools was straightforward, such as wanting to summarize a piece of text, edit a blog, or some other relatively simple task, there were a subset of requests that were much more compromising. In all, 8.5% of the analyzed GenAI prompts included sensitive data, to be exact.

**Customer Data Most Often Leaked to GenAI**

The sensitive data that employees are sharing often falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code, according to Harmonic.

Customer data holds the biggest share of sensitive data prompts, at 45.77%, according to the researchers. An example of this is when employees submit insurance claims containing customer information into a GenAI platform to save time in processing claims. Though this might be effective in making things more efficient, inputting this kind of private and highly detailed information poses a high risk of exposing customer data such as billing information, customer authentication, customer profile, payment transactions, credit cards, and more.

Employee data makes up 27% of sensitive prompts in Harmonic's study, indicating that GenAI tools are increasingly used for internal processes. This could mean performance reviews, hiring decisions, and even decisions regarding yearly bonuses. Other information that ends up being offered up for potential compromise includes employment records, personally identifiable information (PII), and payroll data.

Legal and finance information is not as frequently exposed, at 14.88%, however, when it is, it can lead to great corporate risk, according to the researchers. Unfortunately, when GenAI is used in these fields, it's for simple tasks such as spell checks, translation, or summarizing legal texts. For something so small, the consequences are incredibly high, risking a variety of data such as sales pipeline details, mergers and acquisition information, and financial data. 

Security information and security code each compose the smallest amount of leaked sensitive data, at 6.88% and 5.64%, respectively. However, though these two groups fall short compared to those previously mentioned, they are some of the fastest growing and most concerning, according to the researchers. Security data inputted into GenAI includes penetration test results, network configurations, backup plans, and more, providing exact guidelines and blueprints as to how bad actors can exploit vulnerabilities and take advantage of their victims. Code inputted into these tools could put technology companies at a competitive disadvantage, exposing vulnerabilities and allowing competitors to replicate unique functionalities.

**Balancing GenAI Cyber-Risk & Reward**

If the research shows that GenAI offers high-risk potential consequences, should businesses continue to use it? Experts say they might not have a choice.

"Organizations risk losing their competitive edge of if they expose sensitive data," said the researchers in the report. "Yet at the same time, they also risk losing out if they don't adopt GenAI and fall behind."

Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, agrees. "Companies that don’t adopt generative AI risk losing significant competitive advantages in efficiency, productivity, and innovation as the technology continues to reshape business operations," he said in an emailed statement to Dark Reading. "Without GenAI, businesses face higher operational costs and slower decision-making processes, while their competitors leverage AI to automate tasks, gain deeper customer insights, and accelerate product development."

Others, however, disagree that GenAI is necessary, or that an organization needs any artificial intelligence at all.

"Utilizing AI for the sake of using AI is destined to fail," said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement to Dark Reading. "Even if it gets fully implemented, if it isn't serving an established need, it will lose support when budgets are eventually cut or reappropriated."

Though Kowski believes that not incorporating GenAI is risky, success can still be achieved, he notes.

"Success without AI is still achievable if a company has a compelling value proposition and strong business model, particularly in sectors like engineering, agriculture, healthcare, or local services where non-AI solutions often have greater impact," he said.

If organizations do want to pursue incorporating GenAI tools but want to mitigate the high risks that come along with it, the researchers at Harmonic have recommendations on how to best approach this. The first is to move beyond "block strategies" and implement effective AI governance, including deploying systems to track input into GenAI tools in real time, identifying what plans are in use and ensuring that employees are using paid plans for their work and not plans that use inputted data to train systems, gaining full visibility over these tools, sensitive data classification, creating and enforcing workflows, and training employees on best practices and risks of responsible GenAI use.

Employees Enter Sensitive Data Into GenAI Prompts Far Too Often

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.

COMMENTARY

Hacking is innovation in its purest form. Like any other innovation, a successful hack requires developing a creative solution to the scenario at hand and then effectively implementing that solution. As technologies facilitate implementation, successfully preventing a hack (that is, blue teaming) or simulating an attack to test defenses (red teaming) will require a better understanding of how adversaries generate creative ideas.

In the 1990s, many organizations and vendors did not sufficiently prioritize security when designing systems. As a result, finding solutions to bypass their security measures took hackers relatively little time. The problem was that while many hackers could imagine attacks that would bypass these rudimentary security measures, few had the technical skills to implement those attacks. For instance, while hacking enthusiasts theoretically understood how to abuse vulnerabilities in insecure network protocols, most lacked the technical skills necessary to write a raw socket library to do so. The bottleneck was implementation.

Over the next two decades, automated tools were developed for almost every generalized attack pattern. Suddenly, the complicated solutions that a '90s hacker could only imagine but lacked the programming capability to execute became possible with the click of a button for anyone. While some attacks still require technical skills, today it is possible to hack by creatively chaining together the abundant functions of various automated hacking tools (e.g., Metasploit, Burp Suite, Mimikatz) to penetrate the system's cracks.

Similarly, it is easy to find help, such as Copilot apps and software developers on freelancing platforms, to write specific functions required to implement an attack. In other words, with the advent of new tools and platforms, the emphasis in a successful hack has been shifting from implementation (that is, being able to write the code for the attack you imagine) to creativity (being able to imagine a novel attack). Now, the advent of large language models (LLMs) with growing inventive capabilities means that pure creativity — rather than bottlenecks in technical capability — will drive the next era of hacking.

**A New Breed of Hackers**

How will this new breed of hackers differ in terms of how they devise new cyberattacks? In many cases, this creativity will take the form of designing a novel prompt, as implementation will increasingly happen through LLMs and their various plug-ins (for instance, Anthropic's Claude 3.5 Sonnet model can already use computers). Most importantly, because many of them will not have a background in computer science, their reasoning will build on ideas and solutions from different domains — also known as analogical transfer. Many fighters in history designed novel martial arts by drawing inspiration from the behaviors of different animals. In a similar vein, a recently developed side-channel attack uses signals from wireless devices in a building to map the bodies of the people inside (analogous to how bats use echolocation to find their prey). Research has also found that information can be stolen even from air-gapped systems not connected to the Internet by examining the electromagnetic wave patterns emitted by a screen's cable or by analyzing the acoustic sound patterns of the screen itself to reconstruct the contents displayed on the computer's screen (perhaps analogous to reconstructing the recent history of a black hole by analyzing faint remnant signals in the form of Hawking radiation).

It's likely that novel prompts making similar analogies will lead to creative uses of LLMs in devising new and unexpected attack patterns. They may draw inspiration from famous battles, chess games, or business strategies, resulting in novel attack patterns or techniques. This also means that successfully preventing such attacks or emulating them for red-teaming purposes will require using research methods from behavioral sciences — such as marketing — to extrapolate common or uncommon prompts an attacker might try.

Research into potential prompts for designing an attack can take various forms. Traditional research methods, such as idea generation experiments, surveys, and in-depth interviews, can provide insights into common and uncommon prompts people may consider. Additionally, research from search engines and social media platforms may offer ideas about common combinations of knowledge (for instance, market basket analysis), which can be valuable for estimating potential analogies that people interested in hacking may be more likely to generate. Finally, crowdsourcing-based research, such as hacking challenges, will again be an asset, but the focus will be not only on the attack but also on the prompts used to develop that attack. Prompts that result in novel attacks are likely to be regularly utilized by both blue and red teams, much like Google Dorks are employed today.

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses. Insights from behavioral sciences like marketing will play a key role in achieving this goal.

**About the Authors**

Reader (Associate Professor) in Digital Innovation and Information Security, King's College London

Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is also a research affiliate of the King’s AI Institute and a member of both the Cybersecurity Research Centre (King’s Informatics Department) and the Cyber Security Research Group (King’s War Studies Department). 

Professor of Marketing & Innovation, King's College London

Oguz A. Acar is a professor of marketing and innovation and head of generative AI at King's Business School, King's College London. He is also a research affiliate at Laboratory of Innovation Science at Harvard University and an expert at World Economic Forum.

Tag

#google